Correct some stuff
This commit is contained in:
parent
ceb7b6b5cd
commit
25df845769
|
@ -260,8 +260,11 @@ common.run_os_command(
|
||||||
# Set up the basic features of the nftables firewall
|
# Set up the basic features of the nftables firewall
|
||||||
nftables_base_rules = """# Base rules
|
nftables_base_rules = """# Base rules
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
# Add the filter table and chains
|
||||||
add table inet filter
|
add table inet filter
|
||||||
add chain inet filter forward {{ type filter hook forward priority 0; }}
|
add chain inet filter forward {{ type filter hook forward priority 0; }}
|
||||||
|
add chain inet filter input {{ type filter hook input priority 0; }}
|
||||||
|
# Include static rules and network rules
|
||||||
include "{rulesdir}/static/*"
|
include "{rulesdir}/static/*"
|
||||||
include "{rulesdir}/networks/*"
|
include "{rulesdir}/networks/*"
|
||||||
""".format(
|
""".format(
|
||||||
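Review bot: The new base chain `add chain inet filter input {{ type filter hook input priority 0; }}` declares no policy, and an nftables base chain without one defaults to `policy accept`, so anything the later per-network rules do not match — in particular traffic arriving on interfaces that no `drop` rule names — is accepted by the router. If default-deny is the intent, declare it as `add chain inet filter input {{ type filter hook input priority 0; policy drop; }}` and put the loopback, established/related and management accepts in the static rules; if default-accept is intended, a one-line comment above the chain saying so would save the next reader the check. The `nftables_base_rules` string's `.format(` arguments continue outside the hunk.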
|
|
|
@ -247,15 +247,26 @@ class VXNetworkInstance():
|
||||||
)
|
)
|
||||||
|
|
||||||
def createFirewall(self):
|
def createFirewall(self):
|
||||||
nftables_network_rules = """# Rules for network {chainname}
|
nftables_network_rules = """# Rules for network {vxlannic}
|
||||||
add chain inet filter {chainname}
|
add chain inet filter {vxlannic}-in
|
||||||
add rule inet filter {chainname} counter
|
add chain inet filter {vxlannic}-out
|
||||||
# Jump from forward chain to this chain when matching netaddr
|
add rule inet filter {vxlannic}-in counter
|
||||||
add rule inet filter forward ip saddr {netaddr} counter jump {chainname}
|
add rule inet filter {vxlannic}-out counter
|
||||||
add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
|
# Jump from forward chain to this chain when matching net
|
||||||
|
add rule inet filter forward ip daddr {netaddr} counter jump {vxlannic}-in
|
||||||
|
add rule inet filter forward ip saddr {netaddr} counter jump {vxlannic}-out
|
||||||
|
# Allow ICMP traffic into the router from network
|
||||||
|
add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept
|
||||||
|
# Allow DNS and DHCP traffic into the router from network
|
||||||
|
add rule inet filter input tcp dport 53 meta iifname {bridgenic} counter accept
|
||||||
|
add rule inet filter input udp dport 53 meta iifname {bridgenic} counter accept
|
||||||
|
add rule inet filter input udp dport 67 meta iifname {bridgenic} counter accept
|
||||||
|
# Block traffic into the router from network
|
||||||
|
add rule inet filter input meta iifname {bridgenic} counter drop
|
||||||
""".format(
|
""".format(
|
||||||
netaddr=self.ip_network,
|
netaddr=self.ip_network,
|
||||||
chainname=self.vxlan_nic
|
vxlannic=self.vxlan_nic,
|
||||||
|
bridgenic=self.bridge_nic
|
||||||
)
|
)
|
||||||
print(nftables_network_rules)
|
print(nftables_network_rules)
|
||||||
with open(self.nftables_netconf_filename, 'w') as nfbasefile:
|
with open(self.nftables_netconf_filename, 'w') as nfbasefile:
|
||||||
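Review bot: The accept rule `add rule inet filter input ip protocol icmp meta iifname {bridgenic} counter accept` matches IPv4 ICMP only, while the table is `inet` and the closing `add rule inet filter input meta iifname {bridgenic} counter drop` also sees IPv6, so if these networks ever carry IPv6 all ICMPv6 from the bridge (neighbour discovery included) would be dropped; the `ip saddr`/`ip daddr` jump rules suggest IPv4-only is assumed today, in which case a comment stating that assumption is enough, otherwise `meta l4proto {{ icmp, ipv6-icmp }}` covers both (double braces because the string goes through `.format`). `createFirewall` also has no docstring; a short one stating that it renders this network's `-in`/`-out` chains, the forward-chain jumps keyed on `netaddr`, and the router-input accept/drop rules keyed on `bridgenic`, then writes them to `self.nftables_netconf_filename`, would help. The method body continues past the end of the hunk.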
|
@ -326,6 +337,9 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
|
||||||
'--expand-hosts',
|
'--expand-hosts',
|
||||||
'--domain={}'.format(self.domain),
|
'--domain={}'.format(self.domain),
|
||||||
'--local=/{}/'.format(self.domain),
|
'--local=/{}/'.format(self.domain),
|
||||||
|
'--auth-zone={}'.format(self.domain),
|
||||||
|
# '--auth-peer=127.0.0.1,{}'.format(self.ip_gateway),
|
||||||
|
'--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway),
|
||||||
'--listen-address={}'.format(self.ip_gateway),
|
'--listen-address={}'.format(self.ip_gateway),
|
||||||
'--bind-interfaces',
|
'--bind-interfaces',
|
||||||
'--leasefile-ro',
|
'--leasefile-ro',
|
||||||
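Review bot: `'--auth-sec-servers=127.0.0.1,[::1],{}'.format(self.ip_gateway)` is added while `--auth-peer` is left commented out; dnsmasq documents that when `--auth-sec-servers` is given without `--auth-peer`, zone-transfer (AXFR) requests are accepted from any client, and the per-network firewall in this commit accepts tcp/53 from the bridge, so every host on the network could read the whole zone. If the listed addresses really are the secondaries, restoring `'--auth-peer=127.0.0.1,[::1],{}'.format(self.ip_gateway)` restricts AXFR to them; if there is no secondary, dropping `--auth-sec-servers` avoids advertising one at all (and note the option is documented as taking server names rather than addresses, which is worth checking). Either way the commented-out `--auth-peer` line should be removed or carry a comment explaining why it is kept. The argument list continues outside the hunk.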
|
@ -333,6 +347,7 @@ add rule inet filter forward ip daddr {netaddr} counter jump {chainname}
|
||||||
'--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
|
'--dhcp-range={},{},4h'.format(self.dhcp_start, self.dhcp_end),
|
||||||
'--dhcp-lease-max=99',
|
'--dhcp-lease-max=99',
|
||||||
'--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
|
'--dhcp-hostsdir={}'.format(self.dnsmasq_hostsdir),
|
||||||
|
'--log-queries=extra',
|
||||||
'--log-facility=DAEMON',
|
'--log-facility=DAEMON',
|
||||||
'--keep-in-foreground'
|
'--keep-in-foreground'
|
||||||
]
|
]
|
||||||
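Review bot: `'--log-queries=extra'` turns on per-query logging of every DNS lookup handled for the network, including the requesting client's address, to the DAEMON facility; that is useful while debugging but is a permanent log-volume and client-privacy change that nothing in the commit explains. A comment above the line stating the intent, or gating it on an existing debug setting if the class has one (none is visible in this hunk), would make that deliberate. The argument list starts outside the hunk.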
|
|
|
@ -14,7 +14,10 @@ import re
|
||||||
#
|
#
|
||||||
def get_zookeeper_key():
|
def get_zookeeper_key():
|
||||||
# Get the interface from environment (passed by dnsmasq)
|
# Get the interface from environment (passed by dnsmasq)
|
||||||
|
try:
|
||||||
interface = os.environ['DNSMASQ_INTERFACE']
|
interface = os.environ['DNSMASQ_INTERFACE']
|
||||||
|
except:
|
||||||
|
exit(1)
|
||||||
# Get the ID of the interface (the digits)
|
# Get the ID of the interface (the digits)
|
||||||
network_vni = re.findall('\d+', interface)[0]
|
network_vni = re.findall('\d+', interface)[0]
|
||||||
# Create the key
|
# Create the key
|
||||||
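Review bot: The new `except:` around `os.environ['DNSMASQ_INTERFACE']` is a bare except, so it also swallows `SystemExit` and `KeyboardInterrupt`, while the only error that lookup can raise is `KeyError`; it should read `except KeyError:`. `exit(1)` is the helper the `site` module adds for interactive use and leaves no diagnostic; `raise SystemExit('DNSMASQ_INTERFACE not set')` prints the reason to stderr and exits with status 1 without needing an import. The unchanged `re.findall('\d+', interface)[0]` that follows still raises `IndexError` when the interface name has no digits, which the new guard does not cover. `get_zookeeper_key` continues past the end of the hunk.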
|
|