

Merge pull request #1059 from Luap99/tcp
nftables/iptables: add dns rule for tcp as well
openshift-merge-bot[bot] authored Aug 16, 2024
2 parents 9259511 + 23ac90f commit 8405241
Showing 4 changed files with 60 additions and 27 deletions.
26 changes: 24 additions & 2 deletions src/firewall/nft.rs
Expand Up @@ -379,10 +379,22 @@ impl firewall::FirewallDriver for Nftables {
INPUTCHAIN,
vec![
get_subnet_match(&subnet, "saddr", stmt::Operator::EQ),
stmt::Statement::Match(stmt::Match {
left: expr::Expression::Named(expr::NamedExpression::Meta(
expr::Meta {
key: expr::MetaKey::L4proto,
},
)),
right: expr::Expression::Named(expr::NamedExpression::Set(vec![
expr::SetItem::Element(expr::Expression::String("udp".to_string())),
expr::SetItem::Element(expr::Expression::String("tcp".to_string())),
])),
op: stmt::Operator::EQ,
}),
stmt::Statement::Match(stmt::Match {
left: expr::Expression::Named(expr::NamedExpression::Payload(
expr::Payload::PayloadField(expr::PayloadField {
protocol: "udp".to_string(),
protocol: "th".to_string(),
field: "dport".to_string(),
}),
)),
Expand Down Expand Up @@ -1125,10 +1137,20 @@ fn make_dns_dnat_rule(dns_ip: &IpAddr, dns_port: u16) -> schema::NfListObject {
DNATCHAIN,
vec![
get_ip_match(dns_ip, "daddr", stmt::Operator::EQ),
stmt::Statement::Match(stmt::Match {
left: expr::Expression::Named(expr::NamedExpression::Meta(expr::Meta {
key: expr::MetaKey::L4proto,
})),
right: expr::Expression::Named(expr::NamedExpression::Set(vec![
expr::SetItem::Element(expr::Expression::String("udp".to_string())),
expr::SetItem::Element(expr::Expression::String("tcp".to_string())),
])),
op: stmt::Operator::EQ,
}),
stmt::Statement::Match(stmt::Match {
left: expr::Expression::Named(expr::NamedExpression::Payload(
expr::Payload::PayloadField(expr::PayloadField {
protocol: "udp".to_string(),
protocol: "th".to_string(),
field: "dport".to_string(),
}),
)),
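Review bot: The INPUT accept rule in the first hunk keys only on the source subnet, the l4proto set and `th dport`; there is no `daddr` match for the gateway address, so widening it to TCP now accepts TCP to dns_port on any host address reachable from the container subnet, not only the aardvark-dns listener (the expected rule text in the bats test, `ip saddr 10.89.3.0/24 meta l4proto { tcp, udp } th dport 53 accept`, shows the same shape). If the gateway address is available in this function, adding `get_ip_match(&gateway, "daddr", stmt::Operator::EQ)` beside the saddr match would keep the widened rule scoped to the DNS listener; if host-wide acceptance is intended, a comment saying so would help. The l4proto set match is built twice identically (here and in make_dns_dnat_rule), so a small helper such as `fn get_l4proto_match(protos: &[&str]) -> stmt::Statement` would keep the two in sync. Both enclosing functions start and end outside their hunks.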
32 changes: 18 additions & 14 deletions src/firewall/varktables/types.rs
Expand Up @@ -373,13 +373,15 @@ pub fn get_network_chains<'a>(

// Always add ACCEPT rules in firewall for dns traffic from containers
// to gateway when using bridge network with internal dns.
netavark_input_chain.build_rule(VarkRule::new(
format!(
"-p {} -s {} --dport {} -j {}",
"udp", network, dns_port, ACCEPT
),
Some(TeardownPolicy::OnComplete),
));
for proto in ["udp", "tcp"] {
netavark_input_chain.build_rule(VarkRule::new(
format!(
"-p {} -s {} --dport {} -j {}",
proto, network, dns_port, ACCEPT
),
Some(TeardownPolicy::OnComplete),
));
}
chains.push(netavark_input_chain);

// Drop all invalid packages, due a race the container source ip could be leaked on the local
Expand Down Expand Up @@ -522,13 +524,15 @@ pub fn get_port_forwarding_chains<'a>(
ip_value = format!("[{ip_value}]")
}
netavark_hostport_dn_chain.create = true;
netavark_hostport_dn_chain.build_rule(VarkRule::new(
format!(
"-j {} -d {} -p {} --dport {} --to-destination {}:{}",
DNAT, dns_ip, "udp", 53, ip_value, pfwd.dns_port
),
Some(TeardownPolicy::OnComplete),
));
for proto in ["udp", "tcp"] {
netavark_hostport_dn_chain.build_rule(VarkRule::new(
format!(
"-j {} -d {} -p {} --dport {} --to-destination {}:{}",
DNAT, dns_ip, proto, 53, ip_value, pfwd.dns_port
),
Some(TeardownPolicy::OnComplete),
));
}
}
}

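Review bot: The protocol list `["udp", "tcp"]` is now spelled out in both get_network_chains and get_port_forwarding_chains with no shared definition, and neither hunk says why TCP is needed; a crate-level `const DNS_PROTOCOLS: [&str; 2] = ["udp", "tcp"];` used by both loops, together with a comment on the INPUT rule such as `// DNS clients retry over TCP when a UDP answer is truncated (TC bit), so accept both protocols`, would record the intent and keep the two call sites consistent. The array order also fixes the order in which the rules are emitted, which the bats tests assert by line index, so that dependency is worth stating next to the constant. Both enclosing functions start and end outside their hunks.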
16 changes: 11 additions & 5 deletions test/100-bridge-iptables.bats
Expand Up @@ -250,12 +250,16 @@ fw_driver=iptables
}

@test "$fw_driver - bridge driver must generate config for aardvark with custom dns server" {
# get a random port directly to avoid low ports e.g. 53 would not create iptables
dns_port=$((RANDOM+10000))

NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \
run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \
setup $(get_container_netns_path)

run_in_host_netns iptables -S NETAVARK_INPUT
assert "${lines[1]}" == "-A NETAVARK_INPUT -s 10.89.3.0/24 -p udp -m udp --dport 53 -j ACCEPT" "ipv4 dns udp accept rule"
assert "${lines[2]}" == "-A NETAVARK_INPUT -s 10.89.3.0/24 -p tcp -m tcp --dport 53 -j ACCEPT" "ipv4 dns tcp accept rule"
run_in_host_netns ip6tables -S NETAVARK_INPUT
assert "${lines[1]}" == "-A NETAVARK_INPUT -s fd10:88:a::/64 -p udp -m udp --dport 53 -j ACCEPT" "ipv6 dns udp accept rule"
assert "${lines[2]}" == "-A NETAVARK_INPUT -s fd10:88:a::/64 -p tcp -m tcp --dport 53 -j ACCEPT" "ipv6 dns tcp accept rule"

# check aardvark config and running
run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
assert "${lines[0]}" =~ "10.89.3.1,fd10:88:a::1" "aardvark set to listen to all IPs"
Expand All @@ -265,7 +269,7 @@ fw_driver=iptables
aardvark_pid=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid")
assert "$ardvark_pid" =~ "[0-9]*" "aardvark pid not found"
run_helper ps "$aardvark_pid"
assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p $dns_port run" "aardvark not running or bad options"
assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p 53 run" "aardvark not running or bad options"
}

@test "$fw_driver - bridge driver must generate config for aardvark with multiple custom dns server" {
Expand Down Expand Up @@ -316,8 +320,10 @@ fw_driver=iptables
# check iptables
run_in_host_netns iptables -t nat -S NETAVARK-HOSTPORT-DNAT
assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns forward rule"
assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d 10.89.3.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.89.3.1:$dns_port" "ipv4 dns tcp forward rule"
run_in_host_netns ip6tables -t nat -S NETAVARK-HOSTPORT-DNAT
assert "${lines[1]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p udp -m udp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns forward rule"
assert "${lines[2]}" == "-A NETAVARK-HOSTPORT-DNAT -d fd10:88:a::1/128 -p tcp -m tcp --dport 53 -j DNAT --to-destination [fd10:88:a::1]:$dns_port" "ipv6 dns tcp forward rule"

# check aardvark config and running
run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
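Review bot: The removed comment explained why this test used a random high port; now that it runs on the default port 53, nothing says that the test deliberately exercises the always-created INPUT ACCEPT rules rather than the DNAT path (which, per the removed comment, is presumably not generated for port 53), so a one-line comment such as `# default port 53: only the INPUT ACCEPT rules are expected here; DNAT rules are covered by the custom-port test below` would keep that intent visible. The `${lines[1]}`/`${lines[2]}` assertions also rely on the udp rule being emitted before the tcp rule, which is only guaranteed by the loop order in types.rs; a note to that effect would save a confused debugging session if that order ever changes.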
13 changes: 7 additions & 6 deletions test/250-bridge-nftables.bats
Expand Up @@ -240,12 +240,13 @@ export NETAVARK_FW=nftables
}

@test "$fw_driver - bridge driver must generate config for aardvark with custom dns server" {
# get a random port directly to avoid low ports e.g. 53 would not create nftables rules
dns_port=$((RANDOM+10000))

NETAVARK_DNS_PORT="$dns_port" run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \
run_netavark --file ${TESTSDIR}/testfiles/dualstack-bridge-custom-dns-server.json \
setup $(get_container_netns_path)

# check nftables
run_in_host_netns nft list chain inet netavark INPUT
assert "${lines[3]}" =~ "ip saddr 10.89.3.0/24 meta l4proto \{ tcp, udp \} th dport 53 accept" "DNS accept rule"

# check aardvark config and running
run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
assert "${lines[0]}" =~ "10.89.3.1,fd10:88:a::1" "aardvark set to listen to all IPs"
Expand All @@ -255,7 +256,7 @@ export NETAVARK_FW=nftables
aardvark_pid=$(cat "$NETAVARK_TMPDIR/config/aardvark-dns/aardvark.pid")
assert "$ardvark_pid" =~ "[0-9]*" "aardvark pid not found"
run_helper ps "$aardvark_pid"
assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p $dns_port run" "aardvark not running or bad options"
assert "${lines[1]}" =~ ".*aardvark-dns --config $NETAVARK_TMPDIR/config/aardvark-dns -p 53 run" "aardvark not running or bad options"
}

@test "$fw_driver - bridge driver must generate config for aardvark with multiple custom dns server" {
Expand Down Expand Up @@ -305,7 +306,7 @@ export NETAVARK_FW=nftables

# check nftables
run_in_host_netns nft list chain inet netavark NETAVARK-HOSTPORT-DNAT
assert "${lines[2]}" =~ "ip daddr 10.89.3.1 udp dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule"
assert "${lines[2]}" =~ "ip daddr 10.89.3.1 meta l4proto \{ tcp, udp \} th dport 53 dnat ip to 10.89.3.1:$dns_port" "DNS forward rule"

# check aardvark config and running
run_helper cat "$NETAVARK_TMPDIR/config/aardvark-dns/podman1"
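Review bot: The new INPUT assertion at `${lines[3]}` and the DNAT assertion at `${lines[2]}` only check the IPv4 rules, whereas the iptables test in this commit asserts the ip6tables rules as well; the IPv6 counterparts (presumably the following lines, e.g. `ip6 saddr fd10:88:a::/64 meta l4proto { tcp, udp } th dport 53 accept` and `ip6 daddr fd10:88:a::1 meta l4proto { tcp, udp } th dport 53 dnat ip6 to [fd10:88:a::1]:$dns_port`) are not asserted, so a regression in the IPv6 path of nft.rs would pass this file. The expected set text `{ tcp, udp }` is also the reverse of the order nft.rs builds it in (udp, tcp), so the assertion relies on nft's own printing order; a short comment noting that would spare the next reader a detour.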
