removed enableIDS flag

api/v1/firewall_types.go

@@ -81,8 +81,8 @@ type Data struct {
 	EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
 	// FirewallNetworks holds the networks known at the metal-api for this firewall machine
 	FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`
-	// DisableSuricataIDS specifies if we need to enable IDS on the firewall machine
-	DisableSuricataIDS bool `json:"disableSuricataIDS,omitempty"`
+	// EnableIDS specifies if we need to enable IDS on the firewall machine
+	EnableIDS bool `json:"enableIDS,omitempty"`
 }
 
 // FirewallStatus defines the observed state of Firewall

config/crd/bases/metal-stack.io_firewalls.yaml

@@ -53,10 +53,6 @@ spec:
                 description: ControllerVersion holds the firewall-controller version
                   to reconcile.
                 type: string
-              disableSuricataIDS:
-                description: DisableSuricataIDS specifies if we need to enable IDS
-                  on the firewall machine
-                type: boolean
               dryrun:
                 description: DryRun if set to true, firewall rules are not applied
                 type: boolean
@@ -76,6 +72,10 @@ spec:
                   - networkid
                   type: object
                 type: array
+              enableIDS:
+                description: EnableIDS specifies if we need to enable IDS on the firewall
+                  machine
+                type: boolean
               firewallNetworks:
                 description: FirewallNetworks holds the networks known at the metal-api
                   for this firewall machine

controllers/firewall_controller.go

@@ -143,7 +143,7 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 	}
 
 	log.Info("reconciling suricata config")
-	if err := r.Suricata.ReconcileSuricata(kb, !f.Spec.DisableSuricataIDS); err != nil {
+	if err := r.Suricata.ReconcileSuricata(kb, f.Spec.EnableIDS); err != nil {
 		errors = multierror.Append(errors, err)
 	}
 
@@ -426,7 +426,7 @@ func (r *FirewallReconciler) updateStatus(ctx context.Context, f firewallv1.Fire
 	f.Status.FirewallStats.DeviceStats = deviceStats
 
 	idsStats := firewallv1.IDSStatsByDevice{}
-	if r.Suricata.EnableIDS {
+	if f.Spec.EnableIDS {
 		ss, err := r.Suricata.InterfaceStats()
 		if err != nil {
 			return err

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/mdlayher/netlink v1.1.1 // indirect
 	github.com/metal-stack/metal-go v0.14.0
 	github.com/metal-stack/metal-lib v0.7.2
-	github.com/metal-stack/metal-networker v0.6.4
+	github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a
 	github.com/metal-stack/v v1.0.3
 	github.com/txn2/txeh v1.3.0
 	github.com/vishvananda/netlink v1.1.0

go.sum

@@ -543,8 +543,8 @@ github.com/metal-stack/metal-go v0.14.0/go.mod h1:fk411K2KQ6sitmlG21YfbRfBzNaJGL
 github.com/metal-stack/metal-lib v0.6.9/go.mod h1:r8qhfX72eAzClR/pEaQvdwM//Otx9gegYoOphLPmmQ4=
 github.com/metal-stack/metal-lib v0.7.2 h1:vXuQnpoXJV4otCwLyB74MiiokaidAoAcNnivkG9/UTI=
 github.com/metal-stack/metal-lib v0.7.2/go.mod h1:eDBJ88yC8jUk+bAJXpF1Upw6j3lbbgv3UIF0D+llMec=
-github.com/metal-stack/metal-networker v0.6.4 h1:RygBG0/xji9Qzg0/th2DSpkoCjGNznzrbfT0i6uWAlo=
-github.com/metal-stack/metal-networker v0.6.4/go.mod h1:IjlXMdBetE2i81VogBSSQKJFjwrskV6+6drPN/VPJqY=
+github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a h1:vfnMxRFa+9gcdgCfUKIhdu5WfuXiwJ4oZi2XQRrV5rE=
+github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a/go.mod h1:IjlXMdBetE2i81VogBSSQKJFjwrskV6+6drPN/VPJqY=
 github.com/metal-stack/security v0.4.0/go.mod h1:C7kSrHwRcG+47375RJjhakN1LenbEJF9uQd4I50nZlY=
 github.com/metal-stack/security v0.5.1/go.mod h1:t7P93F6/iSDR729OS/3x5t69ewBCsHUYqRVaHb5nxjc=
 github.com/metal-stack/security v0.5.3/go.mod h1:t7P93F6/iSDR729OS/3x5t69ewBCsHUYqRVaHb5nxjc=

main.go

@@ -24,20 +24,20 @@ import (
 	"os"
 	"time"
 
-	"github.com/metal-stack/firewall-controller/pkg/suricata"
-
 	"github.com/metal-stack/metal-lib/pkg/sign"
 	"github.com/metal-stack/v"
+
+	"github.com/metal-stack/firewall-controller/controllers"
+	"github.com/metal-stack/firewall-controller/controllers/crd"
+	"github.com/metal-stack/firewall-controller/pkg/suricata"
+
 	apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 	"k8s.io/apimachinery/pkg/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/log/zap"
 
-	"github.com/metal-stack/firewall-controller/controllers"
-	"github.com/metal-stack/firewall-controller/controllers/crd"
-
 	firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
 	// +kubebuilder:scaffold:imports
 )
@@ -63,18 +63,23 @@ func main() {
 	var (
 		metricsAddr          string
 		enableLeaderElection bool
-		enableIDS            bool
 		enableSignatureCheck bool
 		hostsFile            string
 	)
-	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
-	flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
+
+	fs := flag.NewFlagSet("", flag.ContinueOnError)
+	fs.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	fs.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
-	flag.BoolVar(&enableIDS, "enable-IDS", true, "Set this to false to exclude IDS.")
-	flag.StringVar(&hostsFile, "hosts-file", "/etc/hosts", "The hosts file to manipulate for the droptailer.")
-	flag.BoolVar(&enableSignatureCheck, "enable-signature-check", true, "Set this to false to ignore signature checking.")
-	flag.Parse()
+	fs.StringVar(&hostsFile,
+		"hosts-file", "/etc/hosts", "The hosts file to manipulate for the droptailer.")
+	fs.BoolVar(&enableSignatureCheck,
+		"enable-signature-check", true, "Set this to false to ignore signature checking.")
+	if err := fs.Parse(os.Args[1:]); err != nil {
+		// Log error but continue program execution
+		setupLog.Error(err, "error parsing flags")
+	}
 
 	ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
 
@@ -161,7 +166,7 @@ func main() {
 		Client:               mgr.GetClient(),
 		Log:                  ctrl.Log.WithName("controllers").WithName("Firewall"),
 		Scheme:               mgr.GetScheme(),
-		Suricata:             suricata.New(enableIDS),
+		Suricata:             suricata.New(),
 		EnableSignatureCheck: enableSignatureCheck,
 		CAPubKey:             caPubKey,
 	}).SetupWithManager(mgr); err != nil {

pkg/suricata/suricata.go

@@ -20,7 +20,7 @@ const (
 
 type Suricata struct {
 	socket    string
-	EnableIDS bool
+	enableIDS bool
 }
 
 type InterfaceStats map[string]InterFaceStat
@@ -31,10 +31,9 @@ type InterFaceStat struct {
 	Pkts             int
 }
 
-func New(enableIDS bool) *Suricata {
+func New() *Suricata {
 	return &Suricata{
-		socket:    defaultSocket,
-		EnableIDS: enableIDS,
+		socket: defaultSocket,
 	}
 }
 
@@ -66,7 +65,7 @@ func (s *Suricata) InterfaceStats() (*InterfaceStats, error) {
 }
 
 func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) error {
-	if enableIDS != s.EnableIDS {
+	if enableIDS != s.enableIDS {
 		configurator := netconf.FirewallConfigurator{
 			CommonConfigurator: netconf.CommonConfigurator{
 				Kb: kb,
@@ -78,7 +77,7 @@ func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) e
 		if err := s.restart(); err != nil {
 			return fmt.Errorf("failed to restart suricata: %w", err)
 		}
-		s.EnableIDS = enableIDS
+		s.enableIDS = enableIDS
 	}
 
 	return nil