Allow ipv6 firewall rules (#112)

metal-stack · Aug 6, 2024 · 352de63 · 352de63
1 parent f3fbfba
commit 352de63
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 10 deletions.
diff --git a/pkg/netconf/nftables.go b/pkg/netconf/nftables.go
@@ -221,9 +221,15 @@ func getFirewallRules(c config) FirewallRules {
 		return FirewallRules{}
 	}
 	var (
-		egressRules  = []string{"# egress rules specified during firewall creation"}
-		ingressRules = []string{"# ingress rules specified during firewall creation"}
+		egressRules           = []string{"# egress rules specified during firewall creation"}
+		ingressRules          = []string{"# ingress rules specified during firewall creation"}
+		inputInterfaces       = getInput(c)
+		quotedInputInterfaces []string
 	)
+	for _, i := range inputInterfaces.InInterfaces {
+		quotedInputInterfaces = append(quotedInputInterfaces, "\""+i+"\"")
+	}
+
 	for _, r := range c.FirewallRules.Egress {
 		ports := make([]string, len(r.Ports))
 		for i, v := range r.Ports {
@@ -234,9 +240,8 @@ func getFirewallRules(c config) FirewallRules {
 			if err != nil {
 				continue
 			}
-			// We could potentially also take private primary network interface as iifname instead if saddr
 			egressRules = append(egressRules,
-				fmt.Sprintf("ip saddr { 10.0.0.0/8 } %s daddr %s %s dport { %s } counter accept comment %q", af, daddr, strings.ToLower(r.Protocol), strings.Join(ports, ","), r.Comment))
+				fmt.Sprintf("iifname { %s } %s daddr %s %s dport { %s } counter accept comment %q", strings.Join(quotedInputInterfaces, ","), af, daddr, strings.ToLower(r.Protocol), strings.Join(ports, ","), r.Comment))
 		}
 	}
 

diff --git a/pkg/netconf/testdata/firewall_with_rules.yaml b/pkg/netconf/testdata/firewall_with_rules.yaml
@@ -198,7 +198,7 @@ firewall_rules:
       to:
         - "100.1.2.3/32"
         - "100.1.2.4/32"
-      comment: "allow incomming ssh"
+      comment: "allow incoming ssh"
     - protocol: TCP
       ports: [80,443,8080]
       from:

diff --git a/pkg/netconf/testdata/nftrules_with_rules b/pkg/netconf/testdata/nftrules_with_rules
@@ -27,12 +27,12 @@ table inet metal {
         ct state established,related counter accept comment "stateful forward"
         tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
         # egress rules specified during firewall creation
-        ip saddr { 10.0.0.0/8 } ip daddr 0.0.0.0/0 tcp dport { 443 } counter accept comment "allow apt update"
-        ip saddr { 10.0.0.0/8 } ip daddr 1.2.3.4/32 tcp dport { 443 } counter accept comment "allow apt update"
-        ip saddr { 10.0.0.0/8 } ip6 daddr ::/0 tcp dport { 443 } counter accept comment "allow apt update v6"
+        iifname { "vrf3981","vrf3982" } ip daddr 0.0.0.0/0 tcp dport { 443 } counter accept comment "allow apt update"
+        iifname { "vrf3981","vrf3982" } ip daddr 1.2.3.4/32 tcp dport { 443 } counter accept comment "allow apt update"
+        iifname { "vrf3981","vrf3982" } ip6 daddr ::/0 tcp dport { 443 } counter accept comment "allow apt update v6"
         # ingress rules specified during firewall creation
-        ip daddr { 100.1.2.3/32, 100.1.2.4/32 } ip saddr 2.3.4.0/24 tcp dport { 22 } counter accept comment "allow incomming ssh"
-        ip daddr { 100.1.2.3/32, 100.1.2.4/32 } ip saddr 192.168.1.0/16 tcp dport { 22 } counter accept comment "allow incomming ssh"
+        ip daddr { 100.1.2.3/32, 100.1.2.4/32 } ip saddr 2.3.4.0/24 tcp dport { 22 } counter accept comment "allow incoming ssh"
+        ip daddr { 100.1.2.3/32, 100.1.2.4/32 } ip saddr 192.168.1.0/16 tcp dport { 22 } counter accept comment "allow incoming ssh"
         oifname { "vrf3981", "vni3981", "vlan3981" } ip saddr 1.2.3.0/24 tcp dport { 80,443,8080 } counter accept comment ""
         oifname { "vrf3981", "vni3981", "vlan3981" } ip saddr 192.168.0.0/16 tcp dport { 80,443,8080 } counter accept comment ""
         limit rate 2/minute counter log prefix "nftables-metal-dropped: "