Do not drop in case of accept

metal-stack · Jan 22, 2024 · 99b8a18 · 99b8a18
1 parent 442cb28
commit 99b8a18
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 9 deletions.
diff --git a/pkg/netconf/testdata/nftrules b/pkg/netconf/testdata/nftrules
@@ -22,7 +22,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy drop;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/testdata/nftrules_accept_forwarding b/pkg/netconf/testdata/nftrules_accept_forwarding
@@ -22,7 +22,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy accept;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/testdata/nftrules_dmz b/pkg/netconf/testdata/nftrules_dmz
@@ -25,7 +25,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy drop;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/testdata/nftrules_dmz_app b/pkg/netconf/testdata/nftrules_dmz_app
@@ -25,7 +25,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy drop;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/testdata/nftrules_ipv6 b/pkg/netconf/testdata/nftrules_ipv6
@@ -25,7 +25,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy drop;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/testdata/nftrules_shared b/pkg/netconf/testdata/nftrules_shared
@@ -25,7 +25,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy drop;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/testdata/nftrules_vpn b/pkg/netconf/testdata/nftrules_vpn
@@ -22,7 +22,8 @@ table inet metal {
     chain forward {
         type filter hook forward priority 0; policy drop;
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
     }
     chain output {
         type filter hook output priority 0; policy accept;

diff --git a/pkg/netconf/tpl/nftrules.tpl b/pkg/netconf/tpl/nftrules.tpl
@@ -29,9 +29,12 @@ table inet metal {
         counter jump refuse
     }
     chain forward {
-        type filter hook forward priority 0; policy {{.ForwardPolicy}};
+        type filter hook forward priority 0; policy {{ .ForwardPolicy }};
         ct state invalid counter drop comment "drop invalid packets from forwarding to prevent malicious activity"
-        counter jump refuse
+        tcp dport bgp ct state new counter jump refuse comment "block bgp forward to machines"
+        {{ if eq .ForwardPolicy "drop" -}}
+        limit rate 2/minute counter log prefix "nftables-metal-dropped: "
+        {{- end }}
     }
     chain output {
         type filter hook output priority 0; policy accept;