Support IPv6

metal-stack · Jul 13, 2024 · a03372d · a03372d
1 parent 253b4d8
commit a03372d
Show file tree

Hide file tree

Showing 11 changed files with 50 additions and 19 deletions.
diff --git a/pkg/netconf/nftables.go b/pkg/netconf/nftables.go
@@ -38,6 +38,11 @@ type (
  VPN bool
  ForwardPolicy string
  FirewallRules FirewallRules
+ Input Input
+ }
+
+ Input struct {
+ InInterfaces []string
  }
 
  FirewallRules struct {
@@ -84,6 +89,7 @@ func newNftablesConfigApplier(c config, validator net.Validator, enableDNSProxy
  SNAT: getSNAT(c, enableDNSProxy),
  ForwardPolicy: string(forwardPolicy),
  FirewallRules: getFirewallRules(c),
+ Input: getInput(c),
  }
 
  if enableDNSProxy {
@@ -105,6 +111,15 @@ func isDMZNetwork(n *models.V1MachineNetwork) bool {
  return *n.Networktype == mn.PrivateSecondaryShared && containsDefaultRoute(n.Destinationprefixes)
 }
 
+func getInput(c config) Input {
+ input := Input{}
+ networks := c.GetNetworks(mn.PrivatePrimaryUnshared, mn.PrivatePrimaryShared, mn.PrivateSecondaryShared)
+ for _, n := range networks {
+ input.InInterfaces = append(input.InInterfaces, fmt.Sprintf("vrf%d", *n.Vrf))
+ }
+ return input
+}
+
 func getSNAT(c config, enableDNSProxy bool) []SNAT {
  var result []SNAT
 
@@ -116,6 +131,7 @@ func getSNAT(c config, enableDNSProxy bool) []SNAT {
  if isDMZNetwork(n) {
  privatePfx = append(privatePfx, n.Prefixes...)
  }
+
  }
 
  var (

diff --git a/pkg/netconf/testdata/nftrules b/pkg/netconf/testdata/nftrules
@@ -13,8 +13,10 @@ table inet metal {
  ct state established,related counter accept comment "stateful input"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_accept_forwarding b/pkg/netconf/testdata/nftrules_accept_forwarding
@@ -13,8 +13,10 @@ table inet metal {
  ct state established,related counter accept comment "stateful input"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_dmz b/pkg/netconf/testdata/nftrules_dmz
@@ -16,8 +16,10 @@ table inet metal {
  ip saddr 10.0.0.0/8 udp dport domain ip daddr 185.1.2.3 accept comment "dnat to dns proxy"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3983" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3983" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_dmz_app b/pkg/netconf/testdata/nftrules_dmz_app
@@ -16,8 +16,10 @@ table inet metal {
  ip saddr 10.0.0.0/8 udp dport domain ip daddr 10.0.20.2 accept comment "dnat to dns proxy"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3983" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3983" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_ipv6 b/pkg/netconf/testdata/nftrules_ipv6
@@ -16,8 +16,10 @@ table inet metal {
  ip saddr 10.0.0.0/8 udp dport domain ip6 daddr 2a02:c00:20::1 accept comment "dnat to dns proxy"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_shared b/pkg/netconf/testdata/nftrules_shared
@@ -16,8 +16,8 @@ table inet metal {
  ip saddr 10.0.0.0/8 udp dport domain ip daddr 185.1.2.3 accept comment "dnat to dns proxy"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_vpn b/pkg/netconf/testdata/nftrules_vpn
@@ -13,8 +13,10 @@ table inet metal {
  ct state established,related counter accept comment "stateful input"
 
  iifname "tailscale*" accept comment "Accept tailscale traffic"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/testdata/nftrules_with_rules b/pkg/netconf/testdata/nftrules_with_rules
@@ -13,8 +13,10 @@ table inet metal {
  ct state established,related counter accept comment "stateful input"
 
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/pkg/netconf/tpl/nftrules.tpl b/pkg/netconf/tpl/nftrules.tpl
@@ -22,8 +22,10 @@ table inet metal {
  {{- else -}}
  tcp dport ssh ct state new counter accept comment "SSH incoming connections"
  {{- end }}
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ {{- range .Input.InInterfaces }}
+ iifname "{{ . }}" tcp dport 9100 counter accept comment "node metrics"
+ iifname "{{ . }}" tcp dport 9630 counter accept comment "nftables metrics"
+ {{- end }}
 
  ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
  counter jump refuse

diff --git a/validate.sh b/validate.sh
@@ -15,5 +15,4 @@ validate () {
 }
 
 validate "ubuntu" "24.04" "frr-10"
-validate "debian" "12" "frr-8"
 validate "debian" "12" "frr-10"