diff --git a/pkg/netconf/nftables.go b/pkg/netconf/nftables.go
index 9f289b4..964240b 100644
--- a/pkg/netconf/nftables.go
+++ b/pkg/netconf/nftables.go
@@ -38,6 +38,11 @@ type (
 VPN bool
 ForwardPolicy string
 FirewallRules FirewallRules
+ Input Input
+ }
+
+ Input struct {
+ InInterfaces []string
 }
 FirewallRules struct {
@@ -84,6 +89,7 @@ func newNftablesConfigApplier(c config, validator net.Validator, enableDNSProxy
 SNAT: getSNAT(c, enableDNSProxy),
 ForwardPolicy: string(forwardPolicy),
 FirewallRules: getFirewallRules(c),
+ Input: getInput(c),
 }
 if enableDNSProxy {
@@ -105,6 +111,15 @@ func isDMZNetwork(n *models.V1MachineNetwork) bool {
 return *n.Networktype == mn.PrivateSecondaryShared && containsDefaultRoute(n.Destinationprefixes)
 }
+func getInput(c config) Input {
+ input := Input{}
+ networks := c.GetNetworks(mn.PrivatePrimaryUnshared, mn.PrivatePrimaryShared, mn.PrivateSecondaryShared)
+ for _, n := range networks {
+ input.InInterfaces = append(input.InInterfaces, fmt.Sprintf("vrf%d", *n.Vrf))
+ }
+ return input
+}
+
 func getSNAT(c config, enableDNSProxy bool) []SNAT {
 var result []SNAT
@@ -116,6 +131,7 @@ func getSNAT(c config, enableDNSProxy bool) []SNAT {
 if isDMZNetwork(n) {
 privatePfx = append(privatePfx, n.Prefixes...)
 }
+ }
 var (
diff --git a/pkg/netconf/testdata/nftrules b/pkg/netconf/testdata/nftrules
index f222441..9c9fc40 100644
--- a/pkg/netconf/testdata/nftrules
+++ b/pkg/netconf/testdata/nftrules
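Review bot: `getInput` dereferences `*n.Vrf` for every network returned by `c.GetNetworks(...)` without a nil check, so a network record that carries no VRF would panic the applier while it builds the ruleset instead of yielding a ruleset without that interface; guard the loop body with `if n.Vrf == nil { continue }` (or return an error if the caller can surface one). Two networks that share a VRF would also render duplicate `iifname` rules, and the rule order follows whatever order `GetNetworks` returns, so sorting and de-duplicating `input.InInterfaces` (e.g. `sort.Strings` followed by `slices.Compact`, if the module's Go version has it) keeps the rendered ruleset deterministic, which matters if it is diffed against the live one to decide on a reload. A doc comment such as `// getInput lists the VRF interfaces of the private networks from which the metrics ports are accepted in the input chain.` would also record why only the three private network types are selected.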
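Review bot: The only change in the `getSNAT` hunk is one added line that this rendering shows as `}` right after the inner `if` block's closing brace, with no matching opener or removed brace in view; if it really is a brace the function would no longer compile, so it is more likely a blank line that the rendering has fused with the following context `}` — worth confirming the hunk is `gofmt`-clean before merging. The enclosing range loop starts and `getSNAT` continues outside the hunk.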
@@ -13,8 +13,10 @@ table inet metal {
 ct state established,related counter accept comment "stateful input"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_accept_forwarding b/pkg/netconf/testdata/nftrules_accept_forwarding
index e297a7d..bdbd8da 100644
--- a/pkg/netconf/testdata/nftrules_accept_forwarding
+++ b/pkg/netconf/testdata/nftrules_accept_forwarding
@@ -13,8 +13,10 @@ table inet metal {
 ct state established,related counter accept comment "stateful input"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_dmz b/pkg/netconf/testdata/nftrules_dmz
index 14b9dae..a609824 100644
--- a/pkg/netconf/testdata/nftrules_dmz
+++ b/pkg/netconf/testdata/nftrules_dmz
@@ -16,8 +16,10 @@ table inet metal {
 ip saddr 10.0.0.0/8 udp dport domain ip daddr 185.1.2.3 accept comment "dnat to dns proxy"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3983" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3983" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_dmz_app b/pkg/netconf/testdata/nftrules_dmz_app
index f26536d..83bee38 100644
--- a/pkg/netconf/testdata/nftrules_dmz_app
+++ b/pkg/netconf/testdata/nftrules_dmz_app
@@ -16,8 +16,10 @@ table inet metal {
 ip saddr 10.0.0.0/8 udp dport domain ip daddr 10.0.20.2 accept comment "dnat to dns proxy"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3983" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3983" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_ipv6 b/pkg/netconf/testdata/nftrules_ipv6
index 45fd8c0..7f1bf79 100644
--- a/pkg/netconf/testdata/nftrules_ipv6
+++ b/pkg/netconf/testdata/nftrules_ipv6
@@ -16,8 +16,10 @@ table inet metal {
 ip saddr 10.0.0.0/8 udp dport domain ip6 daddr 2a02:c00:20::1 accept comment "dnat to dns proxy"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_shared b/pkg/netconf/testdata/nftrules_shared
index 7331874..ff571e6 100644
--- a/pkg/netconf/testdata/nftrules_shared
+++ b/pkg/netconf/testdata/nftrules_shared
@@ -16,8 +16,8 @@ table inet metal {
 ip saddr 10.0.0.0/8 udp dport domain ip daddr 185.1.2.3 accept comment "dnat to dns proxy"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_vpn b/pkg/netconf/testdata/nftrules_vpn
index 8d3422d..55c5d06 100644
--- a/pkg/netconf/testdata/nftrules_vpn
+++ b/pkg/netconf/testdata/nftrules_vpn
@@ -13,8 +13,10 @@ table inet metal {
 ct state established,related counter accept comment "stateful input"
 iifname "tailscale*" accept comment "Accept tailscale traffic"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/testdata/nftrules_with_rules b/pkg/netconf/testdata/nftrules_with_rules
index 5d5cd75..be23005 100644
--- a/pkg/netconf/testdata/nftrules_with_rules
+++ b/pkg/netconf/testdata/nftrules_with_rules
@@ -13,8 +13,10 @@ table inet metal {
 ct state established,related counter accept comment "stateful input"
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3981" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3981" tcp dport 9630 counter accept comment "nftables metrics"
+ iifname "vrf3982" tcp dport 9100 counter accept comment "node metrics"
+ iifname "vrf3982" tcp dport 9630 counter accept comment "nftables metrics"
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/pkg/netconf/tpl/nftrules.tpl b/pkg/netconf/tpl/nftrules.tpl
index b32939a..03d9b9f 100644
--- a/pkg/netconf/tpl/nftrules.tpl
+++ b/pkg/netconf/tpl/nftrules.tpl
@@ -22,8 +22,10 @@ table inet metal {
 {{- else -}}
 tcp dport ssh ct state new counter accept comment "SSH incoming connections"
 {{- end }}
- ip saddr 10.0.0.0/8 tcp dport 9100 counter accept comment "node metrics"
- ip saddr 10.0.0.0/8 tcp dport 9630 counter accept comment "nftables metrics"
+ {{- range .Input.InInterfaces }}
+ iifname "{{ . }}" tcp dport 9100 counter accept comment "node metrics"
+ iifname "{{ . }}" tcp dport 9630 counter accept comment "nftables metrics"
+ {{- end }}
 ct state invalid counter drop comment "drop invalid packets to prevent malicious activity"
 counter jump refuse
diff --git a/validate.sh b/validate.sh
index ac4425c..9491f50 100755
--- a/validate.sh
+++ b/validate.sh
@@ -15,5 +15,4 @@ validate () {
 }
 validate "ubuntu" "24.04" "frr-10"
-validate "debian" "12" "frr-8"
 validate "debian" "12" "frr-10"
\ No newline at end of file
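Review bot: When `.Input.InInterfaces` is empty the `range` emits no metrics rule at all, so on a machine without a private network ports 9100 and 9630 fall through to the trailing `counter jump refuse`; that is the safe default, but it is an easy-to-miss change from the old rule that accepted any 10.0.0.0/8 source, and a comment above the range, `{{- /* metrics scraping is accepted only from the private VRF interfaces; no rule is rendered when there are none */ -}}`, would document it. Keying the accept on `iifname` instead of a source prefix is the stronger check, since the ingress interface is determined by the kernel rather than by anything the peer puts in the packet. The interpolated value is built from an integer VRF id in `getInput`, so it cannot break out of the quoted string.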