From 8d480dea4b3fd4ecce20c1569d000cb999dd50f6 Mon Sep 17 00:00:00 2001
From: Eric Garver <eric@garver.life>
Date: Sun, 19 Jan 2020 14:37:31 -0500
Subject: [PATCH 31/37] feat: nftables: support AllowZoneDrifting=yes
|
(cherry picked from commit 517a061c5886f2ebfb4aa7d73804aa7f3c5a3004)
(cherry picked from commit 92c5926bb9e493545f8d949ba00cbf72e4c7f202)
---
src/firewall/core/nftables.py | 91 ++++++++++++++++++++---------------
1 file changed, 52 insertions(+), 39 deletions(-)
|
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index cb8521fb7a5a..c8e893b5dbf6 100644
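--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -208,8 +208,11 @@ class nftables(object):
 
 index = zone_source_index_cache[family].index(zone_source)
 else:
- index = len(zone_source_index_cache[family])
-
+ if self._fw._allow_zone_drifting:
+ index = 0
+ else:
+ index = len(zone_source_index_cache[family])
+
 _verb_snippet = rule[verb]
 del rule[verb]
 if index == 0:
@@ -506,13 +509,14 @@ class nftables(object):
 "prio": IPTABLES_TO_NFT_HOOK["raw"][chain][1]}}})
 
 for chain in ["PREROUTING"]:
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "raw_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "raw_%s" % chain,
- "expr": [{"jump": {"target": "raw_%s_ZONES" % chain}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "raw_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "raw_%s" % chain,
+ "expr": [{"jump": {"target": "raw_%s_%s" % (chain, dispatch_suffix)}}]}}})
 
 for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys():
 default_rules.append({"add": {"chain": {"family": "inet",
@@ -521,13 +525,14 @@ class nftables(object):
 "type": "filter",
 "hook": "%s" % IPTABLES_TO_NFT_HOOK["mangle"][chain][0],
 "prio": IPTABLES_TO_NFT_HOOK["mangle"][chain][1]}}})
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "mangle_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "mangle_%s" % chain,
- "expr": [{"jump": {"target": "mangle_%s_ZONES" % chain}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "mangle_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "mangle_%s" % chain,
+ "expr": [{"jump": {"target": "mangle_%s_%s" % (chain, dispatch_suffix)}}]}}})
 
 for family in ["ip", "ip6"]:
 for chain in IPTABLES_TO_NFT_HOOK["nat"].keys():
@@ -537,13 +542,15 @@ class nftables(object):
 "type": "nat",
 "hook": "%s" % IPTABLES_TO_NFT_HOOK["nat"][chain][0],
 "prio": IPTABLES_TO_NFT_HOOK["nat"][chain][1]}}})
- default_rules.append({"add": {"chain": {"family": family,
- "table": TABLE_NAME,
- "name": "nat_%s_ZONES" % chain}}})
- default_rules.append({"add": {"rule": {"family": family,
- "table": TABLE_NAME,
- "chain": "nat_%s" % chain,
- "expr": [{"jump": {"target": "nat_%s_ZONES" % chain}}]}}})
+
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": family,
+ "table": TABLE_NAME,
+ "name": "nat_%s_%s" % (chain, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": family,
+ "table": TABLE_NAME,
+ "chain": "nat_%s" % chain,
+ "expr": [{"jump": {"target": "nat_%s_%s" % (chain, dispatch_suffix)}}]}}})
 
 for chain in IPTABLES_TO_NFT_HOOK["filter"].keys():
 default_rules.append({"add": {"chain": {"family": "inet",
@@ -554,9 +561,6 @@ class nftables(object):
 "prio": IPTABLES_TO_NFT_HOOK["filter"][chain][1]}}})
 
 # filter, INPUT
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "filter_%s_ZONES" % "INPUT"}}})
 default_rules.append({"add": {"rule": {"family": "inet",
 "table": TABLE_NAME,
 "chain": "filter_%s" % "INPUT",
@@ -578,10 +582,14 @@ class nftables(object):
 "op": "==",
 "right": "lo"}},
 {"accept": None}]}}})
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_%s" % "INPUT",
- "expr": [{"jump": {"target": "filter_%s_ZONES" % "INPUT"}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "filter_%s" % "INPUT",
+ "expr": [{"jump": {"target": "filter_%s_%s" % ("INPUT", dispatch_suffix)}}]}}})
 if log_denied != "off":
 default_rules.append({"add": {"rule": {"family": "inet",
 "table": TABLE_NAME,
@@ -610,10 +618,6 @@ class nftables(object):
 "expr": [{"reject": {"type": "icmpx", "expr": "admin-prohibited"}}]}}})
 
 # filter, FORWARD
- for direction in ["IN", "OUT"]:
- default_rules.append({"add": {"chain": {"family": "inet",
- "table": TABLE_NAME,
- "name": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}})
 default_rules.append({"add": {"rule": {"family": "inet",
 "table": TABLE_NAME,
 "chain": "filter_%s" % "FORWARD",
@@ -636,10 +640,14 @@ class nftables(object):
 "right": "lo"}},
 {"accept": None}]}}})
 for direction in ["IN", "OUT"]:
- default_rules.append({"add": {"rule": {"family": "inet",
- "table": TABLE_NAME,
- "chain": "filter_%s" % "FORWARD",
- "expr": [{"jump": {"target": "filter_%s_%s_ZONES" % ("FORWARD", direction)}}]}}})
+ for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
+ default_rules.append({"add": {"chain": {"family": "inet",
+ "table": TABLE_NAME,
+ "name": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}})
+ default_rules.append({"add": {"rule": {"family": "inet",
+ "table": TABLE_NAME,
+ "chain": "filter_%s" % "FORWARD",
+ "expr": [{"jump": {"target": "filter_%s_%s_%s" % ("FORWARD", direction, dispatch_suffix)}}]}}})
 if log_denied != "off":
 default_rules.append({"add": {"rule": {"family": "inet",
 "table": TABLE_NAME,
@@ -778,12 +786,17 @@ class nftables(object):
 "OUTPUT": "daddr",
 }[chain]
 
+ if self._fw._allow_zone_drifting:
+ zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain)
+ else:
+ zone_dispatch_chain = "%s_%s_ZONES" % (table, chain)
+
 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
 action = "goto"
 
 rule = {"family": family,
 "table": TABLE_NAME,
- "chain": "%s_%s_ZONES" % (table, chain),
+ "chain": zone_dispatch_chain,
 "expr": [self._rule_addr_fragment(opt, address),
 {action: {"target": "%s_%s" % (table, target)}}]}
 rule.update(self._zone_source_fragment(zone, address))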
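Review bot: The order of the literal `["ZONES_SOURCE", "ZONES"]` is the property this change depends on — the `jump` into the `*_ZONES_SOURCE` chain is emitted before the `jump` into `*_ZONES`, and since `jump` falls through to the next rule when the target chain ends without a verdict, source-based zone dispatch is evaluated before interface-based dispatch — yet that list is repeated verbatim in five hunks (raw, mangle, nat, filter INPUT and filter FORWARD) and the same choice is spelled out a sixth time as an `if`/`else` in the last hunk. Hoisting it into one helper, e.g. `def _zone_dispatch_suffixes(self): return ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]`, with a comment such as `# order matters: source-based zone rules (ZONES_SOURCE) must be dispatched before interface-based ones (ZONES)`, would make the precedence a single reviewable line instead of something a later edit could reverse in one table only. The `index = 0` branch added in the first hunk also deserves a one-line comment on why a source not yet in `zone_source_index_cache` is inserted at the head of the chain when drifting is allowed rather than appended; the method that branch belongs to starts outside the hunk.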
--
2.23.0
|