From 2080b7457a93d5253e0205a0cb512f27eb964f3f Mon Sep 17 00:00:00 2001 From: badrogger Date: Mon, 16 Dec 2024 19:34:21 +0000 Subject: [PATCH] Add include to the nftables conf file --- node_cli/configs/__init__.py | 1 + node_cli/core/nftables.py | 26 +++++++++++++++++--------- 2 files changed, 18 insertions(+), 9 deletions(-) diff --git a/node_cli/configs/__init__.py b/node_cli/configs/__init__.py index abd9399f..7d256f14 100644 --- a/node_cli/configs/__init__.py +++ b/node_cli/configs/__init__.py @@ -165,3 +165,4 @@ def _get_env(): NODE_DOCKER_CONFIG_PATH = os.path.join(NODE_DATA_PATH, 'docker.json') NFTABLES_RULES_PATH = '/etc/nftables.conf' +NFTABLES_CHAIN_FOLDER_PATH = '/etc/nft.conf.d/chains' diff --git a/node_cli/core/nftables.py b/node_cli/core/nftables.py index 20aa7a17..f7df5a47 100644 --- a/node_cli/core/nftables.py +++ b/node_cli/core/nftables.py @@ -1,10 +1,11 @@ import json import logging +import os import sys from typing import Optional from dataclasses import dataclass -from node_cli.configs import ENV, NFTABLES_RULES_PATH +from node_cli.configs import ENV, NFTABLES_RULES_PATH, NFTABLES_CHAIN_FOLDER_PATH from node_cli.utils.helper import get_ssh_port, run_cmd logger = logging.getLogger(__name__) @@ -34,7 +35,7 @@ class NFTablesError(Exception): class NFTablesManager: - def __init__(self, family: str = 'inet', table: str = 'firewall', chain: str = 'input') -> None: + def __init__(self, family: str = 'inet', table: str = 'firewall', chain: str = 'skale') -> None: self.nft = nftables.Nftables() self.nft.set_json_output(True) self.family = family @@ -72,7 +73,7 @@ def chain_exists(self, chain_name: str) -> bool: return chain_name in self.get_chains() def create_chain_if_not_exists( - self, chain: str, hook: str, priority: int = 0, policy: str = 'accept' + self, chain: str, hook: str, priority: int = 1, policy: str = 'accept' ) -> None: if not self.chain_exists(chain): cmd = { @@ -299,6 +300,8 @@ def get_plain_ruleset(self) -> str: def setup_firewall(self, enable_monitoring: bool = False) -> None: """Setup firewall rules""" + + logger.info('Configuring firewall rules') try: self.create_table_if_not_exists() @@ -306,6 +309,7 @@ def setup_firewall(self, enable_monitoring: bool = False) -> None: 'input': {'hook': 'input', 'policy': 'accept'}, 'forward': {'hook': 'forward', 'policy': 'drop'}, 'output': {'hook': 'output', 'policy': 'accept'}, + 'skale': {'hook': 'input', 'policy': 'accept'}, } for chain, config in base_chains_config.items(): @@ -334,33 +338,37 @@ def setup_firewall(self, enable_monitoring: bool = False) -> None: ) ) - self.add_drop_rule_if_node_exists(protocol='tcp') + # self.add_drop_rule_if_node_exists(protocol='tcp') self.add_drop_rule_if_node_exists(protocol='udp') except Exception as e: logger.error('Failed to setup firewall: %s', e) raise NFTablesError(e) + logger.info('Firewall rules are configured') + + +def prepare_directories() -> None: + logger.info('Prepare directories for nftables') + os.makedirs(NFTABLES_CHAIN_FOLDER_PATH, exist_ok=True) def configure_nftables(enable_monitoring: bool = False) -> None: - logger.info('Enabling nftables services') + prepare_directories() enable_nftables_service() - logger.info('Configuring firewall rules') nft_mgr = NFTablesManager() nft_mgr.setup_firewall(enable_monitoring=enable_monitoring) - logger.info('Firewall rules are configured') ruleset = nft_mgr.get_plain_ruleset() save_nftables_rules(ruleset) - logger.info('Firewall setup completed successfully') def enable_nftables_service() -> None: + logger.info('Enabling nftables services') run_cmd(['systemctl', 'enable', 'nftables']) def save_nftables_rules(ruleset: str) -> None: logger.info('Saving nftables rules') - content = '#!/usr/sbin/nft -f\n' + 'flush ruleset\n' + ruleset + content = f'#!/usr/sbin/nft -f\nflush ruleset\n{ruleset}\ninclude "{NFTABLES_CHAIN_FOLDER_PATH}/*"' # noqa with open(NFTABLES_RULES_PATH, 'w') as f: f.write(content) logger.info('Rules saved successfully to %s', NFTABLES_RULES_PATH)