Use nftables to configure firewall

.dockerignore

@@ -1,4 +1,3 @@
-tests
 helper-scripts
 dist
 build

.github/workflows/publish.yml

@@ -13,7 +13,7 @@ jobs:
   create_release:
     if: github.event.pull_request.merged
     name: Create release
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     outputs:
       upload_url: ${{ steps.create_release.outputs.upload_url }}
       version: ${{ steps.export_outputs.outputs.version }}
@@ -26,6 +26,7 @@ jobs:
 
       - name: Checkout submodules
         run: git submodule update --init
+
       - name: Install ubuntu dependencies
         run: |
           sudo apt-get update
@@ -68,7 +69,7 @@ jobs:
     strategy:
       matrix:
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             asset_name: skale-${{ needs.create_release.outputs.version }}-Linux-x86_64
     steps:
     - uses: actions/checkout@v2
@@ -78,7 +79,7 @@ jobs:
         python-version: 3.11
 
     - name: Install ubuntu dependencies
-      if: matrix.os == 'ubuntu-20.04'
+      if: matrix.os == 'ubuntu-22.04'
       run: |
         sudo apt-get update
 
@@ -127,7 +128,7 @@ jobs:
     strategy:
       matrix:
         include:
-          - os: ubuntu-20.04
+          - os: ubuntu-22.04
             asset_name: skale-${{ needs.create_release.outputs.version }}-Linux-x86_64-sync
     steps:
     - uses: actions/checkout@v2
@@ -137,7 +138,7 @@ jobs:
         python-version: 3.11
 
     - name: Install ubuntu dependencies
-      if: matrix.os == 'ubuntu-20.04'
+      if: matrix.os == 'ubuntu-22.04'
       run: |
         sudo apt-get update
 

.github/workflows/test.yml

@@ -3,7 +3,7 @@ on: [push, pull_request]
 
 jobs:
   test:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
         python-version: [3.11]
@@ -23,20 +23,19 @@ jobs:
     - name: Install ubuntu dependencies
       run: |
         sudo apt-get update
-        sudo apt-get install python-setuptools iptables
+        sudo apt-get install iptables nftables python3-nftables
 
     - name: Install python dependencies
       run: |
         python -m pip install --upgrade pip
-        pip install -e .
+        # pip install setuptools==75.5.0
         pip install -e .[dev]
-        pip install --upgrade 'setuptools<45.0.0'
 
     - name: Lint with flake8
       run: |
         flake8 .
 
-    - name: Build binary in Ubuntu 18.04 environment - normal
+    - name: Build binary - normal
       run: |
         mkdir -p ./dist
         docker build . -t node-cli-builder
@@ -46,13 +45,7 @@ jobs:
     - name: Check build - normal
       run: sudo /home/ubuntu/dist/skale-test-Linux-x86_64
 
-    - name: Build binary in Ubuntu 20.04 environment - normal
-      run: |
-        scripts/build.sh test test normal
-
-    - name: Check build - sync
-      run: sudo /home/ubuntu/dist/skale-test-Linux-x86_64
-    - name: Build sync binary in Ubuntu 18.04 environment
+    - name: Build binary - sync
       run: |
         mkdir -p ./dist
         docker build . -t node-cli-builder
@@ -62,12 +55,15 @@ jobs:
     - name: Check build - sync
       run: sudo /home/ubuntu/dist/skale-test-Linux-x86_64-sync
 
-    - name: Build sync binary in Ubuntu 20.04 environment
+    - name: Run prepare test build
       run: |
-        scripts/build.sh test test sync
-
-    - name: Check build - sync
-      run: sudo /home/ubuntu/dist/skale-test-Linux-x86_64-sync
+        scripts/build.sh test test normal
 
     - name: Run tests
-      run: bash ./scripts/run_tests.sh
+      run: |
+        export PYTHONPATH=${PYTHONPATH}:/usr/lib/python3/dist-packages/
+        bash ./scripts/run_tests.sh
+
+    - name: Run nftables tests
+      run: |
+        scripts/run_nftables_test.sh

Dockerfile

@@ -1,22 +1,29 @@
-FROM python:3.11-buster
+FROM python:3.11-bookworm
 
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get install -y software-properties-common
-RUN apt-get install -y  \
+RUN apt-get update && apt install -y \
                        git \
                        build-essential \
+                       software-properties-common \
                        zlib1g-dev \
                        libssl-dev \
                        libffi-dev \
                        swig \
-                       iptables
+                       iptables \
+                       nftables \ 
+                       python3-nftables \ 
+                       libxslt-dev \
+                       kmod
+
 
 RUN mkdir /app
 WORKDIR /app
 
 COPY . .
 
 ENV PATH=/app/buildvenv/bin:$PATH
+ENV PYTHONPATH="{PYTHONPATH}:/usr/lib/python3/dist-packages"
+
 RUN python3.11 -m venv /app/buildvenv && \
     pip install --upgrade pip && \
     pip install wheel setuptools==63.2.0 && \

main.spec

@@ -2,15 +2,12 @@
 
 import importlib.util
 
-libxtwrapper_path = importlib.util.find_spec('libxtwrapper').origin
-
 
 block_cipher = None
 
 a = Analysis(
     ['node_cli/main.py'],
     pathex=['.'],
-    binaries=[(libxtwrapper_path, '.')],
     datas=[
        ("./text.yml", "data"),
        ("./datafiles/skaled-ssl-test", "data/datafiles")

node_cli/cli/__init__.py

@@ -1,4 +1,4 @@
-__version__ = '2.5.0'
+__version__ = '2.6.0'
 
 if __name__ == "__main__":
     print(__version__)

node_cli/cli/node.py

@@ -19,8 +19,8 @@
 
 import click
 
+from node_cli.core.node import configure_firewall_rules
 from node_cli.core.node import (
-    configure_firewall_rules,
     get_node_signature,
     init,
     restore,
@@ -239,12 +239,13 @@ def check(network):
     run_checks(network)
 
 
-@node.command(help='Reconfigure iptables rules')
+@node.command(help='Reconfigure nftables rules')
+@click.option('--monitoring', is_flag=True)
 @click.option('--yes', is_flag=True, callback=abort_if_false,
               expose_value=False,
               prompt='Are you sure you want to reconfigure firewall rules?')
-def configure_firewall():
-    configure_firewall_rules()
+def configure_firewall(monitoring):
+    configure_firewall_rules(enable_monitoring=monitoring)
 
 
 @node.command(help='Show node version information')

node_cli/configs/__init__.py

@@ -163,3 +163,5 @@ def _get_env():
 TELEGRAF_TEMPLATE_PATH = os.path.join(CONTAINER_CONFIG_PATH, 'telegraf.conf.j2')
 TELEGRAF_CONFIG_PATH = os.path.join(CONTAINER_CONFIG_PATH, 'telegraf.conf')
 NODE_DOCKER_CONFIG_PATH = os.path.join(NODE_DATA_PATH, 'docker.json')
+
+NFTABLES_RULES_PATH = '/etc/nftables.conf'

node_cli/core/checks.py

@@ -321,10 +321,6 @@ def _check_apt_package(self, package_name: str,
         else:
             return self._ok(name=package_name, info=info)
 
-    @preinstall
-    def iptables_persistent(self) -> CheckResult:
-        return self._check_apt_package('iptables-persistent')
-
     @preinstall
     def lvm2(self) -> CheckResult:
         return self._check_apt_package('lvm2')
@@ -415,26 +411,26 @@ def docker_api(self) -> CheckResult:
 
     @preinstall
     def docker_compose(self) -> CheckResult:
-        name = 'docker-compose'
-        cmd = shutil.which('docker-compose')
+        name = 'docker'
+        cmd = shutil.which('docker')
         if cmd is None:
-            info = 'No such command: "docker-compose"'
+            info = 'No such command: "docker"'
             return self._failed(name=name, info=info)
 
         v_cmd_result = run_cmd(
-            ['docker-compose', '-v'],
+            ['docker', 'compose', 'version'],
             check_code=False,
             separate_stderr=True
         )
         output = v_cmd_result.stdout.decode('utf-8').rstrip()
         if v_cmd_result.returncode != 0:
-            info = f'Checking docker-compose version failed with: {output}'
+            info = f'Checking docker compose version failed with: {output}'
             return self._failed(name=name, info=output)
 
         actual_version = output.split(',')[0].split()[-1].strip()
         expected_version = self.requirements['docker-compose']
 
-        info = f'Expected docker-compose version {expected_version}, actual {actual_version}'  # noqa
+        info = f'Expected docker compose version {expected_version}, actual {actual_version}'  # noqa
         if version_parse(actual_version) < version_parse(expected_version):
             return self._failed(name=name, info=info)
         else: