From 1bb4312264f71a91c9afd22bf2b9c1fdbd00dc7a Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Mon, 3 Dec 2018 12:40:41 -0500
Subject: [PATCH 03/23] nftables: fix panic mode not filtering output packets
|
This simplifies policy in the nftables backend by filtering only on the
prerouting and output hooks. The other hooks are unnecessary since
we're using a higher precedence.
|
Also fixes an issue when re-enabling panic mode multiple times. Due to
rule de-duplication the policy drop rule was not being re-added.
|
Fixes: rhbz 1579740
Fixes: a0f683dfef2c ("nftables: fix policy")
(cherry picked from commit 2f5608b4897ff99afbb1c2425a94df035031c1a2)
---
src/firewall/core/nftables.py | 36 +++++++++--------------------------
1 file changed, 9 insertions(+), 27 deletions(-)
|
diff --git a/src/firewall/core/nftables.py b/src/firewall/core/nftables.py
index 69236a9600c2..44cd4f9e1752 100644
--- a/src/firewall/core/nftables.py
+++ b/src/firewall/core/nftables.py
@@ -314,38 +314,20 @@ class nftables(object):
# packets while initially starting and for panic mode. As such, using
# hooks with a higher priority than our base chains is sufficient.
#
- table_chains = []
- for table in list(IPTABLES_TO_NFT_HOOK.keys()):
- for chain in IPTABLES_TO_NFT_HOOK[table]:
- table_chains.append((table, chain))
-
table_name = TABLE_NAME + "_" + "policy_drop"
|
- def _policy_drop_helper(table, chain, family, rules):
- _chain = "%s_%s" % (table, chain)
- _hook = IPTABLES_TO_NFT_HOOK[table][chain][0]
- # add hooks with priority -1, only contain drop rule
- _priority = IPTABLES_TO_NFT_HOOK[table][chain][1] - 1
- _add_chain = "add chain %s %s %s '{ type filter hook %s priority %d ; }'" % \
- (family, table_name, _chain, _hook, _priority)
- rules.append(splitArgs(_add_chain))
- rules.append(["add", "rule", family, table_name, _chain, "drop"])
-
rules = []
if policy == "DROP":
- for family in ["inet", "ip", "ip6"]:
- rules.append(["add", "table", family, table_name])
-
- for table,chain in table_chains:
- if table == "nat":
- # nat requires two families
- for family in ["ip", "ip6"]:
- _policy_drop_helper(table, chain, family, rules)
- else:
- _policy_drop_helper(table, chain, "inet", rules)
+ rules.append(["add", "table", "inet", table_name])
+
+ # To drop everything we need to use the "raw" priority. These occur
+ # before conntrack, mangle, nat, etc
+ for hook in ["prerouting", "output"]:
+ _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \
+ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1)
+ rules.append(splitArgs(_add_chain))
elif policy == "ACCEPT":
- for family in ["inet", "ip", "ip6"]:
- rules.append(["delete", "table", family, table_name])
+ rules.append(["delete", "table", "inet", table_name])
else:
FirewallError(UNKNOWN_ERROR, "not implemented")
|
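Review bot: The `else` branch at the end of the hunk constructs `FirewallError(UNKNOWN_ERROR, "not implemented")` but never raises it, so an unrecognised `policy` value falls through with `rules` still empty and the caller presumably sees a silent no-op instead of an error; that line should read `raise FirewallError(UNKNOWN_ERROR, "not implemented")`. The defect predates this commit (the line is unchanged context), but since the commit rewrites both surrounding branches this is the natural place to fix it, and an unraised error in the panic-mode path is worth closing. The enclosing method begins before the hunk, so its signature and whatever it does with `rules` afterwards are not visible here.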
--
2.20.1
|