Add agent-managed firewall with nftables

Move firewall management from stemcell scripts to bosh-agent to properly
handle Jammy containers running on Noble hosts (cgroup v2 inherited from
host).

- Create platform/firewall package with nftables implementation using
  github.com/google/nftables library (pure Go, no C deps)
- Add SetupFirewall() to Platform interface, called during bootstrap
- Add 'bosh-agent firewall-allow <service>' CLI command for monit wrapper
- Detect cgroup version at runtime from /proc/self/cgroup
- NATS firewall only enabled for Jammy (Noble uses ephemeral credentials)
- Gracefully handle missing base firewall (warn, don't fail)

Author: rkoster

agent/bootstrap.go

@@ -100,6 +100,10 @@ func (boot bootstrap) Run() (err error) { //nolint:gocyclo
 		return bosherr.WrapError(err, "Setting up networking")
 	}
 
+	if err = boot.platform.SetupFirewall(settings.GetMbusURL()); err != nil {
+		return bosherr.WrapError(err, "Setting up firewall")
+	}
+
 	if err = boot.platform.SetupRawEphemeralDisks(settings.RawEphemeralDiskSettings()); err != nil {
 		return bosherr.WrapError(err, "Setting up raw ephemeral disk")
 	}

go.mod

@@ -15,6 +15,7 @@ require (
 	github.com/coreos/go-iptables v0.8.0
 	github.com/gofrs/uuid v4.4.0+incompatible
 	github.com/golang/mock v1.6.0
+	github.com/google/nftables v0.2.0
 	github.com/google/uuid v1.6.0
 	github.com/kevinburke/ssh_config v1.4.0
 	github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321
@@ -67,9 +68,12 @@ require (
 	github.com/jcmturner/goidentity/v6 v6.0.1 // indirect
 	github.com/jcmturner/gokrb5/v8 v8.4.4 // indirect
 	github.com/jcmturner/rpc/v2 v2.0.3 // indirect
+	github.com/josharian/native v1.1.0 // indirect
 	github.com/jpillora/backoff v1.0.0 // indirect
 	github.com/klauspost/compress v1.18.3 // indirect
 	github.com/masterzen/simplexml v0.0.0-20190410153822-31eea3082786 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/nats-io/nkeys v0.4.14 // indirect
 	github.com/nats-io/nuid v1.0.1 // indirect

go.sum

@@ -109,6 +109,8 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/nftables v0.2.0 h1:PbJwaBmbVLzpeldoeUKGkE2RjstrjPKMl6oLrfEJ6/8=
+github.com/google/nftables v0.2.0/go.mod h1:Beg6V6zZ3oEn0JuiUQ4wqwuyqqzasOltcoXPtgLbFp4=
 github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83 h1:z2ogiKUYzX5Is6zr/vP9vJGqPwcdqsWjOt+V8J7+bTc=
 github.com/google/pprof v0.0.0-20260115054156-294ebfa9ad83/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -135,6 +137,8 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
+github.com/josharian/native v1.1.0 h1:uuaP0hAbW7Y4l0ZRQ6C9zfb7Mg1mbFKry/xzDAfmtLA=
+github.com/josharian/native v1.1.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE=
 github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung=
 github.com/jpillora/backoff v1.0.0 h1:uvFg412JmmHBHw7iwprIxkPMI+sGQ4kzOWsMeHnm2EA=
@@ -157,6 +161,10 @@ github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321 h1:AKIJL2PfBX2uie0
 github.com/masterzen/winrm v0.0.0-20250927112105-5f8e6c707321/go.mod h1:JajVhkiG2bYSNYYPYuWG7WZHr42CTjMTcCjfInRNCqc=
 github.com/maxbrunsfeld/counterfeiter/v6 v6.12.1 h1:D4O2wLxB384TS3ohBJMfolnxb4qGmoZ1PnWNtit8LYo=
 github.com/maxbrunsfeld/counterfeiter/v6 v6.12.1/go.mod h1:RuJdxo0oI6dClIaMzdl3hewq3a065RH65dofJP03h8I=
+github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
+github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
+github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/mfridman/tparse v0.18.0 h1:wh6dzOKaIwkUGyKgOntDW4liXSo37qg5AXbIhkMV3vE=
 github.com/mfridman/tparse v0.18.0/go.mod h1:gEvqZTuCgEhPbYk/2lS3Kcxg1GmTxxU7kTC8DvP0i/A=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
@@ -220,6 +228,8 @@ github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
 github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde h1:AMNpJRc7P+GTwVbl8DkK2I9I8BBUzNiHuH/tlxrpan0=
 github.com/tidwall/transform v0.0.0-20201103190739-32f242e2dbde/go.mod h1:MvrEmduDUz4ST5pGZ7CABCnOU5f3ZiOAZzT6b1A6nX8=
+github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
+github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=

main/agent.go

@@ -13,6 +13,7 @@ import (
 	boshapp "github.com/cloudfoundry/bosh-agent/v2/app"
 	"github.com/cloudfoundry/bosh-agent/v2/infrastructure/agentlogger"
 	"github.com/cloudfoundry/bosh-agent/v2/platform"
+	boshfirewall "github.com/cloudfoundry/bosh-agent/v2/platform/firewall"
 )
 
 const mainLogTag = "main"
@@ -81,6 +82,9 @@ func main() {
 		case "compile":
 			compileTarball(cmd, os.Args[2:])
 			return
+		case "firewall-allow":
+			handleFirewallAllow(os.Args[2:])
+			return
 		}
 	}
 	asyncLog := logger.NewAsyncWriterLogger(logger.LevelDebug, os.Stderr)
@@ -103,3 +107,35 @@ func newSignalableLogger(logger logger.Logger) logger.Logger {
 	signalableLogger, _ := agentlogger.NewSignalableLogger(logger, c)
 	return signalableLogger
 }
+
+// handleFirewallAllow handles the "bosh-agent firewall-allow <service>" CLI command.
+// This is called by processes (like monit) that need firewall access to local services.
+func handleFirewallAllow(args []string) {
+	if len(args) < 1 {
+		fmt.Fprintf(os.Stderr, "Usage: bosh-agent firewall-allow <service>\n")
+		fmt.Fprintf(os.Stderr, "Allowed services: %v\n", boshfirewall.AllowedServices)
+		os.Exit(1)
+	}
+
+	service := boshfirewall.Service(args[0])
+
+	// Create minimal logger for CLI command
+	log := logger.NewLogger(logger.LevelError)
+
+	// Create firewall manager
+	firewallMgr, err := boshfirewall.NewNftablesFirewall(log)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error creating firewall manager: %s\n", err)
+		os.Exit(1)
+	}
+
+	// Get parent PID (the process that called us)
+	callerPID := os.Getppid()
+
+	if err := firewallMgr.AllowService(service, callerPID); err != nil {
+		fmt.Fprintf(os.Stderr, "Error allowing service: %s\n", err)
+		os.Exit(1)
+	}
+
+	fmt.Printf("Firewall exception added for service: %s (caller PID: %d)\n", service, callerPID)
+}

platform/dummy_platform.go

@@ -562,6 +562,10 @@ func (p dummyPlatform) SetupRecordsJSONPermission(path string) error {
 	return nil
 }
 
+func (p dummyPlatform) SetupFirewall(mbusURL string) error {
+	return nil
+}
+
 func (p dummyPlatform) Shutdown() error {
 	return nil
 }

platform/firewall/cgroup_linux.go

@@ -0,0 +1,87 @@
+//go:build linux
+
+package firewall
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	cgroups "github.com/containerd/cgroups/v3"
+)
+
+// DetectCgroupVersion detects the cgroup version at runtime by checking
+// whether the system is using unified (v2) or legacy (v1) cgroup hierarchy.
+// This correctly handles:
+// - Jammy VM on Jammy host: Detects cgroup v1
+// - Jammy container on Noble host: Detects cgroup v2 (inherits from host!)
+// - Noble anywhere: Detects cgroup v2
+func DetectCgroupVersion() (CgroupVersion, error) {
+	if cgroups.Mode() == cgroups.Unified {
+		return CgroupV2, nil
+	}
+	return CgroupV1, nil
+}
+
+// GetProcessCgroup gets the cgroup identity for a process by reading /proc/<pid>/cgroup
+func GetProcessCgroup(pid int, version CgroupVersion) (ProcessCgroup, error) {
+	cgroupFile := fmt.Sprintf("/proc/%d/cgroup", pid)
+	data, err := os.ReadFile(cgroupFile)
+	if err != nil {
+		return ProcessCgroup{}, fmt.Errorf("reading %s: %w", cgroupFile, err)
+	}
+
+	if version == CgroupV2 {
+		return parseCgroupV2(string(data))
+	}
+	return parseCgroupV1(string(data))
+}
+
+// parseCgroupV2 extracts the cgroup path from /proc/<pid>/cgroup for cgroup v2
+// Format: "0::/system.slice/bosh-agent.service"
+func parseCgroupV2(data string) (ProcessCgroup, error) {
+	for _, line := range strings.Split(data, "\n") {
+		line = strings.TrimSpace(line)
+		if strings.HasPrefix(line, "0::") {
+			path := strings.TrimPrefix(line, "0::")
+			return ProcessCgroup{
+				Version: CgroupV2,
+				Path:    path,
+			}, nil
+		}
+	}
+	return ProcessCgroup{}, fmt.Errorf("cgroup v2 path not found in /proc/self/cgroup")
+}
+
+// parseCgroupV1 extracts the cgroup info from /proc/<pid>/cgroup for cgroup v1
+// Format: "12:net_cls,net_prio:/system.slice/bosh-agent.service"
+func parseCgroupV1(data string) (ProcessCgroup, error) {
+	// Look for net_cls controller which is used for firewall matching
+	for _, line := range strings.Split(data, "\n") {
+		line = strings.TrimSpace(line)
+		if strings.Contains(line, "net_cls") {
+			parts := strings.SplitN(line, ":", 3)
+			if len(parts) >= 3 {
+				return ProcessCgroup{
+					Version: CgroupV1,
+					Path:    parts[2],
+					// ClassID will be set when the process is added to the cgroup
+				}, nil
+			}
+		}
+	}
+
+	// Fallback: return empty path, will use classid-based matching
+	return ProcessCgroup{
+		Version: CgroupV1,
+	}, nil
+}
+
+// ReadOperatingSystem reads the operating system name from the BOSH-managed file
+func ReadOperatingSystem() (string, error) {
+	data, err := os.ReadFile("/var/vcap/bosh/etc/operating_system")
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(string(data)), nil
+}

platform/firewall/cgroup_other.go

@@ -0,0 +1,20 @@
+//go:build !linux
+
+package firewall
+
+import "fmt"
+
+// DetectCgroupVersion is not supported on non-Linux platforms
+func DetectCgroupVersion() (CgroupVersion, error) {
+	return CgroupV1, fmt.Errorf("cgroup detection not supported on this platform")
+}
+
+// GetProcessCgroup is not supported on non-Linux platforms
+func GetProcessCgroup(pid int, version CgroupVersion) (ProcessCgroup, error) {
+	return ProcessCgroup{}, fmt.Errorf("cgroup not supported on this platform")
+}
+
+// ReadOperatingSystem is not supported on non-Linux platforms
+func ReadOperatingSystem() (string, error) {
+	return "", fmt.Errorf("operating system detection not supported on this platform")
+}

platform/firewall/firewall.go

@@ -0,0 +1,57 @@
+package firewall
+
+// Service represents a local service that can be protected by firewall
+type Service string
+
+const (
+	ServiceMonit Service = "monit"
+	// Future services can be added here
+)
+
+// AllowedServices is the list of services that can be requested via CLI
+var AllowedServices = []Service{ServiceMonit}
+
+// CgroupVersion represents the cgroup hierarchy version
+type CgroupVersion int
+
+const (
+	CgroupV1 CgroupVersion = 1
+	CgroupV2 CgroupVersion = 2
+)
+
+// ProcessCgroup represents a process's cgroup identity
+type ProcessCgroup struct {
+	Version CgroupVersion
+	Path    string // For cgroup v2: full path like "/system.slice/bosh-agent.service"
+	ClassID uint32 // For cgroup v1: net_cls classid
+}
+
+//go:generate go run github.com/maxbrunsfeld/counterfeiter/v6 -generate
+//counterfeiter:generate . Manager
+
+// Manager manages firewall rules for local service access
+type Manager interface {
+	// SetupAgentRules sets up the agent's own firewall exceptions during bootstrap.
+	// Called once during agent bootstrap after networking is configured.
+	// mbusURL is the NATS URL for setting up NATS firewall rules (Jammy only).
+	SetupAgentRules(mbusURL string) error
+
+	// AllowService opens firewall for the calling process to access a service.
+	// Returns error if service is not in AllowedServices.
+	// Called by external processes via "bosh-agent firewall-allow <service>".
+	AllowService(service Service, callerPID int) error
+
+	// Cleanup removes all agent-managed firewall rules.
+	// Called during agent shutdown (optional).
+	Cleanup() error
+}
+
+// IsAllowedService checks if a service is in the allowed list
+func IsAllowedService(s Service) bool {
+	for _, allowed := range AllowedServices {
+		if s == allowed {
+			return true
+		}
+	}
+	return false
+}