nftables-settings-default: new package.

ipuustin · ipuustin · commit dc1390c5f0fe · 2017-06-16T15:57:00.000+03:00
Signed-off-by: Ismo Puustinen &lt;ismo.puustinen@intel.com&gt;
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/99-network-device.rules b/meta-refkit-core/recipes-security/nftables-settings-default/files/99-network-device.rules
@@ -0,0 +1 @@
+SUBSYSTEM=="net", ENV{SYSTEMD_WANTS}="network-device-event@$name.service"
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config-update.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config-update.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Create firewall config if it doesn't exist
+After=firewall-zones-update.service
+Requires=firewall-zones-update.service
+ConditionPathExists=!/run/firewall/firewall.ruleset
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/firewall-update.py
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.path b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.path
@@ -0,0 +1,14 @@
+[Unit]
+Description=Track changes to firewall zone ruleset and service chains
+# do not track paths before firewall service is enabled
+After=firewall-config-update.service
+# break down the ordering cycle with basic.target
+DefaultDependencies=false
+
+[Path]
+ReloadOnTrigger=true
+PathChanged=/run/firewall/zones.ruleset
+PathChanged=/usr/lib/firewall/services
+PathChanged=/etc/firewall/services
+PathChanged=/usr/lib/firewall/zones.config
+PathChanged=/etc/firewall/zones.config
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update firewall settings
+
+[Service]
+Type=simple
+
+# We can run firewall-update.py even though this service might have been
+# activated via the same command. If there is no change, the
+# zones.ruleset file isn't changed.
+
+ExecStart=/usr/bin/firewall-update.py
+ExecReload=/usr/bin/firewall-update.py
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-update.py b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-update.py
@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+
+# TODO: allow defining the zones on-the-fly based on the configuration
+
+import os
+import sys
+import re
+import fcntl
+import configparser
+
+zonesConfigPaths = ["/usr/lib/firewall/zones.config", "/etc/firewall/zones.config"]
+zonesTemplatePath = "/usr/lib/firewall/zones.template"
+zonesRulesetPath = "/run/firewall/zones.ruleset"
+servicePaths = ["/usr/lib/firewall/services", "/etc/firewall/services"]
+configTemplatePath = "/usr/lib/firewall/firewall.template"
+configRulesetPath = "/run/firewall/firewall.ruleset"
+
+# lock to prevent processing several events at once
+lock = open("/run/firewall/config_flock", "w")
+fcntl.lockf(lock, fcntl.LOCK_EX)
+
+# get available interfaces
+interfaces = os.listdir("/sys/class/net")
+
+# map interfaces to zones according to configuration
+config = configparser.ConfigParser()
+files = config.read(zonesConfigPaths)
+
+def search_interfaces(key, conf):
+    ret = ""
+    if "match" in conf:
+        if key in conf["match"]:
+            r = re.compile(conf["match"][key])
+            ifs = ", ".join([i for i in interfaces if r.search(i)])
+            ret = "elements = { " + ifs + " }"
+
+    return ret
+
+# run regexps on the interfaces
+local_ifs = search_interfaces("ZONE_LOCAL", config)
+lan_ifs = search_interfaces("ZONE_LAN", config)
+wan_ifs = search_interfaces("ZONE_WAN", config)
+dmz_ifs = search_interfaces("ZONE_DMZ", config)
+vpn_ifs = search_interfaces("ZONE_VPN", config)
+all_ifs = search_interfaces("ZONE_ALL", config)
+
+# read the zones template
+with open(zonesTemplatePath, "r") as f:
+    data = f.read()
+
+output_data = data.format(local_interfaces=local_ifs, lan_interfaces=lan_ifs,
+                          wan_interfaces=wan_ifs, dmz_interfaces=dmz_ifs,
+                          vpn_interfaces=vpn_ifs, all_interfaces=all_ifs)
+
+# Do not write the ruleset file if it already exists and there is no change.
+# This prevents unneccessary firewall setup changes.
+
+current_data = None
+
+if os.path.exists(zonesRulesetPath):
+    with open(zonesRulesetPath, "r", encoding="utf-8") as f:
+        current_data = f.read()
+
+if not current_data or current_data != output_data:
+    # different file content, write the ruleset file
+    with open(zonesRulesetPath, "w") as f:
+        f.write(output_data)
+
+if "--only-zones" in sys.argv:
+    # configured to run only zone update
+    sys.exit(0)
+
+# read the firewall template
+with open(configTemplatePath, "r") as f:
+    data = f.read()
+
+serviceFiles = []
+for path in filter(os.path.exists, servicePaths):
+    serviceFiles += [os.path.realpath(os.path.join(path, f)) for f in os.listdir(path)]
+
+service_file_blob = "\n".join(['include "%s"' % f for f in serviceFiles])
+
+output_data = data.format(service_chains=service_file_blob)
+
+# write the ruleset file
+with open(configRulesetPath, "w") as f:
+    f.write(output_data)
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-zones-update.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-zones-update.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Create firewall zone configuration if it doesn't exist
+ConditionPathExists=!/run/firewall/zones.ruleset
+
+[Service]
+ExecStart=/usr/bin/firewall-update.py --only-zones
+Type=oneshot
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.conf b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.conf
@@ -0,0 +1,2 @@
+# tmpfiles.d
+d       /run/firewall   0600    root    root    -       -
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.path b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.path
@@ -0,0 +1,9 @@
+[Unit]
+Description=Track changes to firewall configuration
+
+[Path]
+ReloadOnTrigger=true
+PathChanged=/run/firewall/firewall.ruleset
+
+[Install]
+WantedBy=network.target
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=nftables firewall
+DefaultDependencies=false
+Before=network-pre.target multi-user.target shutdown.target
+Conflicts=shutdown.target
+
+# firewall-config-update makes sure that the firewall configuration has been created
+After=firewall-config-update.service
+# requires first-time update and also the configuration file tracking
+Requires=firewall-config-update.service
+Wants=firewall-config.path
+
+[Service]
+Type=simple
+ExecStart=/usr/sbin/nft -I /run/firewall -I /usr/lib/firewall -f /run/firewall/firewall.ruleset
+ExecReload=/usr/sbin/nft -I /run/firewall -I /usr/lib/firewall -f /run/firewall/firewall.ruleset
+
+[Install]
+WantedBy=network.target
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template
@@ -0,0 +1,77 @@
+#!/usr/sbin/nft
+
+flush ruleset;
+
+include "variables.ruleset"
+
+table inet filter {{
+
+    include "zones.ruleset"
+
+    map tcp_service_map {{
+        type inet_service : verdict
+    }}
+
+    map udp_service_map {{
+        type inet_service : verdict
+    }}
+
+    chain input {{
+        # Run this later than service and application scripts (priority 1)
+        # and drop all packets that don't match to the the rules.
+        type filter hook input priority 1; policy drop;
+
+        # Accept packets tagged by services and applications.
+        mark $accept_packet accept;
+
+        # Accept packets belonging to established and related connections.
+        ct state established,related accept;
+
+        # Allow packets to localhost interfaces.
+        iif @ZONE_LOCAL accept;
+
+        # Check if the services have declared custom rules.
+        tcp dport vmap @tcp_service_map;
+        udp dport vmap @udp_service_map;
+
+        # Allow some icmpv6 to make IPv6 work (see RFC 4890). This
+        # configuration is for an "end host firewall", protecting a
+        # single device. In order to use the device as a router or as a
+        # bridge, enable the relevant options as explained in the RFC.
+        # For home gateway router use, see RFC 6092.
+
+        # Allow basic IPv6 functionality.
+        ip6 nexthdr icmpv6 icmpv6 type {{
+            destination-unreachable,
+            packet-too-big,
+            time-exceeded,
+            parameter-problem,
+            echo-request,
+            echo-reply
+        }} accept;
+
+        # Allow auto configuration support.
+        ip6 nexthdr icmpv6 icmpv6 type {{
+            nd-neighbor-solicit,
+            nd-neighbor-advert,
+            nd-router-advert,
+            nd-router-solicit
+        }} ip6 hoplimit 255 accept;
+
+        # Allow multicast listener discovery on link-local addresses.
+        ip6 nexthdr icmpv6 icmpv6 type {{
+            mld-listener-query,
+            mld-listener-report,
+            mld-listener-reduction
+        }} ip6 saddr fe80::/10 accept;
+
+        # Allow multicast router discovery messages on link-local
+        # addresses (hop limit 1).
+        ip6 nexthdr icmpv6 icmpv6 type {{
+            nd-router-advert,
+            nd-router-solicit
+        }} ip6 hoplimit 1 ip6 saddr fe80::/10 accept;
+    }}
+}}
+
+{service_chains}
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/network-device-event@.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/network-device-event@.service
@@ -0,0 +1,15 @@
+# Update firewall zones every time the network interfaces change (a VPN
+# interface is started, USB network card is removed, etc).
+
+[Unit]
+Description=Network device trigger (%I)
+BindsTo=sys-subsystem-net-devices-%i.device
+# no need to track changes to interfaces before firewall has been
+# configured
+After=sys-subsystem-net-devices-%i.device firewall.target
+
+[Service]
+ExecStart=/usr/bin/firewall-update.py --only-zones
+ExecStop=/usr/bin/firewall-update.py --only-zones
+Type=forking
+RemainAfterExit=yes
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/variables.ruleset b/meta-refkit-core/recipes-security/nftables-settings-default/files/variables.ruleset
@@ -0,0 +1,16 @@
+#!/usr/sbin/nft
+
+# The idea is that if a service is positively sure that a packet is
+# meant for it _and_ it wants to accept it, it needs to tag it with the
+# "accept_packet" mark.  If the service thinks a packet doesn't belong
+# to it, it just needs to accept it using the "accept" verdict. In a
+# (rare) case when the service knows that a packet belongs to it but it
+# needs to drop or reject it, the service can just use "drop" or
+# "reject" verdicts to stop the packet processing.
+#
+# Note that it's harmless to select "accept" verdict in the recipe,
+# since the packet will be processed by other chains too, and a "drop"
+# or "reject" in any one of those is enough to drop or reject the
+# packet.
+
+define accept_packet = 0x1
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.config b/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.config
@@ -0,0 +1,4 @@
+[match]
+ZONE_LAN=.*
+ZONE_LOCAL=lo.*
+ZONE_ALL=.*
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.template b/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.template
@@ -0,0 +1,43 @@
+#!/usr/sbin/nft
+
+# LOCAL zone -- loopback device and container virtual interfaces
+set ZONE_LOCAL {{
+    type iface_index
+    {local_interfaces}
+}}
+
+# LAN zone -- the internal network
+set ZONE_LAN {{
+    type iface_index
+    {lan_interfaces}
+}}
+
+# WAN zone -- typically the Internet
+set ZONE_WAN {{
+    type iface_index
+    {wan_interfaces}
+}}
+
+# DMZ zone -- for instance a wireless LAN interface if those are without
+# encryption or SSID password
+set ZONE_DMZ {{
+    type iface_index
+    {dmz_interfaces}
+}}
+
+# VPN zone -- virtual VPN interfaces. Since VPN interfaces come and go
+# dynamically, the interface indexes associated with interface names change.
+# Whenever a new VPN interface is brought up, the service doing it should add
+# the VPN interface to this set ("nft add element inet filter ZONE_VPN {{vpn0}}")
+# and remove it after it's gone ("nft delete ..."). This is not needed if the
+# dynamic loading of the firewall ruleset is enabled after any interface change.
+set ZONE_VPN {{
+    type iface_index
+    {vpn_interfaces}
+}}
+
+# ALL zone -- all network interfaces
+set ZONE_ALL {{
+    type iface_index
+    {all_interfaces}
+}}
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/nftables-settings-default_0.1.bb b/meta-refkit-core/recipes-security/nftables-settings-default/nftables-settings-default_0.1.bb
@@ -0,0 +1,58 @@
+# Copyright (C) 2017 Intel.
+# Released under the MIT license (see COPYING.MIT for the terms)
+
+DESCRIPTION = "Default nftables configuration."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+inherit systemd
+
+RDEPENDS_${PN} = "python3 python3-re python3-fcntl"
+
+SRC_URI = " \
+    file://firewall-update.py \
+    file://zones.config \
+    file://zones.template \
+    file://firewall.template \
+    file://firewall.conf \
+    file://99-network-device.rules \
+    file://firewall.service \
+    file://firewall-config.path \
+    file://firewall-config.service \
+    file://firewall-config-update.service \
+    file://firewall-zones-update.service \
+    file://firewall.path \
+    file://network-device-event@.service \
+    file://variables.ruleset \
+"
+
+do_install() {
+    install -d ${D}${base_libdir}/udev/rules.d
+    install -d ${D}${libdir}/tmpfiles.d
+    install -d ${D}${libdir}/firewall/services
+    install -d ${D}${bindir}
+    install -d ${D}${systemd_unitdir}/system/
+
+    install -m 0644 ${WORKDIR}/*.service ${D}${systemd_unitdir}/system/
+    install -m 0644 ${WORKDIR}/*.path ${D}${systemd_unitdir}/system/
+    install -m 0755 ${WORKDIR}/firewall-update.py ${D}${bindir}/
+    install -m 0644 ${WORKDIR}/zones.config ${D}${libdir}/firewall/
+    install -m 0644 ${WORKDIR}/*.template ${D}${libdir}/firewall/
+    install -m 0644 ${WORKDIR}/variables.ruleset ${D}${libdir}/firewall/
+    install -m 0644 ${WORKDIR}/99-network-device.rules ${D}${base_libdir}/udev/rules.d/
+    install -m 0644 ${WORKDIR}/firewall.conf ${D}${libdir}/tmpfiles.d/
+}
+
+FILES_${PN} = " \
+    ${base_libdir}/udev/rules.d \
+    ${libdir}/tmpfiles.d \
+    ${libdir}/firewall/services \
+    ${libdir}/firewall/* \
+    ${bindir}/* \
+    ${systemd_unitdir}/system/* \
+"
+
+SYSTEMD_SERVICE_${PN} = " \
+    firewall.service \
+    firewall.path \
+"

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+SUBSYSTEM=="net", ENV{SYSTEMD_WANTS}="network-device-event@$name.service"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# tmpfiles.d`
	`2`	`+d /run/firewall 0600 root root - -`