-
-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for ACLs for bridge NIC device when using nftables driver. #1225
Conversation
Support for ACLs for bridge NIC device when using nftables driver. Signed-off-by: Mike Robski <[email protected]>
Support for security.acls* fields for bridge NIC device when using nftables driver. Signed-off-by: Mike Robski <[email protected]>
Support for ACLs for bridge NIC device when using nftables driver. Modified nftable template to allow combining fitering and ACL rules. Updated ACL processing to detect bridge NIC devices with ACL applied and re-generate nftable if the instance is running. Signed-off-by: Mike Robski <[email protected]>
Support for ACLs for bridge NIC device when using nftables driver. Signed-off-by: Mike Robski <[email protected]>
I'm confused by that comment, nftables does have a |
@mikerobski any chance that you can open PRs from a personal fork? That would then let me push rebases and tweaks on top of your change to tweak it until it's in shape for merging, avoiding needless back and forth for tiny changes to your PR. |
@mikerobski And sorry for the delay on this one. It's been a bit of a crazy time on my end what between getting married and a whole bunch of travel. I somehow remembered this PR being more complex than it is now, possibly because of a previous version of it. As it stands, this is well structured and pretty minimal so we should be able to get this into shape and merged pretty quick. It looks like I'll want to do a few small edits to the doc, add an API extension string and some other minor changes, but outside of the |
The ACL rules we add are L2 and reject nft rule is not being accepted for the bridge family. |
Ah, right, makes sense when processed at the L2 level. |
I will look into it, but it may take me some time to figure out. |
This works perfectly fine here and results in the expected:
|
While indeed it works for input, it does not work for forward:
It will be confusing to allow the reject rule when it is not supported for the forward chain, right? |
When is the forward table being hit in the bridge case? Btw, I just noticed a bit of a problem when testing this branch locally here.
Then both containers can interact with the internet just fine, the container with no ACL applied can interact with all other containers except for the one with the ACL applied. So far that's normal. What's not normal is that the container with the ACL applied is completely unable to interact with the container which doesn't have the ACL applied even though the restricted container has an rule allowing all egress. Trying to ping from the container with the ACL to the one without only shows ARP going out and being responded to, no actual ICMP packet, so that'd suggest that the ARP response isn't making it back to the container with the ACL. |
Signed-off-by: Mike Robski <[email protected]>
@stgraber the nftemplate was adjusted to support the setup you were testing and some additional edge cases. |
Confirmed that the branch fixes the instance to instance communication issue. |
Can you respond to those? |
Yes, forward table is used for instances with interfaces on the same bridge. |
Okay, I think I'd be fine with supporting rejects and just converting them to drop in the forward table. The reality is that 90% of the time folks are going to care about ingress/egress to things outside of the bridge, so having reject support on that would be very good as drop on egress is a pretty brutal behavior that will often cause issues. |
The implementation does the conversion of reject to drop only for the default ACL rules. The rest of the rules are inspected and using a |
Yeah, I know. What I'm saying is that given that Then the documentation should just mention that when using ACLs with And so for everything else, which should be the very vast majority of rules, |
Signed-off-by: Mike Robski <[email protected]>
Signed-off-by: Mike Robski <[email protected]>
Signed-off-by: Mike Robski <[email protected]>
Signed-off-by: Mike Robski <[email protected]>
The code was updated to allow |
I'm looking at this one now. I've got a bunch of smaller changes, mostly rebasing and re-titling things. I also added an extra check in one of the functions so we don't try to update instances that are on another cluster member when updating a bridge ACL. The current logic with the
So I'm looking at a better way to directly hit the device update codepath for the device we care about without having to go through the rest of the logic. |
Allows "security.acls*" fields to be used to apply ACLs to bridge NIC device when the firewall driver is nftables.
Since the nftables do not support "reject" rules, the implementation converts the default rules from "reject" to "drop" when needed.
The ACL rules are applied together with the filtering rules, if specified. The filtering rules are applied before the ACL rules and are enforced even if the ACL definition contains allow rule that permits the traffic.