Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for ACLs for bridge NIC device when using nftables driver. #1225

Closed
wants to merge 9 commits into from

Conversation

mikerobski
Copy link
Contributor

Allows "security.acls*" fields to be used to apply ACLs to bridge NIC device when the firewall driver is nftables.

Since the nftables do not support "reject" rules, the implementation converts the default rules from "reject" to "drop" when needed.

The ACL rules are applied together with the filtering rules, if specified. The filtering rules are applied before the ACL rules and are enforced even if the ACL definition contains allow rule that permits the traffic.

Support for ACLs for bridge NIC device when using nftables driver.

Signed-off-by: Mike Robski <[email protected]>
Support for security.acls* fields for bridge NIC device when using nftables driver.

Signed-off-by: Mike Robski <[email protected]>
Support for ACLs for bridge NIC device when using nftables driver.
Modified nftable template to allow combining fitering and ACL rules.
Updated ACL processing to detect bridge NIC devices with ACL applied and re-generate nftable if the instance is running.

Signed-off-by: Mike Robski <[email protected]>
Support for ACLs for bridge NIC device when using nftables driver.

Signed-off-by: Mike Robski <[email protected]>
@github-actions github-actions bot added the Documentation Documentation needs updating label Sep 18, 2024
@stgraber
Copy link
Member

Since the nftables do not support "reject" rules, the implementation converts the default rules from "reject" to "drop" when needed.

I'm confused by that comment, nftables does have a reject target, what do you mean by that?

@stgraber
Copy link
Member

@mikerobski any chance that you can open PRs from a personal fork?

That would then let me push rebases and tweaks on top of your change to tweak it until it's in shape for merging, avoiding needless back and forth for tiny changes to your PR.

@stgraber
Copy link
Member

@mikerobski And sorry for the delay on this one. It's been a bit of a crazy time on my end what between getting married and a whole bunch of travel. I somehow remembered this PR being more complex than it is now, possibly because of a previous version of it. As it stands, this is well structured and pretty minimal so we should be able to get this into shape and merged pretty quick.

It looks like I'll want to do a few small edits to the doc, add an API extension string and some other minor changes, but outside of the drop vs reject thing, this looks well structured and almost good to go.

@mikerobski
Copy link
Contributor Author

Since the nftables do not support "reject" rules, the implementation converts the default rules from "reject" to "drop" when needed.

I'm confused by that comment, nftables does have a reject target, what do you mean by that?

The ACL rules we add are L2 and reject nft rule is not being accepted for the bridge family.

@stgraber
Copy link
Member

The ACL rules we add are L2 and reject nft rule is not being accepted for the bridge family.

Ah, right, makes sense when processed at the L2 level.

@mikerobski
Copy link
Contributor Author

@mikerobski any chance that you can open PRs from a personal fork?

That would then let me push rebases and tweaks on top of your change to tweak it until it's in shape for merging, avoiding needless back and forth for tiny changes to your PR.

I will look into it, but it may take me some time to figure out.

@stgraber
Copy link
Member

stgraber commented Dec 20, 2024

Ah, right, makes sense when processed at the L2 level.

stgraber@dakara:~/data/code/lxc/incus (pr1225)$ sudo nft delete rule bridge incus in.u1.eth0 handle 34
stgraber@dakara:~/data/code/lxc/incus (pr1225)$ sudo nft insert rule bridge incus in.u1.eth0 iifname "veth078cc364" ip daddr 1.1.1.1 reject
stgraber@dakara:~/data/code/lxc/incus (pr1225)$ 

This works perfectly fine here and results in the expected:

root@u1:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 1.1.1.1 icmp_seq=1 Destination Port Unreachable
From 1.1.1.1 icmp_seq=2 Destination Port Unreachable
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1022ms

root@u1:~# 

@mikerobski
Copy link
Contributor Author

Ah, right, makes sense when processed at the L2 level.

stgraber@dakara:~/data/code/lxc/incus (pr1225)$ sudo nft delete rule bridge incus in.u1.eth0 handle 34
stgraber@dakara:~/data/code/lxc/incus (pr1225)$ sudo nft insert rule bridge incus in.u1.eth0 iifname "veth078cc364" ip daddr 1.1.1.1 reject
stgraber@dakara:~/data/code/lxc/incus (pr1225)$ 

This works perfectly fine here and results in the expected:

root@u1:~# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
From 1.1.1.1 icmp_seq=1 Destination Port Unreachable
From 1.1.1.1 icmp_seq=2 Destination Port Unreachable
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1022ms

root@u1:~# 

While indeed it works for input, it does not work for forward:

table bridge incus {
        chain fwd.vm01.eth0 {
                type filter hook forward priority filter; policy accept;
                ip daddr 1.1.1.1 counter packets 0 bytes 0 drop
                ip daddr 1.1.1.1 counter packets 0 bytes 0 drop
        }

        chain in.vm01.eth0 {
                type filter hook input priority filter; policy accept;
                ip daddr 1.1.1.1 counter packets 0 bytes 0 drop
                ip daddr 1.1.1.1 counter packets 0 bytes 0 reject with icmp port-unreachable
        }
}
nft add rule bridge incus fwd.vm01.eth0 ip daddr 1.1.1.1 counter reject
Error: Could not process rule: Operation not supported
add rule bridge incus fwd.vm01.eth0 ip daddr 1.1.1.1 counter reject
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

It will be confusing to allow the reject rule when it is not supported for the forward chain, right?

@stgraber
Copy link
Member

When is the forward table being hit in the bridge case?
Is that for connections between interfaces on the same bridge?

Btw, I just noticed a bit of a problem when testing this branch locally here.
If I create two containers and only apply an ACL to one of them:

egress:
- action: allow
  state: enabled
- action: drop
  destination: 1.1.1.1
  state: enabled
ingress: []

Then both containers can interact with the internet just fine, the container with no ACL applied can interact with all other containers except for the one with the ACL applied. So far that's normal.

What's not normal is that the container with the ACL applied is completely unable to interact with the container which doesn't have the ACL applied even though the restricted container has an rule allowing all egress.

Trying to ping from the container with the ACL to the one without only shows ARP going out and being responded to, no actual ICMP packet, so that'd suggest that the ARP response isn't making it back to the container with the ACL.

@mikerobski
Copy link
Contributor Author

@stgraber the nftemplate was adjusted to support the setup you were testing and some additional edge cases.

@stgraber
Copy link
Member

Confirmed that the branch fixes the instance to instance communication issue.

@stgraber
Copy link
Member

When is the forward table being hit in the bridge case?
Is that for connections between interfaces on the same bridge?

Can you respond to those?

@mikerobski
Copy link
Contributor Author

When is the forward table being hit in the bridge case?
Is that for connections between interfaces on the same bridge?

Can you respond to those?

Yes, forward table is used for instances with interfaces on the same bridge.

@stgraber
Copy link
Member

Okay, I think I'd be fine with supporting rejects and just converting them to drop in the forward table.
We'll obviously want a documentation note about this behavior, but that should be fine.

The reality is that 90% of the time folks are going to care about ingress/egress to things outside of the bridge, so having reject support on that would be very good as drop on egress is a pretty brutal behavior that will often cause issues.

@mikerobski
Copy link
Contributor Author

Okay, I think I'd be fine with supporting rejects and just converting them to drop in the forward table. We'll obviously want a documentation note about this behavior, but that should be fine.

The reality is that 90% of the time folks are going to care about ingress/egress to things outside of the bridge, so having reject support on that would be very good as drop on egress is a pretty brutal behavior that will often cause issues.

The implementation does the conversion of reject to drop only for the default ACL rules. The rest of the rules are inspected and using a reject action will result in an error "Invalid action reject for bridge filter".
This behavior is described in the network_acls.md edit.

@stgraber
Copy link
Member

The implementation does the conversion of reject to drop only for the default ACL rules. The rest of the rules are inspected and using a reject action will result in an error "Invalid action reject for bridge filter".
This behavior is described in the network_acls.md edit.

Yeah, I know. What I'm saying is that given that reject only needs to be turned into a drop when put in the forward table (instance to instance communication), I'd like to still allow for reject as an action and just internally turn those into drop when generating the forward entries.

Then the documentation should just mention that when using ACLs with nft, instance to instance traffic within the same network is dropped rather than rejected due to a nft limitation.

And so for everything else, which should be the very vast majority of rules, reject will work as expected.

@mikerobski
Copy link
Contributor Author

Yeah, I know. What I'm saying is that given that reject only needs to be turned into a drop when put in the forward table (instance to instance communication), I'd like to still allow for reject as an action and just internally turn those into drop when generating the forward entries.

Then the documentation should just mention that when using ACLs with nft, instance to instance traffic within the same network is dropped rather than rejected due to a nft limitation.

And so for everything else, which should be the very vast majority of rules, reject will work as expected.

The code was updated to allow reject rules and to convert them to drop for the forward and output chains.
I also updated the documentation to explain this behavior.

@stgraber
Copy link
Member

I'm looking at this one now. I've got a bunch of smaller changes, mostly rebasing and re-titling things. I also added an extra check in one of the functions so we don't try to update instances that are on another cluster member when updating a bridge ACL.

The current logic with the force_update flag has quite a few problems:

  • It relies on the instance having a local device for that network (not common, most use a profile)
  • It triggers a very costly full instance config Update
  • Because updates send out /dev/incus notifications, the guest will be notify of a change despite not seeing any actual change in the configuration

So I'm looking at a better way to directly hit the device update codepath for the device we care about without having to go through the rest of the logic.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Documentation Documentation needs updating
Development

Successfully merging this pull request may close these issues.

2 participants