07 May, 2021 12 commits
    • firewall: merge branch 'th/firewall' · 661934e4
      Thomas Haller authored
      !841
    • firewall: rename NMUtilsShareRules to NMFirewallConfig · aa859d85
      Thomas Haller authored
      It's still not a very good name, but it seems better than
      NMUtilsShareRules.
      
      Currently, NMFirewallConfig is mostly about masquerading for shared
      mode. But in practice, it's a piece of configuration for something to
      configure in the firewall (the NAT and filter rules).
    • firewall: rework iptables rules for shared mode to use custom chain · ad371200
      Thomas Haller authored
      - add our own rules to a separate custom chain. This allows
        to simply flush and delete the chain. This is supposed to
        interfere less with what is already configured on the system.
      
      - also use comments to our rules, so that we can delete them
        more explicitly and don't kill the wrong rule.
      
      - rework the code how we call iptables. We no longer create a list
        of argv arguments that we iterate over. Instead, call functions that
        do the job. The actual arguments move further down the call stack.
      
      - enabling masquerading is now more separate from our other shared
        rules. These two things are mostly independent and the code now
        reflects that.
      
      Before:
        up:   /usr/sbin/iptables --table filter --insert INPUT --in-interface eth0 --protocol tcp --destination-port 53 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --insert INPUT --in-interface eth0 --protocol udp --destination-port 53 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --insert INPUT --in-interface eth0 --protocol tcp --destination-port 67 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --insert INPUT --in-interface eth0 --protocol udp --destination-port 67 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --insert FORWARD --in-interface eth0 --jump REJECT
        up:   /usr/sbin/iptables --table filter --insert FORWARD --out-interface eth0 --jump REJECT
        up:   /usr/sbin/iptables --table filter --insert FORWARD --in-interface eth0 --out-interface eth0 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --insert FORWARD --source 192.168.42.0/255.255.255.0 --in-interface eth0 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --insert FORWARD --destination 192.168.42.0/255.255.255.0 --out-interface eth0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
        up:   /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.42.0/255.255.255.0 ! --destination 192.168.42.0/255.255.255.0 --jump MASQUERADE
        down: /usr/sbin/iptables --table nat --delete POSTROUTING --source 192.168.42.0/255.255.255.0 ! --destination 192.168.42.0/255.255.255.0 --jump MASQUERADE
        down: /usr/sbin/iptables --table filter --delete FORWARD --destination 192.168.42.0/255.255.255.0 --out-interface eth0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
        down: /usr/sbin/iptables --table filter --delete FORWARD --source 192.168.42.0/255.255.255.0 --in-interface eth0 --jump ACCEPT
        down: /usr/sbin/iptables --table filter --delete FORWARD --in-interface eth0 --out-interface eth0 --jump ACCEPT
        down: /usr/sbin/iptables --table filter --delete FORWARD --out-interface eth0 --jump REJECT
        down: /usr/sbin/iptables --table filter --delete FORWARD --in-interface eth0 --jump REJECT
        down: /usr/sbin/iptables --table filter --delete INPUT --in-interface eth0 --protocol udp --destination-port 67 --jump ACCEPT
        down: /usr/sbin/iptables --table filter --delete INPUT --in-interface eth0 --protocol tcp --destination-port 67 --jump ACCEPT
        down: /usr/sbin/iptables --table filter --delete INPUT --in-interface eth0 --protocol udp --destination-port 53 --jump ACCEPT
        down: /usr/sbin/iptables --table filter --delete INPUT --in-interface eth0 --protocol tcp --destination-port 53 --jump ACCEPT
      
      Now:
      
        up:   /usr/sbin/iptables --table nat --insert POSTROUTING --source 192.168.42.0/24 ! --destination 192.168.42.0/24 --jump MASQUERADE -m comment --comment nm-shared-eth0
        up:   /usr/sbin/iptables --table filter --new-chain nm-sh-in-eth0
        up:   /usr/sbin/iptables --table filter --append nm-sh-in-eth0 --protocol tcp --destination-port 67 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --append nm-sh-in-eth0 --protocol udp --destination-port 67 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --append nm-sh-in-eth0 --protocol tcp --destination-port 53 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --append nm-sh-in-eth0 --protocol udp --destination-port 53 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --new-chain nm-sh-fw-eth0
        up:   /usr/sbin/iptables --table filter --append nm-sh-fw-eth0 --destination 192.168.42.0/24 --out-interface eth0 --match state --state ESTABLISHED,RELATED --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --append nm-sh-fw-eth0 --source 192.168.42.0/24 --in-interface eth0 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --append nm-sh-fw-eth0 --in-interface eth0 --out-interface eth0 --jump ACCEPT
        up:   /usr/sbin/iptables --table filter --append nm-sh-fw-eth0 --out-interface eth0 --jump REJECT
        up:   /usr/sbin/iptables --table filter --append nm-sh-fw-eth0 --in-interface eth0 --jump REJECT
        up:   /usr/sbin/iptables --table filter --insert INPUT --in-interface eth0 --jump nm-sh-in-eth0 -m comment --comment nm-shared-eth0
        up:   /usr/sbin/iptables --table filter --insert FORWARD --jump nm-sh-fw-eth0 -m comment --comment nm-shared-eth0
        down: /usr/sbin/iptables --table nat --delete POSTROUTING --source 192.168.42.0/24 ! --destination 192.168.42.0/24 --jump MASQUERADE -m comment --comment nm-shared-eth0
        down: /usr/sbin/iptables --table filter --delete INPUT --in-interface eth0 --jump nm-sh-in-eth0 -m comment --comment nm-shared-eth0
        down: /usr/sbin/iptables --table filter --delete FORWARD --jump nm-sh-fw-eth0 -m comment --comment nm-shared-eth0
        down: /usr/sbin/iptables --table filter --flush nm-sh-in-eth0
        down: /usr/sbin/iptables --table filter --delete-chain nm-sh-in-eth0
        down: /usr/sbin/iptables --table filter --flush nm-sh-fw-eth0
        down: /usr/sbin/iptables --table filter --delete-chain nm-sh-fw-eth0
    • firewall: extract _share_iptables_set_masquerade() helper · c752de22
      Thomas Haller authored
      When we configure iptables rules, we really do two independent
      steps: enable masquerading and do some filtering.
      
      As such, introduce a helper method _share_iptables_set_masquerade() for
      the masquerading part.
      
      nm_utils_share_rules_apply() is at the moment a bit odd, because
      of the order in which we add/remove the rule. This will get better next.
    • firewall: use prefix length instead of netmask for iptables arguments · f5e12f39
      Thomas Haller authored
      The form "address/netmask" is unnecessarily verbose. iptables
      supports prefix length notation just fine.
    • firewall: rework NMUtilsShareRules to generate argv on demand · 2277c949
      Thomas Haller authored
      Previously, NMUtilsShareRules basically was tracking a list of command
      line arguments, and during apply(), it would spawn the (iptables)
      processes.
      
      But in practice, this list was always pre-determined by a few
      parameters, the interface name and the subnet. Instead of keeping the
      list of arguments, only keep those few parameters. And generate the list
      of arguments only for the short time when we need them.
      
      The difference is that we will want to support nftables too. Later,
      we can just generate a different list of commands, but there is no
      need to keep this list around.
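As an added illustration of the design described in ad371200 and 2277c949 (this is not NetworkManager's code; the function and helper names are my own), the generator below takes only the interface name and the subnet and produces the "Now" command lists on demand: per-interface custom chains, comment-tagged hook rules so teardown deletes exactly the right rule, and prefix-length notation regardless of whether the subnet is given as a netmask or a prefix (f5e12f39).

```python
import ipaddress

IPTABLES = "/usr/sbin/iptables"  # assumed path, as in the commit message


def _cmd(table, *args):
    """Build one iptables argv for the given table."""
    return [IPTABLES, "--table", table, *args]


def share_rules(iface, subnet):
    """Return (up, down): argv lists to set up and tear down shared-mode rules.

    Nothing is kept between calls except the two parameters; the lists are
    regenerated whenever they are needed. Accepts "a.b.c.d/24" or the older
    "a.b.c.d/255.255.255.0" form and always emits prefix-length notation.
    """
    network = ipaddress.ip_network(subnet, strict=False)
    net = f"{network.network_address}/{network.prefixlen}"
    tag = ("-m", "comment", "--comment", f"nm-shared-{iface}")  # identifies our hooks
    chain_in, chain_fw = f"nm-sh-in-{iface}", f"nm-sh-fw-{iface}"
    masq = ("--source", net, "!", "--destination", net, "--jump", "MASQUERADE", *tag)

    up = [_cmd("nat", "--insert", "POSTROUTING", *masq),
          _cmd("filter", "--new-chain", chain_in)]
    for port in ("67", "53"):  # DHCP and DNS for the shared clients
        for proto in ("tcp", "udp"):
            up.append(_cmd("filter", "--append", chain_in, "--protocol", proto,
                           "--destination-port", port, "--jump", "ACCEPT"))
    up += [
        _cmd("filter", "--new-chain", chain_fw),
        _cmd("filter", "--append", chain_fw, "--destination", net, "--out-interface", iface,
             "--match", "state", "--state", "ESTABLISHED,RELATED", "--jump", "ACCEPT"),
        _cmd("filter", "--append", chain_fw, "--source", net, "--in-interface", iface, "--jump", "ACCEPT"),
        _cmd("filter", "--append", chain_fw, "--in-interface", iface, "--out-interface", iface, "--jump", "ACCEPT"),
        _cmd("filter", "--append", chain_fw, "--out-interface", iface, "--jump", "REJECT"),
        _cmd("filter", "--append", chain_fw, "--in-interface", iface, "--jump", "REJECT"),
        # only these two hooks touch the built-in chains, and both carry the comment tag
        _cmd("filter", "--insert", "INPUT", "--in-interface", iface, "--jump", chain_in, *tag),
        _cmd("filter", "--insert", "FORWARD", "--jump", chain_fw, *tag),
    ]
    down = [  # unhook by exact tagged rule, then flush and drop our own chains
        _cmd("nat", "--delete", "POSTROUTING", *masq),
        _cmd("filter", "--delete", "INPUT", "--in-interface", iface, "--jump", chain_in, *tag),
        _cmd("filter", "--delete", "FORWARD", "--jump", chain_fw, *tag),
        _cmd("filter", "--flush", chain_in), _cmd("filter", "--delete-chain", chain_in),
        _cmd("filter", "--flush", chain_fw), _cmd("filter", "--delete-chain", chain_fw),
    ]
    return up, down
```

Joining each argv with spaces reproduces the "Now" listing above line for line; a later nftables backend would only need a second generator over the same two parameters.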
    • firewall: downgrade info logging for iptables commands · a9a33f2d
      Thomas Haller authored
      Sure, it's interesting to see the actual iptables commands in the log.
      But not at <info> level!
    • firewall: fix adding duplicate iptables rules for shared mode · 60744889
      Thomas Haller authored
      nm_act_request_set_shared() already calls nm_utils_share_rules_apply().
      Calling it twice is pretty bad because during deactivate we will only
      remove one of each duplicate rule.
      
      Fixes: 701654b9 ('core: refactor tracking of shared-rules to use NMUtilsShareRules')