machine configuration to manage firewall #4421

Closed
Tracked by #7561
smira opened this issue Oct 22, 2021 · 1 comment · Fixed by #7999
smira commented Oct 22, 2021

See https://github.com/sbezverk/nftableslib

First goal: define minimal but usable rule configuration we could put to the machine configuration. Format should be extensible in the future if we want to expand later.

  • only ingress traffic
  • if the port is defined in the rule, block everything which is not listed in ingress: section
  • if the port is not defined in any rule, NetworkDefaultAction is applied

```yaml
kind: NetworkRuleConfig
portSelector:
  ports: [6443, 10250]
  protocol: tcp
ingress:
  - cidr: 10.0.0.0/8
  - cidr: 2000:fd00::/16
---
kind: NetworkRuleConfig
portSelector:
  ports: [80, 1000-2000]
  protocol: tcp
ingress:
  - cidr: 192.168.0.0/16
    except: 192.168.64.0/24
---
kind: NetworkDefaultActionConfig
ingress: allow/block   # one of: allow, block
```

reyvonger commented Sep 21, 2022

I will be very happy to implement this feature 😀

@smira smira assigned smira and unassigned Ulexus Nov 7, 2023
smira added a commit to smira/talos that referenced this issue Nov 17, 2023
Implement initial set of backend controllers/resources to handle
nftables chains/rules etc.

Replace the KubeSpan nftables operations with controller-based.

See siderolabs#4421

Signed-off-by: Andrey Smirnov <[email protected]>
talos-bot pushed a commit that referenced this issue Nov 27, 2023
Implement initial set of backend controllers/resources to handle
nftables chains/rules etc.

Replace the KubeSpan nftables operations with controller-based.

See #4421

Signed-off-by: Andrey Smirnov <[email protected]>
smira added a commit to smira/talos that referenced this issue Nov 28, 2023
smira added a commit to smira/talos that referenced this issue Nov 29, 2023
Many changes to the nftables backend which will be used in the follow-up
PR with siderolabs#4421.

1. Add support for chain policy: drop/accept.
2. Properly handle match on all IPs in the set (`0.0.0.0/0` like).
3. Implement conntrack state matching.
4. Implement multiple ifname matching in a single rule.
5. Implement anonymous counters.

Signed-off-by: Andrey Smirnov <[email protected]>
smira added a commit to smira/talos that referenced this issue Nov 30, 2023
Fixes siderolabs#4421

See documentation for details on how to use the feature.

With `talosctl cluster create`, the firewall can be easily tested with
`--with-firewall=accept|block` (default mode).

Signed-off-by: Andrey Smirnov <[email protected]>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 9, 2024