Merge pull request #883 from mheon/nftables

Initial draft of nftables support
containers · Jan 10, 2024 · 5366e8f · 5366e8f
2 parents 86ce937 + db43e53
commit 5366e8f
Show file tree

Hide file tree

Showing 11 changed files with 2,248 additions and 71 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -49,6 +49,7 @@ sha2 = "0.10.8"
 netlink-packet-utils = "0.5.2"
 netlink-packet-route = "0.18.1"
 netlink-packet-core = "0.7.0"
+nftables = "0.2.4"
 fs2 = "0.4.3"
 netlink-sys = "0.8.5"
 tokio = { version = "1.35", features = ["rt", "rt-multi-thread", "signal", "fs"] }

diff --git a/src/error/mod.rs b/src/error/mod.rs
@@ -81,6 +81,11 @@ pub enum NetavarkError {
     DHCPProxy(tonic::Status),
 
     List(NetavarkErrorList),
+
+    Nftables(nftables::helper::NftablesError),
+
+    SubnetParse(ipnet::AddrParseError),
+    AddrParse(std::net::AddrParseError),
 }
 
 /// Internal struct for JSON output
@@ -160,6 +165,9 @@ impl fmt::Display for NetavarkError {
                     Ok(())
                 }
             }
+            NetavarkError::Nftables(e) => write!(f, "nftables error: {e}"),
+            NetavarkError::SubnetParse(e) => write!(f, "parsing IP subnet error: {e}"),
+            NetavarkError::AddrParse(e) => write!(f, "parsing IP address error: {e}"),
         }
     }
 }
@@ -213,3 +221,21 @@ impl From<tonic::Status> for NetavarkError {
         NetavarkError::DHCPProxy(err)
     }
 }
+
+impl From<nftables::helper::NftablesError> for NetavarkError {
+    fn from(err: nftables::helper::NftablesError) -> Self {
+        NetavarkError::Nftables(err)
+    }
+}
+
+impl From<ipnet::AddrParseError> for NetavarkError {
+    fn from(err: ipnet::AddrParseError) -> Self {
+        NetavarkError::SubnetParse(err)
+    }
+}
+
+impl From<std::net::AddrParseError> for NetavarkError {
+    fn from(err: std::net::AddrParseError) -> Self {
+        NetavarkError::AddrParse(err)
+    }
+}
diff --git a/src/firewall/firewalld.rs b/src/firewall/firewalld.rs
@@ -4,7 +4,7 @@ use crate::network::internal_types;
 use crate::network::internal_types::{PortForwardConfig, TearDownNetwork, TeardownPortForward};
 use crate::network::types::PortMapping;
 use core::convert::TryFrom;
-use log::{debug, info};
+use log::{debug, info, warn};
 use std::collections::HashMap;
 use std::vec::Vec;
 use zbus::{
@@ -679,3 +679,70 @@ fn make_port_tuple(port: &PortMapping, addr: &str) -> (String, String, String, S
         to_return
     }
 }
+
+/// Check if firewalld is running.
+/// Not used within the firewalld driver, but by other drivers that may need to
+/// interact with firewalld.
+pub fn is_firewalld_running(conn: &Connection) -> bool {
+    conn.call_method(
+        Some("org.freedesktop.DBus"),
+        "/org/freedesktop/DBus",
+        Some("org.freedesktop.DBus"),
+        "GetNameOwner",
+        &"org.fedoraproject.FirewallD1",
+    )
+    .is_ok()
+}
+
+/// If possible, add a firewalld rule to allow traffic.
+/// Ignore all errors, beyond possibly logging them.
+/// Not used within the firewalld driver, but by other drivers that may need to
+/// interact with firewalld.
+pub fn add_firewalld_if_possible(net: &ipnet::IpNet) {
+    let conn = match Connection::system() {
+        Ok(conn) => conn,
+        Err(_) => return,
+    };
+    if !is_firewalld_running(&conn) {
+        return;
+    }
+    debug!("Adding firewalld rules for network {}", net.to_string());
+
+    match add_source_subnets_to_zone(&conn, "trusted", &[*net]) {
+        Ok(_) => {}
+        Err(e) => warn!(
+            "Error adding subnet {} from firewalld trusted zone: {}",
+            net.to_string(),
+            e
+        ),
+    }
+}
+
+/// If possible, remove a firewalld rule to allow traffic.
+/// Ignore all errors, beyond possibly logging them.
+/// Not used within the firewalld driver, but by other drivers that may need to
+/// interact with firewalld.
+pub fn rm_firewalld_if_possible(net: &ipnet::IpNet) {
+    let conn = match Connection::system() {
+        Ok(conn) => conn,
+        Err(_) => return,
+    };
+    if !is_firewalld_running(&conn) {
+        return;
+    }
+    debug!("Removing firewalld rules for IPs {}", net.to_string());
+    match conn.call_method(
+        Some("org.fedoraproject.FirewallD1"),
+        "/org/fedoraproject/FirewallD1",
+        Some("org.fedoraproject.FirewallD1.zone"),
+        "removeSource",
+        &("trusted", net.to_string()),
+    ) {
+        Ok(_) => {}
+        Err(e) => warn!(
+            "Error removing subnet {} from firewalld trusted zone: {}",
+            net.to_string(),
+            e
+        ),
+    };
+}
diff --git a/src/firewall/iptables.rs b/src/firewall/iptables.rs
@@ -10,8 +10,6 @@ use crate::network::internal_types::{
 };
 use iptables;
 use iptables::IPTables;
-use log::{debug, warn};
-use zbus::blocking::Connection;
 
 pub(crate) const MAX_HASH_SIZE: usize = 13;
 
@@ -64,7 +62,7 @@ impl firewall::FirewallDriver for IptablesDriver {
 
                 create_network_chains(chains)?;
 
-                add_firewalld_if_possible(&network);
+                firewalld::add_firewalld_if_possible(&network);
             }
         }
         Ok(())
@@ -106,7 +104,7 @@ impl firewall::FirewallDriver for IptablesDriver {
                 }
 
                 if tear.complete_teardown {
-                    rm_firewalld_if_possible(&network)
+                    firewalld::rm_firewalld_if_possible(&network)
                 }
             }
         }
@@ -216,64 +214,3 @@ impl firewall::FirewallDriver for IptablesDriver {
         Result::Ok(())
     }
 }
-
-/// Check if firewalld is running
-fn is_firewalld_running(conn: &Connection) -> bool {
-    conn.call_method(
-        Some("org.freedesktop.DBus"),
-        "/org/freedesktop/DBus",
-        Some("org.freedesktop.DBus"),
-        "GetNameOwner",
-        &"org.fedoraproject.FirewallD1",
-    )
-    .is_ok()
-}
-
-/// If possible, add a firewalld rule to allow traffic.
-/// Ignore all errors, beyond possibly logging them.
-fn add_firewalld_if_possible(net: &ipnet::IpNet) {
-    let conn = match Connection::system() {
-        Ok(conn) => conn,
-        Err(_) => return,
-    };
-    if !is_firewalld_running(&conn) {
-        return;
-    }
-    debug!("Adding firewalld rules for network {}", net.to_string());
-
-    match firewalld::add_source_subnets_to_zone(&conn, "trusted", &[*net]) {
-        Ok(_) => {}
-        Err(e) => warn!(
-            "Error adding subnet {} from firewalld trusted zone: {}",
-            net.to_string(),
-            e
-        ),
-    }
-}
-
-// If possible, remove a firewalld rule to allow traffic.
-// Ignore all errors, beyond possibly logging them.
-fn rm_firewalld_if_possible(net: &ipnet::IpNet) {
-    let conn = match Connection::system() {
-        Ok(conn) => conn,
-        Err(_) => return,
-    };
-    if !is_firewalld_running(&conn) {
-        return;
-    }
-    debug!("Removing firewalld rules for IPs {}", net.to_string());
-    match conn.call_method(
-        Some("org.fedoraproject.FirewallD1"),
-        "/org/fedoraproject/FirewallD1",
-        Some("org.fedoraproject.FirewallD1.zone"),
-        "removeSource",
-        &("trusted", net.to_string()),
-    ) {
-        Ok(_) => {}
-        Err(e) => warn!(
-            "Error removing subnet {} from firewalld trusted zone: {}",
-            net.to_string(),
-            e
-        ),
-    };
-}
diff --git a/src/firewall/mod.rs b/src/firewall/mod.rs
@@ -8,6 +8,7 @@ use zbus::blocking::Connection;
 pub mod firewalld;
 pub mod fwnone;
 pub mod iptables;
+pub mod nft;
 pub mod state;
 mod varktables;
 
@@ -108,9 +109,7 @@ pub fn get_supported_firewall_driver(
             }
             FirewallImpl::Nftables => {
                 info!("Using nftables firewall driver");
-                Err(NetavarkError::msg(
-                    "nftables support presently not available",
-                ))
+                nft::new()
             }
             FirewallImpl::Fwnone => {
                 info!("Not using firewall");