fix nftables (firewall) mechanism

2024-03-05 11:16:27 +01:00
parent 42d80f9567
commit 6f025880ce
3 changed files with 36 additions and 3 deletions
--- a/install.py
+++ b/install.py
@ -149,6 +149,7 @@ def router(**opts):
    if not opts:
        return None
    try:
+        os.remove(join(TOOLS, 'to_system/etc/nftables.conf'))
        with open(f'{TOOLS}/requirements.txt') as f:
            pip_requirements['root']['tools'] = f.read()
    except FileNotFoundError:
@ -193,7 +194,7 @@ def pip():
                    os.remove(tmpname)
            else:
                print(pipcmd)
-            # unix_cmd(pipcmd, stdout=None)
+            unix_cmd(pipcmd, stdout=None)
            show.dirty = True


@ -506,7 +507,7 @@ def handle_config():
        if parser.has_section(section):
           servicecfg = service_func(**dict(parser[section]))
        else:
-           servicecfg = None
+           servicecfg = service_func()  # allow to handle missing service
        result = unix_cmd('systemctl show -p WantedBy -p ActiveState %s' % service, True)
        active = False
        enabled = False
@ -522,6 +523,12 @@ def handle_config():
            if enabled:
                unix_cmd('systemctl disable %s' % service)
                show.dirty = True
+            if service == 'router' and active or enabled:
+                if doit:
+                     shutil.copy(join(TOOLS, 'nftables.conf'), '/etc/nftables.conf')
+                else:
+                     print('cp nftables.conf /etc/nftables.conf')
+                unix_cmd('systemctl restart nftables')
        else:
            if not enabled:
                to_start[service] = 'enable'
--- a/nftables.conf
+++ b/nftables.conf
@ -0,0 +1,25 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+
+    # accept any localhost traffic
+    iif lo accept
+
+    # accept traffic originated from us
+    ct state established,related accept
+
+    # activate the following line to accept common local services
+    tcp dport { 22 } ct state new accept
+
+    # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
+    meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
+    ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
+
+    # count and drop any other traffic
+    counter drop
+  }
+}
--- a/router.py
+++ b/router.py
@ -423,7 +423,8 @@ class Service:
                with open('f{FIREWALL_CONF}.tmp', 'w') as f:
                    f.write(content.replace(prevline, line))
                os.rename('f{FIREWALL_CONF}.tmp', FIREWALL_CONF)
-                unix_cmd('systemctl enable --now nftables')
+                unix_cmd('systemctl restart nftables')
+                unix_cmd('systemctl enable nftables')
            else:
                print('need sudo rights to modify firewall')