
nftables: Allow OSPF only on interfaces which should form an adjacency

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm hace 2 años
padre
commit
876ef52736
Se han modificado 2 ficheros con 22 adiciones y 2 borrados
  1. 13 0
      _modules/ffho_netfilter.py
  2. 9 2
      nftables/nftables.conf.tmpl

+ 13 - 0
_modules/ffho_netfilter.py

@@ -295,6 +295,19 @@ def generate_urpf_policy (interfaces):
 	return sorted_urpf
 
 
+#
+# Get a list of interfaces which will form OSPF adjacencies
+def get_ospf_active_interface (node_config):
+	ifaces = []
+
+	ospf_ifaces = ffho_net.get_ospf_interface_config (node_config, "doesnt_matter_here")
+
+	for iface in ffho_net.get_interface_list (ospf_ifaces):
+		if not ospf_ifaces[iface].get ('stub', False):
+			ifaces.append (iface)
+
+	return ifaces
+
 #
 # Get a list of interfaces to allow VXLAN encapsulated traffic on
 def get_vxlan_interfaces (interfaces):
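Review bot: The new helper `get_ospf_active_interface` has no docstring and its only non-obvious detail, the placeholder string `"doesnt_matter_here"` passed as the second argument to `ffho_net.get_ospf_interface_config`, is left unexplained; add a docstring saying it returns the names of interfaces with an OSPF config that are not marked `stub` (i.e. those expected to form an adjacency, which the nftables template uses to scope the OSPF accept rule), and a comment on that call such as `# the second argument is not relevant for extracting per-interface config here — confirm against ffho_net`, hedged because the helper is opaque from this file. The name is singular while it returns a list and the sibling helper is `get_vxlan_interfaces`; `get_ospf_active_interfaces` would match. Since the result is interpolated straight into the nftables ruleset and the uRPF helper above returns a sorted result, returning `sorted (ifaces)` would keep the generated ruleset deterministic unless `get_interface_list` already guarantees order.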

+ 9 - 2
nftables/nftables.conf.tmpl

@@ -16,6 +16,7 @@
 {%- set forward = salt['ffho_netfilter.generate_forward_policy'](fw_config, node_config) %}
 {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](node_config) %}
 {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config['ifaces']) %}
+{%- set ospf_ifaces = salt['ffho_netfilter.get_ospf_active_interface'](node_config) %}
 {%- set vxlan_ifaces = salt['ffho_netfilter.get_vxlan_interfaces'](node_config['ifaces']) %}
 
 flush ruleset
@@ -44,8 +45,11 @@ table ip filter {
 		jump admin_access
 		jump monitoring
 		tcp dport 22 counter jump ssh
+{%- if ospf_ifaces %}
+		{#- ifname sets are introduced in nftables 2.11 #}
+		meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept
+{%- endif %}
 {%- if 'router' in roles %}
-		ip daddr { 224.0.0.5, 224.0.0.6 } meta l4proto ospf counter accept
 		tcp dport 179 counter jump bgp
 {%- endif %}
 		ct state related,established counter accept
@@ -162,8 +166,11 @@ table ip6 filter {
 		jump admin_access
 		jump monitoring
 		tcp dport 22 counter jump ssh
+{%- if ospf_ifaces %}
+		{#- ifname sets are introduced in nftables 2.11 #}
+		meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept
+{%- endif %}
 {%- if 'router' in roles %}
-		ip6 saddr fe80::/64 ip6 daddr { fe80::/10, ff02::5, ff02::6 } meta l4proto ospf counter accept
 		tcp dport 179 counter jump bgp
 {%- endif %}
 		ct state related,established counter accept
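Review bot: The new IPv6 rule drops the `ip6 saddr fe80::/64` check the removed rule enforced; OSPFv3 traffic between neighbours is link-local sourced, so keeping it alongside the interface match is cheap defence in depth: `ip6 saddr fe80::/64 meta l4proto ospf iif { {{ ospf_ifaces|join(', ') }} } counter accept` (the IPv4 rule could likewise retain the `224.0.0.5, 224.0.0.6` destination set if unicast OSPF is not needed). Interface names are emitted unquoted in both rules, so a name that collides with an nft keyword or contains characters outside nft's bare-string syntax breaks the whole ruleset at load time; quoting them, e.g. `iif { "{{ ospf_ifaces|join('", "') }}" }`, avoids that. The comment `ifname sets are introduced in nftables 2.11` looks like a wrong version number (nftables releases are 0.x/1.x), so it is worth checking which nft or kernel version is actually meant.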