
nftables: Only generate VXLAN roles when required

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 2 年之前
當前提交
e1724dda70
共有 2 個文件被更改,包括 27 次插入6 次删除
  1. 14 2
      _modules/ffho_netfilter.py
  2. 13 4
      nftables/nftables.conf.tmpl

+ 14 - 2
_modules/ffho_netfilter.py

@@ -153,8 +153,8 @@ def generate_nat_policy (roles, config_context):
 
 
 def _active_urpf (iface, iface_config):
-	# Ignore loopback
-	if iface == "lo":
+	# Ignore loopbacks
+	if iface == 'lo' or iface_config.get ('link-type', '') == 'dummy':
 		return False
 
 	# Forcefully enable uRPF via tags on Netbox interface?
@@ -232,3 +232,15 @@ def allow_dhcp (fw_policy, roles):
 			return True
 
 	return False
+
+
+#
+# Get a list of interfaces to allow VXLAN encapsulated traffic on
+def get_vxlan_interfaces (interfaces):
+	vxlan_ifaces = []
+
+	for iface in interfaces:
+		if interfaces[iface].get ('batman_connect_sites'):
+			vxlan_ifaces.append (iface)
+
+	return vxlan_ifaces
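Review bot: get_vxlan_interfaces (the new function at the end of this section) builds its result with a manual loop plus double dict lookup (`interfaces[iface]`) and carries only a bare `#` header instead of a docstring. The same behaviour fits on one line while iterating the items once: `return [iface for iface, cfg in interfaces.items () if cfg.get ('batman_connect_sites')]`, keeping the module's spacing style. A docstring stating that the returned interface names are those carrying the `batman_connect_sites` key and that they become the per-interface accept rules of the nftables `vxlan` chain would make the contract visible to the template author. In the first hunk, _active_urpf's body continues outside the hunk.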

+ 13 - 4
nftables/nftables.conf.tmpl

@@ -19,6 +19,7 @@
 {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](roles, nf_cc) %}
 {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config['ifaces']) %}
 {%- set allow_dhcp = salt['ffho_netfilter.allow_dhcp'](fw_policy, roles) %}
+{%- set vxlan_ifaces = salt['ffho_netfilter.get_vxlan_interfaces'](node_config['ifaces']) %}
 
 flush ruleset
 
@@ -37,7 +38,9 @@ table ip filter {
 		iifname "lo" counter accept
 		udp dport 0 counter drop
 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
+{%- if vxlan_ifaces %}
 		udp dport 4789 jump vxlan
+{%- endif %}
 		jump urpf
 		ip protocol icmp jump icmp_chain
 		ct state invalid counter drop
@@ -123,12 +126,14 @@ table ip filter {
 {%- endfor %}
 	}
 
+{%- if vxlan_ifaces %}
 	chain vxlan {
-{%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
+  {%- for iface in vxlan_ifaces %}
 		iif {{ iface }} accept
-{%- endfor %}
+  {%- endfor %}
 		counter drop
 	}
+{%- endif %}
 
 	chain log-drop {
 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
@@ -156,7 +161,9 @@ table ip6 filter {
 		type filter hook input priority 0; policy drop;
 		iifname "lo" counter accept
 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
+{%- if vxlan_ifaces %}
 		udp dport 4789 jump vxlan
+{%- endif %}
 		jump urpf
 		meta l4proto icmpv6 jump icmp_chain
 		ct state invalid counter drop
@@ -245,12 +252,14 @@ table ip6 filter {
 {%- endfor %}
 	}
 
+{%- if vxlan_ifaces %}
 	chain vxlan {
-{%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
+  {%- for iface in vxlan_ifaces %}
 		iif {{ iface }} accept
-{%- endfor %}
+  {%- endfor %}
 		counter drop
 	}
+{%- endif %}
 
 	chain log-drop {
 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
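Review bot: Wrapping `udp dport 4789 jump vxlan` in `{%- if vxlan_ifaces %}` (the ip filter hunk at the input chain, and the same edit in the ip6 filter hunk) changes what happens to VXLAN traffic on nodes without any batman_connect_sites interface: before, every UDP 4789 packet jumped into the `vxlan` chain and hit its `counter drop`; now it falls through to `jump urpf` and the rest of the input chain, which is not in view, so the explicit drop and its counter disappear. If the intent is only to avoid emitting an empty chain, an `{%- else %}` branch with `udp dport 4789 counter drop comment "no VXLAN interfaces"` would preserve the accounting and make the drop explicit in both tables. Separately, the re-indented `  {%- for iface in vxlan_ifaces %}` / `  {%- endfor %}` lines inside the chain definitions are harmless because `{%-` strips the preceding whitespace, but every other Jinja tag in this template sits at column 0, so the two leading spaces read as an accident.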