3 роки тому · e1724dda70
--- a/_modules/ffho_netfilter.py
+++ b/_modules/ffho_netfilter.py
@@ -153,8 +153,8 @@ def generate_nat_policy (roles, config_context):
 
				 
			
 
				 
			
 
				 def _active_urpf (iface, iface_config):
			
 
				-	# Ignore loopback
			
 
				-	if iface == "lo":
			
 
				+	# Ignore loopbacks
			
 
				+	if iface == 'lo' or iface_config.get ('link-type', '') == 'dummy':
			
 
				 		return False
			
 
				 
			
 
				 	# Forcefully enable uRPF via tags on Netbox interface?
			
@@ -232,3 +232,15 @@ def allow_dhcp (fw_policy, roles):
 
				 			return True
			
 
				 
			
 
				 	return False
			
 
				+
			
 
				+
			
 
				+#
			
 
				+# Get a list of interfaces to allow VXLAN encapsulated traffic on
			
 
				+def get_vxlan_interfaces (interfaces):
			
 
				+	vxlan_ifaces = []
			
 
				+
			
 
				+	for iface in interfaces:
			
 
				+		if interfaces[iface].get ('batman_connect_sites'):
			
 
				+			vxlan_ifaces.append (iface)
			
 
				+
			
 
				+	return vxlan_ifaces
			
--- a/nftables/nftables.conf.tmpl
+++ b/nftables/nftables.conf.tmpl
@@ -19,6 +19,7 @@
 
				 {%- set nat_policy = salt['ffho_netfilter.generate_nat_policy'](roles, nf_cc) %}
			
 
				 {%- set urpf = salt['ffho_netfilter.generate_urpf_policy'](node_config['ifaces']) %}
			
 
				 {%- set allow_dhcp = salt['ffho_netfilter.allow_dhcp'](fw_policy, roles) %}
			
 
				+{%- set vxlan_ifaces = salt['ffho_netfilter.get_vxlan_interfaces'](node_config['ifaces']) %}
			
 
				 
			
 
				 flush ruleset
			
 
				 
			
@@ -37,7 +38,9 @@ table ip filter {
 
				 		iifname "lo" counter accept
			
 
				 		udp dport 0 counter drop
			
 
				 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
			
 
				+{%- if vxlan_ifaces %}
			
 
				 		udp dport 4789 jump vxlan
			
 
				+{%- endif %}
			
 
				 		jump urpf
			
 
				 		ip protocol icmp jump icmp_chain
			
 
				 		ct state invalid counter drop
			
@@ -123,12 +126,14 @@ table ip filter {
 
				 {%- endfor %}
			
 
				 	}
			
 
				 
			
 
				+{%- if vxlan_ifaces %}
			
 
				 	chain vxlan {
			
 
				-{%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
			
 
				+  {%- for iface in vxlan_ifaces %}
			
 
				 		iif {{ iface }} accept
			
 
				-{%- endfor %}
			
 
				+  {%- endfor %}
			
 
				 		counter drop
			
 
				 	}
			
 
				+{%- endif %}
			
 
				 
			
 
				 	chain log-drop {
			
 
				 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "
			
@@ -156,7 +161,9 @@ table ip6 filter {
 
				 		type filter hook input priority 0; policy drop;
			
 
				 		iifname "lo" counter accept
			
 
				 		tcp dport 7 counter drop comment "Ignore echo protocol queries"
			
 
				+{%- if vxlan_ifaces %}
			
 
				 		udp dport 4789 jump vxlan
			
 
				+{%- endif %}
			
 
				 		jump urpf
			
 
				 		meta l4proto icmpv6 jump icmp_chain
			
 
				 		ct state invalid counter drop
			
@@ -245,12 +252,14 @@ table ip6 filter {
 
				 {%- endfor %}
			
 
				 	}
			
 
				 
			
 
				+{%- if vxlan_ifaces %}
			
 
				 	chain vxlan {
			
 
				-{%- for iface in node_config['ifaces'] if node_config['ifaces'][iface].get ('batman_connect_sites') %}
			
 
				+  {%- for iface in vxlan_ifaces %}
			
 
				 		iif {{ iface }} accept
			
 
				-{%- endfor %}
			
 
				+  {%- endfor %}
			
 
				 		counter drop
			
 
				 	}
			
 
				+{%- endif %}
			
 
				 
			
 
				 	chain log-drop {
			
 
				 		limit rate 1/second burst 3 packets counter log prefix "netfilter: "