-
-
Notifications
You must be signed in to change notification settings - Fork 13.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/{firewall,nat}: Standardize around an iptables-restore / nftables solution #4155
Comments
I have a working iptables-restore based firewall.nix/nat.nix that I've been playing with/testing for a few weeks, could clean it up in the next few days and push it to github if you like. I spoke to @edolstra about the idea previously and he mentioned there would be issues with packages that add/change iptables rules (e.g. libvirtd) getting their rules trashed by iptables-restore, currently my implementation just ignores this issue. |
I think there should be a common services.iptables configuration, used by On Fri, Sep 19, 2014 at 1:02 AM, Alexei Robyn notifications@github.com
www.debian.org - The Universal Operating System |
@lethalman I kind of like that the modules' naming in this case is more semantic rather than specifying the technologies involved, especially because it does mean they won't need to be arbitrarily renamed if the backend is changed. Also, keep in mind you can call iptables-restore just once from just one service but still have the configuration be spread across multiple modules if that provides for a cleaner interface. |
Iptables-restore trashes any stateful rules that were added. Running Wout.
|
Currently, are changes made to firewall/nat applied atomically (to prevent packet drops)? (this could be done using iptables-restore). To deal with external services also modifying iptables, there might be a way to merge the modifications together. Would the ipset utility help? http://ipset.netfilter.org/index.html |
ipset only helps for ip address matches, not for generic iptables rules. On Mon, Sep 14, 2015 at 11:13 PM Roger Qiu notifications@github.com wrote:
|
@wkennington iptables-restore does actually clear and apply the rules in a single transaction, and any errors simply result in the previous state continuing on as normal. There's no opportunity for packets to be incorrectly accepted or dropped. In what way is it not atomic? |
Ah, I didn't realize we had true atomic support with iptables-restore. At On Tue, Sep 15, 2015, 03:57 Alexei Robyn notifications@github.com wrote:
|
Let's try to shrink the problem at least. To address the external iptables rule I guess we need some intelligence in parsing iptables-save, in order to readd them in an eventual iptables-restore. Is that the only approach possible? |
What I'm worried about is how this will interact with On Tue, Sep 15, 2015, 11:09 lethalman notifications@github.com wrote:
|
Sacrificing |
That's utterly terrible given the only way to configure a marginally Again, this is why a new interface needs to be made. There is no reason why On Tue, Sep 15, 2015, 11:42 Eelco Dolstra notifications@github.com wrote:
|
What about when you need atomicity between iproute2 mutation and iptables mutation? Often for complex networks you would setup an virtual interfaces, network namespaces... etc, and then change the iptable rules. How can we compose these actions together into a single atomic change? @wkennington a new interface in the Nix language that abstracts over iptables/nftables? Would this mean that all servers will need to migrate to to this nix abstraction so that the point of synchronisation is at the nix language and not all over the place, where the network rules can diverge from what is specified in the nix configuration? |
(triage) any new leads? |
It would be quite nice to have something like |
I had a short discussion about this yesterday on the IRC channel with @cleverca22. There are other issues here like how this would interact with AFAICS there are basically two options:
For the
|
There should be a way for a program to lock iptables, while changing something else at the same time, and then unlock it. Other programs should then queue their iptable changes. Perhaps this can allow one to compose atomic network changes? |
Hmm, this sounds overkill and risky. Since firewall rules usually don't change often, wouldn't it be enough to apply our rules with iptables-restore and then reload the services that need to add custom rules ? |
that is one of the options i had on IRC a related option, is to patch the docker scripts to make a hook that returns a fragment of an iptables-restore file, and then you concat the output of all of the hooks and the real firewall, and pipe the final result into iptables-restore, but now docker has to provide that hook, and reload the firewall.service target to apply changes |
This is not a new problem. Every daemon that changes firewall rules has to deal with admins trashing the rules (just google Rather than trying to make service-specific workarounds, I think it would be sufficient to make declarative rules easier to filter out. Here is what I suggest:
This would allow arbitrarily complex firewall setups, apply them atomically, and interact seamlessly with daemons like fail2ban. Further steps may be:
|
Even simpler: we could instead append |
Any news on this issue? |
Some should combine these comments into an RFC so we can collaborate there
and close this issue. I have my plate full right now, any volunteers?
… |
Thank you for your contributions. This has been automatically marked as stale because it has had no activity for 180 days. If this is still important to you, we ask that you leave a comment below. Your comment can be as simple as "still important to me". This lets people see that at least one person still cares about this. Someone will have to do this at most twice a year if there is no other activity. Here are suggestions that might help resolve this more quickly:
|
still definitely important |
I marked this as stale due to inactivity. → More info |
Still important. I have my plate full with other RFC stuff right now, but am happy to help however I can short of driving that process. |
Is it possible to atomically replace individual tables inside nftables? The currently proposed If that's possible, one way out of this could be to have a NixOS-firewall specific nftables table. Other things could still mock around with |
That's a good idea. I don't know offhand, I'll wait for someone else to chime in and if nobody else does we should research it. |
Right now we use a command defined set of firewall rules. This allows for mutability of rules during normal operation and a simple, flexible interface for users to add new firewall rules using iptables commands.
While this approach has worked in the past, it would be nice to standardize on a cleaner firewall interface using the iptables-restore or nftables utilities.
Personally I'd like to see nftables used for this, as it seems to be the future direction of the linux packet filtering stack.
The text was updated successfully, but these errors were encountered: