Merge branch 'feature/nftables' into master

collect/sentinel/sentinel-dynfw-c-client/files/init.nftables

@@ -9,6 +9,8 @@ CERT_KEY="/etc/sentinel_dynfw_server.pub"
 teardown_firewall() {
     nft flush set inet "turris-sentinel" dynfw_4 2>/dev/null
     nft flush set inet "turris-sentinel" dynfw_6 2>/dev/null
+    nft flush set inet "turris-sentinel" dynfw_4_wl 2>/dev/null
+    nft flush set inet "turris-sentinel" dynfw_6_wl 2>/dev/null
 }
 
 start_service() {

collect/sentinel/sentinel-dynfw-c-client/files/sentinel-firewall.nftables.sh

@@ -1,24 +1,45 @@
 #!/bin/sh
-set -e
 . "${0%/*}/common.sh"
 . /lib/functions.sh
 
-dynfw_block() {
-    local config_section="$1"
-    local zone enabled
-    config_get zone "$config_section" "name"
-    config_get_bool enabled "$config_section" "sentinel_dynfw" "0"
-    [ "$enabled" = "1" ] || return 0
+report_operation "Dynamic blocking setup"
 
-    report_operation "Dynamic blocking on zone '$zone'"
+config_load "sentinel"
 
-    # Recreate the sets
-    nft add set inet turris-sentinel dynfw_4 '{ type ipv4_addr; comment "IPv4 addresses blocked by Turris Sentinel"  ; }'
-    nft add set inet turris-sentinel dynfw_6 '{ type ipv6_addr; flags interval; comment "IPv6 addresses blocked by Turris Sentinel" ; }'
+config_get_bool enabled "dynfw" enabled 1
+[ "$enabled" -eq 1 ] || return
 
-    nft add rule inet turris-sentinel dynfw_block_zone_"${zone}" ip saddr @dynfw_4 drop
-    nft add rule inet turris-sentinel dynfw_block_zone_"${zone}" ip6 saddr @dynfw_6 drop
+wl_list_cb() {
+    local val="$1"
+    if echo "$val" | grep -q "^[0-9.]*$"; then
+        nft add element inet turris-sentinel dynfw_4_wl "{ $val }"
+    elif echo "$val" | grep -q "^[0-9a-fA-F:]*/*[0-9]*$"; then
+        nft add element inet turris-sentinel dynfw_6_wl "{ $val }"
+    else
+        echo "Invalid ip address $val" >&2
+    fi
 }
 
-config_load "firewall"
-config_foreach dynfw_block "zone"
+# Recreate the sets
+nft add set inet turris-sentinel dynfw_4_wl '{ type ipv4_addr; comment "IPv4 addresses ignored by Turris Sentinel" ; }'
+nft add set inet turris-sentinel dynfw_6_wl '{ type ipv6_addr; flags interval; comment "IPv6 addresses ignored by Turris Sentinel" ; }'
+nft add set inet turris-sentinel dynfw_4 '{ type ipv4_addr; comment "IPv4 addresses blocked by Turris Sentinel" ; }'
+nft add set inet turris-sentinel dynfw_6 '{ type ipv6_addr; flags interval; comment "IPv6 addresses blocked by Turris Sentinel" ; }'
+
+# Fill the whitelist
+nft flush set inet "turris-sentinel" dynfw_4_wl 2>/dev/null
+nft flush set inet "turris-sentinel" dynfw_6_wl 2>/dev/null
+config_list_foreach "dynfw" whitelist wl_list_cb
+
+# Setup the blocking chain
+nft flush chain inet turris-sentinel dynfw_block
+nft -f - << EOF
+table inet turris-sentinel {
+        chain dynfw_block {
+                ip saddr @dynfw_4_wl accept
+                ip6 saddr @dynfw_6_wl accept
+                ip saddr @dynfw_4 drop
+                ip6 saddr @dynfw_6 drop
+        }
+}
+EOF

collect/sentinel/sentinel-dynfw-c-client/files/uci-defaults

@@ -6,9 +6,5 @@ set -e
 uci -q delete firewall.sentinel_dynfw_client || :
 uci -q delete firewall.sentinel_dynfw_client_ipset || :
 
-
-# Enable for default wan interface
-config_firewall_default_enable "sentinel_dynfw"
-
 # Always reload firewall to use latest version of sentinel-firewall script
 /etc/init.d/firewall reload

collect/sentinel/sentinel-firewall/Makefile

@@ -8,7 +8,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sentinel-firewall
-PKG_VERSION:=0.1.4
+PKG_VERSION:=0.1.5
 PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_MAINTAINER:=CZ.NIC <[email protected]>

collect/sentinel/sentinel-firewall/files/common_nftables.sh

@@ -29,19 +29,21 @@ setup_zone() {
 
     # Setup port-forwarding infrastructure for minipots in turris-sentinel table
     nft delete chain inet turris-sentinel minipots_dstnat_"$zone" 2> /dev/null || :
-    nft add chain inet turris-sentinel minipots_dstnat_"$zone"
+    nft add chain inet turris-sentinel minipots_dstnat_"$zone" '{ comment "Minipots port forwarding"; }'
     nft add set inet turris-sentinel "${zone}_ips_6" "{ type ipv6_addr; comment \"IPv4 addresses in zone $zone\"  ; }"
     nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if ip6 daddr @${zone}_ips_6 jump minipots_dstnat_"$zone" \
         comment "\"!sentinel: port redirection for minipots\""
     nft add set inet turris-sentinel "${zone}_ips_4" "{ type ipv4_addr; comment \"IPv4 addresses in zone $zone\"  ; }"
     nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if ip daddr @${zone}_ips_4 jump minipots_dstnat_"$zone" \
         comment "\"!sentinel: port redirection for minipots\""
+    INTERFACE="$zone" /etc/hotplug.d/iface/90-wan-ip wan
 
     # Setup blocking infrastructure
     nft delete chain inet turris-sentinel dynfw_block_zone_"$zone" 2> /dev/null || :
-    nft add chain inet turris-sentinel dynfw_block_zone_"$zone"
+    nft delete chain inet turris-sentinel dynfw_block 2> /dev/null || :
+    nft add chain inet turris-sentinel dynfw_block '{ comment "DynFW blocking chain"; }'
     for hook in input forward; do
-        nft add rule inet turris-sentinel dynfw_block_hook_"${hook}" iifname $wan_if jump dynfw_block_zone_"$zone" \
+        nft add rule inet turris-sentinel dynfw_block_hook_"${hook}" iifname $wan_if jump dynfw_block \
             comment "\"!sentinel: blocking malicious traffic\""
     done
 }
@@ -69,7 +71,7 @@ firewall_cleanup() {
     done
 
     # Recreate a clean turris-sentinel table
-    nft delete table turris-sentinel 2> /dev/null || :
+    nft delete table inet turris-sentinel 2> /dev/null || :
     nft add table inet turris-sentinel
     nft flush table inet turris-sentinel
 
@@ -105,4 +107,3 @@ port_redirect() {
     nft insert rule inet turris-sentinel minipots_dstnat_"$zone" meta nfproto \{ ipv4, ipv6 \} \
         tcp dport "$port" meta mark set "$MAGIC_NUMBER" redirect to "$local_port" comment "\"!sentinel: $description port redirect\""
 }
-