nixos-firewall-tool: add nftables support (#324615)

2024-10-18 23:57:39 +02:00 · 2024-10-18 23:57:39 +02:00 · f0bc4f6bbf
commit f0bc4f6bbf
parent 02b61c1506 9d662d95ee
8 changed files with 92 additions and 14 deletions
--- a/maintainers/maintainer-list.nix
+++ b/maintainers/maintainer-list.nix
@ -7608,6 +7608,12 @@
    githubId = 91987;
    name = "Jim Garrison";
  };
+  garyguo = {
+    email = "gary@garyguo.net";
+    github = "nbdd0121";
+    githubId = 4065244;
+    name = "Gary Guo";
+  };
  gavin = {
    email = "gavin.rogers@holo.host";
    github = "gavinrogers";
@ -18709,6 +18715,12 @@
    githubId = 141248;
    name = "Ramses";
  };
+  rvfg = {
+    email = "i@rvf6.com";
+    github = "duament";
+    githubId = 30264485;
+    name = "Rvfg";
+  };
  rvl = {
    email = "dev+nix@rodney.id.au";
    github = "rvl";
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -720,6 +720,8 @@
  This saves UPS battery and ensures that host(s) get back up again when power comes back, even in the scenario when the UPS would have had enough capacity to keep power on during the whole power outage.
  If you like the old behaviour of keeping the UPSs on (and emptying the battery) after the host(s) have shut down, and risk not getting a power cycle event to get the host(s) back up, set `power.ups.upsmon.settings.POWERDOWNFLAG = null;`.

+- `nixos-firewall-tool` now supports nftables in addition to iptables and is installed by default when NixOS firewall is enabled.
+
 - Support for *runner registration tokens* has been [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/380872)
  in `gitlab-runner` 15.6 and is expected to be removed in `gitlab-runner` 18.0. Configuration of existing runners
  should be changed to using *runner authentication tokens* by configuring
--- a/nixos/modules/services/networking/firewall-iptables.nix
+++ b/nixos/modules/services/networking/firewall-iptables.nix
@ -297,7 +297,6 @@ in
      }
    ];

-    environment.systemPackages = [ pkgs.nixos-firewall-tool ];
    networking.firewall.checkReversePath = lib.mkIf (!kernelHasRPFilter) (lib.mkDefault false);

    systemd.services.firewall = {
--- a/nixos/modules/services/networking/firewall-nftables.nix
+++ b/nixos/modules/services/networking/firewall-nftables.nix
@ -81,6 +81,13 @@ in

    networking.nftables.tables."nixos-fw".family = "inet";
    networking.nftables.tables."nixos-fw".content = ''
+        set temp-ports {
+          comment "Temporarily opened ports"
+          type inet_proto . inet_service
+          flags interval
+          auto-merge
+        }
+
        ${lib.optionalString (cfg.checkReversePath != false) ''
          chain rpfilter {
            type filter hook prerouting priority mangle + 10; policy drop;
@ -147,6 +154,8 @@ in
            ''
          ) cfg.allInterfaces)}

+          meta l4proto . th dport @temp-ports accept
+
          ${lib.optionalString cfg.allowPing ''
            icmp type echo-request ${lib.optionalString (cfg.pingLimit != null) "limit rate ${cfg.pingLimit}"} accept comment "allow ping"
          ''}
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -274,7 +274,10 @@ in

    networking.firewall.trustedInterfaces = [ "lo" ];

-    environment.systemPackages = [ cfg.package ] ++ cfg.extraPackages;
+    environment.systemPackages = [
+      cfg.package
+      pkgs.nixos-firewall-tool
+    ] ++ cfg.extraPackages;

    boot.kernelModules = (lib.optional cfg.autoLoadConntrackHelpers "nf_conntrack")
      ++ map (x: "nf_conntrack_${x}") cfg.connectionTrackingModules;
--- a/nixos/tests/firewall.nix
+++ b/nixos/tests/firewall.nix
@ -3,14 +3,31 @@
 import ./make-test-python.nix ( { pkgs, nftables, ... } : {
  name = "firewall" + pkgs.lib.optionalString nftables "-nftables";
  meta = with pkgs.lib.maintainers; {
-    maintainers = [ ];
+    maintainers = [ rvfg garyguo ];
  };

  nodes =
    { walled =
        { ... }:
-        { networking.firewall.enable = true;
-          networking.firewall.logRefusedPackets = true;
+        { networking.firewall = {
+            enable = true;
+            logRefusedPackets = true;
+            # Syntax smoke test, not actually verified otherwise
+            allowedTCPPorts = [ 25 993 8005 ];
+            allowedTCPPortRanges = [
+              { from = 980; to = 1000; }
+              { from = 990; to = 1010; }
+              { from = 8000; to = 8010; }
+            ];
+            interfaces.eth0 = {
+              allowedTCPPorts = [ 10003 ];
+              allowedTCPPortRanges = [ { from = 10000; to = 10005; } ];
+            };
+            interfaces.eth3 = {
+              allowedUDPPorts = [ 10003 ];
+              allowedUDPPortRanges = [ { from = 10000; to = 10005; } ];
+            };
+          };
          networking.nftables.enable = nftables;
          services.httpd.enable = true;
          services.httpd.adminAddr = "foo@example.org";
@ -48,6 +65,14 @@ import ./make-test-python.nix ( { pkgs, nftables, ... } : {
    walled.succeed("curl -v http://attacker/ >&2")
    walled.succeed("ping -c 1 attacker >&2")

+    # Open tcp port 80 at runtime
+    walled.succeed("nixos-firewall-tool open tcp 80")
+    attacker.succeed("curl -v http://walled/ >&2")
+
+    # Reset the firewall
+    walled.succeed("nixos-firewall-tool reset")
+    attacker.fail("curl --fail --connect-timeout 2 http://walled/ >&2")
+
    # If we stop the firewall, then connections should succeed.
    walled.stop_job("${unit}")
    attacker.succeed("curl -v http://walled/ >&2")
--- a/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh
+++ b/pkgs/by-name/ni/nixos-firewall-tool/nixos-firewall-tool.sh
@ -2,10 +2,19 @@

 set -euo pipefail

+# Detect if iptables or nftables-based firewall is used.
+if [[ -e /etc/systemd/system/firewall.service ]]; then
+    BACKEND=iptables
+elif [[ -e /etc/systemd/system/nftables.service ]]; then
+    BACKEND=nftables
+else
+    echo "nixos-firewall-tool: cannot detect firewall backend" >&2
+    exit 1
+fi
+
 ip46tables() {
  iptables -w "$@"
  ip6tables -w "$@"
-
 }

 show_help() {
@ -36,13 +45,34 @@ case $1 in
    protocol="$2"
    port="$3"

-    ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+    case $BACKEND in
+        iptables)
+            ip46tables -I nixos-fw -p "$protocol" --dport "$port" -j nixos-fw-accept
+            ;;
+        nftables)
+            nft add element inet nixos-fw "temp-ports" "{ $protocol . $port }"
+            ;;
+    esac
  ;;
  "show")
-    ip46tables --numeric --list nixos-fw
+    case $BACKEND in
+        iptables)
+            ip46tables --numeric --list nixos-fw
+            ;;
+        nftables)
+            nft list table inet nixos-fw
+            ;;
+    esac
  ;;
  "reset")
-    systemctl restart firewall.service
+    case $BACKEND in
+        iptables)
+            systemctl restart firewall.service
+            ;;
+        nftables)
+            nft flush set inet nixos-fw "temp-ports"
+            ;;
+    esac
  ;;
  -h|--help|help)
    show_help
--- a/pkgs/by-name/ni/nixos-firewall-tool/package.nix
+++ b/pkgs/by-name/ni/nixos-firewall-tool/package.nix
@ -1,15 +1,13 @@
-{ writeShellApplication, iptables, lib }:
+{ writeShellApplication, lib }:

 writeShellApplication {
  name = "nixos-firewall-tool";
+
  text = builtins.readFile ./nixos-firewall-tool.sh;
-  runtimeInputs = [
-    iptables
-  ];

  meta = with lib; {
    description = "Temporarily manipulate the NixOS firewall";
    license = licenses.mit;
-    maintainers = with maintainers; [ clerie ];
+    maintainers = with maintainers; [ clerie rvfg garyguo ];
  };
 }