Merge pull request #56 from random-archer/vvl-nftables
initrd nftables service
Andrei-Pozolotin authored Apr 9, 2020
2 parents c11c916 + f0eca7f commit b5b9b79
Showing 27 changed files with 466 additions and 21 deletions.
6 changes: 5 additions & 1 deletion .azure.yml
Expand Up @@ -45,7 +45,7 @@ jobs:
#
- template: tool/azure/steps-cache.yml
parameters: # change to reset cache
cache_version: V16
cache_version: V17
#
- bash: env|sort|grep CACHE
displayName: review caches
Expand All @@ -70,6 +70,10 @@ jobs:
- template: tool/azure/steps-image.yml
parameters:
image_path: test/unitada
#
- template: tool/azure/steps-image.yml
parameters:
image_path: test/nftables
#
- bash: machinectl --all --full
displayName: review machines
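--- a/PKGBUILD
+++ b/PKGBUILD
@@ -0,0 +1,30 @@
+#
+# manual build: cd $repo ; makepkg -e ;
+#
+
+pkgname=mkinitcpio-systemd-tool
+pkgver=build
+pkgrel=$(date +%s)
+pkgdesc="Provisioning tool for systemd in initramfs (systemd-tool)"
+arch=('any')
+url="https://github.com/random-archer/mkinitcpio-systemd-tool"
+license=('Apache')
+depends=('mkinitcpio' 'systemd')
+optdepends=('cryptsetup: for initrd-cryptsetup.service'
+'dropbear: for initrd-dropbear.service'
+'busybox: for initrd-tinysshd.service'
+'tinyssh: for initrd-tinysshd.service'
+'tinyssh-convert: for initrd-tinysshd.service'
+'mc: for initrd-debug-progs.service')
+conflicts=('mkinitcpio-dropbear' 'mkinitcpio-tinyssh')
+backup=("etc/${pkgname}/config/crypttab"
+"etc/${pkgname}/config/fstab"
+"etc/${pkgname}/network/initrd-network.network" )
+#source=("$pkgname-$pkgver.tar.gz::https://github.com/random-archer/${pkgname}/archive/v${pkgver}.tar.gz")
+#install="${pkgname}.install"
+#sha512sums=()
+
+package() {
+cd ..
+make DESTDIR="$pkgdir/" PREFIX='/usr' install
+}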
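Review bot: `optdepends` in the new PKGBUILD names the binary behind every other unit but not `nftables`, although this same commit adds `src/initrd-nftables.service` whose `ExecStart=/usr/bin/nft` needs it; add `'nftables: for initrd-nftables.service'` to the array. Separately, `package()` reaches the checkout with `cd ..`, which only works while `$srcdir` is the default `$startdir/src`; `cd "$startdir"` is the makepkg variable for the PKGBUILD directory and survives a custom BUILDDIR. `pkgrel=$(date +%s)` makes every build a distinct package version, which suits the local `makepkg -e` use described in the header but deserves a one-line comment so the file is not reused for a published package.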
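--- a/src/initrd-nftables.conf
+++ b/src/initrd-nftables.conf
@@ -0,0 +1,72 @@
+#!/usr/bin/nft -f
+
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provides firewall when running inside initrd
+# see: https://wiki.archlinux.org/index.php/Nftables
+
+# file location in initramfs:
+# /etc/nftables.conf
+
+# file location in real-root:
+# /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf
+
+# note:
+# * more nft examples are in /usr/share/nftables/
+# * make sure SSHD_PORT matches dropbear or tinysshd
+
+define SSHD_PORT = 22
+
+table inet filter {
+set knockd4-allow {
+type ipv4_addr
+timeout 7d
+}
+set knockd4-step2 {
+type ipv4_addr
+timeout 5s
+}
+set knockd4-step1 {
+type ipv4_addr
+timeout 5s
+}
+set knockd6-allow {
+type ipv6_addr
+timeout 7d
+}
+set knockd6-step2 {
+type ipv6_addr
+timeout 5s
+}
+set knockd6-step1 {
+type ipv6_addr
+timeout 5s
+}
+chain input {
+type filter hook input priority 0; policy drop;
+ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
+ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
+ip protocol icmp icmp type echo-request limit rate 1/second accept
+ip protocol icmp icmp type echo-request counter drop
+ct state {established, related} accept
+ct state invalid drop
+tcp dport $SSHD_PORT ip saddr @knockd4-allow accept
+ip saddr @knockd4-step2 tcp dport $SSHD_PORT set add ip saddr @knockd4-allow
+ip saddr @knockd4-step1 tcp dport $SSHD_PORT set add ip saddr @knockd4-step2
+tcp dport $SSHD_PORT set add ip saddr @knockd4-step1
+tcp dport $SSHD_PORT ip6 saddr @knockd6-allow accept
+ip6 saddr @knockd6-step2 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-allow
+ip6 saddr @knockd6-step1 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step2
+tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step1
+ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+reject
+}
+chain forward {
+type filter hook forward priority 0; policy accept;
+accept
+}
+chain output {
+type filter hook output priority 0; policy accept;
+}
+}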
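Review bot: The `forward` chain is `policy accept` with an explicit `accept`, so an initrd whose only job is to expose its own sshd would still forward packets between interfaces; for a host that does no routing `type filter hook forward priority 0; policy drop;` with no accept rule is the least-privilege default. The four `set add` rules on `$SSHD_PORT` carry no verdict and fall through to the final `reject`, and because every step uses the same port the "knock" as written is four connection attempts each within 5s of the previous; a comment such as `# knock on the sshd port itself: 4 attempts inside 5s windows admit the source for 7d; this cuts scanner noise, authentication is still the ssh key` would stop the next reader from treating it as a second authentication factor. `ip6 nexthdr icmpv6` matches only when ICMPv6 directly follows the IPv6 header, so ICMPv6 behind an extension header is neither rate-limited nor covered by the ND accept list; `meta l4proto icmpv6` is the form that handles both cases if that matters for this image.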
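--- a/src/initrd-nftables.service
+++ b/src/initrd-nftables.service
@@ -0,0 +1,35 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provides firewall when running inside initrd
+# see: https://wiki.archlinux.org/index.php/Nftables
+
+# service dependencies:
+# - https://www.archlinux.org/packages/community/x86_64/nftables
+
+[Unit]
+Description=Initrd Firewall Service
+Documentation=https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=no
+Before=initrd-network.service
+
+[Service]
+# reproduce default nftables.service
+Type=oneshot
+ExecStart=/usr/bin/nft -f /etc/nftables.conf
+ExecReload=/usr/bin/nft flush ruleset ';' include '"/etc/nftables.conf"'
+ExecStop=/usr/bin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+# activate by reverse dependency
+WantedBy=initrd-network.service
+
+[X-SystemdTool]
+
+# include nftables binaries
+InitrdCall=add_all_modules /netfilter/nft_*
+InitrdCall=add_all_modules /netfilter/nf_tables*
+
+# provision firewall settings in initrd
+InitrdPath=/etc/nftables.conf source=/etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf replace=yes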
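Review bot: The `[X-SystemdTool]` comment `# include nftables binaries` does not describe the two `InitrdCall=add_all_modules` lines under it, which pull kernel modules (`nft_*`, `nf_tables*`) into the initramfs rather than the `nft` binary; `# include nftables kernel modules` is accurate, and if the `nft` binary is expected to be picked up from the `ExecStart=` line by the tool itself, a second comment saying so would record that assumption. `ExecStop=/usr/bin/nft flush ruleset` discards the whole `policy drop` ruleset when the unit stops; if initrd units are stopped during the switch-root isolate, the initrd network runs unfiltered until the real root's firewall unit loads, so consider dropping `ExecStop=` (a real-root ruleset normally begins with its own flush) or adding a comment explaining why the flush on stop is wanted. `Before=initrd-network.service` together with `WantedBy=initrd-network.service` does order the ruleset load ahead of the network, which is the right shape.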
8 changes: 5 additions & 3 deletions tool/image/arch/base/build.py
Expand Up @@ -3,6 +3,8 @@
#
# build basic archux image
#
# note:
# * using azure cache, update `azure.yml/.../cache_version` when changing this file

from nspawn.build import *

Expand Down Expand Up @@ -69,9 +71,7 @@
# provide host sshd keys
"openssh "
# build/install deps
"sed "
"grep "
"make "
"base-devel "
# core package deps
"linux "
"mkinitcpio "
Expand All @@ -83,6 +83,8 @@
"tinyssh-convert "
# initrd-cryptsetup.service
"cryptsetup "
# initrd-nftables.service
"nftables "
)

# enable services
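Review bot: The new header note tells the reader to bump `azure.yml/.../cache_version`, but the pipeline file changed in this same merge is `.azure.yml` (its `cache_version: V17` bump is in the first file section), so the comment is not greppable as written; `# * using azure cache, update .azure.yml cache_version when changing this file` matches the real path. Replacing `sed`/`grep`/`make` with `base-devel` swaps three packages for a whole group, which installs more than the `make install` in the new PKGBUILD needs and, depending on how the list is passed to pacman outside this hunk, may need non-interactive handling for a group; if `make` was the only missing tool, the narrower entry keeps the base image smaller. The package-list string literal this hunk edits begins above the hunk.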
Expand Up @@ -8,10 +8,11 @@ InitrdBinary=/usr/bin/strace
InitrdBinary=/usr/bin/cryptsetup

# dependency reporter
InitrdBinary=/usr/bin/systemd-analyze
InitrdBinary=/usr/bin/systemd-analyze

# serial console resizer
InitrdBinary=/usr/bin/resize

# qemu guest drivers
InitrdCall=add_module e1000
InitrdCall=add_all_modules /virtio/
3 changes: 3 additions & 0 deletions tool/image/test/cryptsetup/setup.py
Expand Up @@ -29,3 +29,6 @@
# MACVLAN=network_face,
# Capability='all',
# )

# configure machine ssh access
WITH(BindReadOnly="/root/.ssh/authorized_keys")
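Review bot: `WITH(BindReadOnly="/root/.ssh/authorized_keys")` mounts the host root account's key list into the test machine, so any key that opens root on the CI host also opens root in every test container; that is presumably intended for the Azure runner, and a one-line comment saying so (and that the file must exist on the host for the bind to succeed) would keep the line from being copied into non-test images. The identical line is added in this commit to `tool/image/test/dropbear/setup.py` and `tool/image/test/nftables/setup.py`; a single constant in `arkon_config` would keep the path in one place. The earlier arguments of the enclosing `WITH(...)` configuration are above the hunk.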
3 changes: 2 additions & 1 deletion tool/image/test/cryptsetup/verify.py
Expand Up @@ -14,6 +14,7 @@
project_root = os.popen("git rev-parse --show-toplevel").read().strip()
python_module = f"{project_root}/tool/module"
sys.path.insert(0, python_module)
from arkon_config import kernel_version
from arkon_config import cryptsetup_machine
from machine_unit import MachineUnit

Expand Down Expand Up @@ -51,7 +52,7 @@
"/bin/swapon",
"/bin/swapoff",

"/usr/lib/modules/5.5.6-arch1-1/kernel/dm-crypt.ko",
f"/usr/lib/modules/{kernel_version}/kernel/dm-crypt.ko",

"/usr/lib/udev/rules.d/10-dm.rules",
"/usr/lib/udev/rules.d/11-dm-initramfs.rules",
3 changes: 3 additions & 0 deletions tool/image/test/dropbear/setup.py
Expand Up @@ -21,3 +21,6 @@

# container name
MACHINE(name=dropbear_machine)

# configure machine ssh access
WITH(BindReadOnly="/root/.ssh/authorized_keys")
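--- a/tool/image/test/nftables/build.py
+++ b/tool/image/test/nftables/build.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+#
+# build nftables image
+#
+
+from nspawn.build import *
+
+import os
+import sys
+
+# import shared config
+project_root = os.popen("git rev-parse --show-toplevel").read().strip()
+python_module = f"{project_root}/tool/module"
+sys.path.insert(0, python_module)
+from arkon_config import base_image_url
+from arkon_config import nftables_image_url
+
+# declare image identity
+IMAGE(url=nftables_image_url)
+
+# provision dependency image
+PULL(url=base_image_url)
+
+# copy local resources
+COPY(path="/etc")
+
+# publish image
+PUSH()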
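Review bot: `project_root = os.popen("git rev-parse --show-toplevel").read().strip()` ignores the command's exit status, so outside a git checkout (or with `git` missing) `project_root` is `""`, `sys.path` gains `/tool/module`, and the failure only surfaces later as an unrelated `ImportError` on `arkon_config`; `subprocess.run(["git", "rev-parse", "--show-toplevel"], check=True, capture_output=True, text=True).stdout.strip()` fails at the right place and needs no shell. The same three lines are repeated in `tool/image/test/nftables/setup.py` in this commit. `COPY(path="/etc")` ships the fixture `crypttab` with its placeholder UUID into the published image, which is fine for a test image but worth a comment beside the call so the placeholder is not mistaken for a real mapping.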
@@ -0,0 +1,19 @@
# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool

# crypttab: mappings for encrypted partitions in initramfs
# file location in real root: /etc/mkinitcpio-systemd-tool/config/crypttab
# file location in initramfs: /etc/crypttab

# crypttab format:
# https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#crypttab

# how crypttab is used by systemd
# https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
# https://github.com/systemd/systemd/blob/master/src/cryptsetup/cryptsetup-generator.c

# note: use password=none to force cryptsetup password agent prompt

# provide here mapper partition UUID (instead of kernel command line)

# <mapper-name> <block-device> <password/keyfile> <crypto-options>
booter_root UUID=00000000-feed-face-0000-added0facade none luks,x-systemd.device-timeout=10s
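--- a/tool/image/test/nftables/etc/mkinitcpio-systemd-tool/config/fstab
+++ b/tool/image/test/nftables/etc/mkinitcpio-systemd-tool/config/fstab
@@ -0,0 +1,20 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# fstab: mappings for direct partitions in initramfs
+# file location in real root: /etc/mkinitcpio-systemd-tool/config/fstab
+# file location in initramfs: /etc/fstab
+
+# fstab format:
+# https://wiki.archlinux.org/index.php/Fstab
+
+# how fstab is used by systemd
+# https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
+# https://github.com/systemd/systemd/blob/master/src/fstab-generator/fstab-generator.c
+
+# note: provide /sysroot folder inside initramfs disk image
+# note: remove "root=/dev/mapper/root" stanza from kernel command line
+
+# provide here root partition mapping (instead of kernel command line)
+
+# <block-device> <mount-point> <fs-type> <mount-options> <dump> <fsck>
+/dev/mapper/booter_root /sysroot auto x-systemd.device-timeout=9999h 0 1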
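--- a/tool/image/test/nftables/etc/mkinitcpio.conf
+++ b/tool/image/test/nftables/etc/mkinitcpio.conf
@@ -0,0 +1,5 @@
+#
+# https://wiki.archlinux.org/index.php/Mkinitcpio
+#
+
+HOOKS="base autodetect modconf block filesystems keyboard systemd systemd-tool"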
@@ -0,0 +1,21 @@

[X-SystemdTool]

# debug support
InitrdBinary=/usr/bin/strace

# manual crypto mount
InitrdBinary=/usr/bin/cryptsetup

# dependency reporter
InitrdBinary=/usr/bin/systemd-analyze

# serial console resizer
InitrdBinary=/usr/bin/resize

# debug network
InitrdBinary=/usr/bin/networkctl

# qemu guest drivers
InitrdCall=add_module e1000
InitrdCall=add_all_modules /virtio/
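--- a/tool/image/test/nftables/etc/systemd/system/readme.md
+++ b/tool/image/test/nftables/etc/systemd/system/readme.md
@@ -0,0 +1,2 @@
+
+add system unit overrides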
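--- a/tool/image/test/nftables/setup.py
+++ b/tool/image/test/nftables/setup.py
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+#
+# setup nftables machine
+#
+
+from nspawn.setup import *
+
+import os
+import sys
+
+# import shared config
+project_root = os.popen("git rev-parse --show-toplevel").read().strip()
+python_module = f"{project_root}/tool/module"
+sys.path.insert(0, python_module)
+from arkon_config import nftables_machine
+from arkon_config import nftables_image_url
+
+# invoke image identity
+IMAGE(url=nftables_image_url)
+
+# container name
+MACHINE(name=nftables_machine)
+
+# configure machine ssh access
+WITH(BindReadOnly="/root/.ssh/authorized_keys")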
@@ -0,0 +1,2 @@

add text files to assert against
@@ -0,0 +1,2 @@

add text files to assert against
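--- a/tool/image/test/nftables/unsetup.py
+++ b/tool/image/test/nftables/unsetup.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+
+#
+# terminate machine
+#
+
+import os
+import sys
+import time
+
+this_dir = os.path.dirname(os.path.abspath(__file__))
+
+command = f"{this_dir}/setup.py --action desure"
+
+os.system(command)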
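Review bot: `os.system(command)` runs the teardown through a shell with the directory interpolated into a string, so a checkout path containing spaces or shell metacharacters breaks the command, and the script always exits 0 because the return value is discarded; `sys.exit(subprocess.run([f"{this_dir}/setup.py", "--action", "desure"]).returncode)` passes the arguments as a list and propagates the status to the CI step. `import time` is unused and `import subprocess` would be needed in its place. A one-line module comment naming what `--action desure` does in `setup.py` would help, since the word is not explained here.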

0 comments on commit b5b9b79
