Merge pull request #56 from random-archer/vvl-nftables
initrd nftables service
Showing
27 changed files
with
466 additions
and
21 deletions.
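--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,30 @@
+#
+# manual build: cd $repo ; makepkg -e ;
+#
+
+pkgname=mkinitcpio-systemd-tool
+pkgver=build
+pkgrel=$(date +%s)
+pkgdesc="Provisioning tool for systemd in initramfs (systemd-tool)"
+arch=('any')
+url="https://github.com/random-archer/mkinitcpio-systemd-tool"
+license=('Apache')
+depends=('mkinitcpio' 'systemd')
+optdepends=('cryptsetup: for initrd-cryptsetup.service'
+'dropbear: for initrd-dropbear.service'
+'busybox: for initrd-tinysshd.service'
+'tinyssh: for initrd-tinysshd.service'
+'tinyssh-convert: for initrd-tinysshd.service'
+'mc: for initrd-debug-progs.service')
+conflicts=('mkinitcpio-dropbear' 'mkinitcpio-tinyssh')
+backup=("etc/${pkgname}/config/crypttab"
+"etc/${pkgname}/config/fstab"
+"etc/${pkgname}/network/initrd-network.network" )
+#source=("$pkgname-$pkgver.tar.gz::https://github.com/random-archer/${pkgname}/archive/v${pkgver}.tar.gz")
+#install="${pkgname}.install"
+#sha512sums=()
+
+package() {
+cd ..
+make DESTDIR="$pkgdir/" PREFIX='/usr' install
+}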
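Review bot: `cd ..` in package() relies on makepkg running it from a $srcdir that sits directly under the repository root; `cd "$startdir"` states that intent and keeps working if srcdir is relocated. `pkgrel=$(date +%s)` makes every build a distinct, non-reproducible release that always upgrades over the previous one, which the header comment should say: `# pkgrel is the build timestamp: packages are not reproducible and always supersede each other`. With source commented out nothing is checksummed, so the package is trusted on the checked-out tree alone; a one-line comment next to `#sha512sums=()` would make that explicit.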
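--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,72 @@
+#!/usr/bin/nft -f
+
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provides firewall when running inside initrd
+# see: https://wiki.archlinux.org/index.php/Nftables
+
+# file location in initramfs:
+# /etc/nftables.conf
+
+# file location in real-root:
+# /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf
+
+# note:
+# * more nft examples are in /usr/share/nftables/
+# * make sure SSHD_PORT matches dropbear or tinysshd
+
+define SSHD_PORT = 22
+
+table inet filter {
+set knockd4-allow {
+type ipv4_addr
+timeout 7d
+}
+set knockd4-step2 {
+type ipv4_addr
+timeout 5s
+}
+set knockd4-step1 {
+type ipv4_addr
+timeout 5s
+}
+set knockd6-allow {
+type ipv6_addr
+timeout 7d
+}
+set knockd6-step2 {
+type ipv6_addr
+timeout 5s
+}
+set knockd6-step1 {
+type ipv6_addr
+timeout 5s
+}
+chain input {
+type filter hook input priority 0; policy drop;
+ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
+ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
+ip protocol icmp icmp type echo-request limit rate 1/second accept
+ip protocol icmp icmp type echo-request counter drop
+ct state {established, related} accept
+ct state invalid drop
+tcp dport $SSHD_PORT ip saddr @knockd4-allow accept
+ip saddr @knockd4-step2 tcp dport $SSHD_PORT set add ip saddr @knockd4-allow
+ip saddr @knockd4-step1 tcp dport $SSHD_PORT set add ip saddr @knockd4-step2
+tcp dport $SSHD_PORT set add ip saddr @knockd4-step1
+tcp dport $SSHD_PORT ip6 saddr @knockd6-allow accept
+ip6 saddr @knockd6-step2 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-allow
+ip6 saddr @knockd6-step1 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step2
+tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step1
+ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+reject
+}
+chain forward {
+type filter hook forward priority 0; policy accept;
+accept
+}
+chain output {
+type filter hook output priority 0; policy accept;
+}
+}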
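Review bot: The input chain has no loopback rule, so under `policy drop` with the trailing `reject` any new connection an initrd service opens to the host's own address over lo is refused; add `iif lo accept` as the first rule after the `type filter hook input` line. The knock sequence (`tcp dport $SSHD_PORT set add ip saddr @knockd4-step1` and the step2/allow rules above it, plus the ip6 twins) uses the SSH port itself for every step, so a client ends up in the 7-day allow set after a few retried connection attempts inside the 5 s windows — this is a retry gate that slows scanners, not a secret knock, and the `# note:` block at the top should state that so nobody relies on it as access control. The forward chain combines `policy accept` with an explicit `accept`, which is redundant; unless the initrd is expected to route, `policy drop` would be the stricter and equally simple choice.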
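--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,35 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provides firewall when running inside initrd
+# see: https://wiki.archlinux.org/index.php/Nftables
+
+# service dependencies:
+# - https://www.archlinux.org/packages/community/x86_64/nftables
+
+[Unit]
+Description=Initrd Firewall Service
+Documentation=https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=no
+Before=initrd-network.service
+
+[Service]
+# reproduce default nftables.service
+Type=oneshot
+ExecStart=/usr/bin/nft -f /etc/nftables.conf
+ExecReload=/usr/bin/nft flush ruleset ';' include '"/etc/nftables.conf"'
+ExecStop=/usr/bin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+# activate by reverse dependency
+WantedBy=initrd-network.service
+
+[X-SystemdTool]
+
+# include nftables binaries
+InitrdCall=add_all_modules /netfilter/nft_*
+InitrdCall=add_all_modules /netfilter/nf_tables*
+
+# provision firewall settings in initrd
+InitrdPath=/etc/nftables.conf source=/etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf replace=yes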
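Review bot: The comment `# include nftables binaries` above the two InitrdCall lines is inaccurate — `add_all_modules` pulls kernel modules from /netfilter, not the nft executable; change it to `# include nftables kernel modules (nft_*, nf_tables*)`. Whether /usr/bin/nft from ExecStart is copied into the initrd automatically or needs an explicit InitrdBinary line cannot be seen from this hunk and deserves a comment either way. ExecStop flushes the whole ruleset while RemainAfterExit=yes keeps the unit active, so if the unit is stopped at switch-root the host presumably runs unfiltered until the real root loads its own firewall; a comment recording that assumption would help the next reader.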
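--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+#
+# build nftables image
+#
+
+from nspawn.build import *
+
+import os
+import sys
+
+# import shared config
+project_root = os.popen("git rev-parse --show-toplevel").read().strip()
+python_module = f"{project_root}/tool/module"
+sys.path.insert(0, python_module)
+from arkon_config import base_image_url
+from arkon_config import nftables_image_url
+
+# declare image identity
+IMAGE(url=nftables_image_url)
+
+# provision dependency image
+PULL(url=base_image_url)
+
+# copy local resources
+COPY(path="/etc")
+
+# publish image
+PUSH()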
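Review bot: `os.popen("git rev-parse --show-toplevel")` swallows a failing git (no repository, git not installed) and leaves project_root empty, so sys.path gains `/tool/module` and the script dies later on an unrelated arkon_config ImportError; the setup.py hunk in this commit has the same pattern. Use `project_root = subprocess.check_output(["git", "rev-parse", "--show-toplevel"], text=True).strip()` with `import subprocess`, which raises CalledProcessError at the actual failure point and avoids going through a shell. `from nspawn.build import *` hides where IMAGE, PULL, COPY and PUSH come from; an explicit import list would document the DSL this script depends on.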
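--- /dev/null
+++ b/tool/image/test/nftables/etc/mkinitcpio-systemd-tool/config/crypttab
@@ -0,0 +1,19 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# crypttab: mappings for encrypted partitions in initramfs
+# file location in real root: /etc/mkinitcpio-systemd-tool/config/crypttab
+# file location in initramfs: /etc/crypttab
+
+# crypttab format:
+# https://wiki.archlinux.org/index.php/Dm-crypt/System_configuration#crypttab
+
+# how crypttab is used by systemd
+# https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
+# https://github.com/systemd/systemd/blob/master/src/cryptsetup/cryptsetup-generator.c
+
+# note: use password=none to force cryptsetup password agent prompt
+
+# provide here mapper partition UUID (instead of kernel command line)
+
+# <mapper-name> <block-device> <password/keyfile> <crypto-options>
+booter_root UUID=00000000-feed-face-0000-added0facade none luks,x-systemd.device-timeout=10s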
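--- /dev/null
+++ b/tool/image/test/nftables/etc/mkinitcpio-systemd-tool/config/fstab
@@ -0,0 +1,20 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# fstab: mappings for direct partitions in initramfs
+# file location in real root: /etc/mkinitcpio-systemd-tool/config/fstab
+# file location in initramfs: /etc/fstab
+
+# fstab format:
+# https://wiki.archlinux.org/index.php/Fstab
+
+# how fstab is used by systemd
+# https://www.freedesktop.org/software/systemd/man/systemd-fstab-generator.html
+# https://github.com/systemd/systemd/blob/master/src/fstab-generator/fstab-generator.c
+
+# note: provide /sysroot folder inside initramfs disk image
+# note: remove "root=/dev/mapper/root" stanza from kernel command line
+
+# provide here root partition mapping (instead of kernel command line)
+
+# <block-device> <mount-point> <fs-type> <mount-options> <dump> <fsck>
+/dev/mapper/booter_root /sysroot auto x-systemd.device-timeout=9999h 0 1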
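--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,5 @@
+#
+# https://wiki.archlinux.org/index.php/Mkinitcpio
+#
+
+HOOKS="base autodetect modconf block filesystems keyboard systemd systemd-tool"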
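--- /dev/null
+++ b/tool/image/test/nftables/etc/systemd/system/initrd-debug-progs.service.d/override.conf
@@ -0,0 +1,21 @@
+
+[X-SystemdTool]
+
+# debug support
+InitrdBinary=/usr/bin/strace
+
+# manual crypto mount
+InitrdBinary=/usr/bin/cryptsetup
+
+# dependency reporter
+InitrdBinary=/usr/bin/systemd-analyze
+
+# serial console resizer
+InitrdBinary=/usr/bin/resize
+
+# debug network
+InitrdBinary=/usr/bin/networkctl
+
+# qemu guest drivers
+InitrdCall=add_module e1000
+InitrdCall=add_all_modules /virtio/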
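--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,2 @@
+
+add system unit overrides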
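--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+#
+# setup nftables machine
+#
+
+from nspawn.setup import *
+
+import os
+import sys
+
+# import shared config
+project_root = os.popen("git rev-parse --show-toplevel").read().strip()
+python_module = f"{project_root}/tool/module"
+sys.path.insert(0, python_module)
+from arkon_config import nftables_machine
+from arkon_config import nftables_image_url
+
+# invoke image identity
+IMAGE(url=nftables_image_url)
+
+# container name
+MACHINE(name=nftables_machine)
+
+# configure machine ssh access
+WITH(BindReadOnly="/root/.ssh/authorized_keys")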
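Review bot: `WITH(BindReadOnly="/root/.ssh/authorized_keys")` binds the host's root authorized_keys into the test container, so every key that can log in as root on the host can also log in as root in the container; that is acceptable for a throwaway test machine, but the comment above it should say so rather than just "configure machine ssh access", e.g. `# host root ssh keys are reused: container root is reachable by every host root key`. The `os.popen("git rev-parse --show-toplevel")` line has the silent-failure problem raised on the build script hunk of this commit and should get the same subprocess.check_output fix.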
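--- /dev/null
+++ b/tool/image/test/nftables/test_base/etc/systemd/system/reamde.md
@@ -0,0 +1,2 @@
+
+add text files to assert against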
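--- /dev/null
+++ b/tool/image/test/nftables/test_base/usr/lib/systemd/system/readme.md
@@ -0,0 +1,2 @@
+
+add text files to assert against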
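--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+
+#
+# terminate machine
+#
+
+import os
+import sys
+import time
+
+this_dir = os.path.dirname(os.path.abspath(__file__))
+
+command = f"{this_dir}/setup.py --action desure"
+
+os.system(command)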
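Review bot: `os.system(command)` discards the exit status of setup.py, so a failed teardown still makes this script exit 0, and `import time` is unused. Replace the last line with `raise SystemExit(subprocess.call([f"{this_dir}/setup.py", "--action", "desure"]))` and swap `import time` for `import subprocess`; this propagates the failure and avoids building the command through a shell string, which matters if this_dir ever contains spaces or shell metacharacters. `sys` is then also unused and can go.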