
[v5,0/6] nftables firewall support

Message ID 20241204182913.4085670-1-fiona.klute@gmx.de

Message

Fiona Klute Dec. 4, 2024, 6:29 p.m. UTC
From: "Fiona Klute (WIWA)" <fiona.klute@gmx.de>

This series builds on two patches I've sent previously, with
the main goal of supporting firewall configuration through an nftables
rules file. Offering the choice of iptables-nft as the default
iptables implementation (similar to e.g. update-alternatives on Debian)
makes it easier to integrate that with legacy applications that rely
on the iptables command (e.g. Docker).

Changes v4 -> v5:
* nftables init script: run any target only if rules file exists
* iptables init script: run any target only if rules file exists,
  except for "save" (which may be used to create it)
* rename series to clarify that nftables firewall support is
  non-existent otherwise
* v4 for reference:
  https://patchwork.ozlabs.org/project/buildroot/list/?series=416810

Changes v3 -> v4:
* set ip6tables symlinks when selecting nftables compat

Changes v2 -> v3:
* move change from "iptables -F" to "iptables --flush" to the correct
  patch (3/6)

Changes v1 -> v2:
* add patches 3-6
* clarify comments & commit messages
* nftables init script: warn about missing flush in ruleset on reload
* nftables init script: check for rules file only on start
* nftables init script: return nft return code from start/stop functions
* iptables init script: start only if rules file exists
* add tests for init scripts
* use long form options in init scripts
* fix typecheck warnings

Fiona Klute (WIWA) (6):
  package/nftables: add init script
  package/iptables: optionally default to nftables compat
  package/iptables: check for rules in init script
  support/testing: test for nftables init script
  support/testing: include init script in iptables test
  support/testing: fix MyPy warnings about BRConfigTest

 .checkpackageignore                           |  1 -
 DEVELOPERS                                    |  1 +
 package/iptables/Config.in                    | 12 ++++
 package/iptables/S35iptables                  | 16 +++--
 package/iptables/iptables.mk                  | 13 +++-
 package/nftables/S35nftables                  | 67 +++++++++++++++++++
 package/nftables/nftables.mk                  |  5 ++
 support/testing/infra/basetest.py             |  4 +-
 .../testing/tests/package/test_iptables.py    | 18 +++++
 .../testing/tests/package/test_nftables.py    | 37 +++++++++-
 .../rootfs-overlay/etc/nftables.conf          |  8 +++
 11 files changed, 172 insertions(+), 10 deletions(-)
 create mode 100644 package/nftables/S35nftables
 create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf

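The cover letter describes three behaviours of the nftables init script (run a target only if the rules file exists, warn on reload when the ruleset has no flush, and return nft's exit code) without showing the script itself. The following is an added example written for this page, not the S35nftables script from the series: a Buildroot-style SysV init script implementing those three points. The default path /etc/nftables.conf, the NFTABLES_RULES and NFT environment overrides, and the choice to exit non-zero when the rules file is missing are assumptions of this example, not something the series specifies.

```shell
#!/bin/sh
#
# Added example, not the S35nftables script from the series: a
# Buildroot-style init script that loads an nftables ruleset from a
# file. Behaviours shown: every target requires the rules file, reload
# warns when the file has no "flush ruleset" (so "nft -f" would add to
# the live ruleset instead of replacing it), and nft's own exit code is
# passed back to init. Paths and overrides below are assumptions.

RULES="${NFTABLES_RULES:-/etc/nftables.conf}"
NFT="${NFT:-nft}"

# 0 if the rules file exists and is readable, 1 (with a message) otherwise.
rules_present() {
	[ -r "$1" ] && return 0
	echo "nftables: rules file $1 missing, nothing to do" >&2
	return 1
}

# 0 if the file contains an uncommented "flush ruleset" statement.
# Only a line that starts with the statement counts, so a commented-out
# "# flush ruleset" does not satisfy the check.
has_flush() {
	grep -Eq '^[[:space:]]*flush[[:space:]]+ruleset[[:space:]]*;?[[:space:]]*(#.*)?$' "$1"
}

# Print OK/FAIL in the usual Buildroot init-script style and return the
# status it was given, so the caller's exit code is nft's exit code.
report() {
	if [ "$1" -eq 0 ]; then echo "OK"; else echo "FAIL"; fi
	return "$1"
}

start() {
	printf 'Loading nftables ruleset from %s: ' "$RULES"
	"$NFT" -f "$RULES"
	report $?
}

stop() {
	printf 'Flushing nftables ruleset: '
	"$NFT" flush ruleset
	report $?
}

reload() {
	if ! has_flush "$RULES"; then
		echo "nftables: $RULES contains no 'flush ruleset'; reloading will add to the live ruleset, not replace it" >&2
	fi
	start
}

# Dispatcher. Every target first requires the rules file. It only runs
# when an argument is given, so the functions above can be sourced and
# exercised without touching nft.
main() {
	case "$1" in
	start|stop|reload)
		rules_present "$RULES" || exit 1
		"$1"
		;;
	restart)
		rules_present "$RULES" || exit 1
		stop
		start
		;;
	*)
		echo "Usage: $0 {start|stop|restart|reload}" >&2
		exit 1
		;;
	esac
}

if [ $# -gt 0 ]; then
	main "$@"
fi
```

On a target, `nft list ruleset` after `reload` shows whether rules were replaced or duplicated; a file that starts with `flush ruleset` gives a clean replacement, which is why the warning in `reload` keys on that statement. Whether to warn, flush unconditionally, or do nothing is exactly the open question from the thread; this example takes the warning approach.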
Comments

Fiona Klute Jan. 15, 2025, 11:11 a.m. UTC | #1
Hi,

is there anything I can do to get this series merged? Having a proper
firewall is important, and I'd rather get it into shape and merged than
keep carrying local patches. :-)

AFAIK the only open question is if the current approach of warning on
reload if the rules file doesn't contain a flush (to replace current
rules, instead of adding to them) is good, or if doing a flush
unconditionally, or nothing at all is better. I can quickly adjust that
if needed.

Patchwork link for the series:
https://patchwork.ozlabs.org/project/buildroot/list/?series=435291

Best regards,
Fiona

Am 04.12.24 um 19:29 schrieb Fiona Klute:
> From: "Fiona Klute (WIWA)" <fiona.klute@gmx.de>
>
> This series builds on two patches I've sent previously, with
> the main goal of supporting firewall configuration through an nftables
> rules file. Offering the choice of iptables-nft as the default
> iptables implementation (similar to e.g. update-alternatives on Debian)
> makes it easier to integrate that with legacy applications that rely
> on the iptables command (e.g. Docker).
>
> Changes v4 -> v5:
> * nftables init script: run any target only if rules file exists
> * iptables init script: run any target only if rules file exists,
>    except for "save" (which may be used to create it)
> * rename series to clarify that nftables firewall support is
>    non-existent otherwise
> * v4 for reference:
>    https://patchwork.ozlabs.org/project/buildroot/list/?series=416810
>
> Changes v3 -> v4:
> * set ip6tables symlinks when selecting nftables compat
>
> Changes v2 -> v3:
> * move change from "iptables -F" to "iptables --flush" to the correct
>    patch (3/6)
>
> Changes v1 -> v2:
> * add patches 3-6
> * clarify comments & commit messages
> * nftables init script: warn about missing flush in ruleset on reload
> * nftables init script: check for rules file only on start
> * nftables init script: return nft return code from start/stop functions
> * iptables init script: start only if rules file exists
> * add tests for init scripts
> * use long form options in init scripts
> * fix typecheck warnings
>
> Fiona Klute (WIWA) (6):
>    package/nftables: add init script
>    package/iptables: optionally default to nftables compat
>    package/iptables: check for rules in init script
>    support/testing: test for nftables init script
>    support/testing: include init script in iptables test
>    support/testing: fix MyPy warnings about BRConfigTest
>
>   .checkpackageignore                           |  1 -
>   DEVELOPERS                                    |  1 +
>   package/iptables/Config.in                    | 12 ++++
>   package/iptables/S35iptables                  | 16 +++--
>   package/iptables/iptables.mk                  | 13 +++-
>   package/nftables/S35nftables                  | 67 +++++++++++++++++++
>   package/nftables/nftables.mk                  |  5 ++
>   support/testing/infra/basetest.py             |  4 +-
>   .../testing/tests/package/test_iptables.py    | 18 +++++
>   .../testing/tests/package/test_nftables.py    | 37 +++++++++-
>   .../rootfs-overlay/etc/nftables.conf          |  8 +++
>   11 files changed, 172 insertions(+), 10 deletions(-)
>   create mode 100644 package/nftables/S35nftables
>   create mode 100644 support/testing/tests/package/test_nftables/rootfs-overlay/etc/nftables.conf
>