move nft pkg to netbase

- remove nft pkgs from both network/netlight pkgs
- move lansecurity rules template from cmds

Author: Omarabdul3ziz

pkg/netbase/nft/lansecurity.tmpl

@@ -0,0 +1,17 @@
+flush chain inet filter forward;
+
+table inet filter {
+    chain forward {
+        type filter hook forward priority filter; policy accept;
+
+        # @th,16,16 is raw expression for sport/dport in transport header
+        # used due to limitation on the installed nft v0.9.1
+        meta l4proto { tcp, udp } @th,16,16 { 9650, 9651 } accept;
+
+        # accept traffic to only default gateway
+        ip daddr {{.GatewayIP}} accept;
+
+        # drop traffic to all other ips on the subnet
+        ip daddr {{.SubnetIP}} drop;
+    }
+}

pkg/netbase/nft/nft.go

@@ -0,0 +1,83 @@
+package nft
+
+import (
+	"fmt"
+	"io"
+	"os/exec"
+
+	_ "embed"
+
+	"github.com/containernetworking/plugins/pkg/ns"
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+	"github.com/threefoldtech/zosbase/pkg/netlight/namespace"
+	"github.com/vishvananda/netlink"
+)
+
+//go:embed lansecurity.tmpl
+var lanSecurityTmpl string
+
+// Apply applies the ntf configuration contained in the reader r
+// if ns is specified, the nft command is execute in the network namespace names ns
+func Apply(r io.Reader, ns string) error {
+	var cmd *exec.Cmd
+
+	if ns != "" {
+		cmd = exec.Command("ip", "netns", "exec", ns, "nft", "-f", "-")
+	} else {
+		cmd = exec.Command("nft", "-f", "-")
+	}
+
+	cmd.Stdin = r
+
+	out, err := cmd.CombinedOutput()
+	if err != nil {
+		log.Error().Err(err).Str("output", string(out)).Msg("error during nft")
+		if eerr, ok := err.(*exec.ExitError); ok {
+			return errors.Wrapf(err, "failed to execute nft: %v", string(eerr.Stderr))
+		}
+		return errors.Wrap(err, "failed to execute nft")
+	}
+	return nil
+}
+
+// DropTrafficToLAN drops all the outgoing traffic to any peers on
+// the same lan network, but allow dicovery port for ygg/myc by accepting
+// traffic to/from dest/src ports.
+func DropTrafficToLAN(netns string) error {
+	var dgw netlink.Neigh
+
+	toRun := func(_ ns.NetNS) error {
+		var err error
+		dgw, err = getDefaultGW()
+		return err
+	}
+
+	if netns != "" {
+		nss, err := namespace.GetByName(netns)
+		if err != nil {
+			return fmt.Errorf("failed to get namespace %q", netns)
+		}
+		defer nss.Close()
+
+		if err := nss.Do(toRun); err != nil {
+			return fmt.Errorf("failed to execute in namespace %q: %w", netns, err)
+		}
+	} else {
+		if err := toRun(nil); err != nil {
+			return fmt.Errorf("failed to get default gateway: %w", err)
+		}
+	}
+
+	if !dgw.IP.IsPrivate() {
+		log.Warn().Msg("skip LAN security. default gateway is public")
+		return nil
+	}
+
+	rules, err := renderRulesTemplate(lanSecurityTmpl, dgw)
+	if err != nil {
+		return fmt.Errorf("failed to render nft rules template: %w", err)
+	}
+
+	return Apply(rules, netns)
+}

pkg/netbase/nft/utils.go

@@ -0,0 +1,82 @@
+package nft
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"text/template"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+	"github.com/vishvananda/netlink"
+)
+
+func getDefaultGW() (netlink.Neigh, error) {
+	routes, err := netlink.RouteList(nil, netlink.FAMILY_V4)
+	if err != nil {
+		return netlink.Neigh{}, fmt.Errorf("failed to list routes: %v", err)
+	}
+
+	var defaultRoute *netlink.Route
+	for _, route := range routes {
+		if route.Dst == nil {
+			defaultRoute = &route
+			break
+		}
+	}
+
+	if defaultRoute == nil {
+		return netlink.Neigh{}, fmt.Errorf("default route not found")
+	}
+
+	if defaultRoute.Gw == nil {
+		return netlink.Neigh{}, fmt.Errorf("default route has no gateway")
+	}
+
+	neighs, err := netlink.NeighList(0, netlink.FAMILY_V4)
+	if err != nil {
+		return netlink.Neigh{}, fmt.Errorf("failed to list neighbors: %v", err)
+	}
+
+	for _, neigh := range neighs {
+		if neigh.IP.Equal(defaultRoute.Gw) {
+			return neigh, nil
+		}
+	}
+
+	return netlink.Neigh{}, errors.New("failed to get default gw")
+}
+
+func getNetworkRange(ip netlink.Neigh) string {
+	mask := ip.IP.DefaultMask()
+	network := ip.IP.Mask(mask)
+	ones, _ := mask.Size()
+	networkRange := fmt.Sprintf("%s/%d", network.String(), ones)
+
+	return networkRange
+}
+
+func renderRulesTemplate(tmpl string, gateway netlink.Neigh) (io.Reader, error) {
+	GatewayIP := gateway.IP.String()
+	SubnetIP := getNetworkRange(gateway)
+
+	log.Debug().
+		Str("GatewayIP", GatewayIP).
+		Str("SubnetIP", SubnetIP).
+		Msg("drop traffic to lan with the default gateway")
+
+	templ, err := template.New("lanSecurityRules").Parse(tmpl)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create template: %w", err)
+	}
+
+	var buf bytes.Buffer
+	if err := templ.Execute(&buf, map[string]string{
+		"GatewayIP": GatewayIP,
+		"SubnetIP":  SubnetIP,
+	}); err != nil {
+		return nil, fmt.Errorf("failed to execute template: %w", err)
+	}
+
+	return &buf, nil
+}

pkg/netlight/nft/nft.go

@@ -14,9 +14,9 @@ import (
 	"github.com/threefoldtech/zosbase/pkg/netlight/bridge"
 	"github.com/threefoldtech/zosbase/pkg/netlight/ifaceutil"
 	"github.com/threefoldtech/zosbase/pkg/netlight/namespace"
-	"github.com/threefoldtech/zosbase/pkg/netlight/nft"
 	"github.com/threefoldtech/zosbase/pkg/netlight/options"
 	"github.com/threefoldtech/zosbase/pkg/netlight/tuntap"
+	"github.com/threefoldtech/zosbase/pkg/netbase/nft"
 	"github.com/threefoldtech/zosbase/pkg/zinit"
 	"github.com/vishvananda/netlink"
 )

pkg/netlight/resource/resource.go

@@ -13,10 +13,10 @@ import (
 	"github.com/cenkalti/backoff/v3"
 	"github.com/threefoldtech/zosbase/pkg/gridtypes"
 	"github.com/threefoldtech/zosbase/pkg/kernel"
+	"github.com/threefoldtech/zosbase/pkg/netbase/nft"
 	"github.com/threefoldtech/zosbase/pkg/network/bridge"
 	"github.com/threefoldtech/zosbase/pkg/network/dhcp"
 	"github.com/threefoldtech/zosbase/pkg/network/ifaceutil"
-	"github.com/threefoldtech/zosbase/pkg/network/nft"
 	"github.com/threefoldtech/zosbase/pkg/network/options"
 	"github.com/threefoldtech/zosbase/pkg/network/types"
 	"github.com/threefoldtech/zosbase/pkg/network/yggdrasil"

pkg/network/ndmz/dualstack.go

@@ -28,9 +28,9 @@ import (
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/rs/zerolog/log"
 	"github.com/threefoldtech/zosbase/pkg"
+	"github.com/threefoldtech/zosbase/pkg/netbase/nft"
 	"github.com/threefoldtech/zosbase/pkg/network/bridge"
 	"github.com/threefoldtech/zosbase/pkg/network/namespace"
-	"github.com/threefoldtech/zosbase/pkg/network/nft"
 	"github.com/threefoldtech/zosbase/pkg/network/wireguard"
 	"github.com/vishvananda/netlink"
 )

pkg/network/nft/nft.go

@@ -6,9 +6,9 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
+	"github.com/threefoldtech/zosbase/pkg/netbase/nft"
 	"github.com/threefoldtech/zosbase/pkg/network/ifaceutil"
 	"github.com/threefoldtech/zosbase/pkg/network/namespace"
-	"github.com/threefoldtech/zosbase/pkg/network/nft"
 )
 
 var _nft = `