-
Notifications
You must be signed in to change notification settings - Fork 296
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'igornovg/icbn-firewall' into 'master'
feat(BOUN-935): ic-boundary: add firewall generator Add a bit dirty firewall generator to replace similar `control-plane` functionality to be able to remove it from BN. * This stuff is to be removed from the code after we move to a a decentralized BN * The feature is optional and is enabled only if `--nftables-system-replicas-path` CLI parameter is specified * Firewall rules are only updated when a new registry version is published and contain all system nodes. This is nicer than `control-plane` that persisted them with every routing table change, which is not needed at all and only caused too many restarts when the network is flaky. * Use `reload` instead of `restart` for `nftables` which does not involve flushing all the rules first and re-adding them. See `ExecStop` below ```plaintext # /usr/lib/systemd/system/nftables.service ... ExecStart=/usr/sbin/nft -f /etc/nftables.conf ExecReload=/usr/sbin/nft -f /etc/nftables.conf ExecStop=/usr/sbin/nft flush ruleset ``` See merge request dfinity-lab/public/ic!15733
- Loading branch information
Showing
4 changed files
with
135 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,79 @@ | ||
// TODO remove after moving to a decentralized BN | ||
|
||
use std::{ | ||
fs, | ||
io::{BufWriter, Write}, | ||
path::PathBuf, | ||
process::{Command, Stdio}, | ||
}; | ||
|
||
use anyhow::{Context, Error}; | ||
use ic_registry_subnet_type::SubnetType; | ||
|
||
use crate::snapshot::RegistrySnapshot; | ||
|
||
#[derive(Debug, Clone, PartialEq)] | ||
pub struct Rule {} | ||
|
||
pub struct SystemdReloader { | ||
bin_path: PathBuf, | ||
service: String, | ||
command: String, | ||
} | ||
|
||
impl SystemdReloader { | ||
pub fn new(bin_path: PathBuf, service: &str, command: &str) -> Self { | ||
Self { | ||
bin_path, | ||
service: service.into(), | ||
command: command.into(), | ||
} | ||
} | ||
|
||
pub async fn reload(&self) -> Result<(), Error> { | ||
let mut child = Command::new(&self.bin_path) | ||
.args([&self.command, &self.service]) | ||
.stdout(Stdio::piped()) | ||
.stderr(Stdio::null()) | ||
.spawn()?; | ||
|
||
child.wait()?; | ||
|
||
Ok(()) | ||
} | ||
} | ||
|
||
pub struct FirewallGenerator { | ||
path: PathBuf, | ||
var: String, | ||
} | ||
|
||
impl FirewallGenerator { | ||
pub fn new(path: PathBuf, var: String) -> Self { | ||
Self { path, var } | ||
} | ||
|
||
pub fn generate(&self, r: RegistrySnapshot) -> Result<(), Error> { | ||
let mut inner: Vec<u8> = Vec::new(); | ||
let mut buf = BufWriter::new(&mut inner); | ||
|
||
// Retain system subnets only | ||
let subnets = r | ||
.subnets | ||
.iter() | ||
.filter(|&subnet| subnet.subnet_type == SubnetType::System); | ||
|
||
buf.write_all(format!("define {} = {{\n", self.var).as_bytes())?; | ||
for subnet in subnets { | ||
for node in &subnet.nodes { | ||
buf.write_all(format!(" {},\n", &node.addr).as_bytes())?; | ||
} | ||
} | ||
buf.write_all("}".as_bytes())?; | ||
|
||
buf.flush()?; | ||
drop(buf); | ||
|
||
fs::write(&self.path, inner).context("failed to write firewall rules") | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters