From cb9c3c01fb67cc28eaa63b02c69a97a834ab4fad Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Mon, 12 Jun 2017 10:30:20 +0300 Subject: [PATCH 01/15] meta-intel: update to latest HEAD. * meta-intel 7e8f98a...86c55b1 (6): > iucode-tool: upgrade to 2.1.2 > rmc: add support for Broxton-M based Joule board (rev. 1F1) > rmc: add fingerprint for generic Broxton-M (rev. 1F1) > rmc-db: allow multiple fingerprint per board directory > layer.conf: Add LAYERSERIES_COMPAT markup to layer.conf > linux-intel/4.9: Update yocto-kernel-cache SRCREV Signed-off-by: Ismo Puustinen --- meta-intel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-intel b/meta-intel index 7e8f98aa32..86c55b1296 160000 --- a/meta-intel +++ b/meta-intel @@ -1 +1 @@ -Subproject commit 7e8f98aa326f16edd679a95f7bb2daf4256479f3 +Subproject commit 86c55b1296a1c0b1fab6a3fd339bed0aafc92c07 From 73f92dfeca247b05de12ee45d12b54b3cb84d649 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Mon, 12 Jun 2017 10:32:42 +0300 Subject: [PATCH 02/15] refkit-config.inc: add nf_tables kernel feature. Signed-off-by: Ismo Puustinen --- meta-refkit-core/conf/distro/include/refkit-config.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-refkit-core/conf/distro/include/refkit-config.inc b/meta-refkit-core/conf/distro/include/refkit-config.inc index 049739bdc1..8ac750eace 100644 --- a/meta-refkit-core/conf/distro/include/refkit-config.inc +++ b/meta-refkit-core/conf/distro/include/refkit-config.inc @@ -87,6 +87,7 @@ REFKIT_IMAGE_MODE_VALID ??= "development production" KERNEL_FEATURES_append_refkit-config = " \ ${@ bb.utils.contains('DISTRO_FEATURES', 'dm-verity', ' features/device-mapper/dm-verity.scc', '', d) } \ ${@ bb.utils.contains('DISTRO_FEATURES', 'tpm1.2', ' features/tpm/tpm.scc', '', d) } \ + ${@ bb.utils.contains('DISTRO_FEATURES', 'refkit-firewall', ' features/nf_tables/nf_tables.scc', '', d) } \ " # Use UEFI-based "dsk" image format for machines supporting UEFI. 
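Review bot: The nf_tables kernel feature is pulled in only when `refkit-firewall` is in DISTRO_FEATURES, but nothing in this series that I can see gates the nftables-settings-default package or its firewall.service on the same feature, so an image built without the feature would enable a firewall.service whose `nft -f` fails against a kernel without nf_tables and the host boots with no filtering at all. Either make the package's installation conditional on the same DISTRO_FEATURES value or at least document the new feature name where it first appears, e.g. `# refkit-firewall: nftables-based firewall (see nftables-settings-default)` above the appended line. This hunk is the first place `refkit-firewall` occurs; no default for it is added to DISTRO_FEATURES here.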
From dc1390c5f0fe92f1d799ca309ad90892e0b0a3a8 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Thu, 13 Apr 2017 15:43:47 +0300 Subject: [PATCH 03/15] nftables-settings-default: new package. 
Signed-off-by: Ismo Puustinen --- .../files/99-network-device.rules | 1 + .../files/firewall-config-update.service | 9 ++ .../files/firewall-config.path | 14 +++ .../files/firewall-config.service | 12 +++ .../files/firewall-update.py | 87 +++++++++++++++++++ .../files/firewall-zones-update.service | 7 ++ .../files/firewall.conf | 2 + .../files/firewall.path | 9 ++ .../files/firewall.service | 19 ++++ .../files/firewall.template | 77 ++++++++++++++++ .../files/network-device-event@.service | 15 ++++ .../files/variables.ruleset | 16 ++++ .../files/zones.config | 4 + .../files/zones.template | 43 +++++++++ .../nftables-settings-default_0.1.bb | 58 +++++++++++++ 15 files changed, 373 insertions(+) create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/99-network-device.rules create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config-update.service create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.path create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.service create mode 100755 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-update.py create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-zones-update.service create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.conf create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.path create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.service create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/network-device-event@.service create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/variables.ruleset create mode 
100644 meta-refkit-core/recipes-security/nftables-settings-default/files/zones.config create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/files/zones.template create mode 100644 meta-refkit-core/recipes-security/nftables-settings-default/nftables-settings-default_0.1.bb diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/99-network-device.rules b/meta-refkit-core/recipes-security/nftables-settings-default/files/99-network-device.rules new file mode 100644 index 0000000000..a6ed942e0e --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/99-network-device.rules @@ -0,0 +1 @@ +SUBSYSTEM=="net", ENV{SYSTEMD_WANTS}="network-device-event@$name.service" diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config-update.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config-update.service new file mode 100644 index 0000000000..d8e69c73f0 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config-update.service @@ -0,0 +1,9 @@ +[Unit] +Description=Create firewall config if it doesn't exist +After=firewall-zones-update.service +Requires=firewall-zones-update.service +ConditionPathExists=!/run/firewall/firewall.ruleset + +[Service] +Type=oneshot +ExecStart=/usr/bin/firewall-update.py diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.path b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.path new file mode 100644 index 0000000000..a4d2662fec --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.path 
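Review bot: `ENV{SYSTEMD_WANTS}="network-device-event@$name.service"` uses plain assignment, which replaces any SYSTEMD_WANTS value an earlier rule has set for the same net device instead of adding to it; udev's `+=` form appends to list-valued keys. Suggest `SUBSYSTEM=="net", ENV{SYSTEMD_WANTS}+="network-device-event@$name.service"`. The rule also carries no comment saying why it exists; `# re-evaluate firewall zones whenever a network interface appears or goes away` would point the next reader at the matching template unit.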
@@ -0,0 +1,14 @@ +[Unit] +Description=Track changes to firewall zone ruleset and service chains +# do not track paths before firewall service is enabled +After=firewall-config-update.service +# break down the ordering cycle with basic.target +DefaultDependencies=false + +[Path] +ReloadOnTrigger=true +PathChanged=/run/firewall/zones.ruleset +PathChanged=/usr/lib/firewall/services +PathChanged=/etc/firewall/services +PathChanged=/usr/lib/firewall/zones.config +PathChanged=/etc/firewall/zones.config diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.service new file mode 100644 index 0000000000..55506e3960 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-config.service @@ -0,0 +1,12 @@ +[Unit] +Description=Update firewall settings + +[Service] +Type=simple + +# We can run firewall-update.py even though this service might have been +# activated via the same command. If there is no change, the +# zones.ruleset file isn't changed. + +ExecStart=/usr/bin/firewall-update.py +ExecReload=/usr/bin/firewall-update.py diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-update.py b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-update.py new file mode 100755 index 0000000000..e8359853b3 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-update.py 
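Review bot: `Type=simple` in firewall-config.service describes a long-running process, but /usr/bin/firewall-update.py runs to completion, so the unit goes inactive as soon as the script exits and the `ExecReload=` line can never be applied to an active unit; firewall.service further down in this patch has the same shape. With the ReloadOnTrigger change later in the series the path unit would then start the service again on every trigger, which works by accident rather than by design. `Type=oneshot` plus `RemainAfterExit=yes` keeps the unit active after the script finishes so that `ExecReload=` is actually what runs on subsequent triggers. The comment above ExecStart should also say that ExecReload re-runs the script because the .path units reload this unit on every change.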
@@ -0,0 +1,87 @@ +#!/usr/bin/env python3 + +# TODO: allow defining the zones on-the-fly based on the configuration + +import os +import sys +import re +import fcntl +import configparser + +zonesConfigPaths = ["/usr/lib/firewall/zones.config", "/etc/firewall/zones.config"] +zonesTemplatePath = "/usr/lib/firewall/zones.template" +zonesRulesetPath = "/run/firewall/zones.ruleset" +servicePaths = ["/usr/lib/firewall/services", "/etc/firewall/services"] +configTemplatePath = "/usr/lib/firewall/firewall.template" +configRulesetPath = "/run/firewall/firewall.ruleset" + +# lock to prevent processing several events at once +lock = open("/run/firewall/config_flock", "w") +fcntl.lockf(lock, fcntl.LOCK_EX) + +# get available interfaces +interfaces = os.listdir("/sys/class/net") + +# map interfaces to zones according to configuration +config = configparser.ConfigParser() +files = config.read(zonesConfigPaths) + +def search_interfaces(key, conf): + ret = "" + if "match" in conf: + if key in conf["match"]: + r = re.compile(conf["match"][key]) + ifs = ", ".join([i for i in interfaces if r.search(i)]) + ret = "elements = { " + ifs + " }" + + return ret + +# run regexps on the interfaces +local_ifs = search_interfaces("ZONE_LOCAL", config) +lan_ifs = search_interfaces("ZONE_LAN", config) +wan_ifs = search_interfaces("ZONE_WAN", config) +dmz_ifs = search_interfaces("ZONE_DMZ", config) +vpn_ifs = search_interfaces("ZONE_VPN", config) +all_ifs = search_interfaces("ZONE_ALL", config) + +# read the zones template +with open(zonesTemplatePath, "r") as f: + data = f.read() + +output_data = data.format(local_interfaces=local_ifs, lan_interfaces=lan_ifs, + wan_interfaces=wan_ifs, dmz_interfaces=dmz_ifs, + vpn_interfaces=vpn_ifs, all_interfaces=all_ifs) + +# Do not write the ruleset file if it already exists and there is no change. +# This prevents unneccessary firewall setup changes. 
+ +current_data = None + +if os.path.exists(zonesRulesetPath): + with open(zonesRulesetPath, "r", encoding="utf-8") as f: + current_data = f.read() + +if not current_data or current_data != output_data: + # different file content, write the ruleset file + with open(zonesRulesetPath, "w") as f: + f.write(output_data) + +if "--only-zones" in sys.argv: + # configured to run only zone update + sys.exit(0) + +# read the firewall template +with open(configTemplatePath, "r") as f: + data = f.read() + +serviceFiles = [] +for path in filter(os.path.exists, servicePaths): + serviceFiles += [os.path.realpath(os.path.join(path, f)) for f in os.listdir(path)] + +service_file_blob = "\n".join(['include "%s"' % f for f in serviceFiles]) + +output_data = data.format(service_chains=service_file_blob) + +# write the ruleset file +with open(configRulesetPath, "w") as f: + f.write(output_data) diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-zones-update.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-zones-update.service new file mode 100644 index 0000000000..cd3a4521f8 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall-zones-update.service @@ -0,0 +1,7 @@ +[Unit] +Description=Create firewall zone configuration if it doesn't exist +ConditionPathExists=!/run/firewall/zones.ruleset + +[Service] +ExecStart=/usr/bin/firewall-update.py --only-zones +Type=oneshot diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.conf b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.conf new file mode 100644 index 0000000000..d73ba89722 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.conf @@ -0,0 +1,2 @@ +# tmpfiles.d +d /run/firewall 0600 root root - - 
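Review bot: The final block writes `/run/firewall/firewall.ruleset` unconditionally, while the zones.ruleset write a few lines up is skipped when the content is unchanged; since firewall.path reloads firewall.service on every change of that file, each run of the script without --only-zones flushes and reloads the whole ruleset even when nothing changed, and the comment in firewall-config.service ("If there is no change, the zones.ruleset file isn't changed") gives a false sense that this is avoided. Suggest applying the same compare-before-write to the firewall ruleset, and since the compare reads with `encoding="utf-8"` but the writes use the locale default, make both explicit. Separately, `search_interfaces` emits `elements = {  }` when a configured regex matches no interface; I believe nft rejects an empty element list, which would make the whole `nft -f` fail and leave the host without its drop policy at boot, so omit the line when `ifs` is empty. A module docstring naming the two output files, the lock file and the `--only-zones` flag would also help, since the script is invoked from four different units.
```python
def search_interfaces(key, conf):
    """Return an nft "elements = { ... }" line listing the interfaces whose
    name matches the regex configured for *key*, or "" when there are none."""
    ret = ""
    if "match" in conf and key in conf["match"]:
        r = re.compile(conf["match"][key])
        ifs = ", ".join([i for i in interfaces if r.search(i)])
        # an empty "elements = { }" does not parse; leave the set empty instead
        if ifs:
            ret = "elements = { " + ifs + " }"
    return ret

# … unchanged: zone lookups, zones.ruleset rendering, --only-zones exit, service discovery …

output_data = data.format(service_chains=service_file_blob)

# Rewrite only on change so that firewall.path does not reload the
# firewall needlessly.
current_data = None
if os.path.exists(configRulesetPath):
    with open(configRulesetPath, "r", encoding="utf-8") as f:
        current_data = f.read()

if current_data != output_data:
    with open(configRulesetPath, "w", encoding="utf-8") as f:
        f.write(output_data)
```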
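Review bot: `d /run/firewall 0600 root root - -` creates a directory without the search (execute) bit, so only root, which bypasses DAC, can enter it; the conventional mode for a root-only directory is 0700, i.e. `d /run/firewall 0700 root root - -`. Nothing depends on the difference today because every reader and writer of the lock file and rulesets runs as root, but 0600 on a directory reads as a typo to the next maintainer.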
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.path b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.path new file mode 100644 index 0000000000..7d8b285ba7 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.path @@ -0,0 +1,9 @@ +[Unit] +Description=Track changes to firewall configuration + +[Path] +ReloadOnTrigger=true +PathChanged=/run/firewall/firewall.ruleset + +[Install] +WantedBy=network.target diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.service new file mode 100644 index 0000000000..669edfe79c --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.service @@ -0,0 +1,19 @@ +[Unit] +Description=nftables firewall +DefaultDependencies=false +Before=network-pre.target multi-user.target shutdown.target +Conflicts=shutdown.target + +# firewall-config-update makes sure that the firewall configuration has been created +After=firewall-config-update.service +# requires first-time update and also the configuration file tracking +Requires=firewall-config-update.service +Wants=firewall-config.path + +[Service] +Type=simple +ExecStart=/usr/sbin/nft -I /run/firewall -I /usr/lib/firewall -f /run/firewall/firewall.ruleset +ExecReload=/usr/sbin/nft -I /run/firewall -I /usr/lib/firewall -f /run/firewall/firewall.ruleset + +[Install] +WantedBy=network.target diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template new file mode 100644 index 0000000000..b3871e5676 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/firewall.template 
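Review bot: `Before=network-pre.target` without `Wants=network-pre.target` does not guarantee that the rules are loaded before networking: network-pre.target is a passive target that only exists in the transaction when something wants it, and systemd.special(7) says the firewall service itself should pull it in. Add `Wants=network-pre.target` to [Unit]. Also, with `Type=simple` the unit counts as started the moment `nft` is forked, so the ordering is satisfied before `nft -f` has applied (or failed to apply) the ruleset; `Type=oneshot` with `RemainAfterExit=yes` makes dependents wait for the load to finish, keeps `ExecReload=` usable once the process has exited, and turns a parse error in the ruleset into a visibly failed unit rather than a silently open host.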
@@ -0,0 +1,77 @@ +#!/usr/sbin/nft + +flush ruleset; + +include "variables.ruleset" + +table inet filter {{ + + include "zones.ruleset" + + map tcp_service_map {{ + type inet_service : verdict + }} + + map udp_service_map {{ + type inet_service : verdict + }} + + chain input {{ + # Run this later than service and application scripts (priority 1) + # and drop all packets that don't match to the the rules. + type filter hook input priority 1; policy drop; + + # Accept packets tagged by services and applications. + mark $accept_packet accept; + + # Accept packets belonging to established and related connections. + ct state established,related accept; + + # Allow packets to localhost interfaces. + iif @ZONE_LOCAL accept; + + # Check if the services have declared custom rules. + tcp dport vmap @tcp_service_map; + udp dport vmap @udp_service_map; + + # Allow some icmpv6 to make IPv6 work (see RFC 4890). This + # configuration is for an "end host firewall", protecting a + # single device. In order to use the device as a router or as a + # bridge, enable the relevant options as explained in the RFC. + # For home gateway router use, see RFC 6092. + + # Allow basic IPv6 functionality. + ip6 nexthdr icmpv6 icmpv6 type {{ + destination-unreachable, + packet-too-big, + time-exceeded, + parameter-problem, + echo-request, + echo-reply + }} accept; + + # Allow auto configuration support. + ip6 nexthdr icmpv6 icmpv6 type {{ + nd-neighbor-solicit, + nd-neighbor-advert, + nd-router-advert, + nd-router-solicit + }} ip6 hoplimit 255 accept; + + # Allow multicast listener discovery on link-local addresses. + ip6 nexthdr icmpv6 icmpv6 type {{ + mld-listener-query, + mld-listener-report, + mld-listener-reduction + }} ip6 saddr fe80::/10 accept; + + # Allow multicast router discovery messages on link-local + # addresses (hop limit 1). + ip6 nexthdr icmpv6 icmpv6 type {{ + nd-router-advert, + nd-router-solicit + }} ip6 hoplimit 1 ip6 saddr fe80::/10 accept; + }} +}} + +{service_chains} 
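Review bot: Nothing in the file says that it is rendered through Python's `str.format()` by firewall-update.py, which is why every literal brace is doubled; a maintainer adding a rule with a single `{` would break rendering with no hint as to why. A header comment such as `# Rendered by firewall-update.py via str.format(): write literal braces as {{ and }}; {service_chains} is substituted.` prevents that. The input-chain comment also reads "match to the the rules". From a hardening view, `ct state invalid drop;` ahead of the established,related rule is the usual companion of a drop policy; whether it is wanted here is a design choice the chain comment could state either way.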
diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/network-device-event@.service b/meta-refkit-core/recipes-security/nftables-settings-default/files/network-device-event@.service new file mode 100644 index 0000000000..f188849d7d --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/network-device-event@.service @@ -0,0 +1,15 @@ +# Update firewall zones every time the network interfaces change (a VPN +# interface is started, USB network card is removed, etc). + +[Unit] +Description=Network device trigger (%I) +BindsTo=sys-subsystem-net-devices-%i.device +# no need to track changes to interfaces before firewall has been +# configured +After=sys-subsystem-net-devices-%i.device firewall.target + +[Service] +ExecStart=/usr/bin/firewall-update.py --only-zones +ExecStop=/usr/bin/firewall-update.py --only-zones +Type=forking +RemainAfterExit=yes diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/variables.ruleset b/meta-refkit-core/recipes-security/nftables-settings-default/files/variables.ruleset new file mode 100644 index 0000000000..f224d5637f --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/variables.ruleset 
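Review bot: `After=sys-subsystem-net-devices-%i.device firewall.target` orders against a unit that does not exist anywhere in this patch — the firewall unit added here is firewall.service — so systemd silently ignores that part of the ordering; presumably `firewall.service` was meant. `Type=forking` also does not describe firewall-update.py, which runs and exits without forking; `Type=oneshot` together with the existing `RemainAfterExit=yes` is the documented pattern for "run on device add, stay active, run ExecStop on device removal". Suggest `After=sys-subsystem-net-devices-%i.device firewall.service` and `Type=oneshot`.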
@@ -0,0 +1,16 @@ +#!/usr/sbin/nft + +# The idea is that if a service is positively sure that a packet is +# meant for it _and_ it wants to accept it, it needs to tag it with the +# "accept_packet" mark. If the service thinks a packet doesn't belong +# to it, it just needs to accept it using the "accept" verdict. In a +# (rare) case when the service knows that a packet belongs to it but it +# needs to drop or reject it, the service can just use "drop" or +# "reject" verdicts to stop the packet processing. +# +# Note that it's harmless to select "accept" verdict in the recipe, +# since the packet will be processed by other chains too, and a "drop" +# or "reject" in any one of those is enough to drop or reject the +# packet. + +define accept_packet = 0x1 diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.config b/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.config new file mode 100644 index 0000000000..88a283a076 --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.config @@ -0,0 +1,4 @@ +[match] +ZONE_LAN=.* +ZONE_LOCAL=lo.* +ZONE_ALL=.* diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.template b/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.template new file mode 100644 index 0000000000..96eac5b99a --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/files/zones.template 
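Review bot: The shipped default `ZONE_LAN=.*` places every interface, including whatever the uplink is, in the LAN zone, and `ZONE_ALL=.*` then duplicates it. Today firewall.template consults only @ZONE_LOCAL in the input chain, so this has no effect, but any later rule that trusts @ZONE_LAN would trust the Internet-facing interface by default. Either ship ZONE_LAN unset so the set starts empty, or add a comment making the intent explicit, e.g. `# default: all interfaces count as LAN; products are expected to narrow this`.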
@@ -0,0 +1,43 @@ +#!/usr/sbin/nft + +# LOCAL zone -- loopback device and container virtual interfaces +set ZONE_LOCAL {{ + type iface_index + {local_interfaces} +}} + +# LAN zone -- the internal network +set ZONE_LAN {{ + type iface_index + {lan_interfaces} +}} + +# WAN zone -- typically the Internet +set ZONE_WAN {{ + type iface_index + {wan_interfaces} +}} + +# DMZ zone -- for instance a wireless LAN interface if those are without +# encryption or SSID password +set ZONE_DMZ {{ + type iface_index + {dmz_interfaces} +}} + +# VPN zone -- virtual VPN interfaces. Since VPN interfaces come and go +# dynamically, the interface indexes associated with interface names change. +# Whenever a new VPN interface is brought up, the service doing it should add +# the VPN interface to this set ("nft add element inet filter ZONE_VPN {{vpn0}}") +# and remove it after it's gone ("nft delete ..."). This is not needed if the +# dynamic loading of the firewall ruleset is enabled after any interface change. +set ZONE_VPN {{ + type iface_index + {vpn_interfaces} +}} + +# ALL zone -- all network interfaces +set ZONE_ALL {{ + type iface_index + {all_interfaces} +}} diff --git a/meta-refkit-core/recipes-security/nftables-settings-default/nftables-settings-default_0.1.bb b/meta-refkit-core/recipes-security/nftables-settings-default/nftables-settings-default_0.1.bb new file mode 100644 index 0000000000..15b4f0382c --- /dev/null +++ b/meta-refkit-core/recipes-security/nftables-settings-default/nftables-settings-default_0.1.bb 
@@ -0,0 +1,58 @@ +# Copyright (C) 2017 Intel. +# Released under the MIT license (see COPYING.MIT for the terms) + +DESCRIPTION = "Default nftables configuration." +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" + +inherit systemd + +RDEPENDS_${PN} = "python3 python3-re python3-fcntl" + +SRC_URI = " \ + file://firewall-update.py \ + file://zones.config \ + file://zones.template \ + file://firewall.template \ + file://firewall.conf \ + file://99-network-device.rules \ + file://firewall.service \ + file://firewall-config.path \ + file://firewall-config.service \ + file://firewall-config-update.service \ + file://firewall-zones-update.service \ + file://firewall.path \ + file://network-device-event@.service \ + file://variables.ruleset \ +" + +do_install() { + install -d ${D}${base_libdir}/udev/rules.d + install -d ${D}${libdir}/tmpfiles.d + install -d ${D}${libdir}/firewall/services + install -d ${D}${bindir} + install -d ${D}${systemd_unitdir}/system/ + + install -m 0644 ${WORKDIR}/*.service ${D}${systemd_unitdir}/system/ + install -m 0644 ${WORKDIR}/*.path ${D}${systemd_unitdir}/system/ + install -m 0755 ${WORKDIR}/firewall-update.py ${D}${bindir}/ + install -m 0644 ${WORKDIR}/zones.config ${D}${libdir}/firewall/ + install -m 0644 ${WORKDIR}/*.template ${D}${libdir}/firewall/ + install -m 0644 ${WORKDIR}/variables.ruleset ${D}${libdir}/firewall/ + install -m 0644 ${WORKDIR}/99-network-device.rules ${D}${base_libdir}/udev/rules.d/ + install -m 0644 ${WORKDIR}/firewall.conf ${D}${libdir}/tmpfiles.d/ +} + +FILES_${PN} = " \ + ${base_libdir}/udev/rules.d \ + ${libdir}/tmpfiles.d \ + ${libdir}/firewall/services \ + ${libdir}/firewall/* \ + ${bindir}/* \ + ${systemd_unitdir}/system/* \ +" + +SYSTEMD_SERVICE_${PN} = " \ + firewall.service \ + firewall.path \ +" From d6b1221989a04c5281d12cd49883f086cda2fab4 Mon Sep 17 00:00:00 2001 
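Review bot: firewall-update.py and firewall-config.path read `/etc/firewall/zones.config` and `/etc/firewall/services`, and every file found under that services directory is `include`d into the ruleset nft loads as root, yet do_install creates neither `${sysconfdir}/firewall` nor its `services` subdirectory and `FILES_${PN}` does not mention them, so the directory gets created ad hoc, with whatever mode its creator picks, the first time someone drops a file there. Suggest `install -d ${D}${sysconfdir}/firewall/services` in do_install and `${sysconfdir}/firewall` in FILES so ownership and mode are packaged. The script also imports `configparser`; `RDEPENDS_${PN}` lists python3-re and python3-fcntl but nothing for it, so check which python3 sub-package provides configparser in this release and add it if it is not part of python3-core. `${bindir}/*` and `${systemd_unitdir}/system/*` in FILES are broader than what is installed and will claim anything a bbappend adds there; listing the actual files is safer.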
From: Ismo Puustinen Date: Wed, 12 Apr 2017 14:31:46 +0300 Subject: [PATCH 04/15] nftables: no readline support and require settings. Compile nftables without readline support -- it's GPLv3 and not needed for non-interactive use. Depend on a virtual settings package. Signed-off-by: Ismo Puustinen --- meta-refkit-core/conf/distro/include/refkit-config.inc | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta-refkit-core/conf/distro/include/refkit-config.inc b/meta-refkit-core/conf/distro/include/refkit-config.inc index 8ac750eace..cf47e1403b 100644 --- a/meta-refkit-core/conf/distro/include/refkit-config.inc +++ b/meta-refkit-core/conf/distro/include/refkit-config.inc @@ -155,3 +155,12 @@ SYSTEMD_AUTO_ENABLE_forcevariable_pn-trousers_refkit-config = "enable" # usbutils depends directly on libusb1, not the obsolete compatibility. This removes dependency on libusb-compat. DEPENDS_remove_pn-libgphoto2_refkit-config = "virtual/libusb0" DEPENDS_append_pn-libgphoto2_refkit-config = " libusb1" + +# remove readline dependency from nftables +DEPENDS_remove_pn-nftables_refkit-config = "readline" +EXTRA_OECONF_append_pn-nftables_refkit-config = " --without-cli" + +# make nftables require a settings package +VIRTUAL-RUNTIME_nftables-settings ?= "nftables-settings-default" +RDEPENDS_nftables_append_refkit-config = " ${VIRTUAL-RUNTIME_nftables-settings}" + From 52927eacf050aa2af8b5bafd624628b69a38b308 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Thu, 13 Apr 2017 13:08:33 +0300 Subject: [PATCH 05/15] supported recipes: add nftables and nftables-settings-default. Signed-off-by: Ismo Puustinen --- meta-refkit/conf/distro/include/refkit-supported-recipes.txt | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt index 8b4e67b83a..89361c9705 100644 --- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt 
+++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt @@ -222,7 +222,9 @@ libidn@core libinput@core libjpeg-turbo@core libmicrohttpd@soletta +libmnl@networking-layer libmpc@core +libnftnl@networking-layer libnl@core libogg@core libpam@core @@ -310,6 +312,8 @@ multipath-tools@openembedded-layer ncurses@core netbase@core nettle@core +nftables-settings-default@refkit-core +nftables@networking-layer nodejs@iotweb object-recognition-msgs@ros-layer ocl-icd@refkit-computervision From 208077afd9b1ba741df6bccafdd5f008e7b75e38 Mon Sep 17 00:00:00 2001 From: Simo Kuusela Date: Mon, 24 Apr 2017 12:03:36 +0300 Subject: [PATCH 06/15] meta-iotqa: Add nftables test Test dropping, rejecting and prerouting SSH with nftables. Signed-off-by: Simo Kuusela --- .../lib/oeqa/runtime/sanity/nftables.py | 64 +++++++++++++++++++ 1 file changed, 64 insertions(+) create mode 100644 meta-iotqa/lib/oeqa/runtime/sanity/nftables.py diff --git a/meta-iotqa/lib/oeqa/runtime/sanity/nftables.py b/meta-iotqa/lib/oeqa/runtime/sanity/nftables.py new file mode 100644 index 0000000000..80058213ef --- /dev/null +++ b/meta-iotqa/lib/oeqa/runtime/sanity/nftables.py 
@@ -0,0 +1,64 @@ +import os +import subprocess +from time import sleep +from oeqa.oetest import oeRuntimeTest + +class NftablesTest(oeRuntimeTest): + + def check_ssh_connection(self): + '''Check SSH connection to DUT port 2222''' + process = subprocess.Popen(("ssh -o UserKnownHostsFile=/dev/null " \ + "-o ConnectTimeout=3 " \ + "-o StrictHostKeyChecking=no root@" + \ + self.target.ip +" -p 2222 ls").split(), + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT) + output, err = process.communicate() + output = output.decode("utf-8") + returncode = process.returncode + return returncode, output + + def add_test_table(self): + self.target.run("nft add table ip test") + self.target.run("nft add chain ip test input {type filter hook input priority 0\;}") + self.target.run("nft add chain ip test donothing") + self.target.run("nft add chain ip test prerouting {type nat hook prerouting priority 0 \;}") + self.target.run("nft add chain ip test postrouting {type nat hook postrouting priority 100 \;}") + + def delete_test_table(self): + self.target.run("nft delete table ip test") + + def test_reject(self): + '''Test rejecting SSH with nftables''' + self.add_test_table() + self.target.run("nft add rule ip test input tcp dport 2222 reject") + self.target.run("nft add rule ip test input goto donothing") + returncode, output = self.check_ssh_connection() + self.delete_test_table() + self.assertIn("Connection refused", output, msg="Error message: %s" % output) + + def test_drop(self): + '''Test dropping SSH with nftables''' + self.add_test_table() + self.target.run("nft add rule ip test input tcp dport 2222 drop") + self.target.run("nft add rule ip test input goto donothing") + returncode, output = self.check_ssh_connection() + self.delete_test_table() + self.assertIn("Connection timed out", output, msg="Error message: %s" % output) + + def test_redirect(self): + '''Test redirecting port''' + # Check that SSH can't connect to port 2222 + returncode, output = 
self.check_ssh_connection() + self.assertNotEqual(returncode, 0, msg="Error message: %s" % output) + + self.add_test_table() + self.target.run("nft add rule ip test prerouting tcp dport 2222 redirect to 22") + # Check that SSH can connect to port 2222 + returncode, output = self.check_ssh_connection() + self.assertEqual(returncode, 0, msg="Error message: %s" % output) + + self.delete_test_table() + # Check that SSH can't connect to port 2222 + returncode, output = self.check_ssh_connection() + self.assertNotEqual(returncode, 0, msg="Error message: %s" % output) From fa29b533bdd47bb8a3112e374769750b5d666e9f Mon Sep 17 00:00:00 2001 From: Simo Kuusela Date: Tue, 16 May 2017 09:26:48 +0300 Subject: [PATCH 07/15] meta-iotqa: Enable nftables test Signed-off-by: Simo Kuusela --- meta-iotqa/conf/test/refkit-image-common.manifest | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-iotqa/conf/test/refkit-image-common.manifest b/meta-iotqa/conf/test/refkit-image-common.manifest index ad569e8f10..5427506a22 100644 --- a/meta-iotqa/conf/test/refkit-image-common.manifest +++ b/meta-iotqa/conf/test/refkit-image-common.manifest @@ -9,3 +9,4 @@ oeqa.runtime.peripherals.mraa.mraa_hello oeqa.runtime.peripherals.mraa.mraa_gpio oeqa.runtime.multimedia.audio.alsa oeqa.runtime.peripherals.upm.upm +oeqa.runtime.sanity.nftables From e538a54f47993e0a33e96173f9cbb76f9ba6f669 Mon Sep 17 00:00:00 2001 From: Simo Kuusela Date: Tue, 16 May 2017 10:53:44 +0300 Subject: [PATCH 08/15] meta-iotqa: Disable nftables test with QEMU It doesn't work with the way QEMU is tested so disable it. Signed-off-by: Simo Kuusela --- meta-iotqa/conf/test/qemu.mask | 1 + 1 file changed, 1 insertion(+) diff --git a/meta-iotqa/conf/test/qemu.mask b/meta-iotqa/conf/test/qemu.mask index 7928e04788..c73e5fe87b 100644 --- a/meta-iotqa/conf/test/qemu.mask +++ b/meta-iotqa/conf/test/qemu.mask 
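Review bot: test_reject (the hunk starts on the previous line) cannot fail for the reason it is meant to: nothing listens on port 2222, so an unfiltered closed port answers with a RST and ssh prints the same "Connection refused" the reject rule produces, and the status returned by every `self.target.run` nft command is discarded, so the test passes even when nftables is not installed or the kernel lacks nf_tables. Check the status of the nft commands (oeqa's `target.run` returns a status/output pair, so `status, output = self.target.run(...); self.assertEqual(status, 0, msg=output)`), and make the reject rule produce a message a closed port does not, e.g. `reject with icmpx type host-unreachable`, which ssh should report as "No route to host" (verify the exact wording on the target). Also register `self.addCleanup(self.delete_test_table)` right after add_test_table so a failing assertion or an ssh error does not leave the test table and its hooks behind on the DUT. check_ssh_connection's `StrictHostKeyChecking=no` is acceptable in a lab harness but deserves a comment saying so.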
@@ -4,3 +4,4 @@ oeqa.runtime.connectivity.bluetooth.btcheck oeqa.runtime.connectivity.wifi.wifi_connect oeqa.runtime.peripherals.mraa.mraa_gpio oeqa.runtime.multimedia.audio.alsa +oeqa.runtime.sanity.nftables From 5727ef6041894e3f126b30288dd325cc25715cca Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Wed, 31 May 2017 10:02:03 +0300 Subject: [PATCH 09/15] systemd: add support for reloading configuration. A race condition in systemd .path handling prevented safe reloading of firewall rules. Signed-off-by: Ismo Puustinen --- ...service-allow-rerunning-reload-tasks.patch | 63 +++++++++++++++ ...0002-path-add-ReloadOnTrigger-option.patch | 79 +++++++++++++++++++ .../recipes-core/systemd/systemd_%.bbappend | 6 ++ 3 files changed, 148 insertions(+) create mode 100644 meta-refkit-core/recipes-core/systemd/files/0001-unit-service-allow-rerunning-reload-tasks.patch create mode 100644 meta-refkit-core/recipes-core/systemd/files/0002-path-add-ReloadOnTrigger-option.patch create mode 100644 meta-refkit-core/recipes-core/systemd/systemd_%.bbappend diff --git a/meta-refkit-core/recipes-core/systemd/files/0001-unit-service-allow-rerunning-reload-tasks.patch b/meta-refkit-core/recipes-core/systemd/files/0001-unit-service-allow-rerunning-reload-tasks.patch new file mode 100644 index 0000000000..f5dea90abf --- /dev/null +++ b/meta-refkit-core/recipes-core/systemd/files/0001-unit-service-allow-rerunning-reload-tasks.patch 
@@ -0,0 +1,63 @@ +From 9fc2a417a4725f6a63790adcc924ef7b03430a77 Mon Sep 17 00:00:00 2001 +From: Ismo Puustinen +Date: Tue, 25 Apr 2017 14:21:23 +0300 +Subject: [PATCH 1/2] unit, service: allow rerunning reload tasks. + +In case a "reload" job cannot be cleanly merged to a previous job of the +same type, the job state is set to be "waiting". This triggers +reprocessing which doesn't lead to anything due to safeguards in unit.c +and service.c. Relax the conditions so that reload jobs can be rerun +when merge isn't possible. + +Upstream-status: Submitted [https://github.com/systemd/systemd/pull/5839] + +Signed-off-by: Ismo Puustinen + +--- + src/core/service.c | 2 +- + src/core/unit.c | 7 ++----- + 2 files changed, 3 insertions(+), 6 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index a63c6d8..316a13e 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -2127,7 +2127,7 @@ static int service_reload(Unit *u) { + + assert(s); + +- assert(s->state == SERVICE_RUNNING || s->state == SERVICE_EXITED); ++ assert(s->state == SERVICE_RUNNING || s->state == SERVICE_EXITED || s->state == SERVICE_RELOAD); + + service_enter_reload(s); + return 1; +diff --git a/src/core/unit.c b/src/core/unit.c +index 25ea5a8..acece94 100644 +--- a/src/core/unit.c ++++ b/src/core/unit.c +@@ -1706,9 +1706,9 @@ bool unit_can_stop(Unit *u) { + } + + /* Errors: ++ * -EINVAL: Unit is not loaded. + * -EBADR: This unit type does not support reloading. + * -ENOEXEC: Unit is not started. +- * -EAGAIN: An operation is already in progress. Retry later. + */ + int unit_reload(Unit *u) { + UnitActiveState state; +@@ -1723,10 +1723,7 @@ int unit_reload(Unit *u) { + return -EBADR; + + state = unit_active_state(u); +- if (state == UNIT_RELOADING) +- return -EALREADY; +- +- if (state != UNIT_ACTIVE) { ++ if (state != UNIT_ACTIVE && state != UNIT_RELOADING) { + log_unit_warning(u, "Unit cannot be reloaded because it is inactive."); + return -ENOEXEC; + } +-- +2.9.3 + 
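Review bot: Letting `unit_reload()` proceed while the unit is already UNIT_RELOADING, together with the relaxed assert in service_reload(), means a second reload request enters service_enter_reload() while the previous reload may still be running; service_enter_reload is not in the hunk, so whether it kills or waits for the existing control process cannot be checked here, and nothing in the patch serializes the two. The services that rely on this in the series must therefore tolerate overlapping reloads themselves — firewall-update.py does so with its flock, and firewall.service's `nft -f` relies on each load being one atomic transaction — and that expectation belongs in the patch description or as a comment above the relaxed condition, e.g. `/* A reload while reloading is allowed; the service's reload command must cope with overlapping runs. */`. The deleted `-EAGAIN` line never matched the `-EALREADY` the removed code returned, so the old comment was already stale; the new list is accurate for the code that remains.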
diff --git a/meta-refkit-core/recipes-core/systemd/files/0002-path-add-ReloadOnTrigger-option.patch b/meta-refkit-core/recipes-core/systemd/files/0002-path-add-ReloadOnTrigger-option.patch new file mode 100644 index 0000000000..6837ccc60d --- /dev/null +++ b/meta-refkit-core/recipes-core/systemd/files/0002-path-add-ReloadOnTrigger-option.patch 
@@ -0,0 +1,79 @@ +From 001a6e9f17f47e7e710bf44abe043763c58bee11 Mon Sep 17 00:00:00 2001 +From: Ismo Puustinen +Date: Fri, 21 Apr 2017 16:03:49 +0300 +Subject: [PATCH 2/2] path: add ReloadOnTrigger option. + +Changes triggered by .path units cause the target unit to be started. +However, this causes events to be lost: if the target service is running +and another file event triggers the .path unit, the next job start +request gets merged in the previously running one. + +Add "ReloadOnTrigger" option to .path units. If enabled, the request to +the target unit is not "start", but "start_or_reload". In this case, if +the service is already started, future triggers to the .path unit will +cause reload events to the service. This limits the available service +types though, and can only be used with those services which can be +reloaded. + +Upstream-status: Submitted [https://github.com/systemd/systemd/pull/5839] + +Signed-off-by: Ismo Puustinen + +--- + src/core/load-fragment-gperf.gperf.m4 | 1 + + src/core/path.c | 6 +++++- + src/core/path.h | 2 ++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 +index cb9e6fe..b6f901d 100644 +--- a/src/core/load-fragment-gperf.gperf.m4 ++++ b/src/core/load-fragment-gperf.gperf.m4 +@@ -404,6 +404,7 @@ Path.DirectoryNotEmpty, config_parse_path_spec, 0, + Path.Unit, config_parse_trigger_unit, 0, 0 + Path.MakeDirectory, config_parse_bool, 0, offsetof(Path, make_directory) + Path.DirectoryMode, config_parse_mode, 0, offsetof(Path, directory_mode) ++Path.ReloadOnTrigger, config_parse_bool, 0, offsetof(Path, reload_on_trigger) + m4_dnl + CGROUP_CONTEXT_CONFIG_ITEMS(Slice)m4_dnl + m4_dnl +diff --git a/src/core/path.c b/src/core/path.c +index 83f794b..85be01c 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -464,6 +464,7 @@ static void path_enter_running(Path *p) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + Unit 
*trigger; + int r; ++ JobType type = JOB_START; + + assert(p); + +@@ -478,7 +479,10 @@ static void path_enter_running(Path *p) { + return; + } + +- r = manager_add_job(UNIT(p)->manager, JOB_START, trigger, JOB_REPLACE, &error, NULL); ++ if (p->reload_on_trigger) ++ type = JOB_RELOAD_OR_START; ++ ++ r = manager_add_job(UNIT(p)->manager, type, trigger, JOB_REPLACE, &error, NULL); + if (r < 0) + goto fail; + +diff --git a/src/core/path.h b/src/core/path.h +index 4230c8f..0bb0609 100644 +--- a/src/core/path.h ++++ b/src/core/path.h +@@ -79,6 +79,8 @@ struct Path { + bool make_directory; + mode_t directory_mode; + ++ bool reload_on_trigger; ++ + PathResult result; + }; + +-- +2.9.3 + diff --git a/meta-refkit-core/recipes-core/systemd/systemd_%.bbappend b/meta-refkit-core/recipes-core/systemd/systemd_%.bbappend new file mode 100644 index 0000000000..13854bc5fd --- /dev/null +++ b/meta-refkit-core/recipes-core/systemd/systemd_%.bbappend @@ -0,0 +1,6 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/files:" + +SRC_URI_append_refkit-config = "\ + file://0001-unit-service-allow-rerunning-reload-tasks.patch \ + file://0002-path-add-ReloadOnTrigger-option.patch \ +" From 9024af92db888ad4b074d302c76ed7f4048218ac Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Wed, 31 May 2017 10:03:14 +0300 Subject: [PATCH 10/15] iptables: removed iptables customizations. 
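Review bot: The new `ReloadOnTrigger=` option has no user-visible documentation: the diffstat touches only the gperf table, path.c and path.h, so the systemd.path man page and path_dump() (what `systemctl show` and the unit dump print) never mention it. The commit message says the option only works for target units that support reload; that restriction belongs in the man page entry and ideally in path_verify(), so a .path unit whose target cannot be reloaded is rejected at load time instead of failing on every trigger. A comment on the new field in path.h would help readers of the struct, e.g. `/* Enqueue JOB_RELOAD_OR_START instead of JOB_START on trigger, so triggers arriving while the target is active are not merged away; the target must support reloading. */`.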
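Review bot: Both patches are appended to `systemd_%`, so they are applied to whatever systemd version the base layer provides, while their headers mark them `Upstream-status: Submitted`; the next systemd upgrade will either fail to apply them or apply them to job/reload code whose behaviour may have moved. Record the version they were validated against and the upstream change to watch, e.g. `# Validated against the systemd version in oe-core at the time of writing; drop once systemd PR 5839 is merged`, or restrict the append to that version instead of `%`.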
Signed-off-by: Ismo Puustinen --- .../files/default-ip6tables.rules | 15 ------- .../files/default-iptables.rules | 14 ------ .../iptables-settings-default_0.1.bb | 45 ------------------- .../iptables/files/ip6tables.service.in | 14 ------ .../iptables/files/iptables.service.in | 14 ------ .../iptables/iptables_%.bbappend | 30 ------------- 6 files changed, 132 deletions(-) delete mode 100644 meta-refkit-core/recipes-security/iptables-settings-default/files/default-ip6tables.rules delete mode 100644 meta-refkit-core/recipes-security/iptables-settings-default/files/default-iptables.rules delete mode 100644 meta-refkit-core/recipes-security/iptables-settings-default/iptables-settings-default_0.1.bb delete mode 100644 meta-refkit-core/recipes-security/iptables/files/ip6tables.service.in delete mode 100644 meta-refkit-core/recipes-security/iptables/files/iptables.service.in delete mode 100644 meta-refkit-core/recipes-security/iptables/iptables_%.bbappend diff --git a/meta-refkit-core/recipes-security/iptables-settings-default/files/default-ip6tables.rules b/meta-refkit-core/recipes-security/iptables-settings-default/files/default-ip6tables.rules deleted file mode 100644 index 757c95d16e..0000000000 --- a/meta-refkit-core/recipes-security/iptables-settings-default/files/default-ip6tables.rules +++ /dev/null @@ -1,15 +0,0 @@ -*filter -:INPUT DROP -:FORWARD DROP -:OUTPUT ACCEPT -# allow containers to access DNS service --A INPUT -i ve-+ -p udp -m udp --dport 53 -j ACCEPT --A INPUT -i lo -j ACCEPT -# allow DHCPv6 --A INPUT -s fe80::/10 -p udp -m udp --dport 546 -j ACCEPT --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A INPUT -p ipv6-icmp -j ACCEPT -# allow forwarding traffic to/from containers --A FORWARD -o ve-+ -j ACCEPT --A FORWARD -i ve-+ -j ACCEPT -COMMIT 
diff --git a/meta-refkit-core/recipes-security/iptables-settings-default/files/default-iptables.rules b/meta-refkit-core/recipes-security/iptables-settings-default/files/default-iptables.rules deleted file mode 100644 index 8945284755..0000000000 --- a/meta-refkit-core/recipes-security/iptables-settings-default/files/default-iptables.rules +++ /dev/null @@ -1,14 +0,0 @@ -*filter -:INPUT DROP -:FORWARD DROP -:OUTPUT ACCEPT -# allow containers to access DNS service --A INPUT -i ve-+ -p udp -m udp --dport 53 -j ACCEPT -# allow containers to access DHCP service --A INPUT -i ve-+ -p udp -m udp --dport 67 -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -# allow forwarding traffic to/from containers --A FORWARD -o ve-+ -j ACCEPT --A FORWARD -i ve-+ -j ACCEPT -COMMIT diff --git a/meta-refkit-core/recipes-security/iptables-settings-default/iptables-settings-default_0.1.bb b/meta-refkit-core/recipes-security/iptables-settings-default/iptables-settings-default_0.1.bb deleted file mode 100644 index 27c5c3d0d4..0000000000 --- a/meta-refkit-core/recipes-security/iptables-settings-default/iptables-settings-default_0.1.bb +++ /dev/null 
@@ -1,45 +0,0 @@ -# Copyright (C) 2016 Intel. -# Released under the MIT license (see COPYING.MIT for the terms) - -DESCRIPTION = "Default iptables and ip6tables settings." -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" - -SRC_URI = " \ - file://default-iptables.rules \ - file://default-ip6tables.rules \ -" - -inherit update-alternatives - -# use update-alternatives for letting several rulesets to be installed -# to the same sysroot -ALTERNATIVE_${PN} += "iptables.rules" -ALTERNATIVE_LINK_NAME[iptables.rules] = "${datadir}/iptables-settings/iptables.rules" -ALTERNATIVE_TARGET[iptables.rules] = "${datadir}/iptables-settings/default-iptables.rules" - -# update-alternatives does not add the generated files automatically to -# FILES_${PN} - -FILES_${PN} += "${datadir}/iptables-settings/" - -do_install() { - install -d ${D}${datadir}/iptables-settings - install -m 0644 ${WORKDIR}/default-iptables.rules ${D}${datadir}/iptables-settings/default-iptables.rules - - if ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'true', 'false', d)}; then - install -m 0644 ${WORKDIR}/default-ip6tables.rules ${D}${datadir}/iptables-settings/default-ip6tables.rules - fi -} - -python () { - # if we have IPv6 support, set the alternative variables - - datadir = d.getVar("datadir", True) - pn = d.getVar("PN", True) - - if bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'True', 'False', d): - d.appendVar('ALTERNATIVE_' + pn, ' ip6tables.rules') - d.setVarFlag('ALTERNATIVE_LINK_NAME', 'ip6tables.rules', datadir + '/iptables-settings/ip6tables.rules') - d.setVarFlag('ALTERNATIVE_TARGET', 'ip6tables.rules', datadir + '/iptables-settings/default-ip6tables.rules') -} diff --git a/meta-refkit-core/recipes-security/iptables/files/ip6tables.service.in b/meta-refkit-core/recipes-security/iptables/files/ip6tables.service.in deleted file mode 100644 index 41e8ac2d0b..0000000000 
--- a/meta-refkit-core/recipes-security/iptables/files/ip6tables.service.in +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=ip6tables firewall -ConditionPathExists=/usr/share/iptables-settings/ip6tables.rules -DefaultDependencies=false -Before=network-pre.target multi-user.target shutdown.target -Conflicts=shutdown.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/sbin/ip6tables-restore {datadir}/iptables-settings/ip6tables.rules - -[Install] -WantedBy=network.target diff --git a/meta-refkit-core/recipes-security/iptables/files/iptables.service.in b/meta-refkit-core/recipes-security/iptables/files/iptables.service.in deleted file mode 100644 index 5068db16d5..0000000000 --- a/meta-refkit-core/recipes-security/iptables/files/iptables.service.in +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=iptables firewall -ConditionPathExists=/usr/share/iptables-settings/iptables.rules -DefaultDependencies=false -Before=network-pre.target multi-user.target shutdown.target -Conflicts=shutdown.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/sbin/iptables-restore {datadir}/iptables-settings/iptables.rules - -[Install] -WantedBy=network.target diff --git a/meta-refkit-core/recipes-security/iptables/iptables_%.bbappend b/meta-refkit-core/recipes-security/iptables/iptables_%.bbappend deleted file mode 100644 index 5d485b9e34..0000000000 --- a/meta-refkit-core/recipes-security/iptables/iptables_%.bbappend +++ /dev/null 
@@ -1,30 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/files:" - -SRC_URI_append_refkit-firewall = "\ - file://iptables.service.in \ - file://ip6tables.service.in \ -" - -inherit ${@bb.utils.contains('DISTRO_FEATURES', 'refkit-firewall', 'systemd', '', d)} - -# Depend on an iptables configuration. If no configuration is specified -# then use the default configuration. -VIRTUAL-RUNTIME_iptables-settings ?= "iptables-settings-default" -RDEPENDS_${PN}_append_refkit-firewall = " ${VIRTUAL-RUNTIME_iptables-settings}" - -do_install_append_refkit-firewall() { - install -d ${D}${systemd_unitdir}/system - - sed -e 's#{datadir}#${datadir}#' ${WORKDIR}/iptables.service.in > ${WORKDIR}/iptables.service - install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_unitdir}/system - - if ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'true', 'false', d)}; then - sed -e 's#{datadir}#${datadir}#' ${WORKDIR}/ip6tables.service.in > ${WORKDIR}/ip6tables.service - install -m 0644 ${WORKDIR}/ip6tables.service ${D}${systemd_unitdir}/system - fi -} - -SYSTEMD_SERVICE_${PN}_refkit-firewall = " \ - iptables.service \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ip6tables.service', '', d)} \ -" From bc33213e0f0ad22c76ba1d8cc20faefbb8568abe Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Wed, 31 May 2017 10:06:12 +0300 Subject: [PATCH 11/15] openssh: nftables support. Signed-off-by: Ismo Puustinen --- .../openssh/files/openssh-ipv4.conf | 6 ------ .../openssh/files/openssh-ipv6.conf | 6 ------ .../openssh/files/openssh-sshd.ruleset | 13 +++++++++++++ .../recipes-security/openssh/openssh_%.bbappend | 16 +++++----------- 4 files changed, 18 insertions(+), 23 deletions(-) delete mode 100644 meta-refkit-core/recipes-security/openssh/files/openssh-ipv4.conf delete mode 100644 meta-refkit-core/recipes-security/openssh/files/openssh-ipv6.conf create mode 100755 meta-refkit-core/recipes-security/openssh/files/openssh-sshd.ruleset 
diff --git a/meta-refkit-core/recipes-security/openssh/files/openssh-ipv4.conf b/meta-refkit-core/recipes-security/openssh/files/openssh-ipv4.conf deleted file mode 100644 index c51618aee0..0000000000 --- a/meta-refkit-core/recipes-security/openssh/files/openssh-ipv4.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -After=iptables.service - -[Socket] -ExecStartPre=/usr/sbin/iptables -w -A INPUT -p tcp --dport ssh -j ACCEPT -ExecStopPost=/usr/sbin/iptables -w -D INPUT -p tcp --dport ssh -j ACCEPT diff --git a/meta-refkit-core/recipes-security/openssh/files/openssh-ipv6.conf b/meta-refkit-core/recipes-security/openssh/files/openssh-ipv6.conf deleted file mode 100644 index ff023ef704..0000000000 --- a/meta-refkit-core/recipes-security/openssh/files/openssh-ipv6.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -After=ip6tables.service - -[Socket] -ExecStartPre=/usr/sbin/ip6tables -w -A INPUT -p tcp --dport ssh -j ACCEPT -ExecStopPost=/usr/sbin/ip6tables -w -D INPUT -p tcp --dport ssh -j ACCEPT diff --git a/meta-refkit-core/recipes-security/openssh/files/openssh-sshd.ruleset b/meta-refkit-core/recipes-security/openssh/files/openssh-sshd.ruleset new file mode 100755 index 0000000000..b1b6959fbf --- /dev/null +++ b/meta-refkit-core/recipes-security/openssh/files/openssh-sshd.ruleset @@ -0,0 +1,13 @@ +#!/usr/sbin/nft + +table inet filter { + include "zones.ruleset" + + chain openssh-sshd { + # accept connections from LAN + iif @ZONE_LAN accept; + } +} + +# if tcp port is 22, we'll jump to chain openssh-sshd +add element inet filter tcp_service_map {ssh : jump openssh-sshd}; diff --git a/meta-refkit-core/recipes-security/openssh/openssh_%.bbappend b/meta-refkit-core/recipes-security/openssh/openssh_%.bbappend index e4a50fef6c..9d64390dd1 100644 --- a/meta-refkit-core/recipes-security/openssh/openssh_%.bbappend +++ b/meta-refkit-core/recipes-security/openssh/openssh_%.bbappend 
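Review bot: The `openssh-sshd` chain accepts every TCP/22 packet arriving on an interface in `@ZONE_LAN` and says nothing about the rest; what happens to an SSH attempt from a non-LAN interface depends on the table's base input chain and on `zones.ruleset`, neither of which is in this commit, so the fall-through should be stated in the file rather than left implicit, e.g. `# anything not accepted here returns to the caller and is handled by the base input chain (expected: drop)`. Whether `iif` (interface index) is the right match for `@ZONE_LAN` depends on how that set is typed in zones.ruleset; if it holds interface names, `iifname` is required. The file is committed as mode 100755 with an `nft` shebang but installed 0644 in the append below, so either drop the executable bit and shebang or install it executable.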
@@ -1,22 +1,16 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/files:" -RDEPENDS_${PN}-sshd_append_refkit-firewall = " iptables" +RDEPENDS_${PN}-sshd_append_refkit-firewall = " nftables" SRC_URI_append_refkit-firewall = "\ - file://${PN}-ipv4.conf \ - file://${PN}-ipv6.conf \ + file://openssh-sshd.ruleset \ " do_install_append_refkit-firewall() { - install -d ${D}${systemd_unitdir}/system/sshd.socket.d - install -m 0644 ${WORKDIR}/${PN}-ipv4.conf ${D}${systemd_unitdir}/system/sshd.socket.d - if ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'true', 'false', d)}; then - install -m 0644 ${WORKDIR}/${PN}-ipv6.conf ${D}${systemd_unitdir}/system/sshd.socket.d - fi + install -d ${D}${libdir}/firewall/services + install -m 0644 ${WORKDIR}/openssh-sshd.ruleset ${D}${libdir}/firewall/services/ } FILES_${PN}_append_refkit-firewall = " \ - ${systemd_unitdir}/system/sshd.socket.d/${PN}-ipv4.conf \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', \ - '${systemd_unitdir}/system/sshd.socket.d/${PN}-ipv6.conf', '', d)} \ + ${libdir}/firewall/services/openssh-sshd.ruleset \ " From ad5203204c24602289cac46016129cd5668d51b1 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Wed, 31 May 2017 10:09:11 +0300 Subject: [PATCH 12/15] avahi: nftables support. Signed-off-by: Ismo Puustinen --- .../recipes-connectivity/avahi/avahi_%.bbappend | 17 ++++++----------- .../avahi/files/avahi-ipv4.conf | 6 ------ .../avahi/files/avahi-ipv6.conf | 6 ------ .../avahi/files/avahi.ruleset | 12 ++++++++++++ 4 files changed, 18 insertions(+), 23 deletions(-) delete mode 100644 meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv4.conf delete mode 100644 meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv6.conf create mode 100755 meta-refkit-core/recipes-connectivity/avahi/files/avahi.ruleset diff --git a/meta-refkit-core/recipes-connectivity/avahi/avahi_%.bbappend b/meta-refkit-core/recipes-connectivity/avahi/avahi_%.bbappend index 38773997c9..9eda74e8d2 100644 
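Review bot: `${libdir}` is not guaranteed to be `/usr/lib`; on lib64/multilib configurations it expands to `/usr/lib64`, so the ruleset would land in `/usr/lib64/firewall/services/` where a loader scanning `/usr/lib/firewall/services/` (the path this series documents) would never find it and port 22 would silently stay closed; use `${nonarch_libdir}` in both `do_install_append_refkit-firewall` and `FILES_${PN}_append_refkit-firewall`. The runtime dependency on `nftables` is declared on `${PN}-sshd`, but the ruleset that opens the port is packaged into `FILES_${PN}`; if the main package can be installed without the daemon the port is opened with no sshd behind it, and if the daemon is installed alone the ruleset is missing, so both belong in the `${PN}-sshd` package.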
--- a/meta-refkit-core/recipes-connectivity/avahi/avahi_%.bbappend +++ b/meta-refkit-core/recipes-connectivity/avahi/avahi_%.bbappend @@ -12,11 +12,10 @@ FILES_${PN}_append_refkit-config = " \ " # add firewall support -RDEPENDS_${PN}_append_refkit-firewall += " iptables" +RDEPENDS_${PN}_append_refkit-firewall += " nftables" SRC_URI_append_refkit-firewall = "\ - file://${PN}-ipv4.conf \ - file://${PN}-ipv6.conf \ + file://avahi.ruleset \ " do_install_append_refkit-config() { @@ -25,15 +24,11 @@ do_install_append_refkit-config() { } do_install_append_refkit-firewall() { - install -d ${D}${systemd_unitdir}/system/avahi-daemon.socket.d - install -m 0644 ${WORKDIR}/${PN}-ipv4.conf ${D}${systemd_unitdir}/system/avahi-daemon.socket.d - if ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'true', 'false', d)}; then - install -m 0644 ${WORKDIR}/${PN}-ipv6.conf ${D}${systemd_unitdir}/system/avahi-daemon.socket.d - fi + install -d ${D}${libdir}/firewall/services + install -m 0644 ${WORKDIR}/avahi.ruleset ${D}${libdir}/firewall/services/ + } FILES_${PN}_append_refkit-firewall = " \ - ${systemd_unitdir}/system/avahi-daemon.socket.d/${PN}-ipv4.conf \ - ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', \ - '${systemd_unitdir}/system/avahi-daemon.socket.d/${PN}-ipv6.conf', '', d)} \ + ${libdir}/firewall/services/avahi.ruleset \ " diff --git a/meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv4.conf b/meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv4.conf deleted file mode 100644 index 7a65421d2f..0000000000 --- a/meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv4.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -After=iptables.service - -[Socket] -ExecStartPre=/usr/sbin/iptables -w -A INPUT -p udp -m udp --dport 5353 -j ACCEPT -ExecStopPost=/usr/sbin/iptables -w -D INPUT -p udp -m udp --dport 5353 -j ACCEPT 
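Review bot: Same `${libdir}` problem as the openssh append: on lib64 configurations the ruleset is installed under `/usr/lib64/firewall/services/` while the scan path documented in this series is `/usr/lib/firewall/services/`, so mDNS would silently stay blocked; use `${nonarch_libdir}` in both the install step and `FILES_${PN}_append_refkit-firewall`. The rewritten `do_install_append_refkit-firewall` also gains a stray blank line before the closing brace that should be dropped.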
diff --git a/meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv6.conf b/meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv6.conf deleted file mode 100644 index 3f542a9d13..0000000000 --- a/meta-refkit-core/recipes-connectivity/avahi/files/avahi-ipv6.conf +++ /dev/null @@ -1,6 +0,0 @@ -[Unit] -After=iptables.service - -[Socket] -ExecStartPre=/usr/sbin/ip6tables -w -A INPUT -p udp -m udp --dport 5353 -j ACCEPT -ExecStopPost=/usr/sbin/ip6tables -w -D INPUT -p udp -m udp --dport 5353 -j ACCEPT diff --git a/meta-refkit-core/recipes-connectivity/avahi/files/avahi.ruleset b/meta-refkit-core/recipes-connectivity/avahi/files/avahi.ruleset new file mode 100755 index 0000000000..c3ea51af87 --- /dev/null +++ b/meta-refkit-core/recipes-connectivity/avahi/files/avahi.ruleset @@ -0,0 +1,12 @@ +#!/usr/sbin/nft + +table inet filter { + include "zones.ruleset" + + chain avahi { + # allow multicast for clients in ZONE_LAN + iif @ZONE_LAN accept; + } +} + +add element inet filter udp_service_map {5353 : jump avahi}; From 7ac0d8bdc2209430542695e1c455fcef2e173cea Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Wed, 31 May 2017 12:56:28 +0300 Subject: [PATCH 13/15] docs: added firewall documentation. Signed-off-by: Ismo Puustinen --- doc/security.rst | 52 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/doc/security.rst b/doc/security.rst index 9eb6254639..88ebb3bf05 100644 --- a/doc/security.rst +++ b/doc/security.rst 
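Review bot: The comment says "allow multicast for clients in ZONE_LAN", but the rule accepts any UDP/5353 packet on a LAN-zone interface, including unicast queries aimed directly at this host, which exposes more of the avahi daemon than the comment promises. If only mDNS multicast is intended, restrict the destination, e.g. `ip daddr 224.0.0.251 iif @ZONE_LAN accept;` and `ip6 daddr ff02::fb iif @ZONE_LAN accept;`; otherwise reword the comment to say all 5353 traffic from the LAN zone is accepted. As with the openssh ruleset, the file is committed 100755 with a shebang but installed 0644.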
@@ -239,3 +239,55 @@ The signing tool uses a 2048bit RSA private key (``REFKIT_DB_KEY``) and a PEM formatted X.509 signature (``REFKIT_DB_CERT``). When deploying the DB keys on the device, use the DER formatted X.509. See ``meta-refkit/files/secureboot/gen-keys-helper.sh`` for more details on how the test keys can be created. +Firewall support +================ + +Default firewall is nftables. The default firewall ruleset itself is +quite basic: only incoming IPv4 and IPv6 traffic is filtered. +Applications must by themselves request the permissions they need by +dropping an nftables script to directory ``/usr/lib/firewall/services/`` +or ``/etc/firewall/services/``. The nftables script should be named with +the package name to avoid file name conflicts. + +There are two main ways for writing the script. First way is the +fastest, and is suitable for applications and services which only need +to have certain TCP or UDP port ranges open. The service has a chain +which contains the rules for processing the packet. The chain is then +added as a jump target to tcp map (``tcp_service_map``) or udp map +(``udp_service_map``), which map from port numbers or well-known +services to the chains. In this example, tcp port 22 (ssh) is mapped to +chain ``openssh-sshd``, which then accepts connections from LAN +interfaces. The interface definitions are included from +``zones.ruleset``. + +.. code:: nft + + #!/usr/sbin/nft + + table inet filter { + include "zones.ruleset" + chain openssh-sshd { + iif @ZONE_LAN accept; + } + } + + add element inet filter tcp_service_map {ssh : jump openssh-sshd}; + +The second way is to set up a new input chain with priority 0 and policy +``accept``. The chain must tag packets belonging to the service there +with mark ``accept_packet``. This method is especially suitable for +services which require network traffic other than tcp or udp, such as +ICMP packets. It carries a performance penalty, however. 
The following +example is equivalent with the previous example. + +.. code:: nft + + #!/usr/sbin/nft + + table inet filter { + include "zones.ruleset" + chain openssh-sshd { + type filter hook input priority 0; policy accept; + tcp dport ssh iif @ZONE_LAN mark set $accept_packet; + } + } From 25075f04094b706b0600ad7185a4427812eebb45 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Thu, 1 Jun 2017 14:09:34 +0300 Subject: [PATCH 14/15] connman: use nftables instead of iptables. Signed-off-by: Ismo Puustinen --- meta-refkit-core/conf/distro/include/refkit-config.inc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/meta-refkit-core/conf/distro/include/refkit-config.inc b/meta-refkit-core/conf/distro/include/refkit-config.inc index cf47e1403b..eb558ffee1 100644 --- a/meta-refkit-core/conf/distro/include/refkit-config.inc +++ b/meta-refkit-core/conf/distro/include/refkit-config.inc @@ -133,6 +133,10 @@ PACKAGECONFIG_pn-gstreamer1.0-plugins-bad_refkit-config ?= "" # Enable OpenCL. PACKAGECONFIG_append_pn-opencv_refkit-config = " opencl" +# Use nftables instead of iptables. +PACKAGECONFIG_remove_pn-connman_refkit-config = "iptables" +PACKAGECONFIG_append_pn-connman_refkit-config = " nftables" + ######################################################################### # Changes that normally are better suited for a .bbappend have # to be done here if the corresponding .bb file is not guaranteed From e13ae5ba27d2d1f8ae76e18af31c02fc92bc4db4 Mon Sep 17 00:00:00 2001 From: Ismo Puustinen Date: Tue, 18 Apr 2017 13:47:56 +0300 Subject: [PATCH 15/15] meta-iotqa: convert firewall handling to nftables. 
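Review bot: The connman backend switch is keyed on the `refkit-config` override, whereas every other nftables change in this series (the openssh and avahi appends above) is keyed on `refkit-firewall`; a distro with `refkit-config` but without `refkit-firewall` would get a connman built for nftables even though, if nf_tables kernel support is enabled only together with that feature, the backend would have nothing to talk to. Either use `_refkit-firewall` here too or add a comment explaining why connman must always use nftables. Note also that `PACKAGECONFIG_remove` is applied last and cannot be undone by a later append in a local.conf, so a comment such as `# _remove is final: downstream configs cannot re-enable iptables for connman` saves a maintainer a debugging session.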
Signed-off-by: Ismo Puustinen --- .../lib/oeqa/runtime/core/iotivity/base.py | 11 +++++------ .../core/iotivity/iotvt_integration.py | 9 ++++----- .../core/iotivity/iotvt_integration_mnode.py | 6 ++---- .../oeqa/runtime/core/iotivity/iotvt_wifi.py | 6 ++---- .../nodejs/iotivity_node_upstream.py | 19 ++++++------------- .../oeqa/runtime/programming/nodejs/mqtt.py | 6 ++++-- .../runtime/programming/nodejs/rest_apis.py | 6 ++++-- 7 files changed, 27 insertions(+), 36 deletions(-) diff --git a/meta-iotqa/lib/oeqa/runtime/core/iotivity/base.py b/meta-iotqa/lib/oeqa/runtime/core/iotivity/base.py index 7dcf269a1b..4d761c20a9 100644 --- a/meta-iotqa/lib/oeqa/runtime/core/iotivity/base.py +++ b/meta-iotqa/lib/oeqa/runtime/core/iotivity/base.py @@ -27,13 +27,10 @@ def setUpClass(cls): # Set up firewall port_range_cmd = "cat /proc/sys/net/ipv4/ip_local_port_range" (status, output) = cls.tc.target.run(port_range_cmd) - port_range = "%s:%s" % tuple(output.split()) + port_range = output.split() - iptables_cmd = "/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 \ - -p udp -m udp --dport %s -j ACCEPT" - cls.tc.target.run(iptables_cmd % "5683") - cls.tc.target.run(iptables_cmd % "5684") - cls.tc.target.run(iptables_cmd % port_range) + cls.tc.target.run("/usr/sbin/nft add chain inet filter iotivity { type filter hook input priority 0\; }") + cls.tc.target.run("/usr/sbin/nft add rule inet filter iotivity ip6 saddr fe80::/10 udp dport {5683, 5684, %s-%s} mark set 1" % (port_range[0], port_range[1])) # Start server resource_cmd = "/opt/iotivity/examples/resource/cpp/%s > /tmp/%s &" @@ -57,5 +54,7 @@ def setUpClass(cls): @classmethod def tearDownClass(cls): + cls.tc.target.run("/usr/sbin/nft flush chain inet filter iotivity") + cls.tc.target.run("/usr/sbin/nft delete chain inet filter iotivity") remove_user("iotivity-tester") cls.tc.target.run("killall simpleserver simpleclient") 
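Review bot: The string `"... priority 0\; }"` contains `\;`, which is not a valid Python escape; CPython keeps the backslash but emits a DeprecationWarning (a SyntaxWarning in newer releases), so make it a raw string, `cls.tc.target.run(r"/usr/sbin/nft add chain inet filter iotivity { type filter hook input priority 0\; }")`. The return status of both `nft` calls is discarded, so a syntax error or a missing `inet filter` table only surfaces later as an unrelated connectivity failure; capture `(status, output)` and assert on it as the `port_range_cmd` call above already does. The mark value is hard-coded as `1` while the firewall documentation in this series refers to a symbolic `accept_packet` define; if that define ever changes the tests silently stop opening the ports, so name it once at module level with a comment pointing at the ruleset it must match.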
diff --git a/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration.py b/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration.py index dd59bac2f2..e2c69c1779 100644 --- a/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration.py +++ b/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration.py @@ -36,11 +36,10 @@ def setUpClass(cls): # Setup firewall accept for multicast (status, output) = cls.tc.target.run("cat /proc/sys/net/ipv4/ip_local_port_range") port_range = output.split() - cls.tc.target.run("/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT") - cls.tc.target.run("/usr/sbin/iptables -w -A INPUT -p udp --dport 5684 -j ACCEPT") - cls.tc.target.run("/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 -p udp -m udp --dport 5683 -j ACCEPT") - cls.tc.target.run("/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 -p udp -m udp --dport 5684 -j ACCEPT") - cls.tc.target.run("/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 -p udp -m udp --dport %s:%s -j ACCEPT" % (port_range[0], port_range[1])) + + cls.tc.target.run("/usr/sbin/nft add chain inet filter iotivity { type filter hook input priority 0\; }") + cls.tc.target.run("/usr/sbin/nft add rule inet filter iotivity udp dport {5683, 5684} mark set 1") + cls.tc.target.run("/usr/sbin/nft add rule inet filter iotivity ip6 saddr fe80::/10 udp dport {5683, 5684, %s-%s} mark set 1" % (port_range[0], port_range[1])) @classmethod def tearDownClass(cls): diff --git a/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration_mnode.py b/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration_mnode.py index d441df8ef5..e086d15122 100644 --- a/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration_mnode.py +++ b/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_integration_mnode.py 
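Review bot: The first new rule, `udp dport {5683, 5684} mark set 1`, lives in an `inet` table and therefore matches IPv6 as well as IPv4, so the link-local restriction the removed ip6tables rules enforced for those two ports (`-s fe80::/10`) is lost and the second rule's `5683, 5684` entries are dead; if the narrower IPv6 scope was deliberate, write `meta nfproto ipv4 udp dport {5683, 5684} mark set 1` for the first rule. The diffstat for this file (4 insertions, 5 deletions) is accounted for by this hunk alone, so tearDownClass is apparently not updated to flush and delete the `iotivity` chain the way base.py does; `nft add chain` is idempotent but `add rule` is not, so every run leaves another copy of the rules behind and the device stays more open after the test than before.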
@@ -37,10 +37,8 @@ def setUpClass(cls):
add_group("tester", target=cls.tc.targets[1])
add_user("iotivity-tester", "tester", target=cls.tc.targets[1])
# Setup firewall accept for multicast, on both sides
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT", target=cls.tc.targets[0])
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5684 -j ACCEPT", target=cls.tc.targets[0])
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT", target=cls.tc.targets[1])
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5684 -j ACCEPT", target=cls.tc.targets[1])
+ run_as("root", "/usr/sbin/nft add rule inet filter input udp dport {5683, 5684} accept", target=cls.tc.targets[0])
+ run_as("root", "/usr/sbin/nft add rule inet filter input udp dport {5683, 5684} accept", target=cls.tc.targets[1])
# check if image contains iotivity example applications
(status, output) = run_as("root", "ls /opt/iotivity/examples/resource/", target=cls.tc.targets[0])
if "cpp" in output:
diff --git a/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_wifi.py b/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_wifi.py
index f87337d9e9..63562231a9 100644
--- a/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_wifi.py
+++ b/meta-iotqa/lib/oeqa/runtime/core/iotivity/iotvt_wifi.py
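Review bot: The new rule is appended to the tail of the base `input` chain with `add rule`, which is only effective if that chain has no terminating drop/reject rule ahead of its policy; a base ruleset that ends with an explicit drop (not visible here) would make the appended accept unreachable, and the other tests in this commit avoid the question by creating their own chain. Use `insert rule` to place it at the head, or follow base.py and create a dedicated `iotivity` chain, and add the matching flush/delete in tearDownClass so the two targets are not left with the ports open between runs. In an `inet` table this rule also opens 5683/5684 for IPv6, which the replaced IPv4-only iptables rules did not.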
@@ -55,10 +55,8 @@ def setUpClass(cls):
add_group("tester", target=cls.tc.targets[1])
add_user("iotivity-tester", "tester", target=cls.tc.targets[1])
# Setup firewall accept for multicast, on both sides
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT", target=cls.tc.targets[0])
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5684 -j ACCEPT", target=cls.tc.targets[0])
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT", target=cls.tc.targets[1])
- run_as("root", "/usr/sbin/iptables -w -A INPUT -p udp --dport 5684 -j ACCEPT", target=cls.tc.targets[1])
+ run_as("root", "/usr/sbin/nft add rule inet filter input udp dport {5683, 5684} accept", target=cls.tc.targets[0])
+ run_as("root", "/usr/sbin/nft add rule inet filter input udp dport {5683, 5684} accept", target=cls.tc.targets[1])
# check if image contains iotivity example applications
(status, output) = run_as("root", "ls /opt/iotivity/examples/resource/", target=cls.tc.targets[0])
diff --git a/meta-iotqa/lib/oeqa/runtime/programming/nodejs/iotivity_node_upstream.py b/meta-iotqa/lib/oeqa/runtime/programming/nodejs/iotivity_node_upstream.py
index ca482633d6..6a0325c563 100644
--- a/meta-iotqa/lib/oeqa/runtime/programming/nodejs/iotivity_node_upstream.py
+++ b/meta-iotqa/lib/oeqa/runtime/programming/nodejs/iotivity_node_upstream.py
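Review bot: As in iotvt_integration_mnode.py, `nft add rule inet filter input ... accept` appends to the tail of the base `input` chain, so it only works if that chain has no explicit final drop; prefer `insert rule` or a dedicated test chain, add the corresponding cleanup in tearDownClass, and check the return status of `run_as`, since a failed `nft` call currently goes unnoticed until the iotivity client times out. The rule also opens 5683/5684 for IPv6 on both targets, which the replaced IPv4-only rules did not, so the discovery surface under test widens.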
@@ -207,11 +207,9 @@ def setUp(self): # Set firewall rules (status, output) = self.target.run("cat /proc/sys/net/ipv4/ip_local_port_range") port_range = output.split() - self.target.run("/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT") - self.target.run("/usr/sbin/iptables -w -A INPUT -p udp --dport 5684 -j ACCEPT") - self.target.run("/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 -p udp -m udp --dport 5683 -j ACCEPT") - self.target.run("/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 -p udp -m udp --dport 5684 -j ACCEPT") - self.target.run("/usr/sbin/ip6tables -w -A INPUT -s fe80::/10 -p udp -m udp --dport %s:%s -j ACCEPT" % (port_range[0], port_range[1])) + self.target.run("/usr/sbin/nft add chain inet filter iotivity { type filter hook input priority 0\; }") + self.target.run("/usr/sbin/nft add rule inet filter iotivity udp dport {5683, 5684} mark set 1") + self.target.run("/usr/sbin/nft add rule inet filter iotivity ip6 saddr fe80::/10 udp dport {5683, 5684, %s-%s} mark set 1" % (port_range[0], port_range[1])) def test_apprt_iotivitynode(self): 
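Review bot: The `udp dport {5683, 5684} mark set 1` rule in an `inet` table matches both IP families, so the `fe80::/10` link-local restriction the removed ip6tables rules applied to those ports no longer holds and the second rule's `5683, 5684` entries are dead; use `meta nfproto ipv4 udp dport {5683, 5684} mark set 1` if IPv6 is meant to stay link-local only. Because this is a per-test setUp, `add chain` is harmless on repeat but `add rule` appends another copy on every test, so the flush in tearDown is load-bearing and the `nft` status should be checked so a failed setUp is reported where it happens. The `\;` inside a non-raw string is an invalid escape that warns under CPython; write it as `r"..."`.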
@@ -261,13 +259,9 @@ def tearDown(self): @fn tearDown @param self ''' - (status, output) = self.target.run("cat /proc/sys/net/ipv4/ip_local_port_range") - port_range = output.split() - self.target.run("/usr/sbin/iptables -w -D INPUT -p udp --dport 5683 -j ACCEPT") - self.target.run("/usr/sbin/iptables -w -D INPUT -p udp --dport 5684 -j ACCEPT") - self.target.run("/usr/sbin/ip6tables -w -D INPUT -s fe80::/10 -p udp -m udp --dport 5683 -j ACCEPT") - self.target.run("/usr/sbin/ip6tables -w -D INPUT -s fe80::/10 -p udp -m udp --dport 5684 -j ACCEPT") - self.target.run("/usr/sbin/ip6tables -w -D INPUT -s fe80::/10 -p udp -m udp --dport %s:%s -j ACCEPT" % (port_range[0], port_range[1])) + + self.target.run("/usr/sbin/nft flush chain inet filter iotivity") + self.target.run("/usr/sbin/nft delete chain inet filter iotivity") sys.stdout.write("\nClean test files in device, eg: tests grunt-build") sys.stdout.flush() self.target_path = '/usr/lib/node_modules/iotivity-node/' @@ -295,4 +289,3 @@ def tearDown(self): # @} # @} ## - diff --git a/meta-iotqa/lib/oeqa/runtime/programming/nodejs/mqtt.py b/meta-iotqa/lib/oeqa/runtime/programming/nodejs/mqtt.py index cd2e847475..78dad72bee 100644 --- a/meta-iotqa/lib/oeqa/runtime/programming/nodejs/mqtt.py +++ b/meta-iotqa/lib/oeqa/runtime/programming/nodejs/mqtt.py @@ -65,7 +65,8 @@ def test_mqtt(self): @param return ''' # Enable the port 1883 - self.target.run('ip6tables -A INPUT -p tcp --dport 1883 -j ACCEPT') + self.target.run("/usr/sbin/nft add chain inet filter mqtt { type filter hook input priority 0\; }") + self.target.run("/usr/sbin/nft add rule inet filter mqtt tcp dport 1883 mark set 1") (status, output) = self.target.run("node /tmp/mqtt/mqtt.js") self.assertEqual(status, 0) self.assertTrue('error' not in output.lower()) 
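Review bot: The two `nft` calls in test_mqtt() discard their status, so a failure to create the `mqtt` chain surfaces only as the later `node /tmp/mqtt/mqtt.js` assertion, which points at the wrong cause; capture the status and `self.assertEqual(status, 0, output)` before running the client. The replaced rule was IPv6-only, while the new `inet` rule opens TCP/1883 for IPv4 as well, which may be intended but widens what the test changes on the device. As elsewhere in this commit, `"... priority 0\; }"` should be a raw string.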
@@ -82,4 +83,5 @@ def tearDown(self):
os.system('rm -rf %s >/dev/null 2>&1' % os.path.join(target_file, 'node_modules'))
self.target.run('rm -rf /tmp/node_modules')
self.target.run('rm -rf /tmp/mqtt')
- self.target.run('ip6tables -D INPUT -p tcp --dport 1883 -j ACCEPT')
+ self.target.run("/usr/sbin/nft flush chain inet filter mqtt")
+ self.target.run("/usr/sbin/nft delete chain inet filter mqtt")
diff --git a/meta-iotqa/lib/oeqa/runtime/programming/nodejs/rest_apis.py b/meta-iotqa/lib/oeqa/runtime/programming/nodejs/rest_apis.py
index dd58c33d55..6622323042 100644
--- a/meta-iotqa/lib/oeqa/runtime/programming/nodejs/rest_apis.py
+++ b/meta-iotqa/lib/oeqa/runtime/programming/nodejs/rest_apis.py
@@ -149,7 +149,8 @@ def setUpClass(cls):
'chmod +x /tmp/nodeunit-master/bin/nodeunit'
)
- cls.tc.target.run("/usr/sbin/iptables -w -A INPUT -p udp --dport 5683 -j ACCEPT")
+ cls.tc.target.run("/usr/sbin/nft add chain inet filter rest_api { type filter hook input priority 0\; }")
+ cls.tc.target.run("/usr/sbin/nft add rule inet filter rest_api udp dport 5683 accept")
cls.tc.target.run('/opt/iotivity/examples/resource/c/SimpleClientServer/ocserver -o 0')
for api, api_js in cls.rest_api_js_files.items():
cls.tc.target.run('cd %s; node %s' % (cls.target_rest_api_dir, api_js) )
@@ -1502,4 +1503,5 @@ def tearDownClass(cls):
cls.tc.target.run('rm -f /tmp/master.tar')
cls.tc.target.run('rm -rf /tmp/modules')
- cls.tc.target.run("/usr/sbin/iptables -w -D INPUT -p udp --dport 5683 -j ACCEPT")
+ cls.tc.target.run("/usr/sbin/nft flush chain inet filter rest_api")
+ cls.tc.target.run("/usr/sbin/nft delete chain inet filter rest_api")
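Review bot: The `rest_api` chain uses an `accept` verdict, whereas base.py, iotvt_integration.py and mqtt.py use `mark set 1` in their test chains; an `accept` in a separate base chain only ends processing in that chain and does not stop the firewall's own input chain from dropping the packet afterwards, which is exactly why the documentation in this series describes the mark-based method for extra input chains. Unless the ruleset's input chain is known to run at a lower priority than 0 (not visible here), change the rule to `cls.tc.target.run("/usr/sbin/nft add rule inet filter rest_api udp dport 5683 mark set 1")`. The status of the `nft` calls is not checked, and the `\;` belongs in a raw string.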