75 changes: 75 additions & 0 deletions cmd/firewall.go
Expand Up @@ -3,6 +3,7 @@ package cmd
import (
"encoding/base64"
"fmt"
"os"
"time"

"github.com/metal-stack/metal-go/api/client/firewall"
Expand All @@ -13,6 +14,7 @@ import (
"github.com/metal-stack/metalctl/cmd/sorters"
"github.com/spf13/cobra"
"github.com/spf13/viper"
"gopkg.in/yaml.v3"
)

type firewallCmd struct {
Expand Down Expand Up @@ -44,6 +46,53 @@ func newFirewallCmd(c *config) *cobra.Command {
CreateCmdMutateFn: func(cmd *cobra.Command) {
c.addMachineCreateFlags(cmd, "firewall")
cmd.Aliases = []string{"allocate"}
cmd.Flags().String("firewall-rules-file", "", `firewall rules specified in a yaml file

Example:

$ metalctl firewall create ..mandatory args.. --firewall-rules-file rules.yaml

rules.yaml
---
egress:
- comment: allow outgoing https
ports:
- 443
protocol: TCP
to:
- 0.0.0.0/0
- comment: allow outgoing dns via tcp
ports:
- 53
protocol: TCP
to:
- 0.0.0.0/0
- comment: allow outgoing dns and ntp via udp
ports:
- 53
- 123
protocol: UDP
to:
- 0.0.0.0/0
ingress:
- comment: allow incoming ssh only to one ip
ports:
- 22
protocol: TCP
from:
- 0.0.0.0/0
- 1.2.3.4/32
to:
- 212.34.83.19/32
- comment: allow incoming https to all targets
ports:
- 80
- 433
protocol: TCP
from:
- 0.0.0.0/0

`)
},
ListCmdMutateFn: func(cmd *cobra.Command) {
cmd.Flags().String("id", "", "ID to filter [optional]")
Expand Down Expand Up @@ -162,6 +211,7 @@ func firewallResponseToCreate(r *models.V1FirewallResponse) *models.V1FirewallCr
Tags: r.Tags,
UserData: base64.StdEncoding.EncodeToString([]byte(allocation.UserData)),
UUID: pointer.SafeDeref(r.ID),
FirewallRules: allocation.FirewallRules,
}
}

Expand All @@ -171,6 +221,11 @@ func (c *firewallCmd) createRequestFromCLI() (*models.V1FirewallCreateRequest, e
return nil, fmt.Errorf("firewall create error:%w", err)
}

firewallRules, err := parseFirewallRulesFile()
if err != nil {
return nil, fmt.Errorf("firewall create error:%w", err)
}

return &models.V1FirewallCreateRequest{
Description: mcr.Description,
Filesystemlayoutid: mcr.Filesystemlayoutid,
Expand All @@ -186,8 +241,28 @@ func (c *firewallCmd) createRequestFromCLI() (*models.V1FirewallCreateRequest, e
Tags: mcr.Tags,
Networks: mcr.Networks,
Ips: mcr.Ips,
FirewallRules: firewallRules,
}, nil
}
func parseFirewallRulesFile() (*models.V1FirewallRules, error) {
if !viper.IsSet("firewall-rules-file") {
return nil, nil
}

firewallRulesFile := viper.GetString("firewall-rules-file")
if firewallRulesFile == "" {
return nil, nil
}

firewallRules, err := os.ReadFile(firewallRulesFile)
if err != nil {
return nil, err
}

var fwrules models.V1FirewallRules
err = yaml.Unmarshal(firewallRules, &fwrules)
return &fwrules, err
}

func (c *firewallCmd) firewallSSH(args []string) (err error) {
firewallID, err := genericcli.GetExactlyOneArg(args)
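Review bot: `yaml.Unmarshal` at the end of `parseFirewallRulesFile` accepts unknown keys, so a misspelled key such as `port:` or `form:` is silently dropped and the rule reaches the API with that field empty — for a firewall rule file this can mean a broader rule than the author wrote, depending on how the server treats a missing `from`/`to`. Decoding through `yaml.NewDecoder` with `KnownFields(true)` turns such typos into an error, the parse error should carry the file name the way the `os.ReadFile` error already does, and on failure the function should return `nil` rather than the half-filled `&fwrules`. The decoder returns `io.EOF` for an empty file where `Unmarshal` returned no error, so decide whether an empty rules file is rejected or treated like an unset flag; the change also needs a `bytes` import. Separately, the help-text example under "allow incoming https to all targets" lists port `433`, which looks like a typo for `443` and is copied verbatim into the generated docs.
```go
	// … unchanged: viper lookup and os.ReadFile …
	dec := yaml.NewDecoder(bytes.NewReader(firewallRules))
	dec.KnownFields(true) // a misspelled key must fail, not silently widen the rule
	var fwrules models.V1FirewallRules
	if err := dec.Decode(&fwrules); err != nil {
		return nil, fmt.Errorf("parsing firewall rules file %q: %w", firewallRulesFile, err)
	}
	return &fwrules, nil
```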
2 changes: 1 addition & 1 deletion cmd/firewall_test.go
Expand Up @@ -12,7 +12,6 @@ import (
"github.com/metal-stack/metal-lib/pkg/net"
"github.com/metal-stack/metal-lib/pkg/pointer"
"github.com/metal-stack/metal-lib/pkg/testcommon"

"github.com/stretchr/testify/mock"
)

Expand Down Expand Up @@ -299,6 +298,7 @@ ID AGE HOSTNAME PROJECT NETWORKS IPS PARTITION
"--sshpublickey", pointer.FirstOrZero(want.Allocation.SSHPubKeys),
"--tags", strings.Join(want.Tags, ","),
"--userdata", want.Allocation.UserData,
"--firewall-rules-file", "",
}
assertExhaustiveArgs(t, args, commonExcludedFileArgs()...)
return args
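Review bot: The only coverage the new flag gets is `"--firewall-rules-file", ""`, which takes the early `firewallRulesFile == ""` return in `parseFirewallRulesFile`, so neither the file read nor the YAML decoding into `models.V1FirewallRules` is exercised by the test suite. A case that writes a small rules file under `t.TempDir()`, passes its path, and asserts the resulting request's `FirewallRules` would cover the path that actually ships rules to the API. The table entry this hunk edits starts and ends outside the hunk.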
127 changes: 87 additions & 40 deletions docs/metalctl_firewall_create.md
Expand Up @@ -9,46 +9,93 @@ metalctl firewall create [flags]
### Options

```
--bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.
-d, --description string Description of the firewall to create. [optional]
-f, --file string filename of the create or update request in yaml format, or - for stdin.

Example:
$ metalctl firewall describe firewall-1 -o yaml > firewall.yaml
$ vi firewall.yaml
$ # either via stdin
$ cat firewall.yaml | metalctl firewall create -f -
$ # or via file
$ metalctl firewall create -f firewall.yaml

the file can also contain multiple documents and perform a bulk operation.

--filesystemlayout string Filesystemlayout to use during machine installation. [optional]
-h, --help help for create
-H, --hostname string Hostname of the firewall. [required]
-I, --id string ID of a specific firewall to allocate, if given, size and partition are ignored. Need to be set to reserved (--reserve) state before.
-i, --image string OS Image to install. [required]
--ips strings Sets the firewall's IP address. Usage: [--ips[=IPV4-ADDRESS[,IPV4-ADDRESS]...]]...
IPV4-ADDRESS specifies the IPv4 address to add.
It can only be used in conjunction with --networks.
-n, --name string Name of the firewall. [optional]
--networks strings Adds network(s). Usage: --networks NETWORK[:MODE][,NETWORK[:MODE]]... [--networks NETWORK[:MODE][,
NETWORK[:MODE]]...]...
NETWORK specifies the id of an existing network.
MODE can be omitted or one of:
auto IP address is automatically acquired from the given network
noauto No automatic IP address acquisition
-S, --partition string partition/datacenter where the firewall is created. [required, except for reserved machines]
-P, --project string Project where the firewall should belong to. [required]
-s, --size string Size of the firewall. [required, except for reserved machines]
--skip-security-prompts skips security prompt for bulk operations
-p, --sshpublickey string SSH public key for access via ssh and console. [optional]
Can be either the public key as string, or pointing to the public key file to use e.g.: "@~/.ssh/id_rsa.pub".
If ~/.ssh/[id_ed25519.pub | id_rsa.pub | id_dsa.pub] is present it will be picked as default, matching the first one in this order.
--tags strings tags to add to the firewall, use it like: --tags "tag1,tag2" or --tags "tag3".
--timestamps when used with --file (bulk operation): prints timestamps in-between the operations
--userdata string cloud-init.io compatible userdata. [optional]
Can be either the userdata as string, or pointing to the userdata file to use e.g.: "@/tmp/userdata.cfg".
--bulk-output when used with --file (bulk operation): prints results at the end as a list. default is printing results intermediately during the operation, which causes single entities to be printed in a row.
-d, --description string Description of the firewall to create. [optional]
-f, --file string filename of the create or update request in yaml format, or - for stdin.

Example:
$ metalctl firewall describe firewall-1 -o yaml > firewall.yaml
$ vi firewall.yaml
$ # either via stdin
$ cat firewall.yaml | metalctl firewall create -f -
$ # or via file
$ metalctl firewall create -f firewall.yaml

the file can also contain multiple documents and perform a bulk operation.

--filesystemlayout string Filesystemlayout to use during machine installation. [optional]
--firewall-rules-file string firewall rules specified in a yaml file

Example:

$ metalctl firewall create ..mandatory args.. --firewall-rules-file rules.yaml

rules.yaml
---
egress:
- comment: allow outgoing https
ports:
- 443
protocol: TCP
to:
- 0.0.0.0/0
- comment: allow outgoing dns via tcp
ports:
- 53
protocol: TCP
to:
- 0.0.0.0/0
- comment: allow outgoing dns and ntp via udp
ports:
- 53
- 123
protocol: UDP
to:
- 0.0.0.0/0
ingress:
- comment: allow incoming ssh only to one ip
ports:
- 22
protocol: TCP
from:
- 0.0.0.0/0
- 1.2.3.4/32
to:
- 212.34.83.19/32
- comment: allow incoming https to all targets
ports:
- 80
- 433
protocol: TCP
from:
- 0.0.0.0/0


-h, --help help for create
-H, --hostname string Hostname of the firewall. [required]
-I, --id string ID of a specific firewall to allocate, if given, size and partition are ignored. Need to be set to reserved (--reserve) state before.
-i, --image string OS Image to install. [required]
--ips strings Sets the firewall's IP address. Usage: [--ips[=IPV4-ADDRESS[,IPV4-ADDRESS]...]]...
IPV4-ADDRESS specifies the IPv4 address to add.
It can only be used in conjunction with --networks.
-n, --name string Name of the firewall. [optional]
--networks strings Adds network(s). Usage: --networks NETWORK[:MODE][,NETWORK[:MODE]]... [--networks NETWORK[:MODE][,
NETWORK[:MODE]]...]...
NETWORK specifies the id of an existing network.
MODE can be omitted or one of:
auto IP address is automatically acquired from the given network
noauto No automatic IP address acquisition
-S, --partition string partition/datacenter where the firewall is created. [required, except for reserved machines]
-P, --project string Project where the firewall should belong to. [required]
-s, --size string Size of the firewall. [required, except for reserved machines]
--skip-security-prompts skips security prompt for bulk operations
-p, --sshpublickey string SSH public key for access via ssh and console. [optional]
Can be either the public key as string, or pointing to the public key file to use e.g.: "@~/.ssh/id_rsa.pub".
If ~/.ssh/[id_ed25519.pub | id_rsa.pub | id_dsa.pub] is present it will be picked as default, matching the first one in this order.
--tags strings tags to add to the firewall, use it like: --tags "tag1,tag2" or --tags "tag3".
--timestamps when used with --file (bulk operation): prints timestamps in-between the operations
--userdata string cloud-init.io compatible userdata. [optional]
Can be either the userdata as string, or pointing to the userdata file to use e.g.: "@/tmp/userdata.cfg".
```

### Options inherited from parent commands
42 changes: 21 additions & 21 deletions go.mod
Expand Up @@ -46,7 +46,7 @@ require (
github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 // indirect
github.com/aws/smithy-go v1.19.0 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cheggaaa/pb/v3 v3.1.4 // indirect
github.com/cheggaaa/pb/v3 v3.1.5 // indirect
github.com/coreos/go-iptables v0.7.0 // indirect
github.com/coreos/go-oidc/v3 v3.9.0 // indirect
github.com/coreos/go-systemd/v22 v22.5.0 // indirect
Expand All @@ -60,15 +60,15 @@ require (
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/fxamacker/cbor/v2 v2.5.0 // indirect
github.com/go-jose/go-jose/v3 v3.0.1 // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
github.com/go-openapi/analysis v0.22.0 // indirect
github.com/go-openapi/analysis v0.22.2 // indirect
github.com/go-openapi/errors v0.21.0 // indirect
github.com/go-openapi/jsonpointer v0.20.2 // indirect
github.com/go-openapi/jsonreference v0.20.4 // indirect
github.com/go-openapi/loads v0.21.5 // indirect
github.com/go-openapi/spec v0.20.13 // indirect
github.com/go-openapi/spec v0.20.14 // indirect
github.com/go-openapi/swag v0.22.8 // indirect
github.com/go-openapi/validate v0.22.6 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
Expand All @@ -87,17 +87,17 @@ require (
github.com/gorilla/mux v1.8.1 // indirect
github.com/gorilla/securecookie v1.1.2 // indirect
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/hdevalence/ed25519consensus v0.1.0 // indirect
github.com/hdevalence/ed25519consensus v0.2.0 // indirect
github.com/icza/dyno v0.0.0-20230330125955-09f820a8d9c0 // indirect
github.com/illarion/gonotify v1.0.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 // indirect
github.com/insomniacslk/dhcp v0.0.0-20240204152450-ca2dc33955c1 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
github.com/jsimonetti/rtnetlink v1.4.0 // indirect
github.com/jszwec/csvutil v1.9.0 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/jsimonetti/rtnetlink v1.4.1 // indirect
github.com/jszwec/csvutil v1.10.0 // indirect
github.com/klauspost/compress v1.17.6 // indirect
github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a // indirect
github.com/lestrrat-go/blackmagic v1.0.2 // indirect
github.com/lestrrat-go/httpcc v1.0.1 // indirect
Expand All @@ -114,16 +114,16 @@ require (
github.com/mdlayher/netlink v1.7.2 // indirect
github.com/mdlayher/sdnotify v1.0.0 // indirect
github.com/mdlayher/socket v0.5.0 // indirect
github.com/metal-stack/security v0.7.1 // indirect
github.com/miekg/dns v1.1.57 // indirect
github.com/metal-stack/security v0.7.2 // indirect
github.com/miekg/dns v1.1.58 // indirect
github.com/mitchellh/go-ps v1.0.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/oklog/ulid v1.3.1 // indirect
github.com/opentracing/opentracing-go v1.2.0 // indirect
github.com/pelletier/go-toml/v2 v2.1.1 // indirect
github.com/pierrec/lz4/v4 v4.1.19 // indirect
github.com/pierrec/lz4/v4 v4.1.21 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/rivo/uniseg v0.4.4 // indirect
github.com/rivo/uniseg v0.4.7 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/safchain/ethtool v0.3.0 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
Expand Down Expand Up @@ -154,17 +154,17 @@ require (
go.uber.org/zap v1.26.0 // indirect
go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
golang.org/x/crypto v0.18.0 // indirect
golang.org/x/exp v0.0.0-20240119083558-1b970713d09a // indirect
golang.org/x/mod v0.14.0 // indirect
golang.org/x/net v0.20.0 // indirect
golang.org/x/oauth2 v0.16.0 // indirect
golang.org/x/crypto v0.19.0 // indirect
golang.org/x/exp v0.0.0-20240213143201-ec583247a57a // indirect
golang.org/x/mod v0.15.0 // indirect
golang.org/x/net v0.21.0 // indirect
golang.org/x/oauth2 v0.17.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.16.0 // indirect
golang.org/x/sys v0.17.0 // indirect
golang.org/x/term v0.17.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/tools v0.17.0 // indirect
golang.org/x/tools v0.18.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
golang.zx2c4.com/wireguard/windows v0.5.3 // indirect