dumplingmiku/ubicloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
jeremy-webshell
ubicloud/rhizome/host/bin/setup-nftables.rb
Furkan Sahin 250a6778d1 Fix setup-nftables for VmHosts without additional subnets 
The empty set intialization in the nftables setup is causing issues when
vmhost does not have any additional subnet. With this commit, we are
fixing this issue. In case the subnet is added later on, we already
create a new strand to repopulate the set, therefore this is safe.
2024-03-26 09:40:53 +01:00

50 lines
1.4 KiB
Ruby
Executable File
Raw Permalink Blame History

#!/bin/env ruby
# frozen_string_literal: true
require_relative "../../common/lib/util"
require "fileutils"
require "json"
unless (additional_ip_addresses = ARGV.shift)
puts "additional IP addresses didn't get passed"
additional_ip_addresses = "[]"
end
# setup blocking unused ip addresses
NFTABLES_PATH = "/etc/nftables.d/0.conf"
FileUtils.mkdir_p("/etc/nftables.d")
FileUtils.touch(NFTABLES_PATH)
ip_ranges_to_block = JSON.parse(additional_ip_addresses)
safe_write_to_file(NFTABLES_PATH, <<SETUP_ADDITIONAL_IP_BLOCKING)
#!/usr/sbin/nft -f
table inet drop_unused_ip_packets;
delete table inet drop_unused_ip_packets;
table inet drop_unused_ip_packets {
set allowed_ipv4_addresses {
type ipv4_addr;
}
set blocked_ipv4_addresses {
type ipv4_addr;
flags interval;
#{ip_ranges_to_block.empty? ? "" : "elements = {#{ip_ranges_to_block.join(",")}}"}
}
chain prerouting {
type filter hook prerouting priority 0; policy accept;
ip daddr @allowed_ipv4_addresses accept
ip daddr @blocked_ipv4_addresses drop
}
}
SETUP_ADDITIONAL_IP_BLOCKING
File.open("/etc/nftables.conf", File::APPEND | File::RDWR) do |f|
# Necessary to keep this idempotent
break if f.each_line.any? { |line| line.include?("include \"/etc/nftables.d/*.conf") }
f.write("include \"/etc/nftables.d/*.conf\"\n")
end
r "systemctl enable nftables"
r "systemctl start nftables"
Reference in New Issue View Git Blame Copy Permalink