author | Christoph Berg | 2021-10-11 14:24:00 +0000 |
committer | Christoph Berg | 2021-10-11 14:24:00 +0000 |
commit | 23024fbf99fabf264237ed881c9e18c1a25c58ed (patch) | |
tree | 53f46c2a983735a5ec92aa9eec3be26a064dad12 | |
parent | 04e1c37dcec5319a289460381eafa6537a2a921f (diff) |
Switch networking to nftablesnftables
-rw-r--r-- | jenkins/ansible/ferm.conf | 38 | ||||
-rwxr-xr-x | jenkins/ansible/nftables.conf | 40 | ||||
-rwxr-xr-x | jenkins/ansible/setup-buildd.yml | 24 | ||||
-rwxr-xr-x | jenkins/netns-setup | 5 |
4 files changed, 56 insertions, 51 deletions
diff --git a/jenkins/ansible/ferm.conf b/jenkins/ansible/ferm.conf
deleted file mode 100644
index 413f994..0000000
--- a/jenkins/ansible/ferm.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-domain (ip ip6) {
- table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local packet
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp ACCEPT;
-
- # allow SSH connections
- proto tcp dport ssh ACCEPT;
- # web
- proto tcp mod multiport destination-ports (http https) ACCEPT;
- # approx
- proto tcp dport 9999 ACCEPT;
- }
-
- chain OUTPUT {
- policy ACCEPT;
- }
-
- chain FORWARD {
- policy ACCEPT;
- }
- }
-
- table nat {
- chain POSTROUTING {
- saddr 10.0.0.0/8 MASQUERADE;
- }
- }
-}
diff --git a/jenkins/ansible/nftables.conf b/jenkins/ansible/nftables.conf
new file mode 100755
index 0000000..20cb2f1
--- /dev/null
+++ b/jenkins/ansible/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0
+ policy drop
+ iifname lo accept
+ counter ip protocol icmp accept
+ counter ip6 nexthdr icmpv6 accept
+ counter iifname "veth*" accept
+ counter ct state vmap { established : accept, related : accept, invalid : drop }
+ counter tcp dport { 22, 80, 443 } accept
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0
+ policy drop
+ counter ct state vmap { established : accept, related : accept, invalid : drop }
+ counter iifname "veth*" accept
+ counter drop
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy accept
+ counter accept
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ counter iifname "veth*" masquerade
+ counter
+ }
+}
diff --git a/jenkins/ansible/setup-buildd.yml b/jenkins/ansible/setup-buildd.yml
index c76c05e..ca6ed3b 100755
--- a/jenkins/ansible/setup-buildd.yml
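Review bot: The `counter iifname "veth*" accept` rule in the input chain lets the build namespaces reach every host service, where the removed ferm.conf only opened ssh, http, https and 9999 on any interface; if approx on 9999 is all the namespaces need from the host, `counter iifname "veth*" tcp dport 9999 accept` keeps the old scope, and since the wildcard also matches any other veth-named interface the host may grow, a match on the namespace prefix (`ip saddr 10.0.0.0/8`, as the old nat rule used) is the more specific selector. Moving the `ct state vmap { … }` line above the ICMP and veth accepts drops `invalid` packets before those rules accept them, which is the order ferm.conf had. `ip6 nexthdr icmpv6` matches only when ICMPv6 is the first next header, so ICMPv6 behind an extension header falls through to `counter drop`; `meta l4proto ipv6-icmp accept` matches the transport protocol regardless. Port 9999 disappearing from the public accept set deserves a comment in the file or a line in the commit message so it reads as intended rather than as a lost rule.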
+++ b/jenkins/ansible/setup-buildd.yml
@@ -15,11 +15,11 @@
 - dose-builddebcheck
 - dose-distcheck
 - dose-extra
- - ferm
 - git
 - make
 - ncdu
 - newpid
+ - nftables
 - postgresql-common # for apt.postgresql.org.sh
 - sbuild
 - schroot
@@ -30,6 +30,7 @@
 - name: remove packages
 apt:
 name:
+ - ferm
 - joe
 - nano
 state: absent
@@ -178,18 +179,23 @@
 value: '1'
 sysctl_set: yes

- - name: ferm.conf
+ - name: nftables.conf
 copy:
- src: ferm.conf
- dest: /etc/ferm/ferm.conf
- mode: 0644
- register: fermconf
+ src: nftables.conf
+ dest: /etc/nftables.conf
+ mode: 0755
+ register: nftablesconf
+ tags:
+ - nft

- - name: reload ferm
+ - name: reload nftables
 service:
- name: ferm
+ name: nftables
+ enabled: yes
 state: reloaded
- when: fermconf is changed
+ when: nftablesconf is changed
+ tags:
+ - nft

 - name: run netns-setup
 shell: /usr/local/bin/netns-setup
diff --git a/jenkins/netns-setup b/jenkins/netns-setup
index 7913cff..f989d7e 100755
--- a/jenkins/netns-setup
+++ b/jenkins/netns-setup
@@ -23,7 +23,4 @@ for net in $(seq 1 $count); do
 ip netns exec $ns ip r add default via $prefix.$net.1
 done
-iptables -vnL FORWARD | grep -q 'veth+' || \
- iptables -A FORWARD -i veth+ -j ACCEPT
-#iptables -t nat -vnL POSTROUTING | grep -q 'MASQUERADE' || \
-# iptables -t nat -A POSTROUTING -o wlan2 -j MASQUERADE
+# see also forwarding/masquerading rules in ansible/nftables.conf |
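Review bot: `mode: 0755` on `/etc/nftables.conf` in the `nftables.conf` task makes a rules file executable without need, since nftables.service loads it with `nft -f` and the shebang is only a convenience; the ferm task it replaces used `mode: 0644`, which is enough here. Because `enabled: yes` shares the `when: nftablesconf is changed` guard with `state: reloaded`, a host whose config is already current but whose unit is disabled is never enabled; putting `enabled: yes` in its own unguarded task, or dropping the `when`, makes the play converge. The `remove packages` task now removes ferm well before the `nftables.conf` task loads the new ruleset, so if removing ferm flushes its rules (I cannot tell from the hunk), the host runs with no input policy between those two tasks; loading nftables.conf before the removal closes that window. The task list continues outside these hunks.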