-rw-r--r--jenkins/ansible/ferm.conf38
-rwxr-xr-xjenkins/ansible/nftables.conf40
-rwxr-xr-xjenkins/ansible/setup-buildd.yml24
-rwxr-xr-xjenkins/netns-setup5
4 files changed, 56 insertions, 51 deletions
diff --git a/jenkins/ansible/ferm.conf b/jenkins/ansible/ferm.conf
deleted file mode 100644
index 413f994..0000000
--- a/jenkins/ansible/ferm.conf
+++ /dev/null
@@ -1,38 +0,0 @@
-domain (ip ip6) {
- table filter {
- chain INPUT {
- policy DROP;
-
- # connection tracking
- mod state state INVALID DROP;
- mod state state (ESTABLISHED RELATED) ACCEPT;
-
- # allow local packet
- interface lo ACCEPT;
-
- # respond to ping
- proto icmp ACCEPT;
-
- # allow SSH connections
- proto tcp dport ssh ACCEPT;
- # web
- proto tcp mod multiport destination-ports (http https) ACCEPT;
- # approx
- proto tcp dport 9999 ACCEPT;
- }
-
- chain OUTPUT {
- policy ACCEPT;
- }
-
- chain FORWARD {
- policy ACCEPT;
- }
- }
-
- table nat {
- chain POSTROUTING {
- saddr 10.0.0.0/8 MASQUERADE;
- }
- }
-}
diff --git a/jenkins/ansible/nftables.conf b/jenkins/ansible/nftables.conf
new file mode 100755
index 0000000..20cb2f1
--- /dev/null
+++ b/jenkins/ansible/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0
+ policy drop
+ iifname lo accept
+ counter ip protocol icmp accept
+ counter ip6 nexthdr icmpv6 accept
+ counter iifname "veth*" accept
+ counter ct state vmap { established : accept, related : accept, invalid : drop }
+ counter tcp dport { 22, 80, 443 } accept
+ counter drop
+ }
+
+ chain forward {
+ type filter hook forward priority 0
+ policy drop
+ counter ct state vmap { established : accept, related : accept, invalid : drop }
+ counter iifname "veth*" accept
+ counter drop
+ }
+
+ chain output {
+ type filter hook output priority 0
+ policy accept
+ counter accept
+ }
+}
+
+table ip nat {
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ counter iifname "veth*" masquerade
+ counter
+ }
+}
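Review bot: The input chain's `counter iifname "veth*" accept` (third rule) gives every build namespace unrestricted access to all host listeners, whereas the removed ferm INPUT chain exposed only ssh, http/https and approx (9999) to them; if the namespaces only need approx and host-side name resolution, narrow it to something like `counter iifname "veth*" tcp dport 9999 accept` (plus `counter iifname "veth*" udp dport 53 accept` if the host resolves for them) and keep the broad veth accept only in the forward chain. That rule also sits above the `ct state` vmap, so traffic nftables would classify as invalid is accepted from veth interfaces before the vmap can drop it; moving the vmap line above it restores the ordering the ferm rules had. Separately, `ip6 nexthdr icmpv6` matches only when ICMPv6 is the first next-header, while `meta l4proto ipv6-icmp` also matches ICMPv6 carried behind extension headers (e.g. MLD reports, which carry a hop-by-hop Router Alert option), which matters under a drop-policy input chain. The old rules also accepted tcp/9999 from any interface, so if approx must stay reachable from outside the namespaces that port is missing from the `{ 22, 80, 443 }` set.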
diff --git a/jenkins/ansible/setup-buildd.yml b/jenkins/ansible/setup-buildd.yml
index c76c05e..ca6ed3b 100755
--- a/jenkins/ansible/setup-buildd.yml
+++ b/jenkins/ansible/setup-buildd.yml
@@ -15,11 +15,11 @@
- dose-builddebcheck
- dose-distcheck
- dose-extra
- - ferm
- git
- make
- ncdu
- newpid
+ - nftables
- postgresql-common # for apt.postgresql.org.sh
- sbuild
- schroot
@@ -30,6 +30,7 @@
- name: remove packages
apt:
name:
+ - ferm
- joe
- nano
state: absent
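Review bot: Adding `ferm` to the `remove packages` task here removes the old firewall at the top of the play, long before the `nftables.conf` task near line 179 loads the new ruleset; if ferm's package scripts stop the service and flush its rules on removal (as invoke-rc.d in a Debian prerm typically does), the host runs unfiltered for the rest of the run. Placing the ferm removal in its own task after `reload nftables` closes that window. Note also that `flush ruleset` in nftables.conf only clears nf_tables rules, so on a host still using iptables-legacy the ferm rules stay in effect until ferm itself is stopped, which is another reason the removal should be explicitly ordered rather than folded into the generic cleanup task.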
@@ -178,18 +179,23 @@
value: '1'
sysctl_set: yes
- - name: ferm.conf
+ - name: nftables.conf
copy:
- src: ferm.conf
- dest: /etc/ferm/ferm.conf
- mode: 0644
- register: fermconf
+ src: nftables.conf
+ dest: /etc/nftables.conf
+ mode: 0755
+ register: nftablesconf
+ tags:
+ - nft
- - name: reload ferm
+ - name: reload nftables
service:
- name: ferm
+ name: nftables
+ enabled: yes
state: reloaded
- when: fermconf is changed
+ when: nftablesconf is changed
+ tags:
+ - nft
- name: run netns-setup
shell: /usr/local/bin/netns-setup
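Review bot: `enabled: yes` on the `reload nftables` task is gated by the same `when: nftablesconf is changed` as the reload, so on a host where nftables.conf is already in place but the service was never enabled or started (a re-run after a failed first attempt, or a freshly installed nftables package that Debian does not start) nothing loads the ruleset and the host runs without a filter while `netns-setup` still creates namespaces. Split this into an unconditional task that enables and starts the service, followed by the change-gated reload. `mode: 0755` on a configuration file is also unusual; Debian's nftables.service reads /etc/nftables.conf via `nft -f`, so `0644` suffices unless running the file directly via its shebang is intended, in which case a comment saying so would help. The `run netns-setup` task continues outside the hunk.
```yaml
  - name: enable nftables
    service:
      name: nftables
      enabled: yes
      state: started
    tags:
      - nft
  # … unchanged: reload nftables task, still gated on `nftablesconf is changed` …
```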
diff --git a/jenkins/netns-setup b/jenkins/netns-setup
index 7913cff..f989d7e 100755
--- a/jenkins/netns-setup
+++ b/jenkins/netns-setup
@@ -23,7 +23,4 @@ for net in $(seq 1 $count); do
ip netns exec $ns ip r add default via $prefix.$net.1
done
-iptables -vnL FORWARD | grep -q 'veth+' || \
- iptables -A FORWARD -i veth+ -j ACCEPT
-#iptables -t nat -vnL POSTROUTING | grep -q 'MASQUERADE' || \
-# iptables -t nat -A POSTROUTING -o wlan2 -j MASQUERADE
+# see also forwarding/masquerading rules in ansible/nftables.conf
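Review bot: The replacement comment on the last line should state the new dependency rather than only cross-referencing: this script no longer installs any firewall rules, so namespaces it creates get no forwarding or masquerading if it runs on a host where the nftables ruleset is not loaded. Suggested wording: `# forwarding and masquerading for the veth* interfaces are provided by the nftables ruleset in ansible/nftables.conf (loaded by the nftables service); this script no longer adds firewall rules itself`. Because those rules match by interface name (`iifname "veth*"`), namespaces created after the ruleset is loaded are covered without a reload, which is worth stating for anyone running this by hand. The `for net` loop this hunk trails starts outside the hunk.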