
return on allowed rule, drop on no match

sjohn/nft
Sean Johnson 1 year ago
parent
commit
1573624b04
  1. 32
      fwrules/chains/swarm_ingress.sls
  2. 50
      test/integration/swarm_ingress/fwrules.rb

32
fwrules/chains/swarm_ingress.sls

@ -27,6 +27,25 @@ include:
- name: {{ chain_name }}
- family: {{ family }}
{{ chain_name }} {{ family }} remove default return:
iptables.delete:
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: RETURN
- require:
- iptables: {{ chain_name }} {{ family }}
{{ chain_name }} {{ family }} default drop:
iptables.insert:
- position: 1
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: DROP
- require:
- iptables: {{ chain_name }} {{ family }}
{% for service, port, transport, sources in ports %}
{% set addresses, ipsets = salt["minion_net.split_ips_ipsets"](sources.get(family, [])) %}
@ -42,7 +61,7 @@ include:
- match: {{ ["set", transport] | tojson }}
- set: {{ set_name }} src
- dport: {{ port }}
- jump: ACCEPT
- jump: RETURN
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}
@ -58,18 +77,9 @@ include:
- match: {{ transport }}
- source: {{ addresses | join(",") }}
- dport: {{ port }}
- jump: ACCEPT
- jump: RETURN
- require:
- iptables: {{ chain_name }} {{ family }}
{% endif %}
{% endfor %}
{{ chain_name }} {{ family }} default deny:
iptables.append:
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: DROP
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}
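Review bot: The `default drop` state inserts `-j DROP` at position 1 of the chain, while the per-service rules in the second and third hunks now end in `-j RETURN`; the hunk does not show whether those per-service states insert ahead of that DROP or append after it, and if they append, the DROP matches first and no allowed traffic ever reaches a RETURN. A comment on the `default drop` state should pin that ordering contract, e.g. `# Must stay rule 1 of the chain: per-service RETURN rules are inserted ahead of it, and anything that falls through is dropped`. Note also that `remove default return` and `default drop` both only `require` the chain, so nothing but file order keeps the delete ahead of the insert. Hosts that already carry the previous `-j ACCEPT` rules will keep them unless something outside this hunk flushes the chain, since the new states only add the RETURN variants.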

50
test/integration/swarm_ingress/fwrules.rb

@ -1,31 +1,33 @@
describe iptables do
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv4 src -m udp --dport 3478 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 6789 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8843 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8880 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8443 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 9090 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv4 src -m tcp --dport 9001 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv4 src -m udp --dport 3478 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 6789 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8843 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8880 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 1884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 8443 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv4 src -m tcp --dport 9090 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv4 src -m tcp --dport 9001 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j RETURN" }
it { should have_rule "-A DOCKER-USER -j DROP" }
it { should_not have_rule "-A DOCKER-USER -j RETURN" }
end
describe ip6tables do
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv6 src -m udp --dport 3478 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 6789 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8843 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8880 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8443 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 9090 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv6 src -m tcp --dport 9001 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }
it { should have_rule "-A DOCKER-USER -p udp -m set --match-set management-ipv6 src -m udp --dport 3478 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 6789 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8843 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8880 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 8443 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 9090 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set management-ipv6 src -m tcp --dport 1883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m set --match-set minions-ipv6 src -m tcp --dport 9001 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4884 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 4883 -j RETURN" }
it { should have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j RETURN" }
it { should have_rule "-A DOCKER-USER -j DROP" }
it { should_not have_rule "-A DOCKER-USER -j RETURN" }
end
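Review bot: Every assertion here is a presence check, so `have_rule "-A DOCKER-USER -j DROP"` passes whether the DROP sits first in the chain (blocking the RETURN rules that follow it) or last, which is the ordering the commit title depends on; an ordered comparison of the chain's rule list would pin it, and the same gap applies to the ip6tables block. The spec also never asserts that the old unconditional accepts are gone, so a host upgraded in place that still has `-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT` would pass; adding `it { should_not have_rule "-A DOCKER-USER -p tcp -m tcp --dport 8080 -j ACCEPT" }` (and likewise per rule) would catch the leftover rules that short-circuit Docker's own chain.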