From 1e48c1007ef6ce674a7714e9be5c03354b4327ba Mon Sep 17 00:00:00 2001 From: Antonio Ojea Date: Sun, 2 Feb 2025 15:11:20 +0000 Subject: [PATCH] nf2go: convert nftables rules to golang code One of the biggest barriers to adopt the netlink format for nftables is the complexity of writing bytecode. This commits adds a tool that allows to take an nftables dump and generate the corresponding golang code and validating that the generated code produces the exact same output. Change-Id: I491b35e0d8062de33c67091dd4126d843b231838 Signed-off-by: Antonio Ojea --- internal/nf2go/main.go | 299 +++++++++++++++++ internal/nf2go/rules.txt | 550 ++++++++++++++++++++++++++++++++ internal/nf2go/rules_simple.txt | 17 + 3 files changed, 866 insertions(+) create mode 100644 internal/nf2go/main.go create mode 100644 internal/nf2go/rules.txt create mode 100644 internal/nf2go/rules_simple.txt diff --git a/internal/nf2go/main.go b/internal/nf2go/main.go new file mode 100644 index 0000000..2599cef --- /dev/null +++ b/internal/nf2go/main.go @@ -0,0 +1,299 @@ +package main + +import ( + "bytes" + "context" + "fmt" + "io" + "io/ioutil" + "log" + "os" + "os/exec" + "path/filepath" + "regexp" + "runtime" + "strings" + "time" + + "github.com/google/go-cmp/cmp" + "github.com/google/nftables" + "github.com/vishvananda/netns" +) + +func main() { + args := os.Args[1:] + if len(args) != 1 { + log.Fatalf("need to specify the file to read the \"nft list ruleset\" dump") + } + + filename := args[0] + + runtime.LockOSThread() + defer runtime.UnlockOSThread() + + // Create a new network namespace + ns, err := netns.New() + if err != nil { + log.Fatalf("netns.New() failed: %v", err) + } + n, err := nftables.New(nftables.WithNetNSFd(int(ns))) + if err != nil { + log.Fatalf("nftables.New() failed: %v", err) + } + + scriptOutput, err := applyNFTRuleset(filename) + if err != nil { + log.Fatalf("Failed to apply nftables script: %v\noutput:%s", err, scriptOutput) + } + + var buf bytes.Buffer + // Helper function to print to the file + pf := func(format string, a ...interface{}) { + _, err := fmt.Fprintf(&buf, format, a...) + if err != nil { + log.Fatal(err) + } + } + + pf("// Code generated by nft2go. DO NOT EDIT.\n") + pf("package main\n\n") + pf("import (\n") + pf("\t\"fmt\"\n") + pf("\t\"log\"\n") + pf("\t\"github.com/google/nftables\"\n") + pf("\t\"github.com/google/nftables/expr\"\n") + pf(")\n\n") + pf("func main() {\n") + pf("\tn, err:= nftables.New()\n") + pf("\tif err!= nil {\n") + pf("\t\tlog.Fatal(err)\n") + pf("\t}\n\n") + pf("\n") + pf("\tvar expressions []expr.Any\n") + pf("\tvar chain *nftables.Chain\n") + pf("\tvar table *nftables.Table\n") + + tables, err := n.ListTables() + if err != nil { + log.Fatalf("ListTables failed: %v", err) + } + + chains, err := n.ListChains() + if err != nil { + log.Fatal(err) + } + + for _, table := range tables { + log.Printf("processing table: %s", table.Name) + + pf("\ttable = n.AddTable(&nftables.Table{Family: %s,Name: \"%s\"})\n", TableFamilyString(table.Family), table.Name) + for _, chain := range chains { + if chain.Table.Name != table.Name { + continue + } + + sets, err := n.GetSets(table) + if err != nil { + log.Fatal(err) + } + for _, set := range sets { + // TODO datatype and the other options + pf("\tn.AddSet(&nftables.Set{\n") + pf("\t\tTable: table,\n") + pf("\t\tName: \"%s\",\n", set.Name) + pf("\t}, nil)\n") + } + + pf("\tchain = n.AddChain(&nftables.Chain{Name: \"%s\", Table: table, Type: %s, Hooknum: %s, Priority: %s})\n", + chain.Name, ChainTypeString(chain.Type), ChainHookRef(chain.Hooknum), ChainPrioRef(chain.Priority)) + + rules, err := n.GetRules(table, chain) + if err != nil { + log.Fatal(err) + } + + for _, rule := range rules { + pf("\texpressions = []expr.Any{\n") + for _, exp := range rule.Exprs { + pf("\t\t%#v,\n", exp) + } + pf("\t\t}\n") + pf("\tn.AddRule(&nftables.Rule{\n") + pf("\t\tTable: table,\n") + pf("\t\tChain: chain,\n") + pf("\t\tExprs: expressions,\n") + pf("\t})\n") + } + } + } + + pf("\n\tif err:= n.Flush(); err!= nil {\n") + pf("\t\tlog.Fatal(err)\n") + pf("\t}\n\n") + pf("\tfmt.Println(\"nft ruleset applied.\")\n") + pf("}\n") + + // Program nftables using your Go code + if err := flushNFTRuleset(); err != nil { + log.Fatalf("Failed to flush nftables ruleset: %v", err) + } + + // Create the output file + // Create a temporary directory + tempDir, err := ioutil.TempDir("", "nftables_gen") + if err != nil { + log.Fatal(err) + } + defer os.RemoveAll(tempDir) // Clean up the temporary directory + + // Create the temporary Go file + tempGoFile := filepath.Join(tempDir, "nftables_recreate.go") + f, err := os.Create(tempGoFile) + if err != nil { + log.Fatal(err) + } + defer f.Close() + + mw := io.MultiWriter(f, os.Stdout) + buf.WriteTo(mw) + + // Format the generated code + log.Printf("formating file: %s", tempGoFile) + cmd := exec.Command("gofmt", "-w", "-s", tempGoFile) + output, err := cmd.CombinedOutput() + if err != nil { + log.Fatalf("gofmt error: %v\nOutput: %s", err, output) + } + + // Run the generated code + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() + + log.Printf("executing file: %s", tempGoFile) + cmd = exec.CommandContext(ctx, "go", "run", tempGoFile) + output, err = cmd.CombinedOutput() + if err != nil { + log.Fatalf("Execution error: %v\nOutput: %s", err, output) + } + + // Retrieve nftables state using nft + log.Printf("obtain current ruleset: %s", tempGoFile) + actualOutput, err := listNFTRuleset() + if err != nil { + log.Fatalf("Failed to list nftables ruleset: %v\noutput:%s", err, actualOutput) + } + + expectedOutput, err := os.ReadFile(filename) + if err != nil { + log.Fatalf("Failed to list nftables ruleset: %v\noutput:%s", err, actualOutput) + } + + if !compareMultilineStringsIgnoreIndentation(string(expectedOutput), actualOutput) { + log.Printf("Expected output:\n%s", string(expectedOutput)) + log.Printf("Actual output:\n%s", actualOutput) + + log.Fatalf("nftables ruleset mismatch:\n%s", cmp.Diff(string(expectedOutput), actualOutput)) + } + + if err := flushNFTRuleset(); err != nil { + log.Fatalf("Failed to flush nftables ruleset: %v", err) + } +} + +func applyNFTRuleset(scriptPath string) (string, error) { + cmd := exec.Command("nft", "--debug=netlink", "-f", scriptPath) + out, err := cmd.CombinedOutput() + if err != nil { + return string(out), err + } + return strings.TrimSpace(string(out)), nil +} + +func listNFTRuleset() (string, error) { + cmd := exec.Command("nft", "list", "ruleset") + out, err := cmd.CombinedOutput() + if err != nil { + return string(out), err + } + return strings.TrimSpace(string(out)), nil +} + +func flushNFTRuleset() error { + cmd := exec.Command("nft", "flush", "ruleset") + return cmd.Run() +} + +func ChainHookRef(hookNum *nftables.ChainHook) string { + i := uint32(0) + if hookNum != nil { + i = uint32(*hookNum) + } + switch i { + case 0: + return "nftables.ChainHookPrerouting" + case 1: + return "nftables.ChainHookInput" + case 2: + return "nftables.ChainHookForward" + case 3: + return "nftables.ChainHookOutput" + case 4: + return "nftables.ChainHookPostrouting" + case 5: + return "nftables.ChainHookIngress" + case 6: + return "nftables.ChainHookEgress" + } + return "" +} + +func ChainPrioRef(priority *nftables.ChainPriority) string { + i := int32(0) + if priority != nil { + i = int32(*priority) + } + return fmt.Sprintf("nftables.ChainPriorityRef(%d)", i) +} + +func ChainTypeString(chaintype nftables.ChainType) string { + switch chaintype { + case nftables.ChainTypeFilter: + return "nftables.ChainTypeFilter" + case nftables.ChainTypeRoute: + return "nftables.ChainTypeRoute" + case nftables.ChainTypeNAT: + return "nftables.ChainTypeNAT" + default: + return "nftables.ChainTypeFilter" + } +} + +func TableFamilyString(family nftables.TableFamily) string { + switch family { + case nftables.TableFamilyUnspecified: + return "nftables.TableFamilyUnspecified" + case nftables.TableFamilyINet: + return "nftables.TableFamilyINet" + case nftables.TableFamilyIPv4: + return "nftables.TableFamilyIPv4" + case nftables.TableFamilyIPv6: + return "nftables.TableFamilyIPv6" + case nftables.TableFamilyARP: + return "nftables.TableFamilyARP" + case nftables.TableFamilyNetdev: + return "nftables.TableFamilyNetdev" + case nftables.TableFamilyBridge: + return "nftables.TableFamilyBridge" + default: + return "nftables.TableFamilyIPv4" + } +} + +func compareMultilineStringsIgnoreIndentation(str1, str2 string) bool { + // Remove all indentation from both strings + re := regexp.MustCompile(`(?m)^\s+`) + str1 = re.ReplaceAllString(str1, "") + str2 = re.ReplaceAllString(str2, "") + + return str1 == str2 +} diff --git a/internal/nf2go/rules.txt b/internal/nf2go/rules.txt new file mode 100644 index 0000000..0028c1a --- /dev/null +++ b/internal/nf2go/rules.txt @@ -0,0 +1,550 @@ +table ip nat { + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + counter packets 769 bytes 46239 jump KUBE-SERVICES + ip daddr 192.168.8.1 counter packets 0 bytes 0 jump DOCKER_OUTPUT + } + + chain INPUT { + type nat hook input priority 100; policy accept; + } + + chain OUTPUT { + type nat hook output priority -100; policy accept; + counter packets 245348 bytes 14721139 jump KUBE-SERVICES + ip daddr 192.168.8.1 counter packets 122 bytes 9151 jump DOCKER_OUTPUT + } + + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + counter packets 246110 bytes 14766910 jump KUBE-POSTROUTING + ip daddr 192.168.8.1 counter packets 0 bytes 0 jump DOCKER_POSTROUTING + } + + chain DOCKER_OUTPUT { + ip daddr 192.168.8.1 tcp dport 53 counter packets 0 bytes 0 dnat to 127.0.0.11:36405 + ip daddr 192.168.8.1 udp dport 53 counter packets 122 bytes 9151 dnat to 127.0.0.11:39066 + } + + chain DOCKER_POSTROUTING { + ip saddr 127.0.0.11 tcp sport 36405 counter packets 0 bytes 0 snat to 192.168.8.1:53 + ip saddr 127.0.0.11 udp sport 39066 counter packets 0 bytes 0 snat to 192.168.8.1:53 + } + + chain KUBE-KUBELET-CANARY { + } + + chain KUBE-PROXY-CANARY { + } + + chain KUBE-SERVICES { + meta l4proto tcp ip daddr 10.96.0.10 tcp dport 9153 counter packets 0 bytes 0 jump KUBE-SVC-JD5MR3NA4I4DYORP + meta l4proto udp ip daddr 10.96.0.10 udp dport 53 counter packets 0 bytes 0 jump KUBE-SVC-TCOU7JCQXEZGVUNU + meta l4proto tcp ip daddr 10.96.106.185 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-D5JKTLXOFYHV5HQZ + meta l4proto tcp ip daddr 10.96.70.203 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-IB3WK5BQ64FMB5FP + meta l4proto tcp ip daddr 10.96.0.10 tcp dport 53 counter packets 13 bytes 780 jump KUBE-SVC-ERIFXISQEP7F7OF4 + meta l4proto tcp ip daddr 10.96.86.60 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-QUBDBT4PCRU7S2PI + meta l4proto tcp ip daddr 10.96.184.88 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-ZD23KKVZJDKFKTCE + meta l4proto tcp ip daddr 10.96.149.162 tcp dport 443 counter packets 0 bytes 0 jump KUBE-SVC-WHNIZNLB5XFXIX2C + meta l4proto tcp ip daddr 10.96.225.221 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-ROH4UCJ7RVN2OSM4 + meta l4proto tcp ip daddr 10.96.50.119 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-SB7WEE53EMIXFNKY + meta l4proto tcp ip daddr 10.96.230.205 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-OJLEMCF5KYSTXAAJ + meta l4proto tcp ip daddr 10.96.149.162 tcp dport 15014 counter packets 0 bytes 0 jump KUBE-SVC-XHUBMW47Y5G3ICIS + meta l4proto tcp ip daddr 10.96.83.127 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-4MYBDLPZ2DFGC5Z6 + meta l4proto tcp ip daddr 10.96.245.249 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-53SQRANQXVHTJ6HK + meta l4proto tcp ip daddr 10.96.85.31 tcp dport 9090 counter packets 0 bytes 0 jump KUBE-SVC-VVO7BBXOSCJQDQML + meta l4proto tcp ip daddr 10.96.0.1 tcp dport 443 counter packets 0 bytes 0 jump KUBE-SVC-NPX46M4PTMTKRN6Y + meta l4proto tcp ip daddr 10.96.113.49 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-SVC-COV23IKAKYWND6VU + meta l4proto tcp ip daddr 10.96.149.162 tcp dport 15010 counter packets 0 bytes 0 jump KUBE-SVC-NVNLZVDQSGQUD3NM + meta l4proto tcp ip daddr 10.96.231.15 tcp dport 3000 counter packets 0 bytes 0 jump KUBE-SVC-XUJLWDDTZEWKLHU6 + meta l4proto tcp ip daddr 10.96.149.162 tcp dport 15012 counter packets 2 bytes 120 jump KUBE-SVC-CG3LQLBYYHBKATGN + fib daddr type local counter packets 329 bytes 19740 jump KUBE-NODEPORTS + } + + chain KUBE-POSTROUTING { + meta mark & 0x00004000 != 0x00004000 counter packets 1593 bytes 95580 return + counter packets 13 bytes 780 meta mark set mark xor 0x4000 + counter packets 13 bytes 780 masquerade fully-random + } + + chain KUBE-NODEPORTS { + meta l4proto tcp tcp dport 30207 counter packets 0 bytes 0 jump KUBE-EXT-VVO7BBXOSCJQDQML + meta l4proto tcp tcp dport 31182 counter packets 0 bytes 0 jump KUBE-EXT-XUJLWDDTZEWKLHU6 + } + + chain KUBE-MARK-MASQ { + counter packets 13 bytes 780 meta mark set mark or 0x4000 + } + + chain KUBE-SVC-COV23IKAKYWND6VU { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.113.49 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-UYFG3BP6SBY2ENL5 + } + + chain KUBE-SVC-OJLEMCF5KYSTXAAJ { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.230.205 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-4Y5RNE5AMASHQ2OZ + } + + chain KUBE-SVC-4MYBDLPZ2DFGC5Z6 { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.83.127 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-VLSRDM63ATDZAA3A + } + + chain KUBE-SVC-53SQRANQXVHTJ6HK { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.245.249 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta random & 2147483647 < 715827883 counter packets 0 bytes 0 jump KUBE-SEP-AYXBHI7HU6SF34DI + meta random & 2147483647 < 1073741824 counter packets 0 bytes 0 jump KUBE-SEP-PBXQV3T6XQVEVBGL + counter packets 0 bytes 0 jump KUBE-SEP-WLEZNEPJCJLP5SOM + } + + chain KUBE-EXT-VVO7BBXOSCJQDQML { + counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SVC-VVO7BBXOSCJQDQML + } + + chain KUBE-SVC-VVO7BBXOSCJQDQML { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.85.31 tcp dport 9090 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-6ZOGXI2ZCDJV5G4O + } + + chain KUBE-SVC-NPX46M4PTMTKRN6Y { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.0.1 tcp dport 443 counter packets 29 bytes 1740 jump KUBE-MARK-MASQ + counter packets 30 bytes 1800 jump KUBE-SEP-B5DUEXKFRYN46BFH + } + + chain KUBE-SEP-B5DUEXKFRYN46BFH { + ip saddr 192.168.8.4 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 30 bytes 1800 dnat to 192.168.8.4:6443 + } + + chain KUBE-EXT-XUJLWDDTZEWKLHU6 { + counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SVC-XUJLWDDTZEWKLHU6 + } + + chain KUBE-SVC-XUJLWDDTZEWKLHU6 { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.231.15 tcp dport 3000 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-AEOIAT7KXYABTON5 + } + + chain KUBE-SVC-D5JKTLXOFYHV5HQZ { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.106.185 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-IRX4MQBX4KRVQAZU + } + + chain KUBE-SVC-IB3WK5BQ64FMB5FP { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.70.203 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-ME7B5OZS3EMRJJUS + } + + chain KUBE-SVC-SB7WEE53EMIXFNKY { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.50.119 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-UBXSLXFPFJOARYRN + } + + chain KUBE-SVC-QUBDBT4PCRU7S2PI { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.86.60 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-ENYDTZIVOME6TBBV + } + + chain KUBE-SVC-ZD23KKVZJDKFKTCE { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.184.88 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-5KXO57AZTMNCDCVX + } + + chain KUBE-SVC-ROH4UCJ7RVN2OSM4 { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.225.221 tcp dport 9080 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-YMBKJHKN7Y2F6666 + } + + chain KUBE-SEP-YMBKJHKN7Y2F6666 { + ip saddr 10.244.1.189 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.189:9080 + } + + chain KUBE-SEP-5KXO57AZTMNCDCVX { + ip saddr 10.244.1.189 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.189:9080 + } + + chain KUBE-SEP-UBXSLXFPFJOARYRN { + ip saddr 10.244.1.108 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.108:9080 + } + + chain KUBE-SEP-ENYDTZIVOME6TBBV { + ip saddr 10.244.1.108 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.108:9080 + } + + chain KUBE-SEP-6ZOGXI2ZCDJV5G4O { + ip saddr 10.244.1.9 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.9:9090 + } + + chain KUBE-SEP-UYFG3BP6SBY2ENL5 { + ip saddr 10.244.1.215 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.215:9080 + } + + chain KUBE-SEP-4Y5RNE5AMASHQ2OZ { + ip saddr 10.244.2.98 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.2.98:9080 + } + + chain KUBE-SEP-VLSRDM63ATDZAA3A { + ip saddr 10.244.1.237 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.237:9080 + } + + chain KUBE-SEP-AYXBHI7HU6SF34DI { + ip saddr 10.244.1.131 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.131:9080 + } + + chain KUBE-SEP-PBXQV3T6XQVEVBGL { + ip saddr 10.244.1.215 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.215:9080 + } + + chain KUBE-SEP-WLEZNEPJCJLP5SOM { + ip saddr 10.244.2.98 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.2.98:9080 + } + + chain KUBE-SEP-AEOIAT7KXYABTON5 { + ip saddr 10.244.1.13 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.13:3000 + } + + chain KUBE-SEP-IRX4MQBX4KRVQAZU { + ip saddr 10.244.1.237 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.237:9080 + } + + chain KUBE-SEP-ME7B5OZS3EMRJJUS { + ip saddr 10.244.1.131 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.1.131:9080 + } + + chain KUBE-SVC-WHNIZNLB5XFXIX2C { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.149.162 tcp dport 443 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-22OJIEOUHUS2VH36 + } + + chain KUBE-SEP-22OJIEOUHUS2VH36 { + ip saddr 10.244.2.88 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.2.88:15017 + } + + chain KUBE-SVC-XHUBMW47Y5G3ICIS { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.149.162 tcp dport 15014 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-N6BCKY3MRNRV2ZJ2 + } + + chain KUBE-SEP-N6BCKY3MRNRV2ZJ2 { + ip saddr 10.244.2.88 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.2.88:15014 + } + + chain KUBE-SVC-CG3LQLBYYHBKATGN { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.149.162 tcp dport 15012 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 259 bytes 15540 jump KUBE-SEP-E675BOVPZS3XINT6 + } + + chain KUBE-SEP-E675BOVPZS3XINT6 { + ip saddr 10.244.2.88 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 259 bytes 15540 dnat to 10.244.2.88:15012 + } + + chain KUBE-SVC-NVNLZVDQSGQUD3NM { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.149.162 tcp dport 15010 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + counter packets 0 bytes 0 jump KUBE-SEP-E2OCVXQ5RANXZKNO + } + + chain KUBE-SEP-E2OCVXQ5RANXZKNO { + ip saddr 10.244.2.88 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.2.88:15010 + } + + chain KUBE-SVC-ERIFXISQEP7F7OF4 { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.0.10 tcp dport 53 counter packets 1718 bytes 103080 jump KUBE-MARK-MASQ + meta random & 2147483647 < 1073741824 counter packets 875 bytes 52500 jump KUBE-SEP-IH2TMTJLEHQTEXG4 + counter packets 843 bytes 50580 jump KUBE-SEP-QHHO2BBHA2W6ABVA + } + + chain KUBE-SEP-IH2TMTJLEHQTEXG4 { + ip saddr 10.244.0.44 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 875 bytes 52500 dnat to 10.244.0.44:53 + } + + chain KUBE-SVC-JD5MR3NA4I4DYORP { + meta l4proto tcp ip saddr != 10.244.0.0/16 ip daddr 10.96.0.10 tcp dport 9153 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta random & 2147483647 < 1073741824 counter packets 0 bytes 0 jump KUBE-SEP-KTQ44RRS25IYXDAU + counter packets 0 bytes 0 jump KUBE-SEP-SWQQGKEGIJFNRJRL + } + + chain KUBE-SEP-KTQ44RRS25IYXDAU { + ip saddr 10.244.0.44 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.0.44:9153 + } + + chain KUBE-SVC-TCOU7JCQXEZGVUNU { + meta l4proto udp ip saddr != 10.244.0.0/16 ip daddr 10.96.0.10 udp dport 53 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta random & 2147483647 < 1073741824 counter packets 2 bytes 171 jump KUBE-SEP-YGFHBW2DM6N3IEK3 + counter packets 0 bytes 0 jump KUBE-SEP-W3GSBK4IMEBEFHPJ + } + + chain KUBE-SEP-YGFHBW2DM6N3IEK3 { + ip saddr 10.244.0.44 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto udp counter packets 2 bytes 171 dnat to 10.244.0.44:53 + } + + chain KUBE-SEP-QHHO2BBHA2W6ABVA { + ip saddr 10.244.0.63 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 843 bytes 50580 dnat to 10.244.0.63:53 + } + + chain KUBE-SEP-SWQQGKEGIJFNRJRL { + ip saddr 10.244.0.63 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto tcp counter packets 0 bytes 0 dnat to 10.244.0.63:9153 + } + + chain KUBE-SEP-W3GSBK4IMEBEFHPJ { + ip saddr 10.244.0.63 counter packets 0 bytes 0 jump KUBE-MARK-MASQ + meta l4proto udp counter packets 0 bytes 0 dnat to 10.244.0.63:53 + } +} +table ip mangle { + chain KUBE-IPTABLES-HINT { + } + + chain KUBE-KUBELET-CANARY { + } + + chain KUBE-PROXY-CANARY { + } +} +table ip filter { + chain KUBE-FIREWALL { + ip saddr != 127.0.0.0/8 ip daddr 127.0.0.0/8 ct status dnat counter packets 0 bytes 0 drop + } + + chain OUTPUT { + type filter hook output priority filter; policy accept; + ct state new counter packets 245383 bytes 14723644 jump KUBE-PROXY-FIREWALL + ct state new counter packets 245383 bytes 14723644 jump KUBE-SERVICES + counter packets 3043981 bytes 2633914697 jump KUBE-FIREWALL + } + + chain INPUT { + type filter hook input priority filter; policy accept; + ct state new counter packets 47332 bytes 2840200 jump KUBE-PROXY-FIREWALL + counter packets 3210147 bytes 435991279 jump KUBE-NODEPORTS + ct state new counter packets 47332 bytes 2840200 jump KUBE-EXTERNAL-SERVICES + counter packets 3210791 bytes 436579809 jump KUBE-FIREWALL + } + + chain KUBE-KUBELET-CANARY { + } + + chain KUBE-PROXY-CANARY { + } + + chain KUBE-EXTERNAL-SERVICES { + } + + chain FORWARD { + type filter hook forward priority filter; policy accept; + ct state new counter packets 774 bytes 46491 jump KUBE-PROXY-FIREWALL + counter packets 287624 bytes 35538980 jump KUBE-FORWARD + ct state new counter packets 774 bytes 46491 jump KUBE-SERVICES + ct state new counter packets 774 bytes 46491 jump KUBE-EXTERNAL-SERVICES + } + + chain KUBE-NODEPORTS { + } + + chain KUBE-SERVICES { + meta l4proto tcp ip daddr 10.96.65.65 tcp dport 80 counter packets 0 bytes 0 reject + } + + chain KUBE-FORWARD { + meta mark & 0x00004000 == 0x00004000 counter packets 0 bytes 0 accept + ct state related,established counter packets 1866 bytes 233783 accept + } + + chain KUBE-PROXY-FIREWALL { + } +} +table ip6 mangle { + chain KUBE-IPTABLES-HINT { + } + + chain KUBE-KUBELET-CANARY { + } + + chain KUBE-PROXY-CANARY { + } +} +table ip6 nat { + chain KUBE-KUBELET-CANARY { + } + + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + counter packets 0 bytes 0 jump KUBE-POSTROUTING + } + + chain KUBE-PROXY-CANARY { + } + + chain KUBE-SERVICES { + ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump KUBE-NODEPORTS + } + + chain OUTPUT { + type nat hook output priority -100; policy accept; + counter packets 0 bytes 0 jump KUBE-SERVICES + } + + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + counter packets 0 bytes 0 jump KUBE-SERVICES + } + + chain KUBE-POSTROUTING { + meta mark & 0x00004000 != 0x00004000 counter packets 0 bytes 0 return + counter packets 0 bytes 0 meta mark set mark xor 0x4000 + counter packets 0 bytes 0 + } + + chain KUBE-NODEPORTS { + } + + chain KUBE-MARK-MASQ { + counter packets 0 bytes 0 meta mark set mark or 0x4000 + } +} +table ip6 filter { + chain KUBE-KUBELET-CANARY { + } + + chain KUBE-PROXY-CANARY { + } + + chain KUBE-EXTERNAL-SERVICES { + } + + chain INPUT { + type filter hook input priority filter; policy accept; + counter packets 8 bytes 552 jump KUBE-FIREWALL + ct state new counter packets 0 bytes 0 jump KUBE-PROXY-FIREWALL + counter packets 8 bytes 552 jump KUBE-NODEPORTS + ct state new counter packets 0 bytes 0 jump KUBE-EXTERNAL-SERVICES + } + + chain FORWARD { + type filter hook forward priority filter; policy accept; + ct state new counter packets 0 bytes 0 jump KUBE-PROXY-FIREWALL + counter packets 0 bytes 0 jump KUBE-FORWARD + ct state new counter packets 0 bytes 0 jump KUBE-SERVICES + ct state new counter packets 0 bytes 0 jump KUBE-EXTERNAL-SERVICES + } + + chain KUBE-NODEPORTS { + } + + chain KUBE-SERVICES { + } + + chain OUTPUT { + type filter hook output priority filter; policy accept; + counter packets 139 bytes 7888 jump KUBE-FIREWALL + ct state new counter packets 0 bytes 0 jump KUBE-PROXY-FIREWALL + ct state new counter packets 0 bytes 0 jump KUBE-SERVICES + } + + chain KUBE-FORWARD { + meta mark & 0x00004000 == 0x00004000 counter packets 0 bytes 0 accept + ct state related,established counter packets 0 bytes 0 accept + } + + chain KUBE-PROXY-FIREWALL { + } + + chain KUBE-FIREWALL { + } +} +table inet kindnet-network-policies { + set podips-v4 { + type ipv4_addr + } + + set podips-v6 { + type ipv6_addr + } + + chain postrouting { + type filter hook postrouting priority srcnat - 5; policy accept; + udp dport 53 accept + meta l4proto ipv6-icmp accept + meta skuid 0 accept + ct state established,related accept + ip saddr @podips-v4 queue flags bypass to 102 + ip daddr @podips-v4 queue flags bypass to 102 + ip6 saddr @podips-v6 queue flags bypass to 102 + ip6 daddr @podips-v6 queue flags bypass to 102 + } + + chain prerouting { + type filter hook prerouting priority dstnat + 5; policy accept; + meta l4proto != udp accept + udp dport != 53 accept + ip saddr @podips-v4 queue flags bypass to 102 + ip daddr @podips-v4 queue flags bypass to 102 + ip6 saddr @podips-v6 queue flags bypass to 102 + ip6 daddr @podips-v6 queue flags bypass to 102 + } +} +table inet kindnet-dnscache { + set set-v4-nameservers { + type ipv4_addr + elements = { 10.96.0.10 } + } + + chain prerouting { + type filter hook prerouting priority raw; policy accept; + ip saddr 10.244.2.0/24 ip daddr @set-v4-nameservers udp dport 53 queue flags bypass to 103 + } + + chain output { + type filter hook output priority raw; policy accept; + meta mark 0x0000006e udp sport 53 notrack + } +} +table inet kindnet-ipmasq { + set noMasqV4 { + type ipv4_addr + flags interval + auto-merge + elements = { 10.244.0.0/24, 10.244.1.0/24, + 10.244.2.0/24 } + } + + set noMasqV6 { + type ipv6_addr + flags interval + auto-merge + } + + chain postrouting { + type nat hook postrouting priority srcnat - 10; policy accept; + ct state established,related accept + fib saddr type local accept + ip daddr @noMasqV4 accept + ip6 daddr @noMasqV6 accept + masquerade + } +} diff --git a/internal/nf2go/rules_simple.txt b/internal/nf2go/rules_simple.txt new file mode 100644 index 0000000..44f3d82 --- /dev/null +++ b/internal/nf2go/rules_simple.txt @@ -0,0 +1,17 @@ +table ip filter { + chain output { + type filter hook output priority 100; policy accept; + } + + chain input { + type filter hook input priority 0; policy accept; + iifname "lan0" accept + iifname "wan0" drop + } + + chain forward { + type filter hook forward priority 0; policy drop; + iifname "lan0" oifname "wan0" accept + iifname "wan0" oifname "lan0" ct state related,established accept + } +} \ No newline at end of file