Merge pull request #56 from random-archer/vvl-nftables

initrd nftables service

Author: Andrei-Pozolotin

.azure.yml

@@ -45,7 +45,7 @@ jobs:
 #
   - template: tool/azure/steps-cache.yml
     parameters: # change to reset cache
-      cache_version: V16
+      cache_version: V17
 #
   - bash: env|sort|grep CACHE
     displayName: review caches
@@ -70,6 +70,10 @@ jobs:
   - template: tool/azure/steps-image.yml
     parameters:
       image_path: test/unitada
+#
+  - template: tool/azure/steps-image.yml
+    parameters:
+      image_path: test/nftables
 #
   - bash: machinectl --all --full
     displayName: review machines

PKGBUILD

@@ -0,0 +1,30 @@
+#
+# manual build: cd $repo ; makepkg -e ;
+#
+
+pkgname=mkinitcpio-systemd-tool
+pkgver=build
+pkgrel=$(date +%s)
+pkgdesc="Provisioning tool for systemd in initramfs (systemd-tool)"
+arch=('any')
+url="https://github.com/random-archer/mkinitcpio-systemd-tool"
+license=('Apache')
+depends=('mkinitcpio' 'systemd')
+optdepends=('cryptsetup: for initrd-cryptsetup.service'
+            'dropbear: for initrd-dropbear.service'
+            'busybox: for initrd-tinysshd.service'
+            'tinyssh: for initrd-tinysshd.service'
+            'tinyssh-convert: for initrd-tinysshd.service'
+            'mc: for initrd-debug-progs.service')
+conflicts=('mkinitcpio-dropbear' 'mkinitcpio-tinyssh')
+backup=("etc/${pkgname}/config/crypttab"
+        "etc/${pkgname}/config/fstab"
+        "etc/${pkgname}/network/initrd-network.network" )
+#source=("$pkgname-$pkgver.tar.gz::https://github.com/random-archer/${pkgname}/archive/v${pkgver}.tar.gz")
+#install="${pkgname}.install"
+#sha512sums=()
+
+package() {
+  cd ..
+  make DESTDIR="$pkgdir/" PREFIX='/usr' install
+}

src/initrd-nftables.conf

@@ -0,0 +1,72 @@
+#!/usr/bin/nft -f
+
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provides firewall when running inside initrd
+# see: https://wiki.archlinux.org/index.php/Nftables
+
+# file location in initramfs:
+# /etc/nftables.conf
+
+# file location in real-root:
+# /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf
+
+# note:
+# * more nft examples are in /usr/share/nftables/
+# * make sure SSHD_PORT matches dropbear or tinysshd
+
+define SSHD_PORT = 22
+
+table inet filter {
+	set knockd4-allow {
+		type ipv4_addr
+		timeout 7d
+	}
+	set knockd4-step2 {
+		type ipv4_addr
+		timeout 5s
+	}
+	set knockd4-step1 {
+		type ipv4_addr
+		timeout 5s
+	}
+	set knockd6-allow {
+		type ipv6_addr
+		timeout 7d
+	}
+	set knockd6-step2 {
+		type ipv6_addr
+		timeout 5s
+	}
+	set knockd6-step1 {
+		type ipv6_addr
+		timeout 5s
+	}
+	chain input {
+		type filter hook input priority 0; policy drop;
+		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept
+		ip6 nexthdr icmpv6 icmpv6 type echo-request counter drop
+		ip protocol icmp icmp type echo-request limit rate 1/second accept
+		ip protocol icmp icmp type echo-request counter drop
+		ct state {established, related} accept
+		ct state invalid drop
+		tcp dport $SSHD_PORT ip saddr @knockd4-allow accept
+		ip saddr @knockd4-step2 tcp dport $SSHD_PORT set add ip saddr @knockd4-allow
+		ip saddr @knockd4-step1 tcp dport $SSHD_PORT set add ip saddr @knockd4-step2
+		tcp dport $SSHD_PORT set add ip saddr @knockd4-step1
+		tcp dport $SSHD_PORT ip6 saddr @knockd6-allow accept
+		ip6 saddr @knockd6-step2 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-allow
+		ip6 saddr @knockd6-step1 tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step2
+		tcp dport $SSHD_PORT set add ip6 saddr @knockd6-step1
+		ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
+		ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept
+		reject
+	}
+	chain forward {
+		type filter hook forward priority 0; policy accept;
+		accept
+	}
+	chain output {
+		type filter hook output priority 0; policy accept;
+	}
+}

src/initrd-nftables.service

@@ -0,0 +1,35 @@
+# This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
+
+# Provides firewall when running inside initrd
+# see: https://wiki.archlinux.org/index.php/Nftables
+
+# service dependencies:
+# - https://www.archlinux.org/packages/community/x86_64/nftables
+
+[Unit]
+Description=Initrd Firewall Service
+Documentation=https://github.com/random-archer/mkinitcpio-systemd-tool/blob/master/README.md
+ConditionPathExists=/etc/initrd-release
+DefaultDependencies=no
+Before=initrd-network.service
+
+[Service]
+# reproduce default nftables.service
+Type=oneshot
+ExecStart=/usr/bin/nft -f /etc/nftables.conf
+ExecReload=/usr/bin/nft flush ruleset ';' include '"/etc/nftables.conf"'
+ExecStop=/usr/bin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+# activate by reverse dependency
+WantedBy=initrd-network.service
+
+[X-SystemdTool]
+
+# include nftables binaries
+InitrdCall=add_all_modules /netfilter/nft_*
+InitrdCall=add_all_modules /netfilter/nf_tables*
+
+# provision firewall settings in initrd
+InitrdPath=/etc/nftables.conf source=/etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf   replace=yes

tool/image/arch/base/build.py

@@ -3,6 +3,8 @@
 #
 # build basic archux image
 #
+# note:
+# * using azure cache, update `azure.yml/.../cache_version` when changing this file
 
 from nspawn.build import *
 
@@ -69,9 +71,7 @@
    # provide host sshd keys
    "openssh "
    # build/install deps
-   "sed "
-   "grep "
-   "make "
+   "base-devel "
    # core package deps
    "linux "
    "mkinitcpio "
@@ -83,6 +83,8 @@
    "tinyssh-convert "
    # initrd-cryptsetup.service
    "cryptsetup "
+   # initrd-nftables.service
+   "nftables "
 )
 
 # enable services

tool/image/test/cryptsetup/etc/systemd/system/initrd-debug-progs.service.d/override.conf

@@ -8,10 +8,11 @@ InitrdBinary=/usr/bin/strace
 InitrdBinary=/usr/bin/cryptsetup
 
 # dependency reporter
-InitrdBinary=/usr/bin/systemd-analyze 
+InitrdBinary=/usr/bin/systemd-analyze
 
 # serial console resizer
 InitrdBinary=/usr/bin/resize
 
 # qemu guest drivers
+InitrdCall=add_module e1000
 InitrdCall=add_all_modules /virtio/

tool/image/test/cryptsetup/setup.py

@@ -29,3 +29,6 @@
 #     MACVLAN=network_face,
 #     Capability='all',
 # )
+
+# configure machine ssh access
+WITH(BindReadOnly="/root/.ssh/authorized_keys")

tool/image/test/cryptsetup/verify.py

@@ -14,6 +14,7 @@
 project_root = os.popen("git rev-parse --show-toplevel").read().strip()
 python_module = f"{project_root}/tool/module"
 sys.path.insert(0, python_module)
+from arkon_config import kernel_version
 from arkon_config import cryptsetup_machine
 from machine_unit import MachineUnit
 
@@ -51,7 +52,7 @@
     "/bin/swapon",
     "/bin/swapoff",
 
-    "/usr/lib/modules/5.5.6-arch1-1/kernel/dm-crypt.ko",
+    f"/usr/lib/modules/{kernel_version}/kernel/dm-crypt.ko",
 
     "/usr/lib/udev/rules.d/10-dm.rules",
     "/usr/lib/udev/rules.d/11-dm-initramfs.rules",

tool/image/test/dropbear/setup.py

@@ -21,3 +21,6 @@
 
 # container name
 MACHINE(name=dropbear_machine)
+
+# configure machine ssh access
+WITH(BindReadOnly="/root/.ssh/authorized_keys")

tool/image/test/nftables/build.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+#
+# build nftables image
+#
+
+from nspawn.build import *
+
+import os
+import sys
+
+# import shared config
+project_root = os.popen("git rev-parse --show-toplevel").read().strip()
+python_module = f"{project_root}/tool/module"
+sys.path.insert(0, python_module)
+from arkon_config import base_image_url
+from arkon_config import nftables_image_url
+
+# declare image identity
+IMAGE(url=nftables_image_url)
+
+# provision dependency image
+PULL(url=base_image_url)
+
+# copy local resources
+COPY(path="/etc")
+
+# publish image
+PUSH()