nixos/{firewall,nat}: Standardize around an iptables-restore / nftables solution

[wkennington]

Right now we use a command defined set of firewall rules. This allows for mutability of rules during normal operation and a simple, flexible interface for users to add new firewall rules using iptables commands.

While this approach has worked in the past, it would be nice to standardize on a cleaner firewall interface using the iptables-restore or nftables utilities.

Personally I'd like to see nftables used for this, as it seems to be the future direction of the linux packet filtering stack.

[Shados]

I have a working iptables-restore based firewall.nix/nat.nix that I've been playing with/testing for a few weeks, could clean it up in the next few days and push it to github if you like.

I spoke to @edolstra about the idea previously and he mentioned there would be issues with packages that add/change iptables rules (e.g. libvirtd) getting their rules trashed by iptables-restore, currently my implementation just ignores this issue.

[lucabrunox]

I think there should be a common services.iptables configuration, used by
firewall, nat and others. Then iptables-restore shall be done in
services.iptables once for the unified rules.

On Fri, Sep 19, 2014 at 1:02 AM, Alexei Robyn notifications@github.com
wrote:

I have a working iptables-restore based firewall.nix/nat.nix that I've
been playing with/testing for a few weeks, could clean it up in the next
few days and push it to github if you like.

I spoke to @edolstra https://github.com/edolstra about the idea
previously and he mentioned there would be issues with packages that
add/change iptables rules (e.g. libvirtd) getting their rules trashed by
iptables-restore, currently my implementation just ignores this issue.

—
Reply to this email directly or view it on GitHub
#4155 (comment).

www.debian.org - The Universal Operating System

[Shados]

@lethalman I kind of like that the modules' naming in this case is more semantic rather than specifying the technologies involved, especially because it does mean they won't need to be arbitrarily renamed if the backend is changed.
OTOH, having them be named after the technology does mean you can keep around multiple backends simultaneously, which could I guess be useful for transitioning between them.

Also, keep in mind you can call iptables-restore just once from just one service but still have the configuration be spread across multiple modules if that provides for a cleaner interface.

[wmertens]

Iptables-restore trashes any stateful rules that were added. Running
containers adds rules, for example.

Wout.
On Sep 19, 2014 1:04 AM, "lethalman" notifications@github.com wrote:

I think there should be a common services.iptables configuration, used by
firewall, nat and others. Then iptables-restore shall be done in
services.iptables once for the unified rules.

On Fri, Sep 19, 2014 at 1:02 AM, Alexei Robyn notifications@github.com
wrote:

I have a working iptables-restore based firewall.nix/nat.nix that I've
been playing with/testing for a few weeks, could clean it up in the next
few days and push it to github if you like.

I spoke to @edolstra https://github.com/edolstra about the idea
previously and he mentioned there would be issues with packages that
add/change iptables rules (e.g. libvirtd) getting their rules trashed by
iptables-restore, currently my implementation just ignores this issue.

—
Reply to this email directly or view it on GitHub
#4155 (comment).

www.debian.org - The Universal Operating System

—
Reply to this email directly or view it on GitHub
#4155 (comment).

[CMCDragonkai]

Currently, are changes made to firewall/nat applied atomically (to prevent packet drops)? (this could be done using iptables-restore).

To deal with external services also modifying iptables, there might be a way to merge the modifications together. Would the ipset utility help? http://ipset.netfilter.org/index.html

[wkennington]

ipset only helps for ip address matches, not for generic iptables rules.
Unfortunately just using iptables-restore doesn't actually give you
atomicity in your rule chain as it just processes the clears / adds
internally. You would need to use a modern kernel with nftables to achieve
this effect. Unfortunately that is going to require users to port their
current config to a next generation nftables firewall. I think there is
something to be gained by having both implementations side by side and
phasing out the old one over the period of say a year.

On Mon, Sep 14, 2015 at 11:13 PM Roger Qiu notifications@github.com wrote:

Currently, are changes made to firewall/nat applied atomically (to prevent
packet drops)? (this could be done using iptables-restore).

To deal with external services also modifying iptables, there might be a
way to merge the modifications together. Would the ipset utility help?
http://ipset.netfilter.org/index.html

—
Reply to this email directly or view it on GitHub
#4155 (comment).

[Shados]

@wkennington iptables-restore does actually clear and apply the rules in a single transaction, and any errors simply result in the previous state continuing on as normal. There's no opportunity for packets to be incorrectly accepted or dropped. In what way is it not atomic?

[wkennington]

Ah, I didn't realize we had true atomic support with iptables-restore. At
any rate, I'm still not sure how you would account for externally applied
for rules yet.

On Tue, Sep 15, 2015, 03:57 Alexei Robyn notifications@github.com wrote:

@wkennington https://github.com/wkennington iptables-restore does
actually clear and apply the rules in a single transaction, and any errors
simply result in the previous state continuing on as normal. There's no
opportunity for packets to be incorrectly accepted or dropped. In what way
is it not atomic?

—
Reply to this email directly or view it on GitHub
#4155 (comment).

[lucabrunox]

Let's try to shrink the problem at least.

To address the external iptables rule I guess we need some intelligence in parsing iptables-save, in order to readd them in an eventual iptables-restore. Is that the only approach possible?

[wkennington]

What I'm worried about is how this will interact with
networking.firewall.extraCommands which expect the state of the firewall to
be flushed prior to being executed and therefore cannot be saved. Given
that this conflicts with the idea of parsing running rules to be saved, I
don't think you can come up with a strategy here that doesn't break
something. It would be better to create an entirely new interface with no
surprises and have users migrate.

On Tue, Sep 15, 2015, 11:09 lethalman notifications@github.com wrote:

Let's try to shrink the problem at least.

To address the external iptables rule I guess we need some intelligence in
parsing iptables-save, in order to readd them in an eventual
iptables-restore. Is that the only approach possible?

—
Reply to this email directly or view it on GitHub
#4155 (comment).

[edolstra]

Sacrificing extraCommands sounds acceptable if we get an atomically updated firewall in exchange.