RFE/RFD: lightweight integration of NFT sets for use in firewalls

[topimiettinen]

Is your feature request related to a problem? Please describe.
Integrating firewall rules with systemd services is difficult or impossible. There are BPF options but they aren't very nice to administrate. Also, kernel's netfilter system for cgroup matching is based on numeric cgroup IDs, which change every time a service is restarted, making them useless in systemd environment. Typically DNS information isn't available for firewalls.

Describe the solution you'd like
PID1, networkd and resolved should optionally put discovered network and cgroup ID information to NFT sets, for use with firewall rules.

• PID1 should put cgroupv2 IDs to NFT sets named using cgroup path like systemd.user.slice/user-1000.slice/user@1000.service/app.slice/, or perhaps to set specified with Service.CGroupNFTSet=systemd-app
• networkd should put interface IP address ranges and possibly other information (at the extreme, same as NetworkManager-dispatcher) to set named for example systemd-eth0-ipv4 or perhaps instead specified with Network.IPv4NFTSet=systemd-eth0-ipv4
• resolved should put DNS information from resolved to set named according to requesting service (see also resolved: access control feature #17126) or explicitly configured

Then the firewall rules can make arbitrarily complex use of the sets. Systemd would not need to gain further firewalling abilities besides the rather simple management of specific NFT sets.

Example NFT rules:

table inet filter {
        set systemd-eth0-ipv4 {
                type ipv4_addr;
                flags interval;
        }
        set systemd-app {
                type integer;
        }
        set systemd-timesyncd {
                type ipv4_addr;
        }

        chain service_x_input {
                ip saddr @systemd-eth0-ipv4 counter accept
                counter drop
        }
        chain service_y_input {
                meta cgroup @systemd-app counter accept
                counter drop
        }
        chain systemd_timesyncd_output {
                ip daddr @systemd-timesyncd counter accept
                counter reject with icmpx admin-prohibited
        }
}

Related discussion in #7327 and #21899.

Describe alternatives you've considered
Daemons to manage cgroup IDs:
https://github.com/helsinki-systems/nft_cgroupv2/
https://github.com/mk-fg/systemd-cgroup-nftables-policy-manager

IPSet module for Unbound DNS puts resolved A and AAAA addresses to IPSet (but it can't identify the calling service):
https://github.com/NLnetLabs/unbound/blob/master/ipset/ipset.c

[topimiettinen]

Benefit of using NFT sets compared to external daemons is that modifying the set is synchronous but very lightweight operation. For example, networkd can set the IP address from DHCP to the set before applying it to the interface, so there are no time windows where the set would be updated too late. This could easily happen if there's an external daemon listening to events (unless PID1 or networkd would wait while scripts execute and signal completion).

@poettering @yuwata @keszybz @bluca WDYT?

[yuwata]

Sounds nice!

[topimiettinen]

libnftnl is licensed under GPL2+. Would that be a problem?

Its dependency, libmnl is under LGPLv2.1+.

[bluca]

Yes, GPL2 library would be a problem, as the combined work after linking would be GPL2 as a whole - weird license choice for a library?

[topimiettinen]

Yes, GPL2 library would be a problem, as the combined work after linking would be GPL2 as a whole - weird license choice for a library?

Yes, not very inviting. Luckily our own sd-netlink already can process some netlink messages.

[poettering]

Conceptually the networkd ip address thing, and the cgroup id thing make sense to me. Not sure I am convinced by the resolved thing, it sucks for access control...

[poettering]

So we recently discussed whether we should add support to .network files to automatically load nft rules files on interface activation. i.e. that if networkd actviates foobar.network we also load the foobar.nft firewall.

It appears to me that the concept suggested here of maintaining NFT set objects is a more flexible approach, right?

i.e. what model is preferable: having a static firewall ruleset with dynamic sets – or having a dynamic firewall ruleset? It appears to me the former makes more sense.

Thoughts?

[topimiettinen]

I think the models are complementary. Loading rules on interface activation is useful for netdev rules, which can't use a set for the interface name. In other cases, set objects may contain information which can be used with static (but also per-interface) rules.

The per-interface rules can be implemented with no changes. Example:

# /etc/udev/rules.d/90-netfilter.rules 
SUBSYSTEM!="net", GOTO="netfilter_end"
ENV{SYSTEMD_WANTS}+="nftables-dev@$name.service"
LABEL="netfilter_end"

# /etc/systemd/system/nftables-dev@.service
[Unit]
Description=nftables for device %i
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target nftables.service
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
After=nftables.service

[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables-%i.conf
ExecReload=/usr/sbin/nft -f /etc/nftables-%i.conf

[Install]
WantedBy=sysinit.target

# /etc/nftables-lan.conf 
#!/usr/sbin/nft -f

table netdev filter {
        chain lan_ingress {
                type filter hook ingress device lan priority filter; policy drop;
        }
}

flush chain netdev filter lan_ingress

table netdev filter {
        chain lan_ingress {
                type filter hook ingress device lan priority filter; policy drop;

                meta protocol vmap {
                     ip : jump validate_ipv4,
                     ip6 : jump validate_ipv6,
                     arp : jump validate_arp
                }
                counter log prefix "[netdev-lan-ingress] " flags all drop
        }
}

This uses static device name 'lan', but I suppose I could use @@DEVICE@@ insted and use sed to replace the interface name with %i and feed its output in a pipe to nft.

Some rules above (like validate_ipv4) are defined in static part.

[sta-c0000]

re: resolved and DNS query nft sets
I think just that is a great idea, I'm using dnsmasq v2.87 for this specific use case (easily backported to Debian bullseye).

As you might know dnsmasq v2.87 added the --nftset domain name option.
It's great because the nft sets are populated when, and only when, an actual DNS query is performed by the application / service with the ip addresses returned to them by the DNS reply. It's very efficient.

I had been trying to work out an allowlist firewall using systemd cgroupv2...
Instead I settled on forcing every service and application to use specific Linux users and or groups (one for every that requires any network resources).
nftables is indeed easier, more powerful and flexible, and now better for statistics.
I've detailed how I'm using nftables with dnsmasq nft sets (with some caveats) here: Group Allow-List Application Firewall