Add nftables support (#16)

* Update Logs

Fix ipv4 regex

* Add nftables support

* Add example

Author: hypunk

README.md

@@ -40,7 +40,8 @@ You may use single-dc configuration, specify it's name as *dc* though.
 3. Change default [**iptables template**](samples/iptables.rules)
 ## Service
 4. Install & launch befw-firewalld service on every agent node
-5. Edit [sample configuration](samples/befw.conf) and place it to /etc/befw.conf
+5. Edit [sample configuration](samples/befw.conf) and place it to /etc/befw.conf.  Options:
+    - firewall (values: "nft"|"nftc7", default: "") - Change firewall provider: nft - nftables, nftc7 - legacy nftables 0.8 (centos7), otherwise - iptables/ipset
 6. Place [sample service](samples/service.json) to *services dir* and see what will happen
 ## Puppet/Hiera/PuppetDB
 *We use puppet to do items 3-6 and below as we have a huge puppet installation. Skip this if you don't.*

befw/config.go

@@ -25,7 +25,10 @@ import (
 )
 
 // Current firewall instance
-var fw firewall = newIPTables() // Can be configured
+var fw firewall = newIPTables() // Default. Will be reconfigured
+
+const cfg_fw_nftc7 = "nftc7"
+const cfg_fw_nft = "nft"
 
 var OverrideConfig = make(map[string]string)
 
@@ -97,6 +100,19 @@ func createConfig(configFile string) *config {
 		setConfigKVSeconds(&ret.Timeout.ConsulWatch, "consulwatch_timeout_sec", OverrideConfig, kv)
 		setConfigKVBool(&ret.NIDSEnable, "nids", OverrideConfig, kv)
 
+		// Get firewall provider
+		if val, ok := kv["firewall"]; ok {
+			if val == cfg_fw_nftc7 {
+				logging.LogInfo("Use nftables (nftc7 - for centos7) firewall")
+				fw = NewNFTc7()
+			} else if val == cfg_fw_nft {
+				logging.LogInfo("Use nftables (nft) firewall")
+				fw = NewNFT()
+			} else {
+				logging.LogInfo("Use iptables/ipset firewall")
+			}
+		}
+
 		if _, ok := kv["fail"]; ok {
 			logging.LogError("[Config] you must edit your Config file before proceed")
 		}

befw/fwiptables.go

@@ -19,13 +19,14 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/wgnet/befw/logging"
 	"io/ioutil"
 	"net"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
+
+	"github.com/wgnet/befw/logging"
 )
 
 // Implementation of REAL calls of iptables, ip6tables, ipset
@@ -47,7 +48,7 @@ type fwIPTables struct {
 type binIPTables interface {
 	// ipset
 	ipsetList(name string) (string, error)
-	ipsetRestore(name, rule string) error
+	ipsetRestore(name string, rule string) error
 	// iptables
 	iptablesList() (string, error)
 	iptablesRestore(rules string) error
@@ -134,6 +135,7 @@ func (fw *fwIPTables) KeepConsistent() error {
 
 // Apply state
 func (fw *fwIPTables) Apply(state *state) error {
+	logging.LogDebug("Apply state.")
 	fw.lock.Lock()
 	defer fw.lock.Unlock()
 	logging.LogDebug("Try to apply state")
@@ -214,7 +216,7 @@ func (fw *fwIPTables) rulesGenerate(state *state, applied map[string][]string, i
 		if ip6 {
 			name += V6
 		}
-		name = correctIPSetName(name)
+		name = correctIPSetName(name, 31)
 		strings.NewReplacer("{NAME}", name,
 			"{PRIORITY}", strconv.Itoa(set.Priority),
 			"{TARGET}", set.Target,
@@ -230,7 +232,7 @@ func (fw *fwIPTables) rulesGenerate(state *state, applied map[string][]string, i
 		if ip6 {
 			name += V6
 		}
-		name = correctIPSetName(name)
+		name = correctIPSetName(name, 31)
 		// Check template by service mode.
 		var templateRule string = templates.Line
 		if srv.Mode == MODE_ENFORCING {
@@ -272,8 +274,8 @@ func (fw *fwIPTables) rulesGenerate(state *state, applied map[string][]string, i
 // Generate text rules for 'ipset' command
 func (fw *fwIPTables) ipsetGenerate(name string, set []string) string {
 	result := new(strings.Builder)
-	name6 := correctIPSetName(name + V6)
-	name = correctIPSetName(name)
+	name6 := correctIPSetName(name+V6, 31)
+	name = correctIPSetName(name, 31)
 	tmp := fmt.Sprintf("tmp_%s", getRandomString())
 	tmp6 := fmt.Sprintf("tmp6_%s", getRandomString())
 
@@ -288,8 +290,12 @@ func (fw *fwIPTables) ipsetGenerate(name string, set []string) string {
 	// 2. Fill tmp ipset
 	for _, cidr := range set {
 		_, nt, e := net.ParseCIDR(cidr)
-		if e != nil || nt == nil {
-			logging.LogWarning("[IPT] Skip set. Can't parse CIDR: ", cidr)
+		if e != nil {
+			logging.LogWarning("[IPT] Skip set. Can't parse as CIDR: ", cidr)
+			continue
+		}
+		if nt == nil {
+			logging.LogWarning("[IPT] Skip set. No CIDR mask: ", cidr)
 			continue
 		}
 		if isIPv6(cidr) {
@@ -323,7 +329,7 @@ func (fw *fwIPTables) ipsetGenerate(name string, set []string) string {
 func (this *config) newRules() *IptablesRules {
 	rules := defaultRules()
 	if data, e := ioutil.ReadFile(this.RulesPath); e != nil {
-		logging.LogWarning("[IPT] Can't read", this.RulesPath, "; using default:", e.Error())
+		logging.LogWarning("[IPT] Can't read ", this.RulesPath, "; using default: ", e.Error())
 	} else {
 		if e := json.Unmarshal(data, rules); e != nil {
 			logging.LogWarning("[IPT] Can't parse", this.RulesPath, "; using default:", e.Error())
@@ -486,6 +492,7 @@ func (fw *fwIPTables) rules6Restore() error {
 
 // Return state of ipset
 func (b *binRealIPTables) ipsetList(name string) (string, error) {
+	name = correctIPSetName(name, 31)
 	out, err := run(nil, "ipset", "-o", "save", "list", name)
 	if err != nil {
 		logging.LogWarning("[IPT] Failed to get list of ipset:", name, out)

befw/fwiptables_test.go

@@ -40,7 +40,8 @@ type mockIPTables struct {
 }
 
 func TestKeepConsistent(t *testing.T) {
-	s, fw, mock := dummyState()
+	s := testDummyState()
+	fw, mock := mockFirewallIPTables()
 
 	// Initialization: Apply generated rules
 	fw.Apply(&s)
@@ -109,7 +110,8 @@ func TestKeepConsistent(t *testing.T) {
 }
 
 func TestApply(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 	fw.Apply(&s)
 
 	// Expect patterns in output
@@ -153,7 +155,7 @@ func TestApply(t *testing.T) {
 		"swap tmp_[a-zA-Z0-9]* C",
 	}, t)
 
-	// Unexpect pattrins in ipset output
+	// Unexpect patterns in ipset output
 	unexpects(ipsetResult, []string{"add tmp_[a-zA-Z0-9]* 42\\.2\\.3\\.4",
 		"add tmp_[a-zA-Z0-9]* 5\\.1\\.",
 	}, t)
@@ -181,7 +183,8 @@ func TestApply(t *testing.T) {
 }
 
 func TestRulesGenerate(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 	test := fw.rulesGenerate(&s, s.StaticIPSets, false)
 
 	// Expect patterns in output
@@ -198,7 +201,8 @@ func TestRulesGenerate(t *testing.T) {
 }
 
 func TestIpsetGenerateServices(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 
 	var result string = ""
 	for _, srv := range s.NodeServices {
@@ -220,7 +224,8 @@ func TestIpsetGenerateServices(t *testing.T) {
 }
 
 func TestIpsetGenerateStaticSetList(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 	var result string = ""
 	for name, set := range s.StaticIPSets {
 		result += fw.ipsetGenerate(name, set)
@@ -235,7 +240,8 @@ func TestIpsetGenerateStaticSetList(t *testing.T) {
 }
 
 func TestIpsetGenerateConstSetList(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 
 	// Check expectations
 	expects := []string{"swap tmp_", "destroy tmp_", "create tmp_"}
@@ -255,7 +261,8 @@ func TestIpsetGenerateConstSetList(t *testing.T) {
 
 // Test IPv6 support (ipset)
 func TestIpsetV6(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 	name := "TestService"
 	srv6 := asService(name, []string{"22/tcp"}, []string{"4.4.4.4/28", "::1:5ee:bad:c0de/80"})
 	s.NodeServices = append(s.NodeServices, srv6)
@@ -290,7 +297,8 @@ func TestIpsetV6(t *testing.T) {
 }
 
 func TestIptablesV6(t *testing.T) {
-	s, fw, _ := dummyState()
+	s := testDummyState()
+	fw, _ := mockFirewallIPTables()
 
 	// Exist v6
 	name := "TestService"
@@ -310,25 +318,29 @@ func TestIptablesV6(t *testing.T) {
 
 // ==========[ Util Func ]==========
 
-func dummyState() (state, *fwIPTables, *mockIPTables) {
+func testDummyState() state {
 	// State:
 	s := state{
 		StaticIPSets: map[string][]string{
 			"A": []string{"1.2.3.1/32", "0.0.0.0/0", "10.10.10.10/28", "192.168.1.1/32", "42.2.3.4", "::0/0"},
 			"B": []string{"1.2.3.2/32", "0.0.0.0/0", "10.10.10.10/28", "192.168.1.1/32", "42.2.3.4"},
 		},
 		NodeServices: []bService{
-			asService("B", []string{"10/tcp", "8080:8090"}, []string{"1.2.3.3/32", "0.0.0.0/0", "10.0.0.0/12", "5.1.1.3/32", "42.2.3.4"}),
+			asService("B", []string{"10/tcp", "8080:8090", "443/tcp", "443/tcp"}, []string{"1.2.3.3/32", "0.0.0.0/0", "10.0.0.0/12", "5.1.1.3/32", "42.2.3.4"}),
 			asService("C", []string{"20/tcp", "8085:9090"}, []string{"1.2.3.4/32", "10.0.0.0/12", "1.2.3.6/32", "43.2.3.4", "5.1.1.4/32"}),
-			asService("D", []string{"30/tcp"}, []string{"1.2.3.4/32", "10.0.0.0/12", "1.2.3.6/32", "43.2.3.4", "5.1.1.4/32"}),
-			asService("E", []string{}, []string{"1.2.3.4/32", "10.0.0.0/12", "1.2.3.6/32", "43.2.3.4", "5.1.1.4/32"}),
+			asService("test.srv2.stg-hiera_tcp_19080", []string{"30/tcp"}, []string{"1.2.3.4/32", "10.0.0.0/12", "1.2.3.6/32", "43.2.3.4", "5.1.1.4/32"}),
+			asService("ThiS_is_very_and_Very_LONG_service", []string{}, []string{"1.2.3.4/32", "10.0.0.0/12", "1.2.3.6/32", "43.2.3.4", "5.1.1.4/32"}),
 		},
 	}
 	s.Config = &config{
 		StaticSetList: staticIPSetList,
 	}
 	s.fillMandatoryIPSet()
 
+	return s
+}
+
+func mockFirewallIPTables() (*fwIPTables, *mockIPTables) {
 	// Firewall:
 	var fw *fwIPTables = newIPTables()
 	mock := mockIPTables{
@@ -339,7 +351,7 @@ func dummyState() (state, *fwIPTables, *mockIPTables) {
 
 	// ipset
 	mock.mockIpsetList = func(name string) (string, error) { return mock.ipsets[name], nil }
-	mock.mockIpsetRestore = func(name, rules string) error { mock.ipsets[name] = rules; return nil }
+	mock.mockIpsetRestore = func(name string, rules string) error { mock.ipsets[name] = rules; return nil }
 	// iptables
 	mock.mockIptablesList = func() (string, error) { return mock.rules, nil }
 	mock.mockIptablesRestore = func(rules string) error { mock.rules = rules; return nil }
@@ -348,7 +360,7 @@ func dummyState() (state, *fwIPTables, *mockIPTables) {
 	mock.mockIp6tablesRestore = func(rules string) error { mock.rules6 = rules; return nil }
 
 	fw.bin = &mock
-	return s, fw, &mock
+	return fw, &mock
 }
 
 func asService(name string, ports []string, clients []string) bService {