Open
Conversation
zpe-reneneumann
approved these changes
Sep 14, 2025
Spiritual successor to firewall (v1), allowing (almost) atomic chain/ rule creation/update/deletion in the ipv4/ipv6 nat/firewall tables. It does a diff between the current and defined/desired ruleset, and executes nodegrid cli commands to transition from former to later. This is done as atomically as possible, to reduce the possibility for an error to leave the device's firewall in a half-configured/-updated state, leaving it potentially vulnerable or unreachable. Updates and Deletions are straight forward: queue them using `set` and `delete` commands, and then apply them all in one go with a single `commit` command. Additions are more complicated because the required `add` command starts edit-mode, and the `save` command to leave it will always implicitly do a commit. To make this work, first create all required new objects as no-ops so even when committed they do not change the effective behaviour. For chains that is easy, because new chains (and any new rules in it) can't be referenced by the current ruleset yet. Rules need to be numbered gap-less increasing from zero, so new rules can only be appended at the end of a chain; never inserted in the middle. Instead of creating the new no-op rules using some impossible-to-match conditions, use the `RETURN` target to exit the chain, as it would do without the no-op rule present anyway. The actual rule contents will then be applied in one go together with all the other updates and deletions. And even of that fails for some reason, the created and committed no-op chains/rules don't change the previous behaviour of the firewall ruleset. Config transactions allow an automatic rollback after 30s if not confirmed, for example when the device becomes unreachable due to a flawed firewall ruleset. But that timeout is fixed, and depending on the amount of changes/commands could be too short. Since the rollback will be to the last committed state and thus also revert any queued changes, only the final `commit` command needs to be in the config transaction. Should a rollback be triggered, it will revert all updates and deletions but keep the already-committed no-op additions. The actual atomicity of the whole process depends solely on how atomic the commit implementation in the nodegrid cli is. But no matter how good it is, iptable updates can by design never be fully atomic; one of the many advantages of nftables, where full/true atomicity is possible. This should still be considered PoC quality, requiring further review.
m-hau
force-pushed
the
feature/firewallv3
branch
from
f36b43b to
c9a9e51
Compare
For some reason from v6.0.35 onward you can't set `target=LOG` and `log_level` in one `set` statement anymore. You have to now first `set target=LOG` and only then can `set loglevel=…`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Spiritual successor to firewall (v1), allowing (almost) atomic chain/ rule creation/update/deletion in the ipv4/ipv6 nat/firewall tables. It does a diff between the current and defined/desired ruleset, and executes nodegrid cli commands to transition from former to later. This is done as atomically as possible, to reduce the possibility for an error to leave the device's firewall in a half-configured/-updated state, leaving it potentially vulnerable or unreachable.
Updates and Deletions are straight forward: queue them using
setanddeletecommands, and then apply them all in one go with a singlecommitcommand. Additions are more complicated because the requiredaddcommand starts edit-mode, and thesavecommand to leave it will always implicitly do a commit. To make this work, first create all required new objects as no-ops so even when committed they do not change the effective behaviour. For chains that is easy, because new chains (and any new rules in it) can't be referenced by the current ruleset yet. Rules need to be numbered gap-less increasing from zero, so new rules can only be appended at the end of a chain; never inserted in the middle. Instead of creating the new no-op rules using some impossible-to-match conditions, use theRETURNtarget to exit the chain, as it would do without the no-op rule present anyway. The actual rule contents will then be applied in one go together with all the other updates and deletions. And even of that fails for some reason, the created and committed no-op chains/rules don't change the previous behaviour of the firewall ruleset.Config transactions allow an automatic rollback after 30s if not confirmed, for example when the device becomes unreachable due to a flawed firewall ruleset. But that timeout is fixed, and depending on the amount of changes/commands could be too short. Since the rollback will be to the last committed state and thus also revert any queued changes, only the final
commitcommand needs to be in the config transaction. Should a rollback be triggered, it will revert all updates and deletions but keep the already-committed no-op additions.The actual atomicity of the whole process depends solely on how atomic the commit implementation in the nodegrid cli is. But no matter how good it is, iptable updates can by design never be fully atomic; one of the many advantages of nftables, where full/true atomicity is possible.
This should still be considered PoC quality, requiring further review.