Network: Firewall API

liqotech · Nov 15, 2023 · 76e2a4e · 76e2a4e
1 parent b802989
commit 76e2a4e
Show file tree

Hide file tree

Showing 8 changed files with 414 additions and 170 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -7,7 +7,7 @@ repos:
     - id: golangci-lint
       name: golangci-lint
       description: Fast linters runner for Go.
-      entry: golangci-lint run --new
+      entry: golangci-lint run --new-from-rev HEAD
       types: [go]
       language: golang
       require_serial: true

diff --git a/apis/networking/v1alpha1/firewall/chain_types.go b/apis/networking/v1alpha1/firewall/chain_types.go
@@ -0,0 +1,96 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+import "math"
+
+// ChainType defines what this chain will be used for.
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types
+type ChainType string
+
+// Possible ChainType values.
+const (
+	ChainTypeFilter ChainType = "filter"
+	ChainTypeRoute  ChainType = "route"
+	ChainTypeNAT    ChainType = "nat"
+)
+
+// ChainPolicy defines what this chain default policy will be.
+type ChainPolicy string
+
+// Possible ChainPolicy values.
+const (
+	ChainPolicyDrop   ChainPolicy = "drop"
+	ChainPolicyAccept ChainPolicy = "accept"
+)
+
+// ChainHook specifies at which step in packet processing the Chain should be executed.
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_hooks
+type ChainHook string
+
+// Possible ChainHook values.
+var (
+	ChainHookPrerouting  ChainHook = "prerouting"
+	ChainHookInput       ChainHook = "input"
+	ChainHookForward     ChainHook = "forward"
+	ChainHookOutput      ChainHook = "output"
+	ChainHookPostrouting ChainHook = "postrouting"
+	ChainHookIngress     ChainHook = "ingress"
+)
+
+// ChainPriority orders the chain relative to Netfilter internal operations.
+// https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
+type ChainPriority int32
+
+// Possible ChainPriority values.
+// from /usr/include/linux/netfilter_ipv4.h.
+var (
+	ChainPriorityFirst           ChainPriority = math.MinInt32
+	ChainPriorityConntrackDefrag ChainPriority = -400
+	ChainPriorityRaw             ChainPriority = -300
+	ChainPrioritySELinuxFirst    ChainPriority = -225
+	ChainPriorityConntrack       ChainPriority = -200
+	ChainPriorityMangle          ChainPriority = -150
+	ChainPriorityNATDest         ChainPriority = -100
+	//nolint:revive // We need a variable with zero value.
+	ChainPriorityFilter           ChainPriority = 0
+	ChainPrioritySecurity         ChainPriority = 50
+	ChainPriorityNATSource        ChainPriority = 100
+	ChainPrioritySELinuxLast      ChainPriority = 225
+	ChainPriorityConntrackHelper  ChainPriority = 300
+	ChainPriorityConntrackConfirm ChainPriority = math.MaxInt32
+	ChainPriorityLast             ChainPriority = math.MaxInt32
+)
+
+// Chain is a chain of rules to be applied to a table.
+// +kubebuilder:object:generate=true
+type Chain struct {
+	// Name is the name of the chain.
+	Name string `json:"name,omitempty"`
+	// Rules is a list of rules to be applied to the chain.
+	Rules RulesSet `json:"rules,omitempty"`
+	// Type defines what this chain will be used for.
+	// +kubebuilder:validation:Enum="filter";"route";"nat"
+	Type ChainType `json:"type,omitempty"`
+	// Policy defines what this chain default policy will be.
+	// +kubebuilder:validation:Enum="drop";"accept"
+	Policy ChainPolicy `json:"policy,omitempty"`
+	// Hook specifies at which step in packet processing the Chain should be executed.
+	// +kubebuilder:validation:Enum="prerouting";"input";"forward";"output";"postrouting";"ingress"
+	Hook ChainHook `json:"hook,omitempty"`
+	// Priority orders the chain relative to Netfilter internal operations.
+	// +kubebuilder:default=0
+	Priority ChainPriority `json:"priority,omitempty"`
+}
diff --git a/apis/networking/v1alpha1/firewall/rules_types.go b/apis/networking/v1alpha1/firewall/rules_types.go
@@ -0,0 +1,41 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+// NatRule is a rule to be applied to a NAT chain.
+// +kubebuilder:object:generate=true
+type NatRule struct {
+}
+
+// FilterRule is a rule to be applied to a filter chain.
+// +kubebuilder:object:generate=true
+type FilterRule struct {
+}
+
+// RouteRule is a rule to be applied to a route chain.
+// +kubebuilder:object:generate=true
+type RouteRule struct {
+}
+
+// RulesSet is a set of rules to be applied to a chain.
+// +kubebuilder:object:generate=true
+type RulesSet struct {
+	// NatRules is a list of rules to be applied to the chain.
+	NatRules []NatRule `json:"natRules,omitempty"`
+	// FilterRules is a list of rules to be applied to the chain.
+	FilterRules []FilterRule `json:"filterRules,omitempty"`
+	// RouteRules is a list of rules to be applied to the chain.
+	RouteRules []RouteRule `json:"routeRules,omitempty"`
+}
diff --git a/apis/networking/v1alpha1/firewall/table_types.go b/apis/networking/v1alpha1/firewall/table_types.go
@@ -0,0 +1,41 @@
+// Copyright 2019-2023 The Liqo Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package firewall
+
+// TableFamily specifies the family of the table.
+type TableFamily string
+
+// Possible TableFamily values.
+// https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+const (
+	TableFamilyINet   TableFamily = "INET"
+	TableFamilyIPv4   TableFamily = "IPV4"
+	TableFamilyIPv6   TableFamily = "IPV6"
+	TableFamilyARP    TableFamily = "ARP"
+	TableFamilyNetdev TableFamily = "NETDEV"
+	TableFamilyBridge TableFamily = "BRIDGE"
+)
+
+// Table is a generic table to be applied to a chain.
+// +kubebuilder:object:generate=true
+type Table struct {
+	// Name is the name of the table.
+	Name string `json:"name,omitempty"`
+	// Chains is a list of chains to be applied to the table.
+	Chains []Chain `json:"chains,omitempty"`
+	// Family is the family of the table.
+	// +kubebuilder:validation:Enum="INET";"IPV4";"IPV6";"ARP";"NETDEV";"BRIDGE"
+	Family TableFamily `json:"family,omitempty"`
+}
diff --git a/apis/networking/v1alpha1/firewall/zz_generated.deepcopy.go b/apis/networking/v1alpha1/firewall/zz_generated.deepcopy.go