New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: updownv2: improved firewall script #1283
base: master
Are you sure you want to change the base?
Conversation
Just two quick questions:
|
Because the behaviour is entirely incompatible with the current one and I do not want to break existing installations. It should be an explicite choice to use this new implementation. That could probably be done via VICI too, but it wouldn't be as easy or straight forward to use because running a script for each event is relatively commonly used to implement customizable behaviour. Having a different process connect to the daemon is not that common. It is more the exception. |
A new behavior could be triggered by a prefix in the
The vici client could basically be the plugin you intend to write here and call a script anyway you or the user likes (might even be easier to implement in e.g. Python than in C). The user would then not have to bother with the client itself, other than enabling it e.g. via |
I want to keep the changes relatively minimal and without having to, for now, think about coexistence with existing code in the updown plugin. It's why right now at least it's its own plugin. I can of course merge it back into the updown one and have a condition to chnage the behaviour as you proposed. If I find a good way to port the updown mechanics to VICI I could of course do that. I presume that would also imply that regardless of the actual execution time of the program receiving the VICI messages there will be a race condition between the script doing whatever needs to be done locally to enable proper processing of traffic (disregarding iptables/XFRM) and the peer sending the first packets over the CHILD_SA. I guess for proper integration into a system with such preconditions would require some integral changes to delay the sending of the final message for confirmation of the CHILD_SA eastablishment. The ike-update case is handled once for all CHILD_SAs, that's enabled by the most critical part of the updownv2 plugin: the CHILD_SAs are listed in apropriately named variables; so basically the variable name has to be constructed within the script handling the events needs to build the variable names first (because the number of CHILD_SAs per IKE_SA is variable of course). With the current code in the plugin all cases should be handleable properly, even make before break (you can construct a unique key per CHILD_SA with the SPIs and put them into the comment field in nftables or the comment match in iptables, then match on them when you remove the rules). |
WIP progress for an updown plugin and script that enable correct handling of inserting of forwarding rules or whatever else users want to do
TODO