feat: improve nftables backend

Many changes to the nftables backend which will be used in the follow-up PR with siderolabs#4421. 1. Add support for chain policy: drop/accept. 2. Properly handle match on all IPs in the set (`0.0.0.0/0` like). 3. Implement conntrack state matching. 4. Implement multiple ifname matching in a single rule. 5. Implement anonymous counters. Signed-off-by: Andrey Smirnov <[email protected]>
MindTooth · Nov 29, 2023 · 9a85217 · 9a85217
1 parent db4e253
commit 9a85217
Show file tree

Hide file tree

Showing 21 changed files with 2,710 additions and 1,169 deletions.
diff --git a/api/api.descriptors b/api/api.descriptors
diff --git a/api/resource/definitions/enums/enums.proto b/api/resource/definitions/enums/enums.proto
@@ -77,6 +77,15 @@ enum NethelpersBondXmitHashPolicy {
   BOND_XMIT_POLICY_ENCAP34 = 4;
 }
 
+// NethelpersConntrackState is a conntrack state.
+enum NethelpersConntrackState {
+  NETHELPERS_CONNTRACKSTATE_UNSPECIFIED = 0;
+  CONNTRACK_STATE_NEW = 8;
+  CONNTRACK_STATE_RELATED = 4;
+  CONNTRACK_STATE_ESTABLISHED = 2;
+  CONNTRACK_STATE_INVALID = 1;
+}
+
 // NethelpersDuplex wraps ethtool.Duplex for YAML marshaling.
 enum NethelpersDuplex {
   HALF = 0;
@@ -259,8 +268,10 @@ enum NethelpersPrimaryReselect {
 // NethelpersProtocol is a inet protocol.
 enum NethelpersProtocol {
   NETHELPERS_PROTOCOL_UNSPECIFIED = 0;
+  PROTOCOL_ICMP = 1;
   PROTOCOL_TCP = 6;
   PROTOCOL_UDP = 17;
+  PROTOCOL_ICM_PV6 = 58;
 }
 
 // NethelpersRouteFlag wraps RTM_F_* constants.

diff --git a/api/resource/definitions/network/network.proto b/api/resource/definitions/network/network.proto
@@ -179,6 +179,7 @@ message NfTablesChainSpec {
   talos.resource.definitions.enums.NethelpersNfTablesChainHook hook = 2;
   talos.resource.definitions.enums.NethelpersNfTablesChainPriority priority = 3;
   repeated NfTablesRule rules = 4;
+  talos.resource.definitions.enums.NethelpersNfTablesVerdict policy = 5;
 }
 
 // NfTablesClampMSS describes the TCP MSS clamping operation.
@@ -190,10 +191,15 @@ message NfTablesClampMSS {
   fixed32 mtu = 1;
 }
 
+// NfTablesConntrackStateMatch describes the match on the connection tracking state.
+message NfTablesConntrackStateMatch {
+  repeated uint32 states = 1;
+}
+
 // NfTablesIfNameMatch describes the match on the interface name.
 message NfTablesIfNameMatch {
-  string interface_name = 1;
   talos.resource.definitions.enums.NethelpersMatchOperator operator = 2;
+  repeated string interface_names = 3;
 }
 
 // NfTablesLayer4Match describes the match on the transport layer protocol.
@@ -203,6 +209,11 @@ message NfTablesLayer4Match {
   NfTablesPortMatch match_destination_port = 3;
 }
 
+// NfTablesLimitMatch describes the match on the packet rate.
+message NfTablesLimitMatch {
+  uint64 packet_rate_per_second = 1;
+}
+
 // NfTablesMark encodes packet mark match/update operation.
 //
 // When used as a match computes the following condition:
@@ -232,6 +243,9 @@ message NfTablesRule {
   NfTablesLayer4Match match_layer4 = 7;
   NfTablesIfNameMatch match_i_if_name = 8;
   NfTablesClampMSS clamp_mss = 9;
+  NfTablesLimitMatch match_limit = 10;
+  NfTablesConntrackStateMatch match_conntrack_state = 11;
+  bool anon_counter = 12;
 }
 
 // NodeAddressFilterSpec describes a filter for NodeAddresses.