sentinel-firewall: Use only device ip addresses

Limit Sentinel minipots only to the ip addresses of the router itself.
turris-cz · Nov 7, 2024 · b45bb28 · b45bb28
1 parent b8be4a3
commit b45bb28
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/collect/sentinel/sentinel-firewall/Makefile b/collect/sentinel/sentinel-firewall/Makefile
@@ -68,6 +68,8 @@ define Package/sentinel-firewall-nftables/install
 	$(INSTALL_DATA) ./files/common_nftables.sh $(1)/usr/libexec/sentinel/firewall.d/common.sh
 	$(INSTALL_DIR) $(1)/etc/uci-defaults
 	$(INSTALL_BIN) ./files/uci-defaults $(1)/etc/uci-defaults/99-sentinel-firewall
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/iface
+	$(INSTALL_BIN) ./files/90-wan-ip $(1)/etc/hotplug.d/iface/90-wan-ip
 	$(INSTALL_DIR) $(1)/lib/functions
 	$(INSTALL_DATA) ./files/functions.sh $(1)/lib/functions/sentinel-firewall.sh
 endef

diff --git a/collect/sentinel/sentinel-firewall/files/90-wan-ip b/collect/sentinel/sentinel-firewall/files/90-wan-ip
@@ -0,0 +1,17 @@
+if [ "$INTERFACE" = "wan" ]; then
+    zone="wan"
+    nft add set inet turris-sentinel "${zone}_ips_6" "{ type ipv6_addr; comment \"IPv4 addresses in zone $zone\"  ; }"
+    nft flush set inet turris-sentinel "${zone}_ips_6"
+    for dev in $(ifstatus wan | jsonfilter -e '@.device'); do
+        for ip in $(ip a s dev "$dev" | sed -n 's|.*inet6 \([0-9a-f:]*\)/.*|\1|p'); do
+            nft add element inet turris-sentinel "${zone}_ips_6" "{ $ip }"
+        done
+    done
+    nft add set inet turris-sentinel "${zone}_ips_4" "{ type ipv4_addr; comment \"IPv4 addresses in zone $zone\"  ; }"
+    nft flush set inet turris-sentinel "${zone}_ips_4"
+    for dev in $(ifstatus wan | jsonfilter -e '@.device'); do
+        for ip in $(ip a s dev "$dev" | sed -n 's|.*inet \([0-9.]*\)/.*|\1|p'); do
+            nft add element inet turris-sentinel "${zone}_ips_4" "{ $ip }"
+        done
+    done
+fi
diff --git a/collect/sentinel/sentinel-firewall/files/common_nftables.sh b/collect/sentinel/sentinel-firewall/files/common_nftables.sh
@@ -30,7 +30,11 @@ setup_zone() {
     # Setup port-forwarding infrastructure for minipots in turris-sentinel table
     nft delete chain inet turris-sentinel minipots_dstnat_"$zone" 2> /dev/null || :
     nft add chain inet turris-sentinel minipots_dstnat_"$zone"
-    nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if jump minipots_dstnat_"$zone" \
+    nft add set inet turris-sentinel "${zone}_ips_6" "{ type ipv6_addr; comment \"IPv4 addresses in zone $zone\"  ; }"
+    nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if ip6 daddr @${zone}_ips_6 jump minipots_dstnat_"$zone" \
+        comment "\"!sentinel: port redirection for minipots\""
+    nft add set inet turris-sentinel "${zone}_ips_4" "{ type ipv4_addr; comment \"IPv4 addresses in zone $zone\"  ; }"
+    nft add rule inet turris-sentinel minipots_dstnat iifname $wan_if ip daddr @${zone}_ips_4 jump minipots_dstnat_"$zone" \
         comment "\"!sentinel: port redirection for minipots\""
 
     # Setup blocking infrastructure