
firewall.py complete revamp #2011

Open
wants to merge 14 commits into base: dev

Conversation

Salamandar
Contributor

@Salamandar Salamandar commented Dec 9, 2024

The problem

dumb code

Solution

  • rewrite the firewall.yml config:
    • Remove the differentiation between ipv4 and ipv6
    • Remove the "Both" parameter for tcp/udp (just call it twice! most of the time it's tcp only anyways)
    • Closing a port does NOT remove it from the list -> users can close a port, while apps at remove time should remove it.
    • Opening a port can be passed a comment that will be shown on the web UI, and on UPnP config.
  • Write the config only when necessary
  • Apply (reload) only when necessary
  • Fix UPnP discovery (open a specific UDP port for this purpose)
  • Use nftables via regen_conf

Left to do

  • test !
  • adapt the webadmin -> see Adapt webadmin to the new firewall API yunohost-admin#606
  • Manage the migration between iptables and nftables -> nothing to do: iptables already uses the kernel nf_tables, so nftables picks it up automatically
  • Change the fail2ban configuration to use nftables -> Tested, validated.
  • Fix translations
  • Update doc (also now manifest takes an upnp value, and yunohost firewall is-open <port>)
  • Run post_iptable_rules hook on nftables reload/start
  • Check that apps calling iptables directly work (Actually in bookworm the iptables command is already in a compat mode with nftables)
    • hotspot
    • vpnclient
    • wireguard
  • Patch apps calling yunohost firewall allow/disallow -> Maybe actually keep it for a while?

How to test

uuuuuuuh how to what now ?
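The config semantics listed in the PR description (a single rule list instead of separate ipv4/ipv6 sections, tcp and udp as separate rules with no "Both", close keeping the rule in the list while an app's remove step deletes it, a per-rule comment and upnp flag, and writing the config or reloading the ruleset only when something actually changed) can be sketched as a small model. This is an added example, not YunoHost's firewall.py or its real config schema: the class and method names, the JSON serialisation (the project's file is YAML) and the nftables ruleset layout are assumptions made for illustration.

```python
"""Hypothetical model of the firewall config design described in the PR.

Not the project's code: names, the JSON config format and the nft layout
are assumptions. Uses the 'inet' family so one rule set covers v4 and v6.
"""
import json
from dataclasses import dataclass, asdict

PROTOCOLS = ("tcp", "udp")


@dataclass
class Rule:
    port: int
    protocol: str        # "tcp" or "udp"; no "Both": open tcp and udp separately
    open: bool = True    # close_port() flips this; the rule stays in the list
    comment: str = ""    # shown in the web UI and used as UPnP description
    upnp: bool = False   # ask the router to forward this port


class Firewall:
    """In-memory rule list with 'write / reload only when changed' tracking."""

    def __init__(self):
        self.rules: dict[tuple[int, str], Rule] = {}
        self._dirty = False
        self.writes = 0    # how many times the config file was written
        self.reloads = 0   # how many times the ruleset was reloaded

    def open_port(self, port, protocol, comment="", upnp=False):
        if protocol not in PROTOCOLS:
            raise ValueError(f"protocol must be one of {PROTOCOLS}, got {protocol!r}")
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {port}")
        wanted = Rule(port, protocol, True, comment, upnp)
        key = (port, protocol)
        # Re-opening an identical rule is a no-op: nothing to write or reload.
        if self.rules.get(key) != wanted:
            self.rules[key] = wanted
            self._dirty = True

    def close_port(self, port, protocol):
        rule = self.rules.get((port, protocol))
        if rule is not None and rule.open:
            rule.open = False          # kept in the list, just not accepted
            self._dirty = True

    def delete_port(self, port, protocol):
        if self.rules.pop((port, protocol), None) is not None:
            self._dirty = True

    def is_open(self, port, protocol):
        rule = self.rules.get((port, protocol))
        return rule is not None and rule.open

    def upnp_ports(self):
        """Open rules flagged for UPnP, as (port, protocol, comment)."""
        return [(r.port, r.protocol, r.comment)
                for r in self._sorted() if r.open and r.upnp]

    def _sorted(self):
        return sorted(self.rules.values(), key=lambda r: (r.port, r.protocol))

    def to_config(self):
        return json.dumps([asdict(r) for r in self._sorted()], indent=2)

    def to_nft(self):
        lines = [
            "table inet filter {",
            "    chain input {",
            "        type filter hook input priority 0; policy drop;",
            "        iif lo accept",
            "        ct state established,related accept",
        ]
        for r in self._sorted():
            if not r.open:
                continue           # closed rules are listed but not accepted
            text = r.comment.replace('"', "'")
            comment = f' comment "{text}"' if text else ""
            lines.append(f"        {r.protocol} dport {r.port} accept{comment}")
        lines += ["    }", "}", ""]
        return "\n".join(lines)

    def apply(self, write_config, reload_nft):
        """Write the config and reload the ruleset only if something changed."""
        if not self._dirty:
            return False
        write_config(self.to_config())
        self.writes += 1
        reload_nft(self.to_nft())
        self.reloads += 1
        self._dirty = False
        return True


if __name__ == "__main__":
    fw = Firewall()
    fw.open_port(22, "tcp", comment="ssh")
    fw.open_port(443, "tcp", comment="https", upnp=True)
    fw.apply(lambda cfg: print(cfg), lambda nft: print(nft))
    fw.close_port(443, "tcp")
    fw.apply(lambda cfg: None, lambda nft: print(nft))
```

`apply()` takes the writer and the reloader as callables so the change-tracking can be exercised without touching the filesystem or nft; in the real service those would be the config writer and the regen_conf driven reload.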

Inline review threads (fixed) on src/firewall.py and src/migrations/0032_firewall_config.py
@Salamandar Salamandar force-pushed the firewall branch 3 times, most recently from de93d8f to 11a4e65 Compare December 9, 2024 11:12
Inline review threads (outdated/resolved) on src/firewall.py, .gitignore, conf/yunohost/firewall.yml, hooks/conf_regen/01-yunohost and share/actionsmap.yml
@Salamandar Salamandar force-pushed the firewall branch 6 times, most recently from fe9be82 to ecb24d0 Compare December 17, 2024 10:17
Inline review thread (fixed) on src/utils/resources.py