From 5a1560b7b69221bcb02634b311a938870d1d13ca Mon Sep 17 00:00:00 2001
From: Honigeintopf
Date: Tue, 5 Nov 2024 15:33:56 +0100
Subject: [PATCH 1/4] Added notes where FRR Config is being applied

---
 controllers/firewall_controller.go | 1 +
 pkg/network/network.go             | 1 +
 2 files changed, 2 insertions(+)

diff --git a/controllers/firewall_controller.go b/controllers/firewall_controller.go
index dfbe504a..909afe47 100644
--- a/controllers/firewall_controller.go
+++ b/controllers/firewall_controller.go
@@ -115,6 +115,7 @@ func (r *FirewallReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 
 	r.Log.Info("reconciling network settings")
 	var errs []error
+	// Note: Right here the recocile updates the frr
 	changed, err := network.ReconcileNetwork(f)
 	if changed && err == nil {
 		r.recordFirewallEvent(f, corev1.EventTypeNormal, "Network settings", "reconciliation succeeded (frr.conf)")
diff --git a/pkg/network/network.go b/pkg/network/network.go
index 9090303d..aa71e028 100644
--- a/pkg/network/network.go
+++ b/pkg/network/network.go
@@ -55,6 +55,7 @@ func GetNewNetworks(f *firewallv2.Firewall, oldNetworks []*models.V1MachineNetwo
 
 // ReconcileNetwork reconciles the network settings for a firewall
 // Changes both the FRR-Configuration and Nftable rules when network prefixes or FRR template changes
+// Note: Right here the FRR Configs are being applied.
 func ReconcileNetwork(f *firewallv2.Firewall) (changed bool, err error) {
 	tmpFile, err := tmpFile(frrConfig)
 	if err != nil {

From d23ded771bcf0e8a96d2699e571ec8cf66c05d76 Mon Sep 17 00:00:00 2001
From: Honigeintopf
Date: Wed, 6 Nov 2024 16:03:39 +0100
Subject: [PATCH 2/4] Add firewallDistance to NewFrrConfig

---
 go.mod                 |  8 ++++----
 go.sum                 | 12 ++++++------
 pkg/network/network.go |  1 +
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/go.mod b/go.mod
index 7bac07f4..f0fe8396 100644
--- a/go.mod
+++ b/go.mod
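Review bot: The comment added above `changed, err := network.ReconcileNetwork(f)` misspells "reconcile" as "recocile" and stops mid-sentence, so it tells the reader nothing the call name does not already say; the `// Note: Right here the FRR Configs are being applied.` line added to the ReconcileNetwork doc comment in the pkg/network/network.go hunk has the same problem, restating the sentence directly above it. Either drop both or make each carry the non-obvious fact: in the controller, `// network.ReconcileNetwork is where frr.conf and the nftables rules are rewritten on the host.`, and in network.go fold it into the existing doc sentence rather than appending a "Note:" line, e.g. `// The FRR configuration is written and applied here, not by the caller.`. Both enclosing functions (Reconcile and ReconcileNetwork) continue outside their hunks.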
@@ -1,6 +1,6 @@
 module github.com/metal-stack/firewall-controller/v2
 
-go 1.23
+go 1.23.0
 
 require (
 	github.com/coreos/go-systemd/v22 v22.5.0
@@ -12,7 +12,7 @@ require (
 	github.com/metal-stack/firewall-controller-manager v0.4.3
 	github.com/metal-stack/metal-go v0.37.2
 	github.com/metal-stack/metal-lib v0.18.4
-	github.com/metal-stack/metal-networker v0.45.2
+	github.com/metal-stack/metal-networker v0.45.3-0.20241106150006-034e6adb5d6c
 	github.com/metal-stack/v v1.0.3
 	github.com/miekg/dns v1.1.62
 	github.com/txn2/txeh v1.5.5
@@ -63,7 +63,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mdlayher/netlink v1.7.2 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/metal-stack/metal-hammer v0.13.5 // indirect
+	github.com/metal-stack/metal-hammer v0.13.8-0.20241106143854-0826d3549873 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -77,7 +77,7 @@ require (
 	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
-	go.mongodb.org/mongo-driver v1.16.1 // indirect
+	go.mongodb.org/mongo-driver v1.17.1 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
 	golang.org/x/mod v0.21.0 // indirect
diff --git a/go.sum b/go.sum
index 962ad7d9..af9511c2 100644
--- a/go.sum
+++ b/go.sum
@@ -115,12 +115,12 @@ github.com/metal-stack/firewall-controller-manager v0.4.3 h1:WU5bqD710gUtzyA2NdW github.com/metal-stack/firewall-controller-manager v0.4.3/go.mod h1:J/3LHcvfJCpEEC4yk+WD0exh3btaScCaFkzbnbOsqrY= github.com/metal-stack/metal-go v0.37.2 h1:SDIuV43y09kmwtHfsReOZoZ7c2F+lNP4iIhazfJL5tQ= github.com/metal-stack/metal-go v0.37.2/go.mod h1:3MJTYCS4YJz8D8oteTKhjpaAKNMMjMKYDrIy9awHGtQ= -github.com/metal-stack/metal-hammer v0.13.5 h1:uwEKOTUCeDXDBDH/Y6P58fkC2kwFqZb/akLbAhwmVuA= -github.com/metal-stack/metal-hammer v0.13.5/go.mod h1:k9jwhyyA2Q0ViyrhEpWRZLOigzbwu2V7XsMbUHJWxIM= +github.com/metal-stack/metal-hammer v0.13.8-0.20241106143854-0826d3549873 h1:5nHFcT4ekBvpkFhH/3UCy9i12EzkJxAjshfdiqOhq6w= +github.com/metal-stack/metal-hammer v0.13.8-0.20241106143854-0826d3549873/go.mod h1:L6jt2NWvUKXHD5dwfo9+8ylNz/8gOvxuGf9mNMNuceM= github.com/metal-stack/metal-lib v0.18.4 h1:7HnfSwSbrKNHU+i6i79YFk/eeuhBhwIEHWpGqS7pYCc= github.com/metal-stack/metal-lib v0.18.4/go.mod h1:Ctyi6zaXFr2NVrQZLFsDLnFCzupKnYErTtgRFKAsnbw= -github.com/metal-stack/metal-networker v0.45.2 h1:f1U9tzLPG17fthnQROHphKDKpeW//VDnCiNbtNwcm+A= -github.com/metal-stack/metal-networker v0.45.2/go.mod h1:DUjaql5THUSJd/7M1ZlcYgX/bllp1IhXwOFM+Nvkaus= +github.com/metal-stack/metal-networker v0.45.3-0.20241106150006-034e6adb5d6c h1:FXbRLxruvnGLrBVV68j5RkjJVPBRL6ICSQiGbKZViaU= +github.com/metal-stack/metal-networker v0.45.3-0.20241106150006-034e6adb5d6c/go.mod h1:SKz3+3RkimqZIl9F2N1idf4ojyYO1Nzb6QEVbHw98/g= github.com/metal-stack/v v1.0.3 h1:Sh2oBlnxrCUD+mVpzfC8HiqL045YWkxs0gpTvkjppqs= github.com/metal-stack/v v1.0.3/go.mod h1:YTahEu7/ishwpYKnp/VaW/7nf8+PInogkfGwLcGPdXg= github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ= 
@@ -193,8 +193,8 @@ github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1Y github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= -go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +go.mongodb.org/mongo-driver v1.17.1 h1:Wic5cJIwJgSpBhe3lx3+/RybR5PiYRMpVFgO7cOHyIM= +go.mongodb.org/mongo-driver v1.17.1/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.4.0 h1:VcM4ZOtdbR4f6VXfiOpwpVJDL6lCReaZ6mw31wqh7KU=
diff --git a/pkg/network/network.go b/pkg/network/network.go
index aa71e028..3b15fa18 100644
--- a/pkg/network/network.go
+++ b/pkg/network/network.go
@@ -70,6 +70,7 @@ func ReconcileNetwork(f *firewallv2.Firewall) (changed bool, err error) {
 		return false, fmt.Errorf("failed to init networker config: %w", err)
 	}
 	c.Networks = GetNewNetworks(f, c.Networks)
+	c.FirewallDistance = uint8(f.Distance)
 
 	a := netconf.NewFrrConfigApplier(netconf.Firewall, *c, tmpFile)
 	tpl := netconf.MustParseTpl(netconf.TplFirewallFRR)

From eb2cfa14f91e112a724fda322d5402d032e9793b Mon Sep 17 00:00:00 2001
From: Honigeintopf
Date: Fri, 22 Nov 2024 13:40:09 +0100
Subject: [PATCH 3/4] Added Firewall Distance to firewall-controller monitor reconciler

---
 controllers/firewall_monitor_controller.go | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/controllers/firewall_monitor_controller.go b/controllers/firewall_monitor_controller.go
index 1722cc89..dd2cc57b 100644
--- a/controllers/firewall_monitor_controller.go
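Review bot: `c.FirewallDistance = uint8(f.Distance)` converts with no range check, so if `f.Distance` is a wider integer type than uint8, any value above 255 silently wraps to a different distance before it is handed to `netconf.NewFrrConfigApplier` two lines below; if `f.Distance` is already an 8-bit type (which I cannot see from here) the conversion is a no-op and a plain assignment reads clearer. Where a wider type is possible, fail loudly instead: `if f.Distance > math.MaxUint8 { return false, fmt.Errorf("firewall distance %d exceeds uint8 range", f.Distance) }` placed before the assignment (this needs a `math` import). A one-line comment naming what the distance is used for in the FRR template would also help, since nothing in this function says. ReconcileNetwork's body continues beyond the hunk.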
+++ b/controllers/firewall_monitor_controller.go
@@ -24,12 +24,14 @@ import (
 
 // FirewallMonitorReconciler reconciles a firewall monitor object
 type FirewallMonitorReconciler struct {
 	ShootClient client.Client
+	SeedClient  client.Client
 	Recorder    record.EventRecorder
 	Log         logr.Logger
 
-	FirewallName string
-	Namespace    string
+	FirewallName  string
+	Namespace     string
+	SeedNamespace string
 
 	IDSEnabled bool
 	Interval   time.Duration
@@ -57,6 +59,9 @@ func (r *FirewallMonitorReconciler) SetupWithManager(mgr ctrl.Manager) error {
 				return false
 			},
 		}).
+		WithEventFilter(predicate.NewPredicateFuncs(func(object client.Object) bool {
+			return object.GetNamespace() == r.Namespace && object.GetName() == r.FirewallName
+		})).
 		Complete(r)
 }
 
@@ -70,6 +75,13 @@ func (r *FirewallMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		return ctrl.Result{}, err
 	}
 
+	f := &firewallv2.Firewall{}
+	if err := r.SeedClient.Get(ctx, req.NamespacedName, f); err != nil {
+		return ctrl.Result{}, fmt.Errorf("error retrieving resource: %w", err)
+	}
+
+	r.Log.Info("firewall fetched from Seed in Monitor", "Fw Distance", f.Distance, "Fw Name", f.Name)
+
 	idsStats := firewallv2.IDSStatsByDevice{}
 	if r.IDSEnabled {
 		s := suricata.New()
@@ -119,8 +131,8 @@ func (r *FirewallMonitorReconciler) Reconcile(ctx context.Context, req ctrl.Requ
 		ControllerVersion:       v.Version,
 		NftablesExporterVersion: "", // TODO
 		Updated:                 metav1.NewTime(now),
-		Distance:                0,
-		DistanceSupported:       false,
+		Distance:                f.Distance,
+		DistanceSupported:       true,
 	}
 
 	if !r.seedUpdated.IsZero() {

From a26834476dba3360956be67e0272ae088c27c974 Mon Sep 17 00:00:00 2001
From: Honigeintopf
Date: Fri, 22 Nov 2024 14:02:46 +0100
Subject: [PATCH 4/4] Add Distance SeedClient to Monitor

---
 main.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/main.go b/main.go
index a210c1c5..3c97da07 100644
--- a/main.go
+++ b/main.go
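Review bot: In the Reconcile hunk, `r.SeedClient.Get(ctx, req.NamespacedName, f)` looks the seed-side Firewall up under the key of the shoot-side object that triggered the reconcile, while the `SeedNamespace` field introduced in the first hunk is never read; unless the seed Firewall happens to live under exactly the namespace and name the new event filter pins the watched object to (`r.Namespace`/`r.FirewallName`), the Get fails and every reconcile returns an error. Build the key explicitly, `key := client.ObjectKey{Namespace: r.SeedNamespace, Name: r.FirewallName}`, pass `key` to Get, and name what was looked up in the error, `fmt.Errorf("retrieving firewall %s from seed: %w", key, err)`. The Info log on the following line fires on every reconcile and uses keys containing spaces (`"Fw Distance"`, `"Fw Name"`); structured-log keys are conventionally single lowerCamel tokens, and this line belongs at debug level or can go once the lookup is trusted. In the last hunk `DistanceSupported: true` is now unconditional, which is only right if every seed Firewall this controller can see carries a meaningful Distance — worth a comment stating that assumption. Reconcile's body continues beyond the hunk.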
@@ -205,7 +205,9 @@ func main() {
 		panic(err)
 	}
 
-	shootClient, err := controllerclient.New(shootConfig, controllerclient.Options{Scheme: scheme})
+	shootClient, err := controllerclient.New(shootConfig, controllerclient.Options{
+		Scheme: scheme,
+	})
 	if err != nil {
 		l.Error("unable to create shoot client", "error", err)
 		panic(err)
@@ -214,12 +216,14 @@ func main() {
 	updater := updater.New(ctrl.Log.WithName("updater"), shootMgr.GetEventRecorderFor("FirewallController"))
 
 	fwmReconciler := &controllers.FirewallMonitorReconciler{
-		ShootClient:  shootMgr.GetClient(),
-		Log:          ctrl.Log.WithName("controllers").WithName("FirewallMonitorReconciler"),
-		Recorder:     shootMgr.GetEventRecorderFor("FirewallMonitorController"),
-		IDSEnabled:   enableIDS,
-		FirewallName: firewallName,
-		Namespace:    firewallv2.FirewallShootNamespace,
+		ShootClient:   shootMgr.GetClient(),
+		SeedClient:    seedMgr.GetClient(),
+		Log:           ctrl.Log.WithName("controllers").WithName("FirewallMonitorReconciler"),
+		Recorder:      shootMgr.GetEventRecorderFor("FirewallMonitorController"),
+		IDSEnabled:    enableIDS,
+		FirewallName:  firewallName,
+		Namespace:     firewallv2.FirewallShootNamespace,
+		SeedNamespace: seedNamespace,
 	}
 
 	// Firewall Reconciler
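Review bot: `SeedClient: seedMgr.GetClient()` hands the monitor reconciler the seed manager's default client, which in controller-runtime reads through that manager's informer cache; the shoot-side reconciler that now calls `Get` on it (patch 3) will block or error if the seed manager has not been started, or its cache has not synced, when the first FirewallMonitor event arrives — the start order of seedMgr and shootMgr is outside this hunk and should be confirmed. Serving a cached Get of Firewall objects presumably also requires `get`/`list`/`watch` on firewalls in `seedNamespace` for the seed kubeconfig's identity, so the corresponding role binding belongs in the same review as this wiring. A short comment on the `SeedClient` line saying it is only used to read the Firewall's distance would make the added seed-side read obvious to the next reader. `main`'s body continues outside the hunk.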