aporeto-inc / trireme-lib

Simple, scalable and secure application segmentation
https://trireme.io
Apache License 2.0
300 stars, 51 forks

fix: make any work #879

Closed sibicramesh closed 5 years ago

sibicramesh commented 5 years ago

--> UDP nfq rules take precedence over external networks.
--> Introduced ! tcp rule for all ext nets.

sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "684a6dd8d882d87fb53c58b4c1638a9bd4bc315d"
  },
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "30d29d335b14172b03680baac88f0f77ecda0923"
  }
]
sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "ef9c9630410cdcff61bda2c330e6ccb331f37c36"
  },
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "684a6dd8d882d87fb53c58b4c1638a9bd4bc315d"
  }
]
sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "29b889bedf5524c082bd0933a0371a2f5aaacf52"
  },
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "f00ba1c677ac57fb5bd444bf8f7e0cae7a605a90"
  }
]
codecov[bot] commented 5 years ago

Codecov Report

Merging #879 into master will increase coverage by 0.06%. The diff coverage is 93.54%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master     #879      +/-   ##
==========================================
+ Coverage   55.98%   56.05%   +0.06%     
==========================================
  Files         110      110              
  Lines       11069    11091      +22     
==========================================
+ Hits         6197     6217      +20     
- Misses       4268     4269       +1     
- Partials      604      605       +1
Impacted Files                                          Coverage Δ
...ontroller/internal/supervisor/iptablesctrl/acls.go   64.32% <93.54%> (+1.61%) ↑

Continue to review full report at Codecov.

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data. Powered by Codecov. Last update a887c5c...0ac81c7.

sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "619212e05b33e8a9c26d9653216925a7105e7a14"
  },
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "218151520e27c7d37efed28fae6a825425133a08"
  },
  {
    "project": "any",
    "component": "apotests",
    "pr-id": "2278",
    "commit-sha": "185dc7637f7b5a2180688849b3fa74b4e72b03bb"
  }
]
sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "619212e05b33e8a9c26d9653216925a7105e7a14"
  },
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "b67733247cd5cec4ba9b0a2aab65734602e1e8a4"
  },
  {
    "project": "any",
    "component": "apotests",
    "pr-id": "2278",
    "commit-sha": "185dc7637f7b5a2180688849b3fa74b4e72b03bb"
  }
]
sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "eeef6dd77ce7d2daaf343e89681e1dfa47a48608"
  },
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "4a6a2aadc846b864b23a71d2584ab26e97976c9b"
  },
  {
    "project": "any",
    "component": "apotests",
    "pr-id": "2283",
    "commit-sha": "3aa356dadd616ed7c2a8b87ae21f5e6a765c069c"
  }
]
dstiliadis commented 5 years ago

@sibicramesh here is how I think the ACLs can look to make this work. This is for the Net side (similarly for the app side).

The first 4 after the example ANY are moved from the TRI-Net ACL that doesn't need them any more.

Chain TRI-Net (1 references)
 pkts bytes target     prot opt in     out     source               destination
  291 19773 TRI-Prx-Net  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  291 19773 TRI-UID-Net  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  291 19773 TRI-Pid-Net  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  291 19773 TRI-Svc-Net  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  291 19773 TRI-Hst-Net  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain TRI-Net-8231IATg8r-0 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     any  --  *      *       0.0.0.0/0            0.0.0.0/            match-set TRI-v4-ANY_IPS(blah...)
    0     0 NFQUEUE    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-TargetUDP src STRING match  "n30njxq7bmiwr6dtxq" ALGO name bm TO 65535 NFQUEUE balance 24:27 bypass
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            connmark match  0xeeee tcp flags:!0x12/0x12
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-TargetTCP src tcp flags:0x12/0x12 NFQUEUE balance 24:27 bypass
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-TargetTCP src tcp option=34 flags:0x12/0x02 NFQUEUE balance 16:19 bypass
    0     0 NFLOG      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-ext-yJfpo8231WF5s src state NEW ! match-set TRI-v4-TargetTCP src multiport dports 1:65535 state NEW nflog-prefix  "4289237891:5d85c5b4d5f54a8525e9abf1:5d80305cd5f54a025f9b545c:3" nflog-group 11
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-ext-yJfpo8231WF5s src state NEW ! match-set TRI-v4-TargetTCP src multiport dports 1:65535
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-TargetTCP src tcp flags:0x12/0x02 NFQUEUE balance 16:19
    0     0 NFQUEUE    tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-TargetTCP src tcp flags:0x12/0x10 NFQUEUE balance 20:23
    0     0 NFQUEUE    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set TRI-v4-TargetUDP src limit: avg 1000/sec burst 5 NFQUEUE balance 16:19
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state ESTABLISHED /* TCP-Established-Connections */
    0     0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW nflog-prefix  "4289237891:default:default:6" nflog-group 11
    0     0 NFLOG      all  --  *      *       0.0.0.0/0            0.0.0.0/0            ! state NEW nflog-prefix  "4289237891:default:default:10" nflog-group 11
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
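The chain sketched above is walked top to bottom and the first terminating match decides the packet (NFLOG is non-terminating: it logs and evaluation continues), which is why the UDP NFQUEUE rule has to sit ahead of the external-network ACCEPT rules, the PR description's first point. The Go program below is an added example, not trireme-lib code and not from this thread: it models that first-match walk over a subset of the listed rules (the connmark, rate-limit and `option=34` qualifiers are left out). The `Packet`, `Rule`, `Verdict` and `Evaluate` names and the `SrcSets` membership model are assumptions for the illustration; the ipset names and the string-match token are copied from the listing, and the sample packets are constructed. Run against this sketch it also shows that both external-network rules match `tcp` only, so a UDP datagram from an external network whose source is not in TargetUDP falls through to the default NFLOG and DROP.

```go
package main

import (
	"fmt"
	"strings"
)

// Packet is the small set of attributes the sketched TRI-Net chain matches on.
// SrcSets lists the ipset names the source address belongs to; this is a
// constructed simplification of iptables' match-set lookups.
type Packet struct {
	Proto   string   // "tcp" or "udp"
	SrcSets []string // e.g. "TRI-v4-TargetTCP", "TRI-v4-ext-yJfpo8231WF5s"
	Flags   string   // tcp only: "SYN", "SYN-ACK", "ACK" or ""
	State   string   // conntrack state: "NEW" or "ESTABLISHED"
	Payload string   // inspected by the udp STRING match
}

func (p Packet) in(set string) bool {
	for _, s := range p.SrcSets {
		if s == set {
			return true
		}
	}
	return false
}

// Rule is one line of the chain. Terminal is false for NFLOG, whose match
// does not stop evaluation.
type Rule struct {
	Desc     string
	Match    func(Packet) bool
	Target   string
	Terminal bool
}

// Verdict is the terminal target plus every rule that matched on the way.
type Verdict struct {
	Target string
	Trace  []string
}

// Evaluate walks the chain with iptables first-match semantics.
func Evaluate(chain []Rule, p Packet) Verdict {
	var v Verdict
	for _, r := range chain {
		if !r.Match(p) {
			continue
		}
		v.Trace = append(v.Trace, r.Target+" "+r.Desc)
		if r.Terminal {
			v.Target = r.Target
			return v
		}
	}
	v.Target = "RETURN" // only reachable if the chain has no final catch-all
	return v
}

// Names taken from the listing in the comment above.
const (
	anySet    = "TRI-v4-ANY_IPS"
	targetTCP = "TRI-v4-TargetTCP"
	targetUDP = "TRI-v4-TargetUDP"
	extSet    = "TRI-v4-ext-yJfpo8231WF5s"
	udpToken  = "n30njxq7bmiwr6dtxq"
)

// SketchedChain reproduces the rule order of the TRI-Net-... chain above,
// minus the connmark, rate-limit and tcp-option qualifiers.
func SketchedChain() []Rule {
	tcp := func(p Packet) bool { return p.Proto == "tcp" }
	udp := func(p Packet) bool { return p.Proto == "udp" }
	extNew := func(p Packet) bool { return tcp(p) && p.in(extSet) && p.State == "NEW" && !p.in(targetTCP) }
	return []Rule{
		{"any src in ANY_IPS", func(p Packet) bool { return p.in(anySet) }, "ACCEPT", true},
		{"udp TargetUDP src + string match", func(p Packet) bool {
			return udp(p) && p.in(targetUDP) && strings.Contains(p.Payload, udpToken)
		}, "NFQUEUE", true},
		{"tcp TargetTCP src SYN-ACK", func(p Packet) bool { return tcp(p) && p.in(targetTCP) && p.Flags == "SYN-ACK" }, "NFQUEUE", true},
		{"tcp ext src NEW, not TargetTCP", extNew, "NFLOG", false},
		{"tcp ext src NEW, not TargetTCP", extNew, "ACCEPT", true},
		{"tcp TargetTCP src SYN", func(p Packet) bool { return tcp(p) && p.in(targetTCP) && p.Flags == "SYN" }, "NFQUEUE", true},
		{"tcp TargetTCP src ACK", func(p Packet) bool { return tcp(p) && p.in(targetTCP) && p.Flags == "ACK" }, "NFQUEUE", true},
		{"udp TargetUDP src", func(p Packet) bool { return udp(p) && p.in(targetUDP) }, "NFQUEUE", true},
		{"tcp ESTABLISHED", func(p Packet) bool { return tcp(p) && p.State == "ESTABLISHED" }, "ACCEPT", true},
		{"all NEW (default)", func(p Packet) bool { return p.State == "NEW" }, "NFLOG", false},
		{"all !NEW (default)", func(p Packet) bool { return p.State != "NEW" }, "NFLOG", false},
		{"all", func(Packet) bool { return true }, "DROP", true},
	}
}

func main() {
	chain := SketchedChain()
	// Constructed samples: a UDP datagram from a host that is in TargetUDP and
	// also inside an external network, a TCP SYN from an external network, and
	// a UDP datagram from an external network that is not in TargetUDP.
	samples := []Packet{
		{Proto: "udp", SrcSets: []string{targetUDP, extSet}, State: "NEW", Payload: "hdr " + udpToken},
		{Proto: "tcp", SrcSets: []string{extSet}, Flags: "SYN", State: "NEW"},
		{Proto: "udp", SrcSets: []string{extSet}, State: "NEW"},
	}
	for _, p := range samples {
		v := Evaluate(chain, p)
		fmt.Printf("%-3s src=%v -> %s via %v\n", p.Proto, p.SrcSets, v.Target, v.Trace)
	}
}
```

The first sample is the ordering the PR description asks for: the UDP NFQUEUE rule is hit before any external-network rule can accept the datagram. The third sample is the case worth checking whenever external-network rules are restricted to one protocol, because anything else from that network ends at the chain's default verdict rather than at the ACL.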
sibicramesh commented 5 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "any",
    "component": "apotests",
    "pr-id": "2283",
    "commit-sha": "239b33d26309b85a58932650920372fc9eff8372"
  },
  {
    "project": "any",
    "component": "enforcerd",
    "pr-id": "1400",
    "commit-sha": "866b5d4ebea21611e57c8d35edd50b6dba504f95"
  },
  {
    "project": "any",
    "component": "trireme-lib",
    "pr-id": "879",
    "commit-sha": "67a17b7f6eaad56926af0f7d1d69ac95c681025d"
  }
]