firewall: add nftables backend

Resolves: containernetworking#461 Signed-off-by: Paul Greenberg <greenpau@outlook.com>
greenpau · Mar 16, 2020 · e7653d0 · e7653d0
1 parent 47a9fd8
commit e7653d0
Show file tree

Hide file tree

Showing 3 changed files with 448 additions and 0 deletions.
diff --git a/plugins/meta/firewall/README.md b/plugins/meta/firewall/README.md
@@ -133,3 +133,99 @@ of the container as shown:
 - `-s 10.88.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j CNI-FORWARD`
 - `-d 10.88.0.2 -j CNI-FORWARD`
 
+## nftables backend rule structure
+
+The prerequisite for the backend is the existence of `filter` table and
+the existence of `FORWARD` chain in the table.
+
+A sample standalone config list (with the file extension `.conflist`) using
+`nftables` backend might look like:
+
+```json
+{
+   "cniVersion": "0.4.0",
+   "name": "podman",
+   "plugins": [
+      {
+         "type": "bridge",
+         "bridge": "cni-podman0",
+         "isGateway": true,
+         "ipMasq": true,
+         "ipam": {
+            "type": "host-local",
+            "routes": [
+               {
+                  "dst": "0.0.0.0/0"
+               }
+            ],
+            "ranges": [
+               [
+                  {
+                     "subnet": "192.168.124.0/24",
+                     "gateway": "192.168.124.1"
+                  }
+               ]
+            ]
+         }
+      },
+      {
+         "type": "portmap",
+         "capabilities": {
+            "portMappings": true
+         }
+      },
+      {
+         "type": "firewall",
+         "backend": "nftables"
+      }
+   ]
+}
+```
+
+Prior to the invocation of CNI `firewall` plugin, the `FORWARD` chain in `filter` table is:
+
+```
+$ nft list chain ip filter FORWARD -a
+table ip filter {
+        chain FORWARD { # handle 2
+                type filter hook forward priority 0; policy drop;
+                oifname "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept # handle 51
+                iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept # handle 52
+                iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept # handle 53
+                log prefix "IPv4 FORWARD drop: " flags all # handle 54
+                counter packets 10 bytes 630 drop # handle 55
+        }
+}
+```
+
+After starting a container, the plugin executes the following commands based
+on the configuration above. Please note that `position 51` refers to the handle
+at the top of the chain.
+
+```
+nft insert rule filter FORWARD position 51 oifname "cni-podman0" ip daddr 192.168.124.0/24 ct state established,related counter packets 0 bytes 0 accept
+nft insert rule filter FORWARD position 51 iifname "cni-podman0" ip saddr 192.168.124.0/24 counter packets 0 bytes 0 accept
+nft insert rule filter FORWARD position 51 iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept
+```
+
+After the plugin's execution, the chain looks like this:
+
+```
+$ nft list chain ip filter FORWARD -a
+table ip filter {
+        chain FORWARD { # handle 2
+                type filter hook forward priority 0; policy drop;
+                oifname "cni-podman0" ip daddr 192.168.124.0/24 ct state established,related counter packets 100 bytes 113413 accept # handle 71
+                iifname "cni-podman0" ip saddr 192.168.124.0/24 counter packets 124 bytes 12996 accept # handle 72
+                iifname "cni-podman0" oifname "cni-podman0" counter packets 0 bytes 0 accept # handle 73
+                oifname "virbr0" ip daddr 192.168.122.0/24 ct state established,related counter packets 0 bytes 0 accept # handle 51
+                iifname "virbr0" ip saddr 192.168.122.0/24 counter packets 0 bytes 0 accept # handle 52
+                iifname "virbr0" oifname "virbr0" counter packets 0 bytes 0 accept # handle 53
+                log prefix "IPv4 FORWARD drop: " flags all # handle 54
+                counter packets 10 bytes 630 drop # handle 55
+        }
+}
+```
+
+Subsequent executions of the plugin do not create additional rules in the chain, unless
+the CNI network configuration changes.
diff --git a/plugins/meta/firewall/firewall.go b/plugins/meta/firewall/firewall.go
@@ -97,6 +97,8 @@ func getBackend(conf *FirewallNetConf) (FirewallBackend, error) {
 	switch conf.Backend {
 	case "iptables":
 		return newIptablesBackend(conf)
+	case "nftables":
+		return newNftablesBackend(conf)
 	case "firewalld":
 		return newFirewalldBackend(conf)
 	}