From 7356f8ebcb6b0e4c06018c748b7c5771b41e007e Mon Sep 17 00:00:00 2001
From: "William A. Kennington III"
Date: Wed, 15 Dec 2021 02:21:52 -0800
Subject: meta-google: nftables: Make rule loading atomic

This ensures that all of the rules are processed and unexpected packets are not allowed or blocked by the kernel at any time.

Change-Id: Ia7bb1d7f604f8ed1bd9759a23e370d20cb0c690d
Signed-off-by: William A. Kennington III
---
 .../ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in | 2 +-
 meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in | 4 +---
 .../recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh | 4 +---
 meta-google/recipes-google/nftables/files/nft-configure.sh | 14 +++++++++-----
 meta-google/recipes-google/nftables/files/nftables.service | 1 +
 5 files changed, 13 insertions(+), 12 deletions(-)

(limited to 'meta-google')

diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
index 677ef28c3..9d9f7899e 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-br-deprecated-ips.sh.in
@@ -88,7 +88,7 @@ EOF
 else
 printf '%s' "$nfcontents" >"$rfile"
 fi
- systemctl reset-failed nftables && systemctl --no-block restart nftables || true
+ systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_ncsi_br_deprecated_ips_hook() {
diff --git a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
index 30b2b65e4..074ec5785 100644
--- a/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
+++ b/meta-google/recipes-google/ncsi/files/gbmc-ncsi-nft.sh.in
@@ -46,9 +46,7 @@ gbmc_ncsi_nft_update() {
 mkdir -p -m 755 "$(dirname "$rfile")"
 printf '%s' "$contents" >"$rfile"
 
- echo 'Restarting nftables' >&2
- systemctl reset-failed nftables
- systemctl --no-block restart nftables
+ systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_ncsi_nft_hook() {
diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
index 980f7b6d6..ca4e15a1f 100644
--- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
+++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh
@@ -37,9 +37,7 @@ gbmc_br_nft_update() {
 mkdir -p -m 755 "$(dirname "$rfile")"
 printf '%s' "$contents" >"$rfile"
 
- echo 'Restarting nftables' >&2
- systemctl reset-failed nftables
- systemctl --no-block restart nftables
+ systemctl reset-failed nftables && systemctl --no-block reload-or-restart nftables || true
 }
 
 gbmc_br_nft_hook() {
diff --git a/meta-google/recipes-google/nftables/files/nft-configure.sh b/meta-google/recipes-google/nftables/files/nft-configure.sh
index 05bb23d8b..8c8e058b7 100644
--- a/meta-google/recipes-google/nftables/files/nft-configure.sh
+++ b/meta-google/recipes-google/nftables/files/nft-configure.sh
@@ -8,10 +8,14 @@ for dir in /run/nftables /etc/nftables /usr/share/nftables; do
 done
 let i+=1
 done
-rc=0
-nft flush ruleset || rc=$?
+
+rules=""
+trap 'rm -f -- "$rules"' TERM INT EXIT ERR
+rules="$(mktemp)" || exit
+echo 'flush ruleset' >"$rules"
 for key in $(printf "%s\n" "${!basemap[@]}" | sort -r); do
- echo "Executing ${basemap[$key]}" >&2
- nft -f "${basemap[$key]}" || rc=$?
+ echo "Loading ${basemap[$key]}" >&2
+ echo '' >>"$rules"
+ cat "${basemap[$key]}" >>"$rules"
 done
-exit $rc
+nft -f "$rules" || exit
diff --git a/meta-google/recipes-google/nftables/files/nftables.service b/meta-google/recipes-google/nftables/files/nftables.service
index 770a3d3ac..1a93812b8 100644
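Review bot: Dropping `echo 'Restarting nftables' >&2` removes the only record that this hook rewrote `$rfile` and asked nftables to reload, and with `--no-block` plus the trailing `|| true` a reload that never happens (for example `systemctl reset-failed` failing and short-circuiting the `&&`) is now completely silent from this script. Because this is a packet-filter change, keep a one-line trace such as `echo 'Reloading nftables' >&2` before the systemctl call so the journal can correlate fragment rewrites with reload attempts. If the reload should be attempted regardless of `reset-failed`, split the chain: `systemctl reset-failed nftables || true` followed by `systemctl --no-block reload-or-restart nftables || true`. gbmc_ncsi_nft_update() begins before the hunk, where `$rfile` and `$contents` are set.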
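Review bot: `printf '%s' "$contents" >"$rfile"` truncates and rewrites the fragment in place while the reload it requests on the next line runs asynchronously (`--no-block`), so a reload already in progress for another fragment can `cat` this file half-written; nft-configure.sh in this same commit concatenates every fragment into one `nft -f` batch, and a truncated fragment makes that whole batch fail, silently dropping the intended rule change until something else triggers a reload (the previous ruleset stays loaded, so this is not fail-open). Write to a sibling temp file and rename it so the configure script only ever sees complete fragments: `printf '%s' "$contents" >"$rfile.tmp" && mv -f -- "$rfile.tmp" "$rfile"`. This presumes `$rfile` lives in one of the directories nft-configure.sh scans, which is set above the hunk; gbmc_br_nft_update() starts outside the hunk.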
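Review bot: A single malformed fragment now makes `nft -f "$rules"` reject the entire batch, which is the right outcome on reload (the previous ruleset stays in the kernel), but on the initial ExecStart there is no previous ruleset, so one bad fragment leaves the BMC with no packet filter at all while the unit merely reports failed — fail-open rather than fail-closed. If this service is what stands up the BMC's packet filter, consider loading a minimal baseline ruleset when the combined load fails, and state the boot-time behaviour in a header comment so operators know a failed unit means an unfiltered host. Separately, nft will report parse errors as `$rules:LINE`, which no longer identifies the offending fragment; replacing `echo '' >>"$rules"` with `printf '\n# %s\n' "${basemap[$key]}" >>"$rules"` embeds each source path in the combined file so the error can be traced back. The `basemap` array and the `for dir` loop that fills it start above the hunk, and `trap ... ERR` assumes bash, whose shebang is not visible here.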
--- a/meta-google/recipes-google/nftables/files/nftables.service
+++ b/meta-google/recipes-google/nftables/files/nftables.service
@@ -5,6 +5,7 @@ Before=network-pre.target
 Type=oneshot
 RemainAfterExit=yes
 ExecStart=/usr/libexec/nft-configure.sh
+ExecReload=/usr/libexec/nft-configure.sh
 ExecStop=/usr/sbin/nft flush ruleset
 
 [Install]
-- 
cgit v1.2.3
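Review bot: ExecReload makes `systemctl reload` rebuild the ruleset without the flush that `ExecStop=/usr/sbin/nft flush ruleset` performs, but a plain `systemctl restart` of an active unit still runs ExecStop first and so still has an unfiltered window; the callers in this commit use `reload-or-restart`, which only avoids that window when the unit is already active. Add a comment above the new line making the contract explicit, e.g. `# Reload rebuilds the ruleset atomically; 'restart' runs ExecStop and flushes all rules first.` Also note that a failed ExecReload presumably leaves the unit active with the old ruleset (safe) but indistinguishable from a successful reload to `--no-block` callers, so those callers should be treated as best-effort.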