Cleanup nftables chain after schain removal

skalenetwork · Dec 26, 2024 · 0aacca3 · 0aacca3
1 parent 517a3a8
commit 0aacca3
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 1 deletion.
diff --git a/core/schains/firewall/firewall_manager.py b/core/schains/firewall/firewall_manager.py
@@ -89,6 +89,7 @@ def remove_rules(self, rules: Iterable[SChainRule]) -> None:
 
     def flush(self) -> None:
         self.remove_rules(self.rules)
+        self.host_controller.cleanup()
 
 
 class IptablesSChainFirewallManager(SChainFirewallManager):

diff --git a/core/schains/firewall/iptables.py b/core/schains/firewall/iptables.py
@@ -140,5 +140,8 @@ def from_ip_network(cls, ip: str) -> str:
     def to_ip_network(cls, ip: str) -> str:
         return str(ipaddress.ip_network(ip))
 
-    def save_rules(self):
+    def save_rules(self) -> None:
         raise NotImplementedError('save_rules is not implemented for iptables host controller')
+
+    def cleanup(self) -> None:
+        raise NotImplementedError('cleanup is not implemented for iptables host controller')
diff --git a/core/schains/firewall/nftables.py b/core/schains/firewall/nftables.py
@@ -119,6 +119,25 @@ def create_chain(self, first_port: int, last_port: int) -> None:
             )
             self.add_schain_drop_rule(first_port, last_port)
 
+    def delete_chain(self) -> None:
+        if self.has_chain(self.chain):
+            logger.info('Removing chain %s', self.chain)
+            self.run_json_cmd(
+                self._compose_json(
+                    [
+                        {
+                            'delete': {
+                                'chain': {
+                                    'family': self.FAMILY,
+                                    'table': self.table,
+                                    'name': self.chain
+                                }
+                            }
+                        }
+                    ]
+                )
+            )
+
     @property
     def chains(self) -> list[dict]:
         output = self.run_cmd('list chains')
@@ -334,3 +353,6 @@ def save_rules(self) -> None:
         nft_chain_path = os.path.join(NFT_CHAIN_BASE_PATH, f'{self.chain}.conf')
         with open(nft_chain_path, 'w') as nft_chain_file:
             nft_chain_file.write(chain_rules)
+
+    def cleanup(self) -> None:
+        self.delete_chain()
diff --git a/core/schains/firewall/types.py b/core/schains/firewall/types.py
@@ -92,6 +92,10 @@ def has_rule(self, rule: SChainRule) -> bool:  # pragma: no cover
     def save_rules(self) -> None:  # pragma: no cover
         pass
 
+    @abstractmethod
+    def cleanup(self) -> None:  # pragma: no cover
+        pass
+
 
 class IFirewallManager(ABC):
     @property