Merge pull request #1139 from skalenetwork/develop

2.9.0 beta
skalenetwork · Jan 3, 2025 · f0a8591 · f0a8591
2 parents 1e3a280 + 59235f8
commit f0a8591
Show file tree

Hide file tree

Showing 14 changed files with 583 additions and 54 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,19 +1,20 @@
 FROM python:3.11-bookworm
 
-RUN apt-get update && apt-get install -y wget git libxslt-dev iptables kmod swig
+RUN apt-get update && apt-get install -y wget git libxslt-dev iptables kmod swig nftables python3-nftables
 
 RUN mkdir /usr/src/admin
 WORKDIR /usr/src/admin
 
 COPY requirements.txt ./
 COPY requirements-dev.txt ./
 
-RUN pip3 install --no-cache-dir -r requirements.txt
+RUN pip3 install -r requirements.txt
 
 COPY . .
 
 RUN update-alternatives --set iptables /usr/sbin/iptables-legacy && \
     update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 
 
-ENV PYTHONPATH="/usr/src/admin"
+ENV PYTHONPATH="/usr/src/admin":/usr/lib/python3/dist-packages/
+
 ENV COLUMNS=80
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.8.0
+2.9.0
diff --git a/core/schains/firewall/__init__.py b/core/schains/firewall/__init__.py
@@ -19,6 +19,7 @@
 
 from .firewall_manager import SChainFirewallManager  # noqa
 from .iptables import IptablesController  # noqa
+from .nftables import NFTablesController  # noqa
 from .rule_controller import SChainRuleController  # noqa
 from .types import IRuleController  # noqa
 from .utils import get_default_rule_controller  # noqa
diff --git a/core/schains/firewall/firewall_manager.py b/core/schains/firewall/firewall_manager.py
@@ -22,6 +22,7 @@
 from typing import Iterable, Optional
 
 from core.schains.firewall.iptables import IptablesController
+from core.schains.firewall.nftables import NFTablesController
 from core.schains.firewall.types import (
     IFirewallManager,
     IHostFirewallController,
@@ -70,6 +71,11 @@ def update_rules(self, rules: Iterable[SChainRule]) -> None:
         rules_to_remove = actual_rules - expected_rules
         self.add_rules(rules_to_add)
         self.remove_rules(rules_to_remove)
+        self.save_rules()
+
+    def save_rules(self) -> None:
+        """ Saves rules into persistent storage """
+        self.host_controller.save_rules()
 
     def add_rules(self, rules: Iterable[SChainRule]) -> None:
         logger.debug('Adding rules %s', rules)
@@ -83,8 +89,17 @@ def remove_rules(self, rules: Iterable[SChainRule]) -> None:
 
     def flush(self) -> None:
         self.remove_rules(self.rules)
+        self.host_controller.cleanup()
 
 
 class IptablesSChainFirewallManager(SChainFirewallManager):
     def create_host_controller(self) -> IptablesController:
         return IptablesController()
+
+
+class NFTSchainFirewallManager(SChainFirewallManager):
+    def create_host_controller(self) -> NFTablesController:
+        nc_controller = NFTablesController(chain=self.name)
+        nc_controller.create_table()
+        nc_controller.create_chain(self.first_port, self.last_port)
+        return nc_controller
diff --git a/core/schains/firewall/iptables.py b/core/schains/firewall/iptables.py
@@ -139,3 +139,9 @@ def from_ip_network(cls, ip: str) -> str:
     @classmethod
     def to_ip_network(cls, ip: str) -> str:
         return str(ipaddress.ip_network(ip))
+
+    def save_rules(self) -> None:
+        raise NotImplementedError('save_rules is not implemented for iptables host controller')
+
+    def cleanup(self) -> None:
+        raise NotImplementedError('cleanup is not implemented for iptables host controller')