
Add source interface to firewall::service puppet class
Open, Medium, Public

Description

The firewall::service class and subsequent nftables::service supports various parameters to allow specific source/destination ports and IPs.

For the work in T300152 it would be useful to also support ACLs based on the source interface.

In the meantime the workaround is to use nftables::file::input but this is more brittle.

Event Timeline

We only need this on the ganeti hosts itself? Then I would add support for this only for the nftables provider (and make it fail() in Puppet if used with the ferm provider), I'm reluctant to add new functionality for the Ferm provider at this point...

Actually, after looking into it for a bit, I think we should rather not add this to firewall::service, which is specifically made to allow access for a given service only. For a case like routed ganeti where we enable traffic from a given interface(s) we can simply use nftables::file or nftables::file::input, that's exactly what these were made for. It's comparable to the special cases we previously configured with ferm::rule (as opposed to ferm::service). Using nftables::file::input doesn't seem brittle to me, do you have a specific risk in mind?

The goal here is to not only use nftables::service with the interface parameter, but use it in addition to the other parameters, for example to only allow DHCP requests from the guest VMs:

```puppet
nftables::service { 'dhcp-requests':
    proto => 'udp',
    port  => 67,
    sint  => 'tap*',
}
```

Using nftables::file is prone to typos as it doesn't benefit from the service's validation.
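For reference, this is the raw nftables rule that the declaration above would need to render, i.e. what one would currently have to place in the input chain by hand via nftables::file::input. It is an added illustration, not a rule from this task or from the puppet repository; the `tap*` interface pattern and UDP port 67 are taken from the example above.

```nftables
# Accept DHCP server traffic (UDP 67) only when the packet arrived on a
# tap* interface, i.e. from a guest VM on a routed Ganeti host.
# iifname matches the interface name at packet evaluation time, so it also
# covers tap devices created after the ruleset was loaded; iif would resolve
# to an interface index at load time and cannot take a wildcard.
iifname "tap*" udp dport 67 accept
```

A hand-written fragment like this can at least be syntax-checked before it is applied with `nft -c -f <file>`, which parses the file without loading it; that catches a mistyped keyword, but not a misspelled interface pattern, which is the gap the service-level validation would close.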