restart suricata service
GrigoriyMikhalkin committed Jul 22, 2021
1 parent 5f8b2cf commit 5de1c95
Showing 7 changed files with 112 additions and 82 deletions.
4 changes: 2 additions & 2 deletions api/v1/firewall_types.go
Expand Up @@ -81,8 +81,8 @@ type Data struct {
EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
// FirewallNetworks holds the networks known at the metal-api for this firewall machine
FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`
// EnableSuricataIDS specifies if we need to enable IDS on the firewall machine
EnableSuricataIDS bool `json:"enableSuricataIDS,omitempty"`
// DisableSuricataIDS specifies if we need to enable IDS on the firewall machine
DisableSuricataIDS bool `json:"disableSuricataIDS,omitempty"`
}

// FirewallStatus defines the observed state of Firewall
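Review bot: The doc comment on the renamed field still says it specifies whether to enable IDS, so it now describes the opposite of what `DisableSuricataIDS` does; suggest `// DisableSuricataIDS specifies if IDS should be turned off on the firewall machine (IDS is enabled by default)`. The same wording was regenerated into the CRD description in config/crd/bases/metal-stack.io_firewalls.yaml, so fixing the comment and rerunning the generator will update both. Because the zero value of the new field means IDS on, that default is the security-relevant consequence of the rename and is worth stating explicitly. The `Data` struct begins above this hunk.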
8 changes: 4 additions & 4 deletions config/crd/bases/metal-stack.io_firewalls.yaml
Expand Up @@ -53,6 +53,10 @@ spec:
description: ControllerVersion holds the firewall-controller version
to reconcile.
type: string
disableSuricataIDS:
description: DisableSuricataIDS specifies if we need to enable IDS
on the firewall machine
type: boolean
dryrun:
description: DryRun if set to true, firewall rules are not applied
type: boolean
Expand All @@ -72,10 +76,6 @@ spec:
- networkid
type: object
type: array
enableSuricataIDS:
description: EnableSuricataIDS specifies if we need to enable IDS
on the firewall machine
type: boolean
firewallNetworks:
description: FirewallNetworks holds the networks known at the metal-api
for this firewall machine
11 changes: 6 additions & 5 deletions controllers/firewall_controller.go
Expand Up @@ -57,7 +57,7 @@ type FirewallReconciler struct {
recorder record.EventRecorder
Log logr.Logger
Scheme *runtime.Scheme
EnableIDS bool
Suricata *suricata.Suricata
EnableSignatureCheck bool
CAPubKey *rsa.PublicKey
}
Expand Down Expand Up @@ -143,7 +143,9 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
}

log.Info("reconciling suricata config")
network.ReconcileSuricata(kb, f.Spec.EnableSuricataIDS)
if err := r.Suricata.ReconcileSuricata(kb, !f.Spec.DisableSuricataIDS); err != nil {
errors = multierror.Append(errors, err)
}

log.Info("reconciling firewall services")
if err = r.reconcileFirewallServices(ctx, f); err != nil {
Expand Down Expand Up @@ -425,9 +427,8 @@ func (r *FirewallReconciler) updateStatus(ctx context.Context, f firewallv1.Fire
f.Status.FirewallStats.DeviceStats = deviceStats

idsStats := firewallv1.IDSStatsByDevice{}
if r.EnableIDS { // checks the CLI-flag
s := suricata.New()
ss, err := s.InterfaceStats()
if r.Suricata.EnableIDS {
ss, err := r.Suricata.InterfaceStats()
if err != nil {
return err
}
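Review bot: The `log.Info("reconciling suricata config")` line just above the new `ReconcileSuricata` call does not record the requested IDS state, so switching the IDS off through the Firewall spec leaves no trace in the controller log; suggest `log.Info("reconciling suricata config", "enableIDS", !f.Spec.DisableSuricataIDS)` so that a disable is auditable. `r.Suricata` is now a pointer dereferenced both here and in the `updateStatus` hunk below, and from this diff it is only populated in main.go, so a `FirewallReconciler` built anywhere else (tests, for instance) would panic on a nil pointer unless the field is set; a nil guard or a constructor that requires it would make that explicit. Reconcile's body starts and ends outside this hunk.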
9 changes: 6 additions & 3 deletions main.go
Expand Up @@ -24,8 +24,8 @@ import (
"os"
"time"

"github.com/metal-stack/firewall-controller/controllers"
"github.com/metal-stack/firewall-controller/controllers/crd"
"github.com/metal-stack/firewall-controller/pkg/suricata"

"github.com/metal-stack/metal-lib/pkg/sign"
"github.com/metal-stack/v"
apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
Expand All @@ -35,6 +35,9 @@ import (
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/log/zap"

"github.com/metal-stack/firewall-controller/controllers"
"github.com/metal-stack/firewall-controller/controllers/crd"

firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
// +kubebuilder:scaffold:imports
)
Expand Down Expand Up @@ -158,7 +161,7 @@ func main() {
Client: mgr.GetClient(),
Log: ctrl.Log.WithName("controllers").WithName("Firewall"),
Scheme: mgr.GetScheme(),
EnableIDS: enableIDS,
Suricata: suricata.New(enableIDS),
EnableSignatureCheck: enableSignatureCheck,
CAPubKey: caPubKey,
}).SetupWithManager(mgr); err != nil {
15 changes: 0 additions & 15 deletions pkg/network/suricata.go

This file was deleted.

53 changes: 0 additions & 53 deletions pkg/suricata/stats.go

This file was deleted.

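--- a/pkg/suricata/suricata.go
+++ b/pkg/suricata/suricata.go
@@ -0,0 +1,94 @@
+package suricata
+
+import (
+"context"
+"fmt"
+"os/exec"
+
+"github.com/metal-stack/metal-networker/pkg/netconf"
+
+"github.com/ks2211/go-suricata/client"
+)
+
+const (
+suricataService = "suricata.service"
+systemctlBin = "/bin/systemctl"
+
+// defaultSocket to communicate with suricata
+defaultSocket = "/run/suricata-command.socket"
+)
+
+type Suricata struct {
+socket string
+EnableIDS bool
+}
+
+type InterfaceStats map[string]InterFaceStat
+
+type InterFaceStat struct {
+Drop int
+InvalidChecksums int
+Pkts int
+}
+
+func New(enableIDS bool) *Suricata {
+return &Suricata{
+socket: defaultSocket,
+EnableIDS: enableIDS,
+}
+}
+
+func (s *Suricata) InterfaceStats() (*InterfaceStats, error) {
+suricata, err := client.CreateSocket(s.socket)
+if err != nil {
+return nil, err
+}
+defer suricata.Close()
+
+ifaces, err := suricata.IFaceListCommand(context.Background())
+if err != nil {
+return nil, err
+}
+result := InterfaceStats{}
+for _, iface := range ifaces.Ifaces {
+stat, err := suricata.IFaceStatCommand(context.Background(), client.IFaceStatRequest{IFace: iface})
+if err != nil {
+return nil, err
+}
+result[iface] = InterFaceStat{
+Drop: stat.Drop,
+InvalidChecksums: stat.InvalidChecksums,
+Pkts: stat.Pkts,
+}
+}
+
+return &result, nil
+}
+
+func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) error {
+if enableIDS != s.EnableIDS {
+configurator := netconf.FirewallConfigurator{
+CommonConfigurator: netconf.CommonConfigurator{
+Kb: kb,
+},
+EnableIDS: enableIDS,
+}
+configurator.ConfigureSuricata()
+
+if err := s.restart(); err != nil {
+return fmt.Errorf("failed to restart suricata: %w", err)
+}
+s.EnableIDS = enableIDS
+}
+
+return nil
+}
+
+func (s *Suricata) restart() error {
+c := exec.Command(systemctlBin, "restart", suricataService)
+err := c.Run()
+if err != nil {
+return fmt.Errorf("could not reload suricata service, err: %w", err)
+}
+return nil
+}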
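Review bot: `ReconcileSuricata` only renders the suricata configuration when the requested state differs from `s.EnableIDS`, and that field is seeded in `New` from the CLI flag rather than from what is actually configured on the machine, so after a controller restart the on-disk config and the in-memory flag can disagree until the spec toggles; consider rendering the config on every reconcile and restarting only on a transition, or at least documenting on `New` that the flag is assumed to match the deployed state. If `ConfigureSuricata` can report a failure, its result is discarded here and a restart would still be issued on a broken config, so its signature is worth checking. Both `exec.Command(...).Run()` in `restart` and the socket commands in `InterfaceStats` run without a deadline (`context.Background()`), so a hung systemctl or suricata socket stalls the reconcile loop; `exec.CommandContext` and a `context.WithTimeout` would bound both. The error in `restart` says `could not reload suricata service` although the command issued is `restart`; `return fmt.Errorf("could not restart suricata service: %w", err)` matches the action.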
