

allow to disable/enable ids logs
GrigoriyMikhalkin committed Jul 22, 2021
1 parent 686a7e0 commit 5f8b2cf
Showing 5 changed files with 42 additions and 11 deletions.
2 changes: 2 additions & 0 deletions api/v1/firewall_types.go
Expand Up @@ -81,6 +81,8 @@ type Data struct {
EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
// FirewallNetworks holds the networks known at the metal-api for this firewall machine
FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`
// EnableSuricataIDS specifies if we need to enable IDS on the firewall machine
EnableSuricataIDS bool `json:"enableSuricataIDS,omitempty"`
}

// FirewallStatus defines the observed state of Firewall
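Review bot: The doc comment on the new `EnableSuricataIDS` line does not say what happens when the field is absent, and because the tag carries `omitempty` a false value is never serialized, so the field only ever appears on objects where the IDS is switched on. Since this is the default of a security control, make it explicit so it also lands in the generated CRD description: `// EnableSuricataIDS enables the Suricata IDS on the firewall machine; it defaults to false, i.e. the IDS stays disabled unless set`. The enclosing `Data` struct starts outside the hunk.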
4 changes: 4 additions & 0 deletions config/crd/bases/metal-stack.io_firewalls.yaml
Expand Up @@ -72,6 +72,10 @@ spec:
- networkid
type: object
type: array
enableSuricataIDS:
description: EnableSuricataIDS specifies if we need to enable IDS
on the firewall machine
type: boolean
firewallNetworks:
description: FirewallNetworks holds the networks known at the metal-api
for this firewall machine
12 changes: 8 additions & 4 deletions controllers/firewall_controller.go
Expand Up @@ -40,14 +40,15 @@ import (

"github.com/hashicorp/go-multierror"

mn "github.com/metal-stack/metal-lib/pkg/net"
networking "k8s.io/api/networking/v1"

firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
"github.com/metal-stack/firewall-controller/pkg/collector"
"github.com/metal-stack/firewall-controller/pkg/network"
"github.com/metal-stack/firewall-controller/pkg/nftables"
"github.com/metal-stack/firewall-controller/pkg/suricata"
"github.com/metal-stack/firewall-controller/pkg/updater"
mn "github.com/metal-stack/metal-lib/pkg/net"
networking "k8s.io/api/networking/v1"
)

// FirewallReconciler reconciles a Firewall object
Expand Down Expand Up @@ -130,17 +131,20 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
}

log.Info("reconciling network settings")
changed, err := network.ReconcileNetwork(f, log)
kb := network.GetUpdatedKnowledgeBase(f)
changed, err := network.ReconcileNetwork(kb)
if changed && err == nil {
r.recorder.Event(&f, corev1.EventTypeNormal, "Network settings", "reconcilation succeeded (frr.conf)")
} else if changed && err != nil {
r.recorder.Event(&f, corev1.EventTypeWarning, "Network settings", fmt.Sprintf("reconcilation failed (frr.conf): %v", err))
}

if err != nil {
errors = multierror.Append(errors, err)
}

log.Info("reconciling suricata config")
network.ReconcileSuricata(kb, f.Spec.EnableSuricataIDS)

log.Info("reconciling firewall services")
if err = r.reconcileFirewallServices(ctx, f); err != nil {
errors = multierror.Append(errors, err)
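Review bot: `network.ReconcileSuricata(kb, f.Spec.EnableSuricataIDS)` on the suricata line returns nothing, so a failure to write or apply the IDS configuration can neither be recorded as an event nor appended to `errors` the way the FRR reconciliation directly above is, and the reconcile result never reflects it. If `ConfigureSuricata` in pkg/network/suricata.go can report failure (its result is discarded there), have ReconcileSuricata return an error and handle it here as `if err := network.ReconcileSuricata(kb, f.Spec.EnableSuricataIDS); err != nil { errors = multierror.Append(errors, err) }`, with a Warning event matching the "Network settings" branch. The call also runs when `ReconcileNetwork` has just failed; whether `kb` is still usable in that case is not visible here. `Reconcile` begins and ends outside the hunk.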
20 changes: 13 additions & 7 deletions pkg/network/network.go
Expand Up @@ -6,7 +6,6 @@ import (
"path/filepath"
"text/template"

"github.com/go-logr/logr"
firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
"github.com/metal-stack/metal-go/api/models"
"github.com/metal-stack/metal-networker/pkg/netconf"
Expand All @@ -22,11 +21,12 @@ const (
//go:embed *.tpl
var templates embed.FS

// ReconcileNetwork reconciles the network settings for a firewall
// in the current stage it only changes the FRR-Configuration when network prefixes or FRR template changes
func ReconcileNetwork(f firewallv1.Firewall, log logr.Logger) (bool, error) {
kb := netconf.NewKnowledgeBase(MetalKnowledgeBase)
func GetKnowledgeBase() netconf.KnowledgeBase {
return netconf.NewKnowledgeBase(MetalKnowledgeBase)
}

func GetUpdatedKnowledgeBase(f firewallv1.Firewall) netconf.KnowledgeBase {
kb := GetKnowledgeBase()
networkMap := map[string]firewallv1.FirewallNetwork{}
for _, n := range f.Spec.FirewallNetworks {
if n.Networktype == nil {
Expand All @@ -43,6 +43,12 @@ func ReconcileNetwork(f firewallv1.Firewall, log logr.Logger) (bool, error) {
}
kb.Networks = newNetworks

return kb
}

// ReconcileNetwork reconciles the network settings for a firewall
// Changes both the FRR-Configuration and Nftable rules when network prefixes or FRR template changes
func ReconcileNetwork(kb netconf.KnowledgeBase) (changed bool, err error) {
tmpFile, err := tmpFile(FrrConfig)
if err != nil {
return false, fmt.Errorf("error during network reconcilation %v: %w", tmpFile, err)
Expand All @@ -57,12 +63,12 @@ func ReconcileNetwork(f firewallv1.Firewall, log logr.Logger) (bool, error) {
return false, fmt.Errorf("error during network reconcilation: %v: %w", tmpFile, err)
}

changed, err := a.Apply(*tpl, tmpFile, FrrConfig, true)
changed, err = a.Apply(*tpl, tmpFile, FrrConfig, true)
if err != nil {
return changed, fmt.Errorf("error during network reconcilation: %v: %w", tmpFile, err)
}

return changed, nil
return
}

func tmpFile(file string) (string, error) {
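Review bot: The rewritten comment on `ReconcileNetwork` says it changes both the FRR configuration and nftables rules, but the body visible in the hunks only renders and applies the FRR template (`a.Apply(*tpl, tmpFile, FrrConfig, true)`), and nftables handling appears to live in the separate pkg/nftables package the controller imports. Unless nftables work happens in the lines of the function not shown here, keep the comment accurate: `// ReconcileNetwork renders and applies the FRR configuration derived from kb and reports whether frr.conf changed.` Separately, `GetKnowledgeBase` and `GetUpdatedKnowledgeBase` are exported without doc comments and carry a Get prefix that Go style avoids; `NewKnowledgeBase` and `KnowledgeBaseFor(f)` would read more idiomatically. The naked `return` that replaces `return changed, nil` is equivalent here because `err` is nil after the preceding check, but the explicit form was clearer.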
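--- a/pkg/network/suricata.go
+++ b/pkg/network/suricata.go
@@ -0,0 +1,15 @@
+package network
+
+import (
+"github.com/metal-stack/metal-networker/pkg/netconf"
+)
+
+func ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) {
+configurator := netconf.FirewallConfigurator{
+CommonConfigurator: netconf.CommonConfigurator{
+Kb: kb,
+},
+EnableIDS: enableIDS,
+}
+configurator.ConfigureSuricata()
+}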
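Review bot: `ReconcileSuricata` is exported but has no doc comment, and nothing in the file says what `enableIDS` controls beyond being copied into `FirewallConfigurator.EnableIDS`. Suggest `// ReconcileSuricata applies the Suricata configuration for the knowledge base kb, with the IDS turned on or off according to enableIDS.` above the func line. If `ConfigureSuricata` has a return value it is dropped on the last statement, which the comment should state as well so callers do not assume failures surface.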
