removed enableIDS flag
GrigoriyMikhalkin committed Jul 22, 2021
1 parent 5de1c95 commit c9db9c1
Showing 7 changed files with 38 additions and 36 deletions.
4 changes: 2 additions & 2 deletions api/v1/firewall_types.go
Expand Up @@ -81,8 +81,8 @@ type Data struct {
EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
// FirewallNetworks holds the networks known at the metal-api for this firewall machine
FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`
// DisableSuricataIDS specifies if we need to enable IDS on the firewall machine
DisableSuricataIDS bool `json:"disableSuricataIDS,omitempty"`
// EnableIDS specifies if we need to enable IDS on the firewall machine
EnableIDS bool `json:"enableIDS,omitempty"`
}

// FirewallStatus defines the observed state of Firewall
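Review bot: Replacing `DisableSuricataIDS` with `EnableIDS` inverts the default for every Firewall object that sets neither field: the zero value of the old field meant IDS on, the zero value of the new one means IDS off, so existing resources silently lose IDS after this upgrade (taking `EnableIDS` as the new field, which the CRD hunk headers in this commit confirm). The doc comment on the new field does not say so, and `omitempty` makes an explicit `false` indistinguishable from unset. I would spell the default out in the comment, `// EnableIDS enables the Suricata IDS on the firewall machine. It defaults to false, so IDS is off unless the Firewall sets it explicitly.`, and either migrate existing objects or add a `// +kubebuilder:default=true` marker if the project's controller-gen version supports it, to keep the previous behaviour. The `Data` struct continues outside the hunk.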
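--- a/config/crd/bases/metal-stack.io_firewalls.yaml
+++ b/config/crd/bases/metal-stack.io_firewalls.yaml
@@ -53,10 +53,6 @@ spec:
 description: ControllerVersion holds the firewall-controller version
 to reconcile.
 type: string
-disableSuricataIDS:
-description: DisableSuricataIDS specifies if we need to enable IDS
-on the firewall machine
-type: boolean
 dryrun:
 description: DryRun if set to true, firewall rules are not applied
 type: boolean
@@ -76,6 +72,10 @@ spec:
 - networkid
 type: object
 type: array
+enableIDS:
+description: EnableIDS specifies if we need to enable IDS on the firewall
+machine
+type: boolean
 firewallNetworks:
 description: FirewallNetworks holds the networks known at the metal-api
 for this firewall machine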
4 changes: 2 additions & 2 deletions controllers/firewall_controller.go
Expand Up @@ -143,7 +143,7 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
}

log.Info("reconciling suricata config")
if err := r.Suricata.ReconcileSuricata(kb, !f.Spec.DisableSuricataIDS); err != nil {
if err := r.Suricata.ReconcileSuricata(kb, f.Spec.EnableIDS); err != nil {
errors = multierror.Append(errors, err)
}

Expand Down Expand Up @@ -427,7 +427,7 @@ func (r *FirewallReconciler) updateStatus(ctx context.Context, f firewallv1.Fire
f.Status.FirewallStats.DeviceStats = deviceStats

idsStats := firewallv1.IDSStatsByDevice{}
if r.Suricata.EnableIDS {
if f.Spec.EnableIDS {
ss, err := r.Suricata.InterfaceStats()
if err != nil {
return err
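Review bot: In `updateStatus` the stats gate at `if f.Spec.EnableIDS {` now reads the desired state from the spec rather than the applied state the removed line read from `r.Suricata`. When `ReconcileSuricata` fails in the first hunk the error is only appended and reconciliation continues, so the spec can say enabled while suricata was never (re)configured; `InterfaceStats()` then presumably fails and `updateStatus` returns that error, which blocks the rest of the status update including the unrelated device stats. Either keep the gate on the applied state by exposing it from the suricata package (an `Enabled() bool` accessor returning the unexported field), or treat a stats failure as a degraded status rather than a hard `return err`. Both `Reconcile` and `updateStatus` continue outside their hunks.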
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -16,7 +16,7 @@ require (
github.com/mdlayher/netlink v1.1.1 // indirect
github.com/metal-stack/metal-go v0.14.0
github.com/metal-stack/metal-lib v0.7.2
github.com/metal-stack/metal-networker v0.7.2
github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a
github.com/metal-stack/v v1.0.3
github.com/txn2/txeh v1.3.0
github.com/vishvananda/netlink v1.1.0
14 changes: 6 additions & 8 deletions go.sum
Expand Up @@ -151,7 +151,7 @@ github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZ
github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs=
github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU=
github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I=
Expand Down Expand Up @@ -543,8 +543,8 @@ github.com/metal-stack/metal-go v0.14.0/go.mod h1:fk411K2KQ6sitmlG21YfbRfBzNaJGL
github.com/metal-stack/metal-lib v0.6.9/go.mod h1:r8qhfX72eAzClR/pEaQvdwM//Otx9gegYoOphLPmmQ4=
github.com/metal-stack/metal-lib v0.7.2 h1:vXuQnpoXJV4otCwLyB74MiiokaidAoAcNnivkG9/UTI=
github.com/metal-stack/metal-lib v0.7.2/go.mod h1:eDBJ88yC8jUk+bAJXpF1Upw6j3lbbgv3UIF0D+llMec=
github.com/metal-stack/metal-networker v0.7.2 h1:jc2BXhCWXNaJtP4XvyW9rXeR5QUJ/CDTRIN9gaN5Gfo=
github.com/metal-stack/metal-networker v0.7.2/go.mod h1:eJkMkv0RmicEHFTk+QOPEHaaXnJCOdbYAe3gS4NTMNg=
github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a h1:vfnMxRFa+9gcdgCfUKIhdu5WfuXiwJ4oZi2XQRrV5rE=
github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a/go.mod h1:IjlXMdBetE2i81VogBSSQKJFjwrskV6+6drPN/VPJqY=
github.com/metal-stack/security v0.4.0/go.mod h1:C7kSrHwRcG+47375RJjhakN1LenbEJF9uQd4I50nZlY=
github.com/metal-stack/security v0.5.1/go.mod h1:t7P93F6/iSDR729OS/3x5t69ewBCsHUYqRVaHb5nxjc=
github.com/metal-stack/security v0.5.3/go.mod h1:t7P93F6/iSDR729OS/3x5t69ewBCsHUYqRVaHb5nxjc=
Expand Down Expand Up @@ -983,7 +983,6 @@ golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A=
golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
Expand Down Expand Up @@ -1062,9 +1061,8 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e h1:4nW4NLDYnU28ojHaHO8OVxFHk/aQ33U01a9cjED+pzE=
golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY=
golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
Expand Down Expand Up @@ -1214,8 +1212,8 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k=
honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
inet.af/netaddr v0.0.0-20210707202901-70468d781e6c h1:ZNUX2CiFwNbN1VFaD4MQFmC8o5Rxc7BQW1P1K8kMpbE=
inet.af/netaddr v0.0.0-20210707202901-70468d781e6c/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
inet.af/netaddr v0.0.0-20210403172118-1e1430f727e0 h1:ANl7piXB3SHmhwTNeTO0yl0yf4gO3/aaFjcBCdH9Ftg=
inet.af/netaddr v0.0.0-20210403172118-1e1430f727e0/go.mod h1:I2i9ONCXRZDnG1+7O8fSuYzjcPxHQXrIfzD/IkR87x4=
k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
k8s.io/api v0.18.9 h1:7VDtivqwbvLOf8hmXSd/PDSSbpCBq49MELg84EYBYiQ=
k8s.io/api v0.18.9/go.mod h1:9u/h6sUh6FxfErv7QqetX1EB3yBMIYOBXzdcf0Gf0rc=
31 changes: 18 additions & 13 deletions main.go
Expand Up @@ -24,20 +24,20 @@ import (
"os"
"time"

"github.com/metal-stack/firewall-controller/pkg/suricata"

"github.com/metal-stack/metal-lib/pkg/sign"
"github.com/metal-stack/v"

"github.com/metal-stack/firewall-controller/controllers"
"github.com/metal-stack/firewall-controller/controllers/crd"
"github.com/metal-stack/firewall-controller/pkg/suricata"

apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
"k8s.io/apimachinery/pkg/runtime"
clientgoscheme "k8s.io/client-go/kubernetes/scheme"
_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
ctrl "sigs.k8s.io/controller-runtime"
"sigs.k8s.io/controller-runtime/pkg/log/zap"

"github.com/metal-stack/firewall-controller/controllers"
"github.com/metal-stack/firewall-controller/controllers/crd"

firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
// +kubebuilder:scaffold:imports
)
Expand All @@ -63,18 +63,23 @@ func main() {
var (
metricsAddr string
enableLeaderElection bool
enableIDS bool
enableSignatureCheck bool
hostsFile string
)
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,

fs := flag.NewFlagSet("", flag.ContinueOnError)
fs.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
fs.BoolVar(&enableLeaderElection, "enable-leader-election", false,
"Enable leader election for controller manager. "+
"Enabling this will ensure there is only one active controller manager.")
flag.BoolVar(&enableIDS, "enable-IDS", true, "Set this to false to exclude IDS.")
flag.StringVar(&hostsFile, "hosts-file", "/etc/hosts", "The hosts file to manipulate for the droptailer.")
flag.BoolVar(&enableSignatureCheck, "enable-signature-check", true, "Set this to false to ignore signature checking.")
flag.Parse()
fs.StringVar(&hostsFile,
"hosts-file", "/etc/hosts", "The hosts file to manipulate for the droptailer.")
fs.BoolVar(&enableSignatureCheck,
"enable-signature-check", true, "Set this to false to ignore signature checking.")
if err := fs.Parse(os.Args[1:]); err != nil {
// Log error but continue program execution
setupLog.Error(err, "error parsing flags")
}

ctrl.SetLogger(zap.New(zap.UseDevMode(true)))

Expand Down Expand Up @@ -161,7 +166,7 @@ func main() {
Client: mgr.GetClient(),
Log: ctrl.Log.WithName("controllers").WithName("Firewall"),
Scheme: mgr.GetScheme(),
Suricata: suricata.New(enableIDS),
Suricata: suricata.New(),
EnableSignatureCheck: enableSignatureCheck,
CAPubKey: caPubKey,
}).SetupWithManager(mgr); err != nil {
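Review bot: The new `fs.Parse(os.Args[1:])` branch logs every parse error and carries on, but with `flag.ContinueOnError` a `-h`/`-help` request comes back as `flag.ErrHelp`, so asking for help now logs an error and starts the manager instead of exiting; add `if err == flag.ErrHelp { os.Exit(0) }` (or `errors.Is` if `errors` is imported above the hunk) before the `setupLog.Error` call. The deliberate continue also deserves a more precise comment, because `Parse` stops at the first bad argument and every flag after it keeps its default: `// A bad flag is logged and ignored; flags after it keep their defaults.`. Why the code moved from the global `flag` set to a private `FlagSet` is not stated anywhere in the hunk and is presumably to avoid colliding with flags other packages register on `flag.CommandLine`; a one-line comment on `fs := flag.NewFlagSet("", flag.ContinueOnError)` would save the next reader that guess. `main` continues outside the hunk.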
11 changes: 5 additions & 6 deletions pkg/suricata/suricata.go
Expand Up @@ -20,7 +20,7 @@ const (

type Suricata struct {
socket string
EnableIDS bool
enableIDS bool
}

type InterfaceStats map[string]InterFaceStat
Expand All @@ -31,10 +31,9 @@ type InterFaceStat struct {
Pkts int
}

func New(enableIDS bool) *Suricata {
func New() *Suricata {
return &Suricata{
socket: defaultSocket,
EnableIDS: enableIDS,
socket: defaultSocket,
}
}

Expand Down Expand Up @@ -66,7 +65,7 @@ func (s *Suricata) InterfaceStats() (*InterfaceStats, error) {
}

func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) error {
if enableIDS != s.EnableIDS {
if enableIDS != s.enableIDS {
configurator := netconf.FirewallConfigurator{
CommonConfigurator: netconf.CommonConfigurator{
Kb: kb,
Expand All @@ -78,7 +77,7 @@ func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) e
if err := s.restart(); err != nil {
return fmt.Errorf("failed to restart suricata: %w", err)
}
s.EnableIDS = enableIDS
s.enableIDS = enableIDS
}

return nil
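Review bot: `ReconcileSuricata` now compares the desired value against an in-memory `enableIDS` that `New()` leaves at its zero value, so on a fresh controller the first call with `enableIDS == false` is skipped entirely and neither the configurator nor `s.restart()` runs; whatever state suricata was actually left in by a previous controller instance persists. The removed constructor at least seeded the field from the CLI flag, the new one reflects neither a flag nor the observed state. A cheap fix is to track whether the configuration has been written at all, e.g. a `configured bool` field set next to `s.enableIDS = enableIDS` and a guard `if !s.configured || enableIDS != s.enableIDS {`, so the first reconcile always applies the requested state. `ReconcileSuricata`'s body continues outside the hunk.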
