From c9db9c1bc7a49024795ded4e7cb6b123c43e327f Mon Sep 17 00:00:00 2001 From: Grigoriy Mikhalkin Date: Wed, 30 Jun 2021 13:03:40 +0200 Subject: [PATCH] removed enableIDS flag --- api/v1/firewall_types.go | 4 +-- .../crd/bases/metal-stack.io_firewalls.yaml | 8 ++--- controllers/firewall_controller.go | 4 +-- go.mod | 2 +- go.sum | 14 ++++----- main.go | 31 +++++++++++-------- pkg/suricata/suricata.go | 11 +++---- 7 files changed, 38 insertions(+), 36 deletions(-) diff --git a/api/v1/firewall_types.go b/api/v1/firewall_types.go index fb7f91a4..e062b29c 100644 --- a/api/v1/firewall_types.go +++ b/api/v1/firewall_types.go @@ -81,8 +81,8 @@ type Data struct { EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"` // FirewallNetworks holds the networks known at the metal-api for this firewall machine FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"` - // DisableSuricataIDS specifies if we need to enable IDS on the firewall machine - DisableSuricataIDS bool `json:"disableSuricataIDS,omitempty"` + // EnableIDS specifies if we need to enable IDS on the firewall machine + EnableIDS bool `json:"enableIDS,omitempty"` } // FirewallStatus defines the observed state of Firewall diff --git a/config/crd/bases/metal-stack.io_firewalls.yaml b/config/crd/bases/metal-stack.io_firewalls.yaml index 5e083144..9f6df4b8 100644 --- a/config/crd/bases/metal-stack.io_firewalls.yaml +++ b/config/crd/bases/metal-stack.io_firewalls.yaml @@ -53,10 +53,6 @@ spec: description: ControllerVersion holds the firewall-controller version to reconcile. type: string - disableSuricataIDS: - description: DisableSuricataIDS specifies if we need to enable IDS - on the firewall machine - type: boolean dryrun: description: DryRun if set to true, firewall rules are not applied type: boolean 
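Review bot: The rename flips the default for existing resources: a Firewall spec that omits the old `disableSuricataIDS` had IDS on (the controller passed `!f.Spec.DisableSuricataIDS`), while one that omits `enableIDS` now has it off, and nothing in this hunk, the CRD hunk or the commit message records that intrusion detection becomes opt-in. The field comment should state the default so operators notice, e.g. `// EnableIDS enables the suricata IDS on the firewall machine; defaults to false, so IDS stays off unless the spec sets it explicitly.` Existing Firewall objects that relied on the old default need the field set before this version is rolled out, or they silently lose IDS coverage. The Data struct continues outside the hunk.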
@@ -76,6 +72,10 @@ spec: - networkid type: object type: array + enableIDS: + description: EnableIDS specifies if we need to enable IDS on the firewall + machine + type: boolean firewallNetworks: description: FirewallNetworks holds the networks known at the metal-api for this firewall machine diff --git a/controllers/firewall_controller.go b/controllers/firewall_controller.go index ebc5bb12..1a8e20e0 100644 --- a/controllers/firewall_controller.go +++ b/controllers/firewall_controller.go @@ -143,7 +143,7 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) { } log.Info("reconciling suricata config") - if err := r.Suricata.ReconcileSuricata(kb, !f.Spec.DisableSuricataIDS); err != nil { + if err := r.Suricata.ReconcileSuricata(kb, f.Spec.EnableIDS); err != nil { errors = multierror.Append(errors, err) } @@ -427,7 +427,7 @@ func (r *FirewallReconciler) updateStatus(ctx context.Context, f firewallv1.Fire f.Status.FirewallStats.DeviceStats = deviceStats idsStats := firewallv1.IDSStatsByDevice{} - if r.Suricata.EnableIDS { + if f.Spec.EnableIDS { ss, err := r.Suricata.InterfaceStats() if err != nil { return err diff --git a/go.mod b/go.mod index 5fb828a8..fd842965 100644 --- a/go.mod +++ b/go.mod @@ -16,7 +16,7 @@ require ( github.com/mdlayher/netlink v1.1.1 // indirect github.com/metal-stack/metal-go v0.14.0 github.com/metal-stack/metal-lib v0.7.2 - github.com/metal-stack/metal-networker v0.7.2 + github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a github.com/metal-stack/v v1.0.3 github.com/txn2/txeh v1.3.0 github.com/vishvananda/netlink v1.1.0 diff --git a/go.sum b/go.sum index 91e3cf1f..ea80963d 100644 --- a/go.sum +++ b/go.sum 
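Review bot: updateStatus now gates IDS stats on the desired state `f.Spec.EnableIDS` rather than on what suricata has actually applied, which the old `r.Suricata.EnableIDS` reflected (that field is only written after a successful restart in pkg/suricata, and ReconcileSuricata's error is appended to the multierror while reconciliation continues). If enabling IDS fails, updateStatus still calls InterfaceStats and returns its error, so the whole status update is lost on every reconcile until suricata recovers. Since the field became unexported, I would add an accessor in pkg/suricata, `func (s *Suricata) IDSEnabled() bool { return s.enableIDS }`, and use `if r.Suricata.IDSEnabled() {` here. Both Reconcile and updateStatus start and end outside the hunks.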
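Review bot: The metal-networker requirement moves from the tagged release v0.7.2 to the pseudo-version v0.7.1-0.20210708123945-d8907ab9938a, i.e. an untagged commit, and the go.sum hunks show inet.af/netaddr, golang.org/x/tools and dvyukov/go-fuzz moving to older versions as a consequence; none of this is mentioned in the commit message, whose subject is only the flag removal. Pinning a dependency to a bare commit ties the build to a ref that no release covers and that is harder to audit or to match against advisories. If the commit is required for this change, the message should say why, and the requirement should be re-pinned to a tagged release once one exists.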
@@ -151,7 +151,7 @@ github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= -github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= +github.com/dvyukov/go-fuzz v0.0.0-20201127111758-49e582c6c23d/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw= github.com/eapache/go-resiliency v1.1.0/go.mod h1:kFI+JgMyC7bLPUVY133qvEBtVayf5mFgVsvEsIPBvNs= github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= 
@@ -543,8 +543,8 @@ github.com/metal-stack/metal-go v0.14.0/go.mod h1:fk411K2KQ6sitmlG21YfbRfBzNaJGL github.com/metal-stack/metal-lib v0.6.9/go.mod h1:r8qhfX72eAzClR/pEaQvdwM//Otx9gegYoOphLPmmQ4= github.com/metal-stack/metal-lib v0.7.2 h1:vXuQnpoXJV4otCwLyB74MiiokaidAoAcNnivkG9/UTI= github.com/metal-stack/metal-lib v0.7.2/go.mod h1:eDBJ88yC8jUk+bAJXpF1Upw6j3lbbgv3UIF0D+llMec= -github.com/metal-stack/metal-networker v0.7.2 h1:jc2BXhCWXNaJtP4XvyW9rXeR5QUJ/CDTRIN9gaN5Gfo= -github.com/metal-stack/metal-networker v0.7.2/go.mod h1:eJkMkv0RmicEHFTk+QOPEHaaXnJCOdbYAe3gS4NTMNg= +github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a h1:vfnMxRFa+9gcdgCfUKIhdu5WfuXiwJ4oZi2XQRrV5rE= +github.com/metal-stack/metal-networker v0.7.1-0.20210708123945-d8907ab9938a/go.mod h1:IjlXMdBetE2i81VogBSSQKJFjwrskV6+6drPN/VPJqY= github.com/metal-stack/security v0.4.0/go.mod h1:C7kSrHwRcG+47375RJjhakN1LenbEJF9uQd4I50nZlY= github.com/metal-stack/security v0.5.1/go.mod h1:t7P93F6/iSDR729OS/3x5t69ewBCsHUYqRVaHb5nxjc= github.com/metal-stack/security v0.5.3/go.mod h1:t7P93F6/iSDR729OS/3x5t69ewBCsHUYqRVaHb5nxjc= @@ -983,7 +983,6 @@ golang.org/x/sys v0.0.0-20201009025420-dfb3f7c4e634/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201214210602-f9fddec55a1e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57 h1:F5Gozwx4I1xtr/sr/8CFbb57iKi3297KFs0QDbGN60A= golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= 
@@ -1062,9 +1061,8 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e h1:4nW4NLDYnU28ojHaHO8OVxFHk/aQ33U01a9cjED+pzE= golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1214,8 +1212,8 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.5 h1:nI5egYTGJakVyOryqLs1cQO5dO0ksin5XXs2pspk75k=
 honnef.co/go/tools v0.0.1-2020.1.5/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-inet.af/netaddr v0.0.0-20210707202901-70468d781e6c h1:ZNUX2CiFwNbN1VFaD4MQFmC8o5Rxc7BQW1P1K8kMpbE=
-inet.af/netaddr v0.0.0-20210707202901-70468d781e6c/go.mod h1:z0nx+Dh+7N7CC8V5ayHtHGpZpxLQZZxkIaaz6HN65Ls=
+inet.af/netaddr v0.0.0-20210403172118-1e1430f727e0 h1:ANl7piXB3SHmhwTNeTO0yl0yf4gO3/aaFjcBCdH9Ftg=
+inet.af/netaddr v0.0.0-20210403172118-1e1430f727e0/go.mod h1:I2i9ONCXRZDnG1+7O8fSuYzjcPxHQXrIfzD/IkR87x4=
 k8s.io/api v0.18.6/go.mod h1:eeyxr+cwCjMdLAmr2W3RyDI0VvTawSg/3RFFBEnmZGI=
 k8s.io/api v0.18.9 h1:7VDtivqwbvLOf8hmXSd/PDSSbpCBq49MELg84EYBYiQ=
 k8s.io/api v0.18.9/go.mod h1:9u/h6sUh6FxfErv7QqetX1EB3yBMIYOBXzdcf0Gf0rc=
diff --git a/main.go b/main.go
index 29dfa01c..3bda57a9 100644
--- a/main.go
+++ b/main.go
@@ -24,10 +24,13 @@ import (
 "os"
 "time"
- "github.com/metal-stack/firewall-controller/pkg/suricata"
- "github.com/metal-stack/metal-lib/pkg/sign"
 "github.com/metal-stack/v"
+
+ "github.com/metal-stack/firewall-controller/controllers"
+ "github.com/metal-stack/firewall-controller/controllers/crd"
+ "github.com/metal-stack/firewall-controller/pkg/suricata"
+
 apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 "k8s.io/apimachinery/pkg/runtime"
 clientgoscheme "k8s.io/client-go/kubernetes/scheme"
@@ -35,9 +38,6 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
- "github.com/metal-stack/firewall-controller/controllers"
- "github.com/metal-stack/firewall-controller/controllers/crd"
-
 firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
 // +kubebuilder:scaffold:imports
 )
@@ -63,18 +63,23 @@ func main() {
 var (
 metricsAddr string
 enableLeaderElection bool
- enableIDS bool
 enableSignatureCheck bool
 hostsFile string
 )
- flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
- flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
+
+ fs := flag.NewFlagSet("", flag.ContinueOnError)
+ fs.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
+ fs.BoolVar(&enableLeaderElection, "enable-leader-election", false,
 "Enable leader election for controller manager. "+
 "Enabling this will ensure there is only one active controller manager.")
- flag.BoolVar(&enableIDS, "enable-IDS", true, "Set this to false to exclude IDS.")
- flag.StringVar(&hostsFile, "hosts-file", "/etc/hosts", "The hosts file to manipulate for the droptailer.")
- flag.BoolVar(&enableSignatureCheck, "enable-signature-check", true, "Set this to false to ignore signature checking.")
- flag.Parse()
+ fs.StringVar(&hostsFile,
+ "hosts-file", "/etc/hosts", "The hosts file to manipulate for the droptailer.")
+ fs.BoolVar(&enableSignatureCheck,
+ "enable-signature-check", true, "Set this to false to ignore signature checking.")
+ if err := fs.Parse(os.Args[1:]); err != nil {
+ // Log error but continue program execution
+ setupLog.Error(err, "error parsing flags")
+ }
 ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
@@ -161,7 +166,7 @@ func main() {
 Client: mgr.GetClient(),
 Log: ctrl.Log.WithName("controllers").WithName("Firewall"),
 Scheme: mgr.GetScheme(),
- Suricata: suricata.New(enableIDS),
+ Suricata: suricata.New(),
 EnableSignatureCheck: enableSignatureCheck,
 CAPubKey: caPubKey,
 }).SetupWithManager(mgr); err != nil {
diff --git a/pkg/suricata/suricata.go b/pkg/suricata/suricata.go
index 5ba4d8c8..6bb95a5c 100644
--- a/pkg/suricata/suricata.go
+++ b/pkg/suricata/suricata.go
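Review bot: A flag-parsing failure no longer stops the process: the flag set is created with `flag.ContinueOnError` and the branch after `fs.Parse(os.Args[1:])` only logs, so an invocation that still passes the removed `-enable-IDS` flag (or any misspelt flag) keeps running with defaults for that flag and every flag after it, and `-h` is treated the same way as a typo. Parsing also happens before `ctrl.SetLogger(...)`, so whether setupLog emits the message at that point depends on how it is initialised outside this hunk. I would make the failure fatal and treat help specially: `if errors.Is(err, flag.ErrHelp) { os.Exit(0) }` followed by `setupLog.Error(err, "error parsing flags"); os.Exit(1)` (importing errors), or simply keep `flag.ExitOnError` and drop the branch. main() continues outside the hunk.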
@@ -20,7 +20,7 @@ const (
 type Suricata struct {
 socket string
- EnableIDS bool
+ enableIDS bool
 }
 type InterfaceStats map[string]InterFaceStat
@@ -31,10 +31,9 @@ type InterFaceStat struct {
 Pkts int
 }
-func New(enableIDS bool) *Suricata {
+func New() *Suricata {
 return &Suricata{
- socket: defaultSocket,
- EnableIDS: enableIDS,
+ socket: defaultSocket,
 }
 }
@@ -66,7 +65,7 @@ func (s *Suricata) InterfaceStats() (*InterfaceStats, error) {
 }
 func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) error {
- if enableIDS != s.EnableIDS {
+ if enableIDS != s.enableIDS {
 configurator := netconf.FirewallConfigurator{
 CommonConfigurator: netconf.CommonConfigurator{
 Kb: kb,
@@ -78,7 +77,7 @@ func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) e
 if err := s.restart(); err != nil {
 return fmt.Errorf("failed to restart suricata: %w", err)
 }
- s.EnableIDS = enableIDS
+ s.enableIDS = enableIDS
 }
 return nil
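Review bot: New() now leaves enableIDS at its zero value, so the first ReconcileSuricata call with enableIDS == false is a no-op even if suricata is currently configured and running on the host (for instance after a controller restart that previously enabled it), because the `if enableIDS != s.enableIDS` guard compares against in-memory state rather than applied state; the old constructor at least let the caller seed that state. The cheapest fix is to make the first reconcile unconditional: declare the field as `enableIDS *bool`, test `if s.enableIDS == nil || *s.enableIDS != enableIDS {`, and record `s.enableIDS = &enableIDS` after the restart succeeds. ReconcileSuricata continues past the last hunk, and the configurator setup between the third and fourth hunks is outside view.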