From d27c7cf405c0943b3ab1190b135bd96c84131056 Mon Sep 17 00:00:00 2001
From: Grigoriy Mikhalkin
Date: Tue, 29 Jun 2021 19:23:15 +0200
Subject: [PATCH] restart suricata service
---
 controllers/firewall_controller.go | 11 ++--
 main.go | 9 ++-
 pkg/network/suricata.go | 15 -----
 pkg/suricata/stats.go | 53 -----------------
 pkg/suricata/suricata.go | 94 ++++++++++++++++++++++++++++++
 5 files changed, 106 insertions(+), 76 deletions(-)
 delete mode 100644 pkg/network/suricata.go
 delete mode 100644 pkg/suricata/stats.go
 create mode 100644 pkg/suricata/suricata.go
diff --git a/controllers/firewall_controller.go b/controllers/firewall_controller.go
index 3a4d080a..5a33c8f2 100644
--- a/controllers/firewall_controller.go
+++ b/controllers/firewall_controller.go
@@ -57,7 +57,7 @@ type FirewallReconciler struct {
 recorder record.EventRecorder
 Log logr.Logger
 Scheme *runtime.Scheme
- EnableIDS bool
+ Suricata *suricata.Suricata
 EnableSignatureCheck bool
 CAPubKey *rsa.PublicKey
 }
@@ -143,7 +143,9 @@ func (r *FirewallReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 }
 
 log.Info("reconciling suricata config")
- network.ReconcileSuricata(kb, f.Spec.EnableSuricataIDS)
+ if err := r.Suricata.ReconcileSuricata(kb, f.Spec.EnableSuricataIDS); err != nil {
+ errors = multierror.Append(errors, err)
+ }
 
 log.Info("reconciling firewall services")
 if err = r.reconcileFirewallServices(ctx, f, log); err != nil {
@@ -424,9 +426,8 @@ func (r *FirewallReconciler) updateStatus(ctx context.Context, f firewallv1.Fire
 f.Status.FirewallStats.DeviceStats = deviceStats
 
 idsStats := firewallv1.IDSStatsByDevice{}
- if r.EnableIDS { // checks the CLI-flag
- s := suricata.New()
- ss, err := s.InterfaceStats()
+ if r.Suricata.EnableIDS {
+ ss, err := r.Suricata.InterfaceStats()
 if err != nil {
 return err
 }
diff --git a/main.go b/main.go
index 9d680f55..1d0362db 100644
--- a/main.go
+++ b/main.go
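Review bot: `Suricata *suricata.Suricata` replaces a bool whose zero value meant "IDS off", but the two dereferences this file gains — `r.Suricata.ReconcileSuricata(...)` in the `Reconcile` hunk and `r.Suricata.EnableIDS` in the `updateStatus` hunk — carry no nil check, so a `FirewallReconciler` constructed without the field (a test fixture, for example) now panics on reconcile instead of simply skipping IDS. Either guard the accesses, e.g. `if r.Suricata != nil && r.Suricata.EnableIDS {`, or state the requirement on the field: `// Suricata configures the host IDS and reports its interface stats; must be non-nil.` Both `Reconcile` and `updateStatus` extend beyond their hunks.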
@@ -24,8 +24,8 @@ import (
 "os"
 "time"
 
- "github.com/metal-stack/firewall-controller/controllers"
- "github.com/metal-stack/firewall-controller/controllers/crd"
+ "github.com/metal-stack/firewall-controller/pkg/suricata"
+ "github.com/metal-stack/metal-lib/pkg/sign"
 "github.com/metal-stack/v"
 apiextensions "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
 
@@ -35,6 +35,9 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"
 "sigs.k8s.io/controller-runtime/pkg/log/zap"
 
+ "github.com/metal-stack/firewall-controller/controllers"
+ "github.com/metal-stack/firewall-controller/controllers/crd"
+
 firewallv1 "github.com/metal-stack/firewall-controller/api/v1"
 // +kubebuilder:scaffold:imports
 )
@@ -158,7 +161,7 @@ func main() {
 Client: mgr.GetClient(),
 Log: ctrl.Log.WithName("controllers").WithName("Firewall"),
 Scheme: mgr.GetScheme(),
- EnableIDS: enableIDS,
+ Suricata: suricata.New(enableIDS),
 EnableSignatureCheck: enableSignatureCheck,
 CAPubKey: caPubKey,
 }).SetupWithManager(mgr); err != nil {
diff --git a/pkg/network/suricata.go b/pkg/network/suricata.go
deleted file mode 100644
index de839215..00000000
--- a/pkg/network/suricata.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package network
-
-import (
- "github.com/metal-stack/metal-networker/pkg/netconf"
-)
-
-func ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) {
- configurator := netconf.FirewallConfigurator{
- CommonConfigurator: netconf.CommonConfigurator{
- Kb: kb,
- },
- EnableIDS: enableIDS,
- }
- configurator.ConfigureSuricata()
-}
diff --git a/pkg/suricata/stats.go b/pkg/suricata/stats.go
deleted file mode 100644
index 63b47ff9..00000000
--- a/pkg/suricata/stats.go
+++ /dev/null
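Review bot: `Suricata: suricata.New(enableIDS)` changes what the `enableIDS` flag means: it is no longer the switch that `updateStatus` consulted on every pass but the process's assumed initial IDS state, which `ReconcileSuricata` compares against `f.Spec.EnableSuricataIDS` to decide whether to rewrite the config and restart the service. The flag's definition and help text sit outside this hunk and presumably still describe a switch; a one-line comment here would keep the next reader from taking it that way: `// enableIDS only seeds the assumed current IDS state; the Firewall spec drives changes from here on.` The surrounding `main` continues outside the hunk.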
@@ -1,53 +0,0 @@
-package suricata
-
-import (
- "context"
-
- "github.com/ks2211/go-suricata/client"
-)
-
-// defaultSocket to communicate with suricata
-const defaultSocket = "/run/suricata-command.socket"
-
-type Suricata struct {
- socket string
-}
-
-type InterfaceStats map[string]InterFaceStat
-
-type InterFaceStat struct {
- Drop int
- InvalidChecksums int
- Pkts int
-}
-
-func New() Suricata {
- return Suricata{socket: defaultSocket}
-}
-
-func (s *Suricata) InterfaceStats() (*InterfaceStats, error) {
- suricata, err := client.CreateSocket(s.socket)
- if err != nil {
- return nil, err
- }
- defer suricata.Close()
-
- ifaces, err := suricata.IFaceListCommand(context.Background())
- if err != nil {
- return nil, err
- }
- result := InterfaceStats{}
- for _, iface := range ifaces.Ifaces {
- stat, err := suricata.IFaceStatCommand(context.Background(), client.IFaceStatRequest{IFace: iface})
- if err != nil {
- return nil, err
- }
- result[iface] = InterFaceStat{
- Drop: stat.Drop,
- InvalidChecksums: stat.InvalidChecksums,
- Pkts: stat.Pkts,
- }
- }
-
- return &result, nil
-}
diff --git a/pkg/suricata/suricata.go b/pkg/suricata/suricata.go
new file mode 100644
index 00000000..5ba4d8c8
--- /dev/null
+++ b/pkg/suricata/suricata.go
@@ -0,0 +1,94 @@
+package suricata
+
+import (
+ "context"
+ "fmt"
+ "os/exec"
+
+ "github.com/metal-stack/metal-networker/pkg/netconf"
+
+ "github.com/ks2211/go-suricata/client"
+)
+
+const (
+ suricataService = "suricata.service"
+ systemctlBin = "/bin/systemctl"
+
+ // defaultSocket to communicate with suricata
+ defaultSocket = "/run/suricata-command.socket"
+)
+
+type Suricata struct {
+ socket string
+ EnableIDS bool
+}
+
+type InterfaceStats map[string]InterFaceStat
+
+type InterFaceStat struct {
+ Drop int
+ InvalidChecksums int
+ Pkts int
+}
+
+func New(enableIDS bool) *Suricata {
+ return &Suricata{
+ socket: defaultSocket,
+ EnableIDS: enableIDS,
+ }
+}
+
+func (s *Suricata) InterfaceStats() (*InterfaceStats, error) {
+ suricata, err := client.CreateSocket(s.socket)
+ if err != nil {
+ return nil, err
+ }
+ defer suricata.Close()
+
+ ifaces, err := suricata.IFaceListCommand(context.Background())
+ if err != nil {
+ return nil, err
+ }
+ result := InterfaceStats{}
+ for _, iface := range ifaces.Ifaces {
+ stat, err := suricata.IFaceStatCommand(context.Background(), client.IFaceStatRequest{IFace: iface})
+ if err != nil {
+ return nil, err
+ }
+ result[iface] = InterFaceStat{
+ Drop: stat.Drop,
+ InvalidChecksums: stat.InvalidChecksums,
+ Pkts: stat.Pkts,
+ }
+ }
+
+ return &result, nil
+}
+
+func (s *Suricata) ReconcileSuricata(kb netconf.KnowledgeBase, enableIDS bool) error {
+ if enableIDS != s.EnableIDS {
+ configurator := netconf.FirewallConfigurator{
+ CommonConfigurator: netconf.CommonConfigurator{
+ Kb: kb,
+ },
+ EnableIDS: enableIDS,
+ }
+ configurator.ConfigureSuricata()
+
+ if err := s.restart(); err != nil {
+ return fmt.Errorf("failed to restart suricata: %w", err)
+ }
+ s.EnableIDS = enableIDS
+ }
+
+ return nil
+}
+
+func (s *Suricata) restart() error {
+ c := exec.Command(systemctlBin, "restart", suricataService)
+ err := c.Run()
+ if err != nil {
+ return fmt.Errorf("could not reload suricata service, err: %w", err)
+ }
+ return nil
+}
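Review bot: `restart` runs `systemctl restart` with no deadline and discards the command's output, so a hung unit blocks the reconcile loop indefinitely and a failure reaches the log only as `exit status N` without systemctl's diagnostic text; the rewrite below uses `exec.CommandContext` with a bounded context and `CombinedOutput` (it needs a `time` import). Its error text also says "reload" while the command is a restart, and `ReconcileSuricata` wraps it again with "failed to restart suricata", so the chained message states the same thing twice — one layer of context is enough. Separately, the restart decision compares the spec against `s.EnableIDS`, a process-local bool seeded from the CLI flag rather than from the host's actual config or unit state; after a controller restart the two can diverge (IDS left enabled on the host while the flag defaults to off), and a spec of `false` is then never applied, so either derive the initial value from the host or document that assumption on the `EnableIDS` field. That field is also written here and read by `updateStatus` in the controller without synchronization, which holds only while reconciles for this controller run one at a time.
```go
func (s *Suricata) restart() error {
	// Bound the systemctl call so a hung unit cannot stall reconciliation;
	// 2m is a constructed placeholder, pick a bound that fits the host.
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()

	out, err := exec.CommandContext(ctx, systemctlBin, "restart", suricataService).CombinedOutput()
	if err != nil {
		return fmt.Errorf("restarting %s: %w: %s", suricataService, err, out)
	}
	return nil
}
```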