From 4d85cd7e4be45a130cedf50ea176bd369bcfd31e Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Thu, 13 Jan 2022 13:59:49 +0100
Subject: [PATCH] Fix some nftables issues
---
 .../templates/nftables.d/10-vars.conf.j2 | 19 ++++++++--
 .../templates/nftables.d/40-input.conf.j2 | 10 ++---
 .../templates/nftables.d/50-output.conf.j2 | 6 +--
 .../templates/nftables.d/60-forward.conf.j2 | 38 +++++++++----------
 .../templates/nftables.d/70-nat.conf.j2 | 26 ++++++-------
 5 files changed, 54 insertions(+), 45 deletions(-)
diff --git a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2 b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
index 3757bd4..d640463 100644
--- a/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/10-vars.conf.j2
@@ -59,10 +59,21 @@ define egress_internet_ipv4 = {
 $bastion_ipv4,
 }
+define aurore_ipv4 = {
+ 10.0.0.0/8,
+ 45.66.108.0/22,
+}
+
+define need_nat_ipv4 = {
+ 10.0.0.0/8,
+}
+
+define nat_public_ipv4 = 45.66.111.10
+
 # FIXME: bad ipv6 address
-define log_ipv6 = 2a09:6840:128::241/128
-define log_ipv4 = 10.128.0.241
+define log_infra_ipv6 = 2a09:6840:128::241/128
+define log_infra_ipv4 = 10.128.0.241
 # FIXME: bad ipv6 address
-define prom_infra_v6 = 2a09:6840:128::67/128
-define prom_infra_v4 = 10.128.0.67
+define prom_infra_ipv6 = 2a09:6840:128::67/128
+define prom_infra_ipv4 = 10.128.0.67
diff --git a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2 b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
index 3297c63..a7b8333 100644
--- a/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/40-input.conf.j2
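Review bot: The rename of `log_ipv6`/`log_ipv4` to `log_infra_ipv6`/`log_infra_ipv4` has no visible consumer update in this patch, whereas the `prom_infra_v6`/`_v4` rename is carried through in 60-forward.conf.j2; if any template still reads `$log_ipv4` or `$log_ipv6`, `nft -f` rejects the rendered ruleset with an undefined-symbol error and the host keeps whatever ruleset was loaded before. A `nft -c -f <rendered-file>` step in the role's validate phase would catch this class of rename before deployment. The two `# FIXME: bad ipv6 address` markers survive the rename unchanged, so the log and prometheus IPv6 defines are still flagged as wrong by the file itself; a short comment on `nat_public_ipv4` stating which upstream prefix it belongs to (it falls inside the `45.66.108.0/22` entry of `aurore_ipv4`) would help whoever reads the NAT rule later.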
@@ -4,17 +4,17 @@ table inet input {
 chain conntrack {
 ct state vmap {
- established: counter accept,
- related: counter accept,
- invalid: counter drop,
+ established: accept,
+ related: accept,
+ invalid: drop,
 }
 }
 chain input_from_server {
 jump conntrack
- ip6 saddr $prom_infra_ipv6 dport 9100 accept
- ip saddr $prom_infra_ipv4 dport 9100 accept
+ ip6 saddr $prom_infra_ipv6 tcp dport 9100 accept
+ ip saddr $prom_infra_ipv4 tcp dport 9100 accept
 }
 chain input_from_backbone {
diff --git a/roles/nftables_infra/templates/nftables.d/50-output.conf.j2 b/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
index 3cd9235..ee9840e 100644
--- a/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/50-output.conf.j2
@@ -4,9 +4,9 @@ table inet output {
 chain conntrack {
 ct state vmap {
- established: counter accept,
- related: counter accept,
- invalid: counter drop,
+ established: accept,
+ related: accept,
+ invalid: drop,
 }
 }
diff --git a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2 b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
index 9cb3e10..f15813b 100644
--- a/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/60-forward.conf.j2
@@ -4,9 +4,9 @@ table inet forward {
 chain conntrack {
 ct state vmap {
- established: counter accept,
- related: counter accept,
- invalid: counter drop,
+ established: accept,
+ related: accept,
+ invalid: drop,
 }
 }
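Review bot: The `invalid: drop` entry of the conntrack vmap loses its `counter`, which was the only visible metric on packets this chain rejects; the same edit is made in 50-output.conf.j2 and in the first hunk of 60-forward.conf.j2. A count of invalid-state drops is what you reach for when diagnosing asymmetric routing, a full conntrack table or out-of-state segments arriving from outside, and it costs one counter per table. I'd keep `invalid: counter drop,` in all three vmaps even if the accept entries stay uncounted. The `tcp dport 9100` change in `input_from_server` narrows the rule to TCP only, which is presumably what the exporter listens on — confirm against the service definition.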
@@ -27,11 +27,11 @@ table inet forward {
 udp dport 514 counter accept
 }
- ip6 saddr $prom_infra_v6 tcp dport 9100 counter accept
- ip saddr $prom_infra_v4 udp dport 161 counter accept
+ ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
+ ip saddr $prom_infra_ipv4 udp dport 161 counter accept
- ip6 saddr $bastion_ipv6 dport ssh accept
- ip saddr $bastion_ipv4 dport ssh accept
+ ip6 saddr $bastion_ipv6 tcp dport ssh accept
+ ip saddr $bastion_ipv4 tcp dport ssh accept
 }
 chain forward_to_backbone {
@@ -40,21 +40,21 @@ table inet forward {
 chain forward_to_ups {
 jump conntrack
- ip6 saddr $prom_infra_v6 udp dport 161 counter accept
- ip saddr $prom_infra_v4 udp dport 161 counter accept
+ ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
+ ip saddr $prom_infra_ipv4 udp dport 161 counter accept
- ip6 saddr $bastion_ipv6 dport ssh accept
- ip saddr $bastion_ipv4 dport ssh accept
+ ip6 saddr $bastion_ipv6 tcp dport ssh accept
+ ip saddr $bastion_ipv4 tcp dport ssh accept
 }
 chain forward_to_bmc {
 jump conntrack
- ip6 saddr $prom_infra_v6 udp dport 161 counter accept
- ip saddr $prom_infra_v4 udp dport 161 counter accept
+ ip6 saddr $prom_infra_ipv6 udp dport 161 counter accept
+ ip saddr $prom_infra_ipv4 udp dport 161 counter accept
- ip6 saddr $bastion_ipv6 dport ssh accept
- ip saddr $bastion_ipv4 dport ssh accept
+ ip6 saddr $bastion_ipv6 tcp dport ssh accept
+ ip saddr $bastion_ipv4 tcp dport ssh accept
 }
 chain forward_to_pve {
@@ -63,8 +63,8 @@ table inet forward {
 ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
- ip6 saddr $bastion_ipv6 dport ssh accept
- ip saddr $bastion_ipv4 dport ssh accept
+ ip6 saddr $bastion_ipv6 tcp dport ssh accept
+ ip saddr $bastion_ipv4 tcp dport ssh accept
 }
 chain forward_to_router {
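Review bot: The bastion ssh accepts are the only rules in these chains without `counter` — the prometheus rules next to them carry one — and ssh from the bastion into ups/bmc/pve/router is the privileged path whose hit counts you most want when reviewing access; the same pair of lines recurs in the -40, -63 and -73 hunks of this file. It is a one-token change per line: `ip6 saddr $bastion_ipv6 tcp dport ssh counter accept` and `ip saddr $bastion_ipv4 tcp dport ssh counter accept`. The `udp dport 514 counter accept` context line at the top of the hunk belongs to a chain that starts outside the hunk, so I cannot tell from here whether its source or destination is restricted to the log host; worth a glance since the defines for that address were just renamed in 10-vars.conf.j2.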
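Review bot: `forward_to_ups` and `forward_to_bmc` have byte-identical bodies, which is why the `prom_infra_v6`/`_v4` rename had to be applied four times in this hunk alone. A single shared chain that both dispatch sites `jump` to (for example `chain forward_to_mgmt { jump conntrack ... }`, name constructed) keeps the rule set in one place so a later change — adding `counter` to the ssh rules, tightening the SNMP source — cannot drift between the UPS and BMC paths. How ups and bmc traffic is dispatched to these chains is not visible in the hunk, so treat this as a structure suggestion rather than a defect.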
@@ -73,8 +73,8 @@ table inet forward {
 ip6 saddr $prom_infra_ipv6 tcp dport 9100 counter accept
 ip saddr $prom_infra_ipv4 tcp dport 9100 counter accept
- ip6 saddr $bastion_ipv6 dport ssh accept
- ip saddr $bastion_ipv4 dport ssh accept
+ ip6 saddr $bastion_ipv6 tcp dport ssh accept
+ ip saddr $bastion_ipv4 tcp dport ssh accept
 }
 chain forward_to_internet {
diff --git a/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2 b/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
index 5ef48fe..dd6fa6a 100644
--- a/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
+++ b/roles/nftables_infra/templates/nftables.d/70-nat.conf.j2
@@ -2,20 +2,18 @@ table ip nat {
- # chain prerouting {
- # type nat hook prerouting dstnat
- # polict accept
- # }
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
- # chain postrouting {
- # type nat hook postrouting priority srcnat
- # policy accept
- #
- # iif lo return
- #
- # meta pkttype unicast \
- # ip saddr $nat_v4 ip daddr != $saclay_v4 \
- # snat $snat_any_v4 persistent
- # }
+ iif lo return
+
+ # Is there any other way to do that?
+ meta pkttype { multicast, broadcast } return
+ ip daddr 224.0.0.0/24 return
+
+ ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \
+ snat $nat_public_ipv4 persistent
+ }
 }
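Review bot: The snat rule is keyed on source and destination address only, with no egress interface, so a packet from `$need_nat_ipv4` leaving through any interface toward an address outside `$aurore_ipv4` — other RFC 1918 space, a peer's prefix, anything misrouted — is rewritten to `$nat_public_ipv4`, which destroys source attribution in the receiver's logs and hides which internal host originated the flow. Anchoring the rule on the upstream interface limits the rewrite to the path it is meant for: `oifname <UPSTREAM_IFNAME> ip saddr $need_nat_ipv4 ip daddr != $aurore_ipv4 \` followed by `snat $nat_public_ipv4 persistent` (the interface name is a placeholder; it is not in the patch). On the question in the comment: `meta pkttype` reflects the link-layer packet type recorded on receive, so locally generated multicast is unlikely to match it and the address test is the robust one, but `224.0.0.0/24` covers only link-local groups — `ip daddr 224.0.0.0/4 return` exempts all multicast. `iif lo return` on a postrouting hook, as I read it, only matches packets that arrived on lo rather than locally generated ones; harmless, but a one-line comment saying what it is meant to exclude would stop the next reader from assuming it covers local traffic.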