machine configuration to manage firewall #4421
Closed
I will be very happy to implement this feature 😀
smira added a commit to smira/talos that referenced this issue on Nov 17, 2023:
Implement initial set of backend controllers/resources to handle nftables chains/rules etc. Replace the KubeSpan nftables operations with controller-based. See siderolabs#4421
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
talos-bot pushed a commit that referenced this issue on Nov 27, 2023:
Implement initial set of backend controllers/resources to handle nftables chains/rules etc. Replace the KubeSpan nftables operations with controller-based. See #4421
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue on Nov 28, 2023:
Fixes siderolabs#4421
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue on Nov 29, 2023:
Many changes to the nftables backend which will be used in the follow-up PR with siderolabs#4421.
1. Add support for chain policy: drop/accept.
2. Properly handle match on all IPs in the set (`0.0.0.0/0` like).
3. Implement conntrack state matching.
4. Implement multiple ifname matching in a single rule.
5. Implement anonymous counters.
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue on Nov 29, 2023:
Fixes siderolabs#4421
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
smira added a commit to smira/talos that referenced this issue on Nov 30, 2023:
Fixes siderolabs#4421
See documentation for details on how to use the feature. With `talosctl cluster create`, the firewall can be easily tested with `--with-firewall=accept|block` (default mode).
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
See https://github.com/sbezverk/nftableslib
First goal: define a minimal but usable rule configuration we could put into the machine configuration. The format should be extensible in the future if we want to expand later.
`ingress:` section
`NetworkDefaultAction` is applied