incusd/firewall: Add basic rules on nftables

This aligns the behavior with OVN where the most basic connectivity for
the purpose of obtaining IP addresses and DNS should be allowed.

Closes #1919

Signed-off-by: Stéphane Graber <[email protected]>

Author: stgraber

internal/server/device/nic_bridged.go

@@ -1182,11 +1182,50 @@ func (d *nicBridged) setFilters() (err error) {
 	defer revert.Fail()
 	revert.Add(func() { d.removeFilters(config) })
 
-	IPv4Nets, IPv6Nets, err := allowedIPNets(config)
+	ipv4Nets, ipv6Nets, err := allowedIPNets(config)
 	if err != nil {
 		return err
 	}
 
+	var ipv4DNS []string
+	var ipv6DNS []string
+
+	if d.network != nil {
+		netConfig := d.network.Config()
+
+		ipv4DNS = []string{}
+		ipv6DNS = []string{}
+
+		// Pull directly configured DNS name servers (if any).
+		nsList := util.SplitNTrimSpace(netConfig["dns.nameservers"], ",", -1, false)
+		for _, ns := range nsList {
+			if ns == "" {
+				continue
+			}
+
+			nsIP := net.ParseIP(ns)
+			if nsIP == nil {
+				return fmt.Errorf("Invalid DNS nameserver")
+			}
+
+			if nsIP.To4() == nil {
+				ipv4DNS = append(ipv4DNS, ns)
+			} else {
+				ipv6DNS = append(ipv6DNS, ns)
+			}
+		}
+
+		// Add IPv4 router.
+		if netConfig["ipv4.address"] != "" && netConfig["ipv4.address"] != "none" {
+			ipv4DNS = append(ipv4DNS, strings.Split(netConfig["ipv4.address"], "/")[0])
+		}
+
+		// Add IPv6 router.
+		if netConfig["ipv6.address"] != "" && netConfig["ipv6.address"] != "none" {
+			ipv6DNS = append(ipv6DNS, strings.Split(netConfig["ipv6.address"], "/")[0])
+		}
+	}
+
 	var aclRules []firewallDrivers.ACLRule
 	var aclNames []string
 	if config["security.acls"] != "" {
@@ -1202,10 +1241,9 @@ func (d *nicBridged) setFilters() (err error) {
 		if err != nil {
 			return err
 		}
-
 	}
 
-	err = d.state.Firewall.InstanceSetupBridgeFilter(d.inst.Project().Name, d.inst.Name(), d.name, d.config["parent"], d.config["host_name"], d.config["hwaddr"], IPv4Nets, IPv6Nets, d.network != nil, util.IsTrue(config["security.mac_filtering"]), aclRules)
+	err = d.state.Firewall.InstanceSetupBridgeFilter(d.inst.Project().Name, d.inst.Name(), d.name, d.config["parent"], d.config["host_name"], d.config["hwaddr"], ipv4Nets, ipv6Nets, ipv4DNS, ipv6DNS, d.network != nil, util.IsTrue(config["security.mac_filtering"]), aclRules)
 	if err != nil {
 		return err
 	}

internal/server/firewall/drivers/drivers_nftables.go

@@ -401,7 +401,7 @@ func (d Nftables) instanceDeviceLabel(projectName, instanceName, deviceName stri
 }
 
 // InstanceSetupBridgeFilter sets up the filter rules to apply bridged device IP filtering.
-func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool, macFiltering bool, aclRules []ACLRule) error {
+func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, IPv4DNS []string, IPv6DNS []string, parentManaged bool, macFiltering bool, aclRules []ACLRule) error {
 	deviceLabel := d.instanceDeviceLabel(projectName, instanceName, deviceName)
 
 	mac, err := net.ParseMAC(hwAddr)
@@ -480,6 +480,10 @@ func (d Nftables) InstanceSetupBridgeFilter(projectName string, instanceName str
 	tplFields["aclOutAcceptRules"] = nftRules.outAcceptRules
 	tplFields["aclOutDefaultRule"] = nftRules.defaultOutRule
 
+	// Required for basic connectivity
+	tplFields["dnsIPv4"] = IPv4DNS
+	tplFields["dnsIPv6"] = IPv6DNS
+
 	err = d.applyNftConfig(nftablesInstanceBridgeFilter, tplFields)
 	if err != nil {
 		return fmt.Errorf("Failed adding bridge filter rules for instance device %q (%s): %w", deviceLabel, tplFields["family"], err)

internal/server/firewall/drivers/drivers_nftables_templates.go

@@ -190,6 +190,24 @@ chain in{{.chainSeparator}}{{.deviceLabel}} {
 	{{ if or .aclInDropRules .aclInRejectRules .aclInAcceptRules .aclOutDropRules .aclOutAcceptRules .aclInDefaultRule }}
 	ct state established,related accept
 
+	{{ if .dnsIPv4 }}
+	{{ range .dnsIPv4 }}
+	iifname "{{$.hostName}}" ip daddr "{{.}}" tcp dport 53 accept
+	iifname "{{$.hostName}}" ip daddr "{{.}}" udp dport 53 accept
+	{{ end }}
+	{{ end }}
+
+	{{ if .dnsIPv6 }}
+	{{ range .dnsIPv6 }}
+	iifname "{{$.hostName}}" ip6 daddr "{{.}}" tcp dport 53 accept
+	iifname "{{$.hostName}}" ip6 daddr "{{.}}" udp dport 53 accept
+	{{ end }}
+	{{ end }}
+
+	iifname "{{.hostName}}" ether type ip ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp dport 67 accept
+	iifname "{{.hostName}}" ether type ip6 ip6 saddr fe80::/10 ip6 daddr ff02::1:2 udp dport 547 accept
+	iifname "{{.hostName}}" ether type ip6 ip6 saddr fe80::/10 ip6 daddr ff02::2 icmpv6 type 133 accept
+
 	iifname "{{.hostName}}" ether type arp accept
 	iifname "{{.hostName}}" ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
 	{{ end }}
@@ -323,6 +341,10 @@ chain out{{.chainSeparator}}{{.deviceLabel}} {
 	oifname "{{.hostName}}" ether type arp accept
 	oifname "{{.hostName}}" ip6 nexthdr ipv6-icmp icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept
 
+	oifname "{{.hostName}}" udp sport 67 udp dport 68 accept
+	oifname "{{.hostName}}" ip6 saddr fe80::/10 udp sport 547 accept
+	oifname "{{.hostName}}" ip6 saddr fe80::/10 icmpv6 type {1, 2, 3, 4, 128, 134, 135, 136, 143} accept
+
 	# Network ACLs
 	{{ range .aclOutDropRules}}
 	{{.}}

internal/server/firewall/drivers/drivers_xtables.go

@@ -811,7 +811,7 @@ func (d Xtables) instanceDeviceIPTablesComment(projectName string, instanceName
 // If the parent bridge is managed by Incus then parentManaged argument should be true so that the rules added can
 // use the iptablesChainACLFilterPrefix chain. If not they are added to the main filter chains directly (which only
 // works for unmanaged bridges because those don't support ACLs).
-func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool, macFiltering bool, aclRules []ACLRule) error {
+func (d Xtables) InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, IPv4DNS []string, IPv6DNS []string, parentManaged bool, macFiltering bool, aclRules []ACLRule) error {
 	if len(aclRules) > 0 {
 		return fmt.Errorf("ACL rules not supported for xtables bridge filtering")
 	}

internal/server/firewall/firewall_interface.go

@@ -27,7 +27,7 @@ type Firewall interface {
 	NetworkApplyAddressSets(sets []drivers.AddressSet, nftTable string) error
 	NetworkDeleteAddressSetsIfUnused(nftTable string) error
 
-	InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, parentManaged bool, macFiltering bool, aclRules []drivers.ACLRule) error
+	InstanceSetupBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet, IPv4DNS []string, IPv6DNS []string, parentManaged bool, macFiltering bool, aclRules []drivers.ACLRule) error
 	InstanceClearBridgeFilter(projectName string, instanceName string, deviceName string, parentName string, hostName string, hwAddr string, IPv4Nets []*net.IPNet, IPv6Nets []*net.IPNet) error
 
 	InstanceSetupProxyNAT(projectName string, instanceName string, deviceName string, forward *drivers.AddressForward) error