redirect-ports: migrate to using NFTables

https://github.com/status-im/infra-misc/issues/301 Signed-off-by: Jakub Sokołowski <jakub@status.im>
2024-09-18 17:59:20 +02:00 · 2024-09-18 17:59:20 +02:00 · d44e790c0e
parent 7f3f50d381
commit d44e790c0e
5 changed files with 32 additions and 29 deletions
--- a/ansible/group_vars/nimbus.sepolia.yml
+++ b/ansible/group_vars/nimbus.sepolia.yml
@ -116,7 +116,7 @@ bootstrap__firewall_nftables: true
 # Open Ports
 open_ports_list:
    nginx:
-      - { port: ['80','443'],  comment: 'Nginx' }
+      - { port: 443,           comment: 'Nginx' }
    smart-metrics:
      - { port: '{{ smart_metrics_listen_port }}', comment: 'SMART Metrics', ipset: 'metrics.hq',    iifname: 'wg0' }
    geth-node:
--- a/ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml
+++ b/ansible/host_vars/linux-01.ih-eu-mda1.nimbus.sepolia.yml
@ -13,9 +13,10 @@ test_api_beacon_node_branch: |-

 # WARNING: This will change if number of nodes changes.
 redirect_ports:
-  - src: 80
+  public-beacon-api:
+    src: 80
    dst: '{{ test_api_beacon_node_rest_port }}'
-    comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-{{ test_api_beacon_node_rest_index }})'
+    comment: 'Public Beacon API ({{ test_api_beacon_node_branch }}-0{{ test_api_beacon_node_rest_index|int - 1 }})'

 # Era files hosting
 era_files_domain: 'sepolia.era.nimbus.team'
--- a/ansible/roles/redirect-ports/defaults/main.yml
+++ b/ansible/roles/redirect-ports/defaults/main.yml
@ -1,3 +1,4 @@
 ---
+redirect_interface: '{{ ansible_default_ipv4.interface }}'
 redirect_ports: []
 #  - { src: 80, dst: 8080 }
--- a/ansible/roles/redirect-ports/handlers/main.yml
+++ b/ansible/roles/redirect-ports/handlers/main.yml
@ -1,3 +1,5 @@
 ---
- name: Save iptables rules
-  shell: iptables-save > /etc/iptables/rules.v4
+- name: Reload nftables
+  service:
+    name:  'nftables'
+    state: 'reloaded'
--- a/ansible/roles/redirect-ports/tasks/main.yml
+++ b/ansible/roles/redirect-ports/tasks/main.yml
@ -1,28 +1,27 @@
 ---
- name: 'Enable redirected {{ item.dst }} port'
-  iptables:
-    comment: '{{ item.comment | default("Open {{ item.dst }}") }}'
-    chain: 'SERVICES'
-    jump: 'ACCEPT'
-    source: '0.0.0.0/0'
-    protocol: '{{ item.protocol | default("tcp") }}'
-    destination_port: '{{ item.dst | string | mandatory }}'
-  with_items: '{{ redirect_ports }}'
+- name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'
+  copy:
+    dest: '/etc/nft.conf.d/services/{{ rule.key }}.nft'
+    content: |
+      #!/usr/sbin/nft -f
+      # Managed with Ansible: redirect-ports
+      tcp dport { {{ rule.value.src | mandatory }}, {{ rule.value.dst | mandatory }} } accept comment "{{ rule.value.comment }}"
+  with_dict: '{{ redirect_ports | mandatory }}'
+  loop_control:
+    loop_var: 'rule'
+    label: '{{ rule.key }}'
  notify:
-    - Save iptables rules
+    - Reload nftables

- name: 'Redirect {{ item.src }} to {{ item.dst }}'
-  iptables:
-    comment: '{{ item.comment | default("Redirect {{ item.src }} to {{ item.dst }}") }}'
-    table: 'nat'
-    chain: 'PREROUTING'
-    jump: 'REDIRECT'
-    action: insert
-    protocol: '{{ item.protocol | default("tcp") }}'
-    match: '{{ item.protocol | default("tcp") }}'
-    destination_port: '{{ item.src | string | mandatory }}'
-    to_ports: '{{ item.dst | string | mandatory }}'
-    in_interface: '{{ ansible_default_ipv4.interface }}'
-  with_items: '{{ redirect_ports }}'
+- name: 'Redirect {{ rule.value.src }} to {{ rule.value.dst }}'
+  copy:
+    dest: '/etc/nft.conf.d/prerouting/{{ rule.key }}.nft'
+    content: |
+      #!/usr/sbin/nft -f
+      iifname {{ redirect_interface }} tcp dport {{ rule.value.src | mandatory }} redirect to {{ rule.value.dst | mandatory }} comment "{{ rule.value.comment }}"
+  with_dict: '{{ redirect_ports | mandatory }}'
+  loop_control:
+    loop_var: 'rule'
+    label: '{{ rule.key }}'
  notify:
-    - Save iptables rules
+    - Reload nftables