firewall

package
v2.817.0
Published: Feb 26, 2026 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package firewall provides nftables-based firewall management for the BOSH agent.

The firewall protects access to:

  • Monit (port 2822 on localhost): used by the agent to manage job processes
  • NATS (the director's message bus): used for agent-director communication

Security Model: The firewall uses UID-based matching (meta skuid 0) to allow only root processes to access these services. This blocks non-root BOSH job workloads (vcap user) while allowing the agent and operators to access monit/NATS.

This approach is simpler and more reliable than cgroup-based matching, which fails in nested container environments due to cgroup filesystem bind-mount issues.

enable-monit-access is a bosh-agent command that BOSH jobs use to add monit firewall rules to the nftables-based firewall implemented in the bosh-agent.

Usage:

bosh-agent enable-monit-access # Add firewall rule (cgroup preferred, UID fallback)

This binary serves as a replacement for the complex bash firewall setup logic that was previously in job service scripts.

Index

Constants

const (
	TableName            = "bosh_agent"
	MonitChainName       = "monit_access"
	MonitJobsChainName   = "monit_access_jobs"
	NATSChainName        = "nats_access"
	MonitPort            = 2822
	MonitAccessLogPrefix = "bosh-monit-access: "
)

Variables

var (
	ErrMonitJobsChainNotFound = fmt.Errorf("%s chain not found", MonitJobsChainName)
	ErrBoshTableNotFound      = fmt.Errorf("%s table not found", TableName)
)

Functions

func EnableMonitAccess

func EnableMonitAccess(logger boshlog.Logger, command string)

Types

type DNSResolver

type DNSResolver interface {
	LookupIP(host string) ([]net.IP, error)
}

DNSResolver abstracts DNS resolution for testing

type Manager

type Manager interface {
	// SetupMonitFirewall creates firewall rules to protect monit (port 2822).
	// Only root (UID 0) is allowed to connect.
	SetupMonitFirewall() error

	// EnableMonitAccess enables monit access by adding firewall rules.
	// It first tries to use cgroup-based matching, then falls back to UID-based matching.
	EnableMonitAccess() error

	// SetupNATSFirewall creates firewall rules to protect NATS.
	// Only root (UID 0) is allowed to connect to the resolved NATS address.
	// This method resolves DNS and should be called before each connection attempt.
	SetupNATSFirewall(mbusURL string) error

	// Cleanup closes the nftables connection.
	Cleanup() error
}

Manager handles firewall setup

func NewNftablesFirewall

func NewNftablesFirewall(logger boshlog.Logger) (Manager, error)

NewNftablesFirewall creates a new nftables-based firewall manager

func NewNftablesFirewallWithDeps

func NewNftablesFirewallWithDeps(conn NftablesConn, resolver DNSResolver, logger boshlog.Logger) Manager

NewNftablesFirewallWithDeps creates a firewall manager with injected dependencies (for testing)

type NatsFirewallHook

type NatsFirewallHook interface {
	// BeforeConnect is called before each NATS connection/reconnection attempt.
	// It resolves the NATS URL and updates firewall rules with the resolved IP.
	BeforeConnect(mbusURL string) error
}

NatsFirewallHook is called by the NATS handler before connection/reconnection. This allows DNS to be re-resolved, supporting HA failover scenarios.

type NftablesConn

type NftablesConn interface {
	AddTable(t *nftables.Table) *nftables.Table
	AddChain(c *nftables.Chain) *nftables.Chain
	AddRule(r *nftables.Rule) *nftables.Rule
	DelRule(r *nftables.Rule) error
	GetRules(t *nftables.Table, c *nftables.Chain) ([]*nftables.Rule, error)
	ListTables() ([]*nftables.Table, error)
	ListChains() ([]*nftables.Chain, error)
	FlushChain(c *nftables.Chain)
	Flush() error
	CloseLasting() error
}

NftablesConn abstracts the nftables connection for testing

type NftablesFirewall

type NftablesFirewall struct {
	// contains filtered or unexported fields
}

NftablesFirewall implements Manager and NatsFirewallHook using nftables with UID-based matching

func (*NftablesFirewall) BeforeConnect

func (f *NftablesFirewall) BeforeConnect(mbusURL string) error

BeforeConnect implements NatsFirewallHook. Called before each NATS connection attempt.

func (*NftablesFirewall) Cleanup

func (f *NftablesFirewall) Cleanup() error

func (*NftablesFirewall) EnableMonitAccess

func (f *NftablesFirewall) EnableMonitAccess() error

func (*NftablesFirewall) SetupMonitFirewall

func (f *NftablesFirewall) SetupMonitFirewall() error

SetupMonitFirewall creates firewall rules to protect monit (port 2822). Only root (UID 0) is allowed to connect by default. Jobs can add their own access rules to the monit_access_jobs chain.

Architecture:

  • monit_access_jobs: Regular chain for job-managed rules (never flushed by agent)
  • monit_access: Base chain with hook that jumps to jobs chain, then applies agent rules

This allows job rules to persist across agent restarts while ensuring agent rules are always up-to-date.
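The chain layout described above, together with the UID-based security model from the overview, written out as an nftables ruleset. This is an added reconstruction for illustration, not the rules the agent itself generates; it assumes the base chains sit on the output hook, because meta skuid can only read the owning socket of locally generated packets, and 192.0.2.10:4222 is a constructed stand-in for the resolved NATS address.

```nft
# Added reconstruction of the documented chain layout (not the agent's own output).
table inet bosh_agent {

    # Regular chain owned by BOSH jobs. The agent creates it only if it is
    # missing and never flushes it, so job rules survive agent restarts.
    chain monit_access_jobs {
        # A job-added rule (UID fallback) would live here, for example:
        #   meta skuid 1000 accept
        # (constructed; 1000 stands in for a job's user id)
    }

    # Base chain owned by the agent; flushed and rebuilt on every setup so the
    # agent's rules are always current. Assumption: output hook, because
    # meta skuid is only populated for locally generated packets.
    chain monit_access {
        type filter hook output priority 0; policy accept;

        # Only traffic to monit on loopback is examined.
        # 1. consult the job-managed rules first
        oif "lo" tcp dport 2822 jump monit_access_jobs
        # 2. root (the agent and operators) is always allowed
        oif "lo" tcp dport 2822 meta skuid 0 accept
        # 3. everything else (e.g. the vcap user) is logged and dropped
        oif "lo" tcp dport 2822 log prefix "bosh-monit-access: " drop
    }

    # Base chain for NATS; rewritten with the freshly resolved director
    # address before each connection attempt. 192.0.2.10 and 4222 are
    # constructed placeholders for the resolved mbus host and port.
    chain nats_access {
        type filter hook output priority 0; policy accept;

        ip daddr 192.0.2.10 tcp dport 4222 meta skuid 0 accept
        ip daddr 192.0.2.10 tcp dport 4222 drop
    }
}
```

The unconditional drop at the end of each chain matters: a packet with no owning socket makes the meta skuid expression fail to match rather than match as non-root, so a rule of the form "skuid != 0 drop" alone would let such packets through.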

func (*NftablesFirewall) SetupNATSFirewall

func (f *NftablesFirewall) SetupNATSFirewall(mbusURL string) error

SetupNATSFirewall creates firewall rules to protect NATS. This resolves DNS and should be called before each connection attempt.

