firewall

package
v2.820.0
Published: Mar 2, 2026 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Overview

Package firewall provides nftables-based firewall management for the BOSH agent.

The firewall protects access to:

  • Monit (port 2822 on localhost): Used by the agent to manage job processes
  • NATS (director's message bus): Used for agent-director communication

Security Model: The firewall uses UID-based matching (meta skuid 0) to allow only root processes to access these services. This blocks non-root BOSH job workloads (vcap user) while allowing the agent and operators to access monit/NATS.

This approach is simpler and more reliable than cgroup-based matching, which fails in nested container environments due to cgroup filesystem bind-mount issues.

enable-monit-access is a bosh-agent command that BOSH jobs use to add monit firewall rules to the new nftables-based firewall implemented in the bosh-agent.

Usage:

bosh-agent enable-monit-access # Add firewall rule (cgroup preferred, UID fallback)

This binary serves as a replacement for the complex bash firewall setup logic that was previously in job service scripts.

Index

Constants

const (
	TableName            = "bosh_agent"
	MonitChainName       = "monit_access"
	MonitJobsChainName   = "monit_access_jobs"
	NATSChainName        = "nats_access"
	MonitPort            = 2822
	MonitAccessLogPrefix = "bosh-monit-access: "
)

Variables

var (
	ErrMonitJobsChainNotFound = fmt.Errorf("%s chain not found", MonitJobsChainName)
	ErrBoshTableNotFound      = fmt.Errorf("%s table not found", TableName)
)

Functions

func EnableMonitAccess

func EnableMonitAccess(logger boshlog.Logger, command string)

Types

type DNSResolver

type DNSResolver interface {
	LookupIP(host string) ([]net.IP, error)
}

DNSResolver abstracts DNS resolution for testing

type Manager

type Manager interface {
	// SetupMonitFirewall creates firewall rules to protect monit (port 2822).
	// Only root (UID 0) is allowed to connect.
	SetupMonitFirewall() error

	// EnableMonitAccess enables monit access by adding firewall rules.
	// It first tries to use cgroup-based matching, then falls back to UID-based matching.
	EnableMonitAccess() error

	// SetupNATSFirewall creates firewall rules to protect NATS.
	// Only root (UID 0) is allowed to connect to the resolved NATS address.
	// This method resolves DNS and should be called before each connection attempt.
	SetupNATSFirewall(mbusURL string) error

	// Cleanup closes the nftables connection.
	Cleanup() error
}

Manager handles firewall setup

func NewNftablesFirewall

func NewNftablesFirewall(logger boshlog.Logger) (Manager, error)

NewNftablesFirewall creates a new nftables-based firewall manager

func NewNftablesFirewallWithDeps

func NewNftablesFirewallWithDeps(conn NftablesConn, resolver DNSResolver, userLookup UserLookup, logger boshlog.Logger) Manager

NewNftablesFirewallWithDeps creates a firewall manager with injected dependencies (for testing)

type NatsFirewallHook

type NatsFirewallHook interface {
	// BeforeConnect is called before each NATS connection/reconnection attempt.
	// It resolves the NATS URL and updates firewall rules with the resolved IP.
	BeforeConnect(mbusURL string) error
}

NatsFirewallHook is called by the NATS handler before connection/reconnection. This allows DNS to be re-resolved, supporting HA failover scenarios.

type NftablesConn

type NftablesConn interface {
	AddTable(t *nftables.Table) *nftables.Table
	AddChain(c *nftables.Chain) *nftables.Chain
	AddRule(r *nftables.Rule) *nftables.Rule
	DelRule(r *nftables.Rule) error
	GetRules(t *nftables.Table, c *nftables.Chain) ([]*nftables.Rule, error)
	ListTables() ([]*nftables.Table, error)
	ListChains() ([]*nftables.Chain, error)
	FlushChain(c *nftables.Chain)
	Flush() error
	CloseLasting() error
}

NftablesConn abstracts the nftables connection for testing

type NftablesFirewall

type NftablesFirewall struct {
	// contains filtered or unexported fields
}

NftablesFirewall implements Manager and NatsFirewallHook using nftables with UID-based matching

func (*NftablesFirewall) BeforeConnect

func (f *NftablesFirewall) BeforeConnect(mbusURL string) error

BeforeConnect implements NatsFirewallHook. Called before each NATS connection attempt.

func (*NftablesFirewall) Cleanup

func (f *NftablesFirewall) Cleanup() error

func (*NftablesFirewall) EnableMonitAccess

func (f *NftablesFirewall) EnableMonitAccess() error

func (*NftablesFirewall) SetupMonitFirewall

func (f *NftablesFirewall) SetupMonitFirewall() error

SetupMonitFirewall creates firewall rules to protect monit (port 2822). Only root (UID 0) is allowed to connect by default. Jobs can add their own access rules to the monit_access_jobs chain.

Architecture:

  • monit_access_jobs: Regular chain for job-managed rules (never flushed by agent)
  • monit_access: Base chain with hook that jumps to jobs chain, then applies agent rules

This allows job rules to persist across agent restarts while ensuring agent rules are always up-to-date.
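The chain layout described above, written out as an nft ruleset so the jump order and the UID match are visible in one place. This is an added illustration, not the agent's generated rules: the table, chain names, port, `meta skuid 0` match and log prefix come from this page; the inet family, the output hook and priority, and the angle-bracket placeholders for job UID and NATS address are assumptions.

```nft
# Constructed illustration of the bosh_agent table; not the agent's own output.
# Assumption: family inet, hook output, priority filter. skuid is the UID of the
# socket that sent the packet, so the match is evaluated on locally originated traffic.
table inet bosh_agent {
    # Regular chain owned by jobs. The agent never flushes it, so rules added via
    # `bosh-agent enable-monit-access` survive agent restarts.
    chain monit_access_jobs {
        # Placeholder job rule (assumption): a job allowing its own service UID.
        meta skuid <job-uid> accept
    }

    # Base chain: flushed and rebuilt by the agent on every SetupMonitFirewall call.
    chain monit_access {
        type filter hook output priority filter; policy accept;

        # Only traffic to monit on loopback is in scope; everything else falls through.
        # 1. Give job-managed rules the first chance to accept; jump returns if they do not.
        oif "lo" tcp dport 2822 jump monit_access_jobs
        # 2. Agent rule: root (UID 0) may always reach monit.
        oif "lo" tcp dport 2822 meta skuid 0 accept
        # 3. Anything else (e.g. the vcap user) is logged with the agent's prefix and dropped.
        oif "lo" tcp dport 2822 log prefix "bosh-monit-access: " drop
    }

    # NATS chain: rebuilt from the resolved mbus URL before each connection attempt
    # (BeforeConnect), which is what allows re-resolution on HA failover.
    chain nats_access {
        type filter hook output priority filter; policy accept;

        # <nats-ip> and <nats-port> are placeholders for the resolved director address.
        ip daddr <nats-ip> tcp dport <nats-port> meta skuid 0 accept
        ip daddr <nats-ip> tcp dport <nats-port> drop
    }
}
```

Because the base chain is rebuilt while monit_access_jobs is only jumped to, a job's rule keeps working after the agent rewrites its own three rules.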

func (*NftablesFirewall) SetupNATSFirewall

func (f *NftablesFirewall) SetupNATSFirewall(mbusURL string) error

SetupNATSFirewall creates firewall rules to protect NATS. This resolves DNS and should be called before each connection attempt.

type UserLookup added in v2.820.0

type UserLookup func(username string) (*user.User, error)
