firewalld: integration

On distributions using FirewallD like Fedora, we need to register the new IP to FirewallD. See https://fedoraproject.org/wiki/FirewallD Related to: rkt/rkt#2206
kinvolk-archives · Mar 21, 2016 · 28b2cac · 28b2cac
1 parent 6f6f6f5
commit 28b2cac
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 1 deletion.
diff --git a/Documentation/ptp.md b/Documentation/ptp.md
@@ -17,6 +17,9 @@ The traffic of the container interface will be routed through the interface of t
 	},
 	"dns": {
 		"nameservers": [ "10.1.1.1", "8.8.8.8" ]
+	},
+	"firewalld": {
+		"zone": "trusted"
 	}
 }
 
@@ -28,3 +31,4 @@ The traffic of the container interface will be routed through the interface of t
 * `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to value chosen by the kernel.
 * `ipam` (dictionary, required): IPAM configuration to be used for this network.
 * `dns` (dictionary, optional): DNS information to return as described in the [Result](/SPEC.md#result).
+* `firewalld` (dictionary, optional): [FirewallD](https://fedoraproject.org/wiki/FirewallD)'s configuration to be used for this network.
diff --git a/pkg/firewalld/firewalld.go b/pkg/firewalld/firewalld.go
@@ -0,0 +1,61 @@
+// Copyright 2016 CNI authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package firewalld provides functions to integrate with Fedora's FirewallD.
+// See https://fedoraproject.org/wiki/FirewallD
+package firewalld
+
+import (
+	"net"
+
+	"github.com/godbus/dbus"
+)
+
+const (
+	firewalldName          = "org.fedoraproject.FirewallD1"
+	firewalldPath          = "/org/fedoraproject/FirewallD1"
+	firewalldZoneInterface = "org.fedoraproject.FirewallD1.zone"
+)
+
+func AddTrustedSource(source net.IP, zone string) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return err
+	}
+
+	firewalldObj := conn.Object(firewalldName, firewalldPath)
+	var res string
+	err = firewalldObj.Call(firewalldZoneInterface+".addSource", 0, zone, source.String()).Store(&res)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func RemoveTrustedSource(source net.IP, zone string) error {
+	conn, err := dbus.SystemBus()
+	if err != nil {
+		return err
+	}
+
+	firewalldObj := conn.Object(firewalldName, firewalldPath)
+	var res string
+	err = firewalldObj.Call(firewalldZoneInterface+".removeSource", 0, zone, source.String()).Store(&res)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/pkg/types/types.go b/pkg/types/types.go
@@ -62,7 +62,10 @@ type NetConf struct {
 	IPAM struct {
 		Type string `json:"type,omitempty"`
 	} `json:"ipam,omitempty"`
-	DNS DNS `json:"dns"`
+	DNS       DNS `json:"dns"`
+	FirewallD struct {
+		Zone string `json:"zone,omitempty"`
+	} `json:"firewalld,omitempty"`
 }
 
 // Result is what gets returned from the plugin (via stdout) to the caller

diff --git a/plugins/main/ptp/ptp.go b/plugins/main/ptp/ptp.go
@@ -25,6 +25,7 @@ import (
 
 	"github.com/vishvananda/netlink"
 
+	"github.com/appc/cni/pkg/firewalld"
 	"github.com/appc/cni/pkg/ip"
 	"github.com/appc/cni/pkg/ipam"
 	"github.com/appc/cni/pkg/ns"
@@ -177,6 +178,12 @@ func cmdAdd(args *skel.CmdArgs) error {
 		return err
 	}
 
+	if conf.FirewallD.Zone != "" {
+		if err = firewalld.AddTrustedSource(result.IP4.IP.IP, conf.FirewallD.Zone); err != nil {
+			return err
+		}
+	}
+
 	if conf.IPMasq {
 		h := sha512.Sum512([]byte(args.ContainerID))
 		chain := fmt.Sprintf("CNI-%s-%x", conf.Name, h[:8])
@@ -213,6 +220,12 @@ func cmdDel(args *skel.CmdArgs) error {
 		}
 	}
 
+	if conf.FirewallD.Zone != "" {
+		if err = firewalld.RemoveTrustedSource(ipn.IP, conf.FirewallD.Zone); err != nil {
+			return err
+		}
+	}
+
 	return ipam.ExecDel(conf.IPAM.Type, args.StdinData)
 }