From 5030fd9bb07a8a10f5f52dffbb7ae8720e9902ba Mon Sep 17 00:00:00 2001
From: Lee Smet
Date: Mon, 3 Jul 2023 11:46:03 +0200
Subject: [PATCH] Revert SMTP patches and RMB patch

This reverts commit bd1363349cce9241b3be0f6bdb5a178714b3fe02.
This reverts commit dc1f27872547482636937568567ecd8a601767f7.
This reverts commit cf84a0e09526c071d532fda6ac756807aeb86625.

Signed-off-by: Lee Smet
---
 bins/packages/rmb/rmb.sh | 4 ++--
 cmds/modules/networkd/nft.go | 42 ++++++++++--------------------------
 2 files changed, 13 insertions(+), 33 deletions(-)

diff --git a/bins/packages/rmb/rmb.sh b/bins/packages/rmb/rmb.sh
index cdd395c57..63c7a6aeb 100644
--- a/bins/packages/rmb/rmb.sh
+++ b/bins/packages/rmb/rmb.sh
@@ -1,5 +1,5 @@
-RMB_VERSION="1.0.6"
-RMB_CHECKSUM="0a864b3bd6b8b8ca762f1024052f73ed"
+RMB_VERSION="1.0.5"
+RMB_CHECKSUM="c6ce07170300c149d4cca6523f4081c4"
 RMB_LINK="https://github.com/threefoldtech/rmb-rs/releases/download/v${RMB_VERSION}/rmb-peer"
 
 download_rmb() {
diff --git a/cmds/modules/networkd/nft.go b/cmds/modules/networkd/nft.go
index db05f9b72..d1dc1175f 100644
--- a/cmds/modules/networkd/nft.go
+++ b/cmds/modules/networkd/nft.go
@@ -12,45 +12,25 @@ func ensureHostFw(ctx context.Context) error {
 log.Info().Msg("ensuring existing host nft rules")
 cmd := exec.CommandContext(ctx, "/bin/sh", "-c",
- `
-nft 'add table inet filter'
-nft 'add table arp filter'
-nft 'add table bridge filter'
-
-# duo to a bug we had we need to make sure those chains are
-# deleted and then recreated later
-nft 'delete chain inet filter input'
-nft 'delete chain inet filter forward'
-nft 'delete chain inet filter output'
-
-nft 'delete chain bridge filter input'
-nft 'delete chain bridge filter forward'
-nft 'delete chain bridge filter output'
-
-nft 'delete chain arp filter input'
-nft 'delete chain arp filter output'
-
-# recreate chains correctly
+ `nft 'add table inet filter'
 nft 'add chain inet filter input { type filter hook input priority filter; policy accept; }'
-nft 'add chain inet filter forward { type filter hook forward priority filter; policy accept; }'
-nft 'add chain inet filter output { type filter hook output priority filter; policy accept; }'
-nft 'add chain inet filter prerouting { type filter hook prerouting priority filter; policy accept; }'
+nft 'add chain inet filter forward { type filter hook input priority filter; policy accept; }'
+nft 'add chain inet filter output { type filter hook input priority filter; policy accept; }'
+nft 'add table arp filter'
 nft 'add chain arp filter input { type filter hook input priority filter; policy accept; }'
-nft 'add chain arp filter output { type filter hook output priority filter; policy accept; }'
+nft 'add chain arp filter output { type filter hook input priority filter; policy accept; }'
+nft 'add table bridge filter'
 nft 'add chain bridge filter input { type filter hook input priority filter; policy accept; }'
-nft 'add chain bridge filter forward { type filter hook forward priority filter; policy accept; }'
+nft 'add chain bridge filter forward { type filter hook input priority filter; policy accept; }'
 nft 'add chain bridge filter prerouting { type filter hook prerouting priority filter; policy accept; }'
 nft 'add chain bridge filter postrouting { type filter hook postrouting priority filter; policy accept; }'
-nft 'add chain bridge filter output { type filter hook output priority filter; policy accept; }'
-
+nft 'add chain bridge filter output { type filter hook input priority filter; policy accept; }'
 nft 'flush chain bridge filter forward'
-nft 'flush chain inet filter forward'
-nft 'flush chain inet filter prerouting'
-
-# drop smtp traffic for hidden nodes
-nft 'add rule inet filter prerouting iifname "b-*" tcp dport {25, 587, 465} reject with icmp type admin-prohibited'
+# nft 'add rule bridge filter forward icmpv6 type nd-router-advert drop'
+# nft 'add rule bridge filter forward ip6 version 6 udp sport 547 drop'
+# nft 'add rule bridge filter forward ip version 4 udp sport 67 drop'
 `)
 if err := cmd.Run(); err != nil {