Apply outbound restriction in exam_mode on macvtap interfaces too

2025-12-17 13:24:24 +01:00 · 2025-12-17 13:24:24 +01:00 · 1f45184d0c
commit 1f45184d0c
parent a986254abc
3 changed files with 57 additions and 0 deletions
--- a/roles/lmn_exam/templates/no-way-out-nftable.j2
+++ b/roles/lmn_exam/templates/no-way-out-nftable.j2
@ -0,0 +1,41 @@
+#!/usr/bin/bash
+
+set -eu
+
+interfaces=$(/usr/bin/ip link | /usr/bin/sed -En 's/.*(macvtap-.*)@.*/\1/p')
+gateway=$(/usr/bin/ip route list default | /usr/bin/head -1 | /usr/bin/cut -f 3 -d " ")
+
+filterchain=""
+for interface in ${interfaces}; do
+  filterchain=$(cat <<- EOF
+${filterchain}
+
+    chain filterin_${interface} {
+        type filter hook ingress device ${interface} priority filter; policy drop;
+        ip saddr \$allowed_ipv4 accept
+        ip saddr ${gateway} accept;
+        ip saddr 255.255.255.255 accept;
+    }
+
+    chain filterout_${interface} {
+        type filter hook egress device ${interface} priority filter; policy drop;
+        ip daddr \$allowed_ipv4 accept
+        ip daddr ${gateway} accept;
+        ip daddr 255.255.255.255 accept;
+    }
+EOF
+)
+done
+
+
+
+nft_table=$(cat <<- EOF
+define allowed_ipv4 = { {{ exam_destination_allowed_ipv4 | join(",") }} }
+
+table netdev filtermacvtap {
+${filterchain}
+}
+EOF
+)
+
+echo "$nft_table" | /usr/sbin/nft -f -