Apply outbound restriction in exam_mode on macvtap interfaces too
This commit is contained in:
parent
93a0f07846
commit
9ee19d1459
3 changed files with 57 additions and 0 deletions
|
|
@ -5,10 +5,16 @@
|
||||||
|
|
||||||
if [[ "${PAM_USER}" =~ -exam$ ]]; then
|
if [[ "${PAM_USER}" =~ -exam$ ]]; then
|
||||||
systemctl start firewalld.service
|
systemctl start firewalld.service
|
||||||
|
if [[ -f /usr/local/sbin/no-way-out-nftable ]]; then
|
||||||
|
/usr/local/sbin/no-way-out-nftable || true
|
||||||
|
fi
|
||||||
if systemctl is-enabled --quiet libvirtd.service; then
|
if systemctl is-enabled --quiet libvirtd.service; then
|
||||||
systemctl restart libvirtd.service
|
systemctl restart libvirtd.service
|
||||||
fi
|
fi
|
||||||
elif ! (users | grep -q -- "-exam"); then
|
elif ! (users | grep -q -- "-exam"); then
|
||||||
|
if /usr/sbin/nft list tables | /usr/bin/grep -q filtermacvtap; then
|
||||||
|
/usr/sbin/nft delete table netdev filtermacvtap || true
|
||||||
|
fi
|
||||||
systemctl stop firewalld.service
|
systemctl stop firewalld.service
|
||||||
if systemctl is-enabled --quiet libvirtd.service; then
|
if systemctl is-enabled --quiet libvirtd.service; then
|
||||||
systemctl restart libvirtd.service
|
systemctl restart libvirtd.service
|
||||||
|
|
|
||||||
|
|
@ -71,6 +71,16 @@
|
||||||
- exam_destination_allowed_ipv4 is defined
|
- exam_destination_allowed_ipv4 is defined
|
||||||
- exam_destination_allowed_ipv4 | length > 0
|
- exam_destination_allowed_ipv4 | length > 0
|
||||||
|
|
||||||
|
- name: Install no-way-out nf-table for macvtap device
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: no-way-out-nftable.j2
|
||||||
|
dest: "/usr/local/sbin/no-way-out-nftable"
|
||||||
|
mode: '0755'
|
||||||
|
when:
|
||||||
|
- exam_destination_allowed_ipv4 is defined
|
||||||
|
- exam_destination_allowed_ipv4 | length > 0
|
||||||
|
- vm_support is defined and vm_support
|
||||||
|
|
||||||
- name: Enable login script via pam_exec.so
|
- name: Enable login script via pam_exec.so
|
||||||
ansible.builtin.lineinfile:
|
ansible.builtin.lineinfile:
|
||||||
dest: /etc/pam.d/common-session
|
dest: /etc/pam.d/common-session
|
||||||
|
|
|
||||||
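--- /dev/null
+++ b/roles/lmn_exam/templates/no-way-out-nftable.j2
@@ -0,0 +1,41 @@
+#!/usr/bin/bash
+
+set -eu
+
+interfaces=$(/usr/bin/ip link | /usr/bin/sed -En 's/.*(macvtap-.*)@.*/\1/p')
+gateway=$(/usr/bin/ip route list default | /usr/bin/head -1 | /usr/bin/cut -f 3 -d " ")
+
+filterchain=""
+for interface in ${interfaces}; do
+filterchain=$(cat <<- EOF
+${filterchain}
+
+chain filterin_${interface} {
+type filter hook ingress device ${interface} priority filter; policy drop;
+ip saddr \$allowed_ipv4 accept
+ip saddr ${gateway} accept;
+ip saddr 255.255.255.255 accept;
+}
+
+chain filterout_${interface} {
+type filter hook egress device ${interface} priority filter; policy drop;
+ip daddr \$allowed_ipv4 accept
+ip daddr ${gateway} accept;
+ip daddr 255.255.255.255 accept;
+}
+EOF
+)
+done
+
+
+
+nft_table=$(cat <<- EOF
+define allowed_ipv4 = { {{ exam_destination_allowed_ipv4 | join(",") }} }
+
+table netdev filtermacvtap {
+${filterchain}
+}
+EOF
+)
+
+echo "$nft_table" | /usr/sbin/nft -f -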
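Review bot: The gateway exemption is derived with `head -1 | cut -f 3 -d " "` and interpolated unchecked into `ip saddr ${gateway} accept;` / `ip daddr ${gateway} accept;`; on a host with no default route, or a `default dev …` route without `via`, the value is empty or an interface name, nft rejects the whole table as a syntax error, and since the login-script hunk invokes this file with `|| true` the failure is silent and the macvtap devices stay unfiltered, the opposite of the fail-closed behaviour an exam lockdown needs (`set -u` does not catch an empty substitution). Parse the address explicitly and emit the gateway rules only when one was found, so a missing gateway tightens the filter instead of disabling it. A second exam login also re-runs the script against an existing `filtermacvtap` table, and `nft -f` then appends the chains' rules a second time; deleting the table first, the way the logout path already does, keeps the script idempotent. The trailing `;` is inconsistent between the `\$allowed_ipv4` rules and the others — nft accepts both, but one form reads better.
```shell
gateway=$(/usr/bin/ip route list default | /usr/bin/sed -En 's/^default via ([0-9.]+) .*/\1/p' | /usr/bin/head -1)
# Fail closed: with no usable gateway the exemption is omitted, instead of
# producing "ip saddr  accept;" which nft rejects together with the whole table.
gateway_in=""
gateway_out=""
if [[ -n "${gateway}" ]]; then
	gateway_in="ip saddr ${gateway} accept;"
	gateway_out="ip daddr ${gateway} accept;"
fi
# … unchanged: filterchain loop, except the two gateway rules become …
${gateway_in}
# … and, in the filterout chain …
${gateway_out}
# … unchanged: nft_table heredoc …
# Drop any previous instance so repeated logins do not stack duplicate rules.
if /usr/sbin/nft list tables | /usr/bin/grep -q filtermacvtap; then
	/usr/sbin/nft delete table netdev filtermacvtap
fi
echo "$nft_table" | /usr/sbin/nft -f -
```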