Page MenuHomeDevCentral
Differential D4099

Configure pf for routers
Needs RevisionPublic
Actions

Authored by yousra on Mon, May 4, 18:00.
Tags
None
Referenced Files
Unknown Object (File)
Thu, May 21, 17:09
Unknown Object (File)
Tue, May 19, 21:34
Unknown Object (File)
Tue, May 19, 13:35
Unknown Object (File)
Tue, May 19, 13:35
Unknown Object (File)
Tue, May 19, 13:35
Unknown Object (File)
Tue, May 19, 13:35
Unknown Object (File)
Sun, May 17, 15:00
Unknown Object (File)
Sun, May 17, 09:20
View All 57 Files
Subscribers
dereckson
Duranzed

Details

Reviewers
dereckson
Duranzed
Summary

This change introduces a SaltStack state to manage the PF firewall configuration
on routers. As part of T2324, we observed that complector could not access the Internet
because NAT was not configured. This state ensures proper NAT configuration,
allowing Intranought nodes to reach external networks.

Test Plan
  • Verify that Complector can access to the Internet through the router

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Skipped
Unit
No Test Coverage
Branch
pf-router
Build Status
Buildable 6686
Build 6974: arc lint + arc unit

Event Timeline

yousra requested review of this revision.Mon, May 4, 18:00
yousra created this revision.
Harbormaster completed remote builds in B6686: Diff 10729.Mon, May 4, 18:00
yousra mentioned this in T2324: Ensure OSPF default route is used by all IntraNought nodes.Mon, May 4, 18:03
dereckson requested changes to this revision.Mon, May 4, 18:08

We need to use /etc/pf.conf.d as roles/core/pf/files/pf.conf provide tables

Suggested changes:

  • In this revisio, provision roles/router/pf/files/pf.conf as /etc/pf.conf.d/router.conf
  • In another new revision, provision roles/core/pf/files/pf.conf as /etc/pf.conf.d/tables.conf
This revision now requires changes to proceed.Mon, May 4, 18:08
yousra updated this revision to Diff 10730.Tue, May 5, 09:55

provision roles/router/pf/files/pf.conf as /etc/pf.conf.d/router.conf

Harbormaster completed remote builds in B6687: Diff 10730.Tue, May 5, 09:55
yousra updated this revision to Diff 10732.Tue, May 5, 11:23

Include router.conf in /etc/pf.conf so pf can read the config

Harbormaster completed remote builds in B6689: Diff 10732.Tue, May 5, 11:23
dereckson retitled this revision from Add PF firewall configuration management for routers to Configure pf for routers.Thu, May 7, 16:08
dereckson requested changes to this revision.Wed, May 13, 22:16
dereckson added inline comments.
roles/router/pf/files/router.conf
17 ↗(On Diff #10732)

Interfaces should be passed as parameters.

17 ↗(On Diff #10732)
18 ↗(On Diff #10732)
roles/router/pf/init.sls
13
- template: jinja
- context:
    intranought: ...
    public: ...

Should be resolved through an amended node.resolve_network

This revision now requires changes to proceed.Wed, May 13, 22:16
Revision Contents
Changeset List
PathSize
roles/
router/
1 line
pf/
files/
28 lines
pf/
8 lines
Diff 10729
View Options
roles/router/init.sls
Loading...
View Options
roles/router/pf/files/pf.conf
Loading...
View Options
roles/router/pf/init.sls
Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator