From: Zoltán Felleg
Date: Fri, 18 Apr 2025 15:22:34 +0000 (+0200)
Subject: Updated ifg.in (deleted linuxone interface and rules).
X-Git-Url: http://git.useribm.hu/?a=commitdiff_plain;h=d0052324eb0cbd5d930eb3f74b33d80f242d0ad8;p=user-lxc.git

Updated ifg.in (deleted linuxone interface and rules).
---
diff --git a/sources/ifg.in/c3d/firstboot/data/nftables.config b/sources/ifg.in/c3d/firstboot/data/nftables.config
index d44fcd4..2dd5cdb 100644
--- a/sources/ifg.in/c3d/firstboot/data/nftables.config
+++ b/sources/ifg.in/c3d/firstboot/data/nftables.config
@@ -8,14 +8,11 @@
 # internal interface
 define INTERNAL_IF = eth0
 
-# linuxone interface
-define LINUXONE_IF = eth1
-
 # loopback interface
 define LOOPBACK_IF = lo
 
 # perimeter interface
-define PERIMETER_IF = eth2
+define PERIMETER_IF = eth1
 
 ################################
 # address definitions
@@ -72,10 +69,6 @@ define GIT_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad2a
 define IFG_PERIMETER_IPV4 = 192.168.173.1
 define IFG_PERIMETER_IPV6 = 2001:1aa1:000a:7c0c:000c:18ff:fe03:ad01
 
-# ifg addresses (linuxone network)
-define LINUXONE_INTERNAL_IPV4 = 172.24.121.254
-define LINUXONE_INTERNAL_IPV6 = 2001:1aa1:000a:577d:000c:18ff:fe03:79fe
-
 # ifg addresses (internal network)
 define IFG_INTERNAL_IPV4 = 10.228.109.254
 define IFG_INTERNAL_IPV6 = 2001:1aa1:000a:7dae:000c:18ff:fe03:6dfe
@@ -144,8 +137,6 @@ define WORKSHEET_SR_IPV4 = 192.168.42.248
 # internal networks
 define INTERNAL_IPV4_NET = 10.228.0.0/16
 define INTERNAL_IPV6_NET = 2001:1aa1:000a:7dae::/64
-define LINUXONE_IPV4_NET = 172.24.121.0/24
-define LINUXONE_IPV6_NET = 2001:1aa1:000a:577d::/64
 define SR_IPV4_NET = 192.168.42.0/24
 define IN_IPV4_NET = 192.168.43.0/24
 define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \
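Review bot: With every `LINUXONE_*` symbol removed from the definitions block, any reference to one of them that survives elsewhere in nftables.config makes nft reject the whole file rather than just that rule, and the hunk at -144 is cut off inside `define INTERNAL_IPV4_NETS = { $INTERNAL_IPV4_NET, \`, so whether that set still lists `$LINUXONE_IPV4_NET` cannot be seen here. Depending on how firstboot applies this file, a parse error would leave the container with no filter rules at all, which is the fail-open outcome for a perimeter gateway, so the new file is worth checking for any remaining `LINUXONE` token before merge. Note also that `PERIMETER_IF` now names `eth1`, the device that until this commit was `$LINUXONE_IF` and was allowed to talk freely with the internal side; the deletions at -199, -269 and -288 are what stop that device from still being treated as internal, so they must land together with this hunk.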
@@ -199,12 +190,6 @@ add rule ip ifg-nat prerouting \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
 ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
 counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
-add rule ip ifg-nat prerouting \
- ip protocol tcp \
- iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET tcp sport 1024-65535 \
- ip daddr $PUBLIC_WS_IPV4 tcp dport { http, https } \
- counter dnat $WS_PERIMETER_IPV4 comment "Webserver access"
-
 
 ################################
 # FILTER input rules
@@ -269,16 +254,6 @@ add rule ip6 ifg-filter forward \
 iifname $PERIMETER_IF \
 oifname $INTERNAL_IF ip6 daddr $INTERNAL_IPV6_NET \
 counter accept comment "Established sessions"
-add rule ip ifg-filter forward \
- ct state established, related \
- iifname $PERIMETER_IF \
- oifname $LINUXONE_IF ip daddr $LINUXONE_IPV4_NET \
- counter accept comment "Established sessions"
-add rule ip6 ifg-filter forward \
- ct state established, related \
- iifname $PERIMETER_IF \
- oifname $LINUXONE_IF ip6 daddr $LINUXONE_IPV6_NET \
- counter accept comment "Established sessions"
 
 add rule ip ifg-filter forward \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS \
@@ -288,27 +263,6 @@ add rule ip6 ifg-filter forward \
 iifname $INTERNAL_IF ip6 saddr $INTERNAL_IPV6_NET \
 oifname $PERIMETER_IF \
 counter accept comment "Internet access"
-add rule ip ifg-filter forward \
- iifname $LINUXONE_IF ip saddr $LINUXONE_IPV4_NET \
- oifname $PERIMETER_IF ip daddr != $PERIMETER_NET \
- counter accept comment "Internet access"
-add rule ip6 ifg-filter forward \
- iifname $LINUXONE_IF ip6 saddr $LINUXONE_IPV6_NET \
- oifname $PERIMETER_IF \
- counter accept comment "Internet access"
-
-add rule ip ifg-filter forward \
- iifname $LINUXONE_IF oifname $INTERNAL_IF \
- counter accept comment "LinuxONE internal communication"
-add rule ip6 ifg-filter forward \
- iifname $LINUXONE_IF oifname $INTERNAL_IF \
- counter accept comment "LinuxONE internal communication"
-add rule ip ifg-filter forward \
- iifname $INTERNAL_IF oifname $LINUXONE_IF \
- counter accept comment "internal LinuxONE communication"
-add rule ip6 ifg-filter forward \
- iifname $INTERNAL_IF oifname $LINUXONE_IF \
- counter accept comment "internal LinuxONE communication"
 
 add rule ip ifg-filter forward \
 iifname $INTERNAL_IF ip saddr $INTERNAL_IPV4_NETS tcp sport 1024-65535 \
diff --git a/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh b/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh
index 6c17647..c119875 100755
--- a/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh
+++ b/sources/ifg.in/c3d/firstboot/scripts/01_setupnetworking.sh
@@ -26,11 +26,11 @@ do
 done
 [ $CYCLES_WAITED -gt 0 ] && echo
 
-# wait for the four network connections to come up
+# wait for the three network connections to come up
 CONNECTION_DEVICES_UP=$(nmcli --terse connection show \
 | grep --invert-match ':$' | wc -l)
 CYCLES_WAITED=0
-while [ $CONNECTION_DEVICES_UP -lt 4 ]
+while [ $CONNECTION_DEVICES_UP -lt 3 ]
 do
 if [ $CYCLES_WAITED -ge 10 ]
 then
@@ -51,27 +51,22 @@ done
 [ $CYCLES_WAITED -gt 0 ] && echo
 
 CONNECTIONS=$(nmcli --terse connection show | wc -l)
-if [ $CONNECTIONS -ne 4 ]
+if [ $CONNECTIONS -ne 3 ]
 then
 echo "Number of connections: $CONNECTIONS instead of 4" >&2
 exit 1
 fi
 CONNECTION_DEVICE_IN="eth0"
-CONNECTION_DEVICE_L1="eth1"
-CONNECTION_DEVICE_PM="eth2"
+CONNECTION_DEVICE_PM="eth1"
 CONNECTION_ID_IN="internal"
-CONNECTION_ID_L1="linuxone"
 CONNECTION_ID_PM="perimeter"
 CONNECTION_LINE_IN=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_IN}$")
-CONNECTION_LINE_L1=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_L1}$")
 CONNECTION_LINE_PM=$(nmcli --terse connection show | grep ":${CONNECTION_DEVICE_PM}$")
 CONNECTION_UUID_IN=$(echo $CONNECTION_LINE_IN | cut -f 2 -d ':')
-CONNECTION_UUID_L1=$(echo $CONNECTION_LINE_L1 | cut -f 2 -d ':')
 CONNECTION_UUID_PM=$(echo $CONNECTION_LINE_PM | cut -f 2 -d ':')
 nmcli connection delete uuid "$CONNECTION_UUID_IN"
-nmcli connection delete uuid "$CONNECTION_UUID_L1"
 nmcli connection delete uuid "$CONNECTION_UUID_PM"
 
 nmcli connection add \
@@ -97,24 +92,6 @@ allowed-connections=id:$CONNECTION_ID_IN
 keep-configuration=no
 EOF
 
-nmcli connection add \
- connection.autoconnect yes \
- connection.id $CONNECTION_ID_L1 \
- connection.interface-name $CONNECTION_DEVICE_L1 \
- connection.type 802-3-ethernet \
- ipv4.addresses "172.24.121.254/24" \
- ipv4.method "manual" \
- ipv6.addresses "2001:1aa1:000a:577d:000c:18ff:fe03:79fe/64" \
- ipv6.method "manual" \
- save yes
-
-cat </etc/NetworkManager/conf.d/${CONNECTION_DEVICE_PM}.conf
-[device]
-match-device=interface-name:$CONNECTION_DEVICE_PM
-allowed-connections=id:$CONNECTION_ID_PM
-keep-configuration=no
-EOF
-
 nmcli connection add \
 connection.autoconnect yes \
 connection.id $CONNECTION_ID_PM \
diff --git a/sources/ifg.in/config b/sources/ifg.in/config
index b0639dc..9450416 100644
--- a/sources/ifg.in/config
+++ b/sources/ifg.in/config
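Review bot: The test on the line after `CONNECTIONS=$(...)` now demands exactly three profiles, but the diagnostic two lines below it still says `instead of 4`, so a failing firstboot reports the wrong expectation; change it to `echo "Number of connections: $CONNECTIONS instead of 3" >&2`. The same literal is also spelled out in the comment and the `-lt 3` loop condition of the hunk at -26, so one `EXPECTED_CONNECTIONS=3` near the top of the script, used in both tests and in the message, would have kept the three places from drifting as they did here. The `nmcli connection add \` that closes the hunk continues outside it.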
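Review bot: The removed heredoc was the only write of `/etc/NetworkManager/conf.d/${CONNECTION_DEVICE_PM}.conf` visible in this diff, and that file is what binds the perimeter device to the `perimeter` profile through `allowed-connections=id:$CONNECTION_ID_PM`, while the equivalent file for `$CONNECTION_DEVICE_IN` is kept (the context lines at the top of the hunk). Unless the script writes the same file again after the perimeter `nmcli connection add` whose first lines close this hunk (the rest of that command is outside it), the perimeter interface, now `eth1`, the very name the deleted `linuxone` profile used, is left free to auto-activate whatever other profile NetworkManager finds for it, which removes the interface-to-profile pinning the internal side still has. Please confirm in the full script, and if no later write exists, re-add the `[device]` heredoc with the `_PM` variables after the perimeter profile is created.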
@@ -13,15 +13,9 @@ lxc.net.0.hwaddr = 02:0c:18:03:6d:fe
 
 lxc.net.1.type = veth
 lxc.net.1.flags = up
-lxc.net.1.link = brl1-dev
+lxc.net.1.link = brch-dev
 lxc.net.1.name = eth1
-lxc.net.1.hwaddr = 02:0c:18:03:79:fe
-
-lxc.net.2.type = veth
-lxc.net.2.flags = up
-lxc.net.2.link = brch-dev
-lxc.net.2.name = eth2
-lxc.net.2.hwaddr = 02:0c:18:03:ad:01
+lxc.net.1.hwaddr = 02:0c:18:03:ad:01
 
 lxc.autodev = 1
 