add nft rules template (#47)

Author: Omarabdul3ziz

cmds/modules/netlightd/main.go

@@ -34,6 +34,9 @@ const (
 //go:embed nft/rules.nft
 var nftRules embed.FS
 
+//go:embed nft/lansecurity.tmpl
+var securityRules string
+
 // Module is entry point for module
 var Module cli.Command = cli.Command{
 	Name:  "netlightd",
@@ -111,6 +114,11 @@ func action(cli *cli.Context) error {
 		return fmt.Errorf("failed to apply host nft rules: %w", err)
 	}
 	rules.Close()
+
+	if err := nft.DropTrafficToLAN(securityRules); err != nil {
+		return fmt.Errorf("failed to drop traffic to lan: %w", err)
+	}
+
 	_, err = netlight.CreateNDMZBridge()
 	if err != nil {
 		return fmt.Errorf("failed to create ndmz bridge: %w", err)
@@ -134,10 +142,6 @@ func action(cli *cli.Context) error {
 		return fmt.Errorf("failed to setup mycelium on host: %w", err)
 	}
 
-	// if err := nft.DropTrafficToLAN(); err != nil {
-	// 	return fmt.Errorf("failed to drop traffic to lan: %w", err)
-	// }
-
 	mod, err := netlight.NewNetworker()
 	if err != nil {
 		return fmt.Errorf("failed to create Networker: %w", err)

cmds/modules/netlightd/nft/lansecurity.tmpl

@@ -0,0 +1,17 @@
+flush chain inet filter forward;
+
+table inet filter {
+	chain forward {
+		type filter hook forward priority filter; policy accept;
+
+    # @th,16,16 is raw expression for sport/dport in transport header
+    # used due to limitation on the installed nft v0.9.1
+		meta l4proto { tcp, udp } @th,16,16 { 9650, 9651 } accept;
+
+    # accept traffic to only default gateway
+		ip daddr {{.GatewayIP}} accept;
+
+    # drop traffic to all other ips on the subnet
+		ip daddr {{.SubnetIP}} drop;
+	}
+}

go.mod

@@ -40,7 +40,7 @@ require (
 	github.com/threefoldtech/tfchain/clients/tfchain-client-go v0.0.0-20241127100051-77e684bcb1b2
 	github.com/threefoldtech/tfgrid-sdk-go/rmb-sdk-go v0.16.1-0.20241229121208-76ac3fea5e67
 	github.com/threefoldtech/zbus v1.0.1
-	github.com/threefoldtech/zosbase v0.1.3-0.20250226154121-1ad00c2e23c7
+	github.com/threefoldtech/zosbase v0.1.3-0.20250304112457-4fe70d8d47ff
 	github.com/urfave/cli/v2 v2.17.2-0.20221006022127-8f469abc00aa
 	github.com/vishvananda/netlink v1.1.1-0.20201029203352-d40f9887b852
 	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect

go.sum

@@ -542,8 +542,8 @@ github.com/threefoldtech/tfgrid-sdk-go/rmb-sdk-go v0.16.1-0.20241229121208-76ac3
 github.com/threefoldtech/tfgrid-sdk-go/rmb-sdk-go v0.16.1-0.20241229121208-76ac3fea5e67/go.mod h1:93SROfr+QjgaJ5/jIWtIpLkhaD8Pv8WbdfwvwMNG2p4=
 github.com/threefoldtech/zbus v1.0.1 h1:3KaEpyOiDYAw+lrAyoQUGIvY9BcjVRXlQ1beBRqhRNk=
 github.com/threefoldtech/zbus v1.0.1/go.mod h1:E/v/xEvG/l6z/Oj0aDkuSUXFm/1RVJkhKBwDTAIdsHo=
-github.com/threefoldtech/zosbase v0.1.3-0.20250226154121-1ad00c2e23c7 h1:PzwfyBeCFIwLXSpDD3M+U7XQmQ3G0SGWd1kcbM05oyI=
-github.com/threefoldtech/zosbase v0.1.3-0.20250226154121-1ad00c2e23c7/go.mod h1:rxc49wA04S4IsBOYe0omVO7nu7GXridueh2PJh34gSo=
+github.com/threefoldtech/zosbase v0.1.3-0.20250304112457-4fe70d8d47ff h1:jKXimkoOIOpv+3/VHp5cag7WYAduFcBw6IlX4nMlsqk=
+github.com/threefoldtech/zosbase v0.1.3-0.20250304112457-4fe70d8d47ff/go.mod h1:rxc49wA04S4IsBOYe0omVO7nu7GXridueh2PJh34gSo=
 github.com/tinylib/msgp v1.1.5 h1:2gXmtWueD2HefZHQe1QOy9HVzmFrLOVvsXwXBQ0ayy0=
 github.com/tinylib/msgp v1.1.5/go.mod h1:eQsjooMTnV42mHu917E26IogZ2930nFyBQdofk10Udg=
 github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=