Zone based firewalling with containers

Am I missing something, or is there not a straightforward way to use zone based firewalling with the containers?

There are some nuances with container networks.
The container network consists of 2 parts: veth pairs and a bridge that connects the container netns veth interface with the default netns.
Just a small example:

set container name busybox image 'busybox'
set container name busybox network NET01
set container network NET01 prefix '10.0.0.0/24'

So we have one bridge and one veth interface in default netns

vyos@r1# run show netns
netns-2c7c63d8-85ce-2cc7-163d-cb78ee583d7a (id: 0)
[edit]
vyos@r1# 
[edit]
vyos@r1# sudo ip link show type veth
11: veth3dfa6bdf@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master cni-NET01 state UP mode DEFAULT group default 
    link/ether 9e:13:b2:ae:c9:be brd ff:ff:ff:ff:ff:ff link-netns netns-2c7c63d8-85ce-2cc7-163d-cb78ee583d7a
[edit]
vyos@r1# 
[edit]
vyos@r1# sudo ip link show type bridge
10: cni-NET01: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 8e:13:60:2e:2a:d6 brd ff:ff:ff:ff:ff:ff
[edit]
vyos@r1# 

So you can try setting the interface name cni-NET10 or veth3dfa6bdf for ZBF.
The veth interface name can be different after a reboot/recreate.

Maybe it helps
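Worked configuration, added here as an illustration and not taken from the thread above: it places the container bridge cni-NET01 from the example into its own zone, so the rule does not depend on the veth name (which the reply notes changes after a reboot/recreate). It assumes VyOS 1.4 `firewall zone` / `firewall ipv4 name` syntax and an assumed LAN interface eth1; the zone and rule-set names are made up for the example.

```vyos
# Added example (not from the thread). Assumes VyOS 1.4 syntax and
# that eth1 is the LAN interface; NET01 / 10.0.0.0/24 come from the
# container network shown above.

# Zones: LAN, the container bridge, and the router itself.
# Binding the zone to the bridge (cni-NET01) is stable across reboots;
# the veth name (veth3dfa6bdf above) is not.
set firewall zone LAN interface eth1
set firewall zone LAN default-action drop
set firewall zone CONTAINERS description 'container network NET01'
set firewall zone CONTAINERS interface cni-NET01
set firewall zone CONTAINERS default-action drop
set firewall zone LOCAL local-zone
set firewall zone LOCAL default-action drop

# Let return traffic of established flows through in every direction,
# so the per-direction rule sets only need to list what may be initiated.
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop

# LAN -> containers: only HTTP to the container prefix.
set firewall ipv4 name LAN-TO-CONTAINERS default-action drop
set firewall ipv4 name LAN-TO-CONTAINERS rule 10 action accept
set firewall ipv4 name LAN-TO-CONTAINERS rule 10 protocol tcp
set firewall ipv4 name LAN-TO-CONTAINERS rule 10 destination address 10.0.0.0/24
set firewall ipv4 name LAN-TO-CONTAINERS rule 10 destination port 80

# Containers -> LAN: nothing may be initiated from the container side.
set firewall ipv4 name CONTAINERS-TO-LAN default-action drop

# Attach the rule sets to the zone pairs.
set firewall zone CONTAINERS from LAN firewall name LAN-TO-CONTAINERS
set firewall zone LAN from CONTAINERS firewall name CONTAINERS-TO-LAN
```

With `default-action drop` on every zone, any pair that has no `from ... firewall name` entry (for example CONTAINERS to LOCAL) is dropped, which is the default-drop behaviour the original poster saw; add an explicit rule set for each pair that needs to talk. `sudo ip link show type bridge` after a reboot is the quick check that the bridge name the zone references still exists.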

Maybe I was doing it wrong, but I believe I tried using either of those interface names and it was not working correctly. This method also doesn’t seem to support autocomplete, although it does seem to accept any interface names, regardless of whether or not they are present.

I would also like it to be persistent across reboots. I found it was easiest for me to try to have the services only listen on specific interfaces, and then only allowed connections to specific ips in the local zone. I would prefer all containers fit into a specific zone though, maybe with some being put into zones for physical servers on the network. I may give using the interface names another shot, but I believe I tried every permutation of the address that I was able to get by running ip a with no success.

Maybe I should submit a feature request for this, but do you know the state of pods with other pods as dependencies? I don’t see a way I can configure this within vyos.

Need testing

Please create a feature request at Phabricator.

I tried it this time and it seems to be just working, I’m not sure what I was doing wrong before. I believe I even tried it with/without the cni-prefix and other things, it was just hitting the zone default-drop rules, but I’m glad it’s working now