diff --git a/services/game-stream/wolf-gatekeeper-configmap.yaml b/services/game-stream/wolf-gatekeeper-configmap.yaml
index 7b9bc4c1..9470a278 100644
--- a/services/game-stream/wolf-gatekeeper-configmap.yaml
+++ b/services/game-stream/wolf-gatekeeper-configmap.yaml
@@ -45,42 +45,47 @@ data: return ["{", *[f"{port}," for port in ports[:-1]], ports[-1], "}"] - def _ensure_rules(): - _nft(["add", "table", "inet", "wolf_gatekeeper"], check=False) - _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v4", "{", "type", "ipv4_addr;", "flags", "timeout;", "}"], check=False) - _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v6", "{", "type", "ipv6_addr;", "flags", "timeout;", "}"], check=False) + def _install_chain(name, hook, priority): _nft( [ "add", "chain", "inet", "wolf_gatekeeper", - "input", + name, "{", "type", "filter", "hook", - "input", + hook, "priority", - "-90;", + priority, "policy", "accept;", "}", ], check=False, ) - _nft(["flush", "chain", "inet", "wolf_gatekeeper", "input"], check=False) - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "iifname", "lo", "accept"]) + _nft(["flush", "chain", "inet", "wolf_gatekeeper", name], check=False) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "iifname", "lo", "accept"]) for cidr in PRIVATE_V4: - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", cidr, "accept"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", cidr, "accept"]) for cidr in PRIVATE_V6: - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", cidr, "accept"]) - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", "@allowed_v4", "tcp", "dport", *_port_set(TCP_PORTS), "accept"]) - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip", "saddr", "@allowed_v4", "udp", "dport", *_port_set(UDP_PORTS), "accept"]) - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", "@allowed_v6", "tcp", "dport", *_port_set(TCP_PORTS), "accept"]) - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "ip6", "saddr", "@allowed_v6", "udp", "dport", *_port_set(UDP_PORTS), "accept"]) - _nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "tcp", "dport", *_port_set(TCP_PORTS), "drop"]) - 
_nft(["add", "rule", "inet", "wolf_gatekeeper", "input", "udp", "dport", *_port_set(UDP_PORTS), "drop"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", cidr, "accept"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", "@allowed_v4", "tcp", "dport", *_port_set(TCP_PORTS), "accept"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip", "saddr", "@allowed_v4", "udp", "dport", *_port_set(UDP_PORTS), "accept"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", "@allowed_v6", "tcp", "dport", *_port_set(TCP_PORTS), "accept"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "ip6", "saddr", "@allowed_v6", "udp", "dport", *_port_set(UDP_PORTS), "accept"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "tcp", "dport", *_port_set(TCP_PORTS), "drop"]) + _nft(["add", "rule", "inet", "wolf_gatekeeper", name, "udp", "dport", *_port_set(UDP_PORTS), "drop"]) + + + def _ensure_rules(): + _nft(["add", "table", "inet", "wolf_gatekeeper"], check=False) + _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v4", "{", "type", "ipv4_addr;", "flags", "timeout;", "}"], check=False) + _nft(["add", "set", "inet", "wolf_gatekeeper", "allowed_v6", "{", "type", "ipv6_addr;", "flags", "timeout;", "}"], check=False) + _install_chain("prerouting", "prerouting", "-300;") + _install_chain("input", "input", "-90;") def _validate_ip(value):
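Review bot: `_install_chain` replaces a chain non-atomically: the `flush chain` call on the new side empties the chain, and the `tcp dport ... drop` / `udp dport ... drop` rules for TCP_PORTS and UDP_PORTS are only re-added several `_nft` calls later, so under `policy accept` there is a short window on every (re)install during which the gated ports are reachable from any source, and now that `_ensure_rules` installs both the `prerouting` and the `input` chain that window opens twice per run. If `_nft` can hand a ruleset to `nft -f -`, emitting the flush and the rules of one chain as a single batch makes the replacement atomic; otherwise at least keep the two drop rules immediately after the flush and re-add them last is not an option, so the batch is the fix worth taking. Separately, `priority` is a string that must carry its own trailing semicolon (`"-300;"`, `"-90;"`) and `name`/`hook` are spliced unquoted into the nft command, so a docstring such as `"""Create or refresh filter chain *name* on *hook*; *priority* is an nft priority token including the trailing ';'. Only call with literal identifiers."""` would keep the next caller from passing an int or an externally supplied name. The helper's body and the new `_ensure_rules` are fully inside the hunk.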