Fix stuck nftables load

Previously, the ssh connection got stuck when first loading the nftables ruleset. I now found the reason for this: conntrack was not active before loading the ruleset, so there was no conntrack entry for the ssh connection. This means the traffic was not matched by 'ct state established', and the other output rules did not allow the traffic. To fix this, we can load a ruleset at boot which uses conntrack; this ensures that conntrack is already enabled when loading the actual ruleset over ssh.
2025-03-07 12:41:24 +01:00 · 2025-03-07 12:41:24 +01:00 · 500ca36444
parent 0352ad997f
commit 500ca36444
4 changed files with 23 additions and 4 deletions
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts

 # Configure firewall.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
-parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
-# For some unknown reason nft gets stuck the first time it is run.
-parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
+parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service

 # Uncomment these lines if machines have 4K displays. This scales display to 2x.
 # parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
--- a/contestops/readme.md
+++ b/contestops/readme.md
@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
 Edit `contest-lock.json` to fill in the title and start time of the contest.

 Apply the configuration to machines.
-If the script gets stuck, press Ctrl+C and run it again.

 ```bash
 ./configure-machines.sh
--- a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
+++ b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
@ -28,3 +28,6 @@ systemctl disable kexec.service

 # Restrict access to the config which contains the WiFi password.
 chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
+
+# Enable firewall.
+systemctl enable nftables.service
--- a/os/layers/contestant/includes.chroot/etc/nftables.conf
+++ b/os/layers/contestant/includes.chroot/etc/nftables.conf
@ -0,0 +1,19 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter;
+    # Add a rule which references conntrack, to make sure that conntrack is
+    # already enabled when we activate a restrictive ruleset.
+    ct state { established, related } accept
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+    ct state { established, related } accept
+	}
+}