Fix stuck nftables load

Previously, the ssh connection got stuck when first loading the nftables
ruleset. I now found the reason for this: conntrack was not active
before loading the ruleset, so there was no conntrack entry for the ssh
connection. This means the traffic was not matched by 'ct state
established', and the other output rules did not allow the traffic. To
fix this, we can load a ruleset at boot which uses conntrack; this
ensures that conntrack is already enabled when loading the actual
ruleset over ssh.
Jan Schär 2025-03-07 12:41:24 +01:00
parent 0352ad997f
commit 500ca36444
4 changed files with 23 additions and 4 deletions

@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
# Configure firewall.
parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
# For some unknown reason nft gets stuck the first time it is run.
parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service
# Uncomment these lines if machines have 4K displays. This scales display to 2x.
# parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
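Review bot: `systemctl reload nftables.service` is rejected by systemd when the unit is not active, so on a host imaged before the boot-time ruleset was enabled this step fails and the new /etc/nftables.conf is never applied; use `systemctl reload-or-restart nftables.service` here, or keep a `start` step before the `reload`. If the `# For some unknown reason nft gets stuck` comment survives this hunk it now contradicts the commit message and should go.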

@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
Edit `contest-lock.json` to fill in the title and start time of the contest.
Apply the configuration to machines.
If the script gets stuck, press Ctrl+C and run it again.
```bash
./configure-machines.sh
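Review bot: removing the "press Ctrl+C and run it again" advice is only correct for machines whose image already ships the bootstrap ruleset with nftables.service enabled; add a sentence here stating that `./configure-machines.sh` requires an image rebuilt with this change, because on an older image the first `nft` load over ssh can still hang exactly as before.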

@ -28,3 +28,6 @@ systemctl disable kexec.service
# Restrict access to the config which contains the WiFi password.
chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
# Enable firewall.
systemctl enable nftables.service
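Review bot: `systemctl enable nftables.service` only achieves the intended effect if the new `#!/usr/sbin/nft -f` bootstrap file is installed at the path the unit loads (/etc/nftables.conf on Debian); this hunk shows the enable but not the copy, so confirm the image build places the file there. The comment should also say that this boot-time ruleset is deliberately permissive and exists only to activate conntrack before configure-machines.sh applies the restrictive one, so a reader does not mistake `# Enable firewall.` for real filtering at boot.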

@ -0,0 +1,19 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter;
# Add a rule which references conntrack, to make sure that conntrack is
# already enabled when we activate a restrictive ruleset.
ct state { established, related } accept
}
chain forward {
type filter hook forward priority filter;
}
chain output {
type filter hook output priority filter;
ct state { established, related } accept
}
}
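Review bot: none of the three chains declares a `policy`, so they default to accept and the two `ct state { established, related } accept` rules filter nothing; that is fine for a bootstrap whose only job is to register conntrack, but state it explicitly with `policy accept;` on each chain and a top-of-file comment that this ruleset is intentionally open and is replaced by config-nftables.conf over ssh, so nobody later tightens it to `policy drop` without also allowing the ssh connection that performs the replacement.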