From 500ca364447877c3c3a05a4b6435d4183df9b0c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Fri, 7 Mar 2025 12:41:24 +0100
Subject: [PATCH] Fix stuck nftables load

Previously, the ssh connection got stuck when first loading the nftables ruleset. I now found the reason for this: conntrack was not active before loading the ruleset, so there was no conntrack entry for the ssh connection. This means the traffic was not matched by 'ct state established', and the other output rules did not allow the traffic.

To fix this, we can load a ruleset at boot which uses conntrack; this ensures that conntrack is already enabled when loading the actual ruleset over ssh.
---
 contestops/configure-machines.sh            |  4 +---
 contestops/readme.md                        |  1 -
 .../hooks/live/2010-contestant.hook.chroot  |  3 +++
 .../includes.chroot/etc/nftables.conf       | 19 +++++++++++++++++++
 4 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 os/layers/contestant/includes.chroot/etc/nftables.conf

diff --git a/contestops/configure-machines.sh b/contestops/configure-machines.sh
index c3d8fd6..6e2f61e 100755
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
 
 # Configure firewall.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
-parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
-# For some unknown reason nft gets stuck the first time it is run.
-parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
+parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service
 
 # Uncomment these lines if machines have 4K displays. This scales display to 2x.
 # parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
diff --git a/contestops/readme.md b/contestops/readme.md
index 14a3f5d..d0a392b 100644
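Review bot: The new `systemctl reload nftables.service` line only does anything when the unit is already active; systemd refuses `reload` for an inactive unit, so a machine whose nftables.service failed at boot, or one running an image built before the hook started enabling it, silently keeps whatever ruleset it has, and the parallel-ssh step does not check its exit status. Gating on `systemctl is-active nftables.service` per host, or using `systemctl reload-or-restart nftables.service`, would cover that case — though whether a full restart (flush, then load) brings back the hang this commit fixes I cannot tell from the hunk. A comment here that `config-nftables.conf` must itself begin with `flush ruleset` would also help, because the reload runs `nft -f` against a kernel that already holds the boot-time `table inet filter`, and without a flush the pushed rules are added to it rather than replacing it; I cannot see that file from here. The script continues outside the hunk.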
--- a/contestops/readme.md
+++ b/contestops/readme.md
@@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
 Edit `contest-lock.json` to fill in the title and start time of the contest.
 
 Apply the configuration to machines.
-If the script gets stuck, press Ctrl+C and run it again.
 
 ```bash
 ./configure-machines.sh
diff --git a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
index e65b6fd..c8c0dea 100755
--- a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
+++ b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
@@ -28,3 +28,6 @@ systemctl disable kexec.service
 
 # Restrict access to the config which contains the WiFi password.
 chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
+
+# Enable firewall.
+systemctl enable nftables.service
diff --git a/os/layers/contestant/includes.chroot/etc/nftables.conf b/os/layers/contestant/includes.chroot/etc/nftables.conf
new file mode 100644
index 0000000..190685b
--- /dev/null
+++ b/os/layers/contestant/includes.chroot/etc/nftables.conf
@@ -0,0 +1,19 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter;
+ # Add a rule which references conntrack, to make sure that conntrack is
+ # already enabled when we activate a restrictive ruleset.
+ ct state { established, related } accept
+ }
+ chain forward {
+ type filter hook forward priority filter;
+ }
+ chain output {
+ type filter hook output priority filter;
+ ct state { established, related } accept
+ }
+}
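Review bot: Nothing in the new nftables.conf says that it is deliberately permissive: none of the three base chains carries a `policy` statement, so the implicit accept policy applies and the two `ct state { established, related } accept` rules filter nothing, which a later maintainer could read either as an oversight to harden or as the contest firewall itself. The comment on the input chain explains the conntrack trick but not the file's role, so a header comment above `flush ruleset` would help, e.g. `# Bootstrap ruleset installed in the image. It is intentionally permissive (no chain sets a policy, so everything is accepted); its only job is to reference conntrack so that conntrack is active before configure-machines.sh reloads the real ruleset from config-nftables.conf over ssh.` The same comment should state plainly that until that reload happens the host accepts all traffic, since that is the trade-off this file makes. I infer the relation to config-nftables.conf from the configure-machines.sh hunk above, not from this file.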