Documentation
Overview ¶
firewall_linux.go is the kernel-touching reconciler that converges a nftables table named "weft-fw" to a [pod.Firewall] desired state.
Shape:

    table inet weft-fw {
        chain input { type filter hook input priority filter; policy drop;
            ct state established,related accept
            iifname "lo" accept
            <per-rule allow lines>
        }
        chain output { type filter hook output priority filter; policy accept;
            <per-rule egress drop lines if any>
        }
    }
Reconcile is whole-state: we DELETE the table (if any) and re-create it in one batched netlink flush, so an outside observer never sees a half-applied policy. This is the same model the WireGuard apply uses (replace-set, idempotent).
Stateful: `ct state established,related accept` is added at the top of input so reply traffic for VM-initiated egress flows in without needing a mirrored ingress rule.
Package network configures the guest's pod-level networking purely via AF_NETLINK syscalls — no `ip`, `ifconfig`, or busybox dependency in the micro-VM. Scope is intentionally small: bring one interface up, assign one IPv4 address, install a default gateway, write /etc/resolv.conf. That's what a pod needs.
Netlink RTM messages are framed by hand against the kernel ABI (linux/rtnetlink.h, linux/if_addr.h). No third-party deps.
wgpeers.go holds the pure (no syscall, OS-agnostic) bits of the pod-spec → wgtransport translation so they're unit-testable on any host. The kernel bring-up itself lives in wireguard_linux.go.
wireguard_linux.go brings up a kernel WireGuard interface (wg0) by delegating to grpc-transports/wireguard's public BringUp (kernel backend). Same code path the host side (weft agent --proxy) uses for its own wg interface, so additions like cosigner verification or key rotation only need to land in one library.
The pod spec's WireGuard.Address is a full CIDR (e.g. "10.9.0.1/24") because the guest expects a connected route to the overlay subnet; BringUp itself only installs a /32, so this wrapper re-adds the broader prefix afterwards to keep the semantics identical to the legacy raw-netlink path.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Apply ¶
Apply brings the pod's network up. Idempotent at the level the kernel itself enforces (setting an address that already exists returns EEXIST, which we swallow).
func ApplyFirewall ¶
ApplyFirewall reconciles the kernel nftables ruleset against fw. The empty ruleset is valid and yields:
- input: default-deny except ct established/related + lo
- output: default-accept
This is the "no Security Group attached" baseline.
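The table shape from the Overview and the empty-ruleset baseline described for ApplyFirewall, as an added example that is not this package's code: it renders the "weft-fw" table as a pure, unit-testable function (the same split the page describes for wgpeers.go) and wraps it in the nft declare/delete/redefine idiom so `nft -f` replaces the table in one transaction. Rule and Firewall are hypothetical stand-ins for pod.Firewall, and the per-rule line syntax (`ip saddr ... accept`, `ip daddr ... drop`) is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule and Firewall are hypothetical stand-ins for pod.Firewall; the
// real field names are not shown in the documentation above.
type Rule struct {
	Proto string // "tcp" or "udp"
	Port  int
	CIDR  string // remote prefix: source for ingress, destination for egress
}

type Firewall struct {
	Ingress []Rule // flows allowed into the pod (allow lines in chain input)
	Egress  []Rule // flows denied out of the pod (drop lines in chain output)
}

// Render produces the complete "weft-fw" table for a desired state. The empty
// Firewall yields the baseline: input default-deny except established/related
// and loopback, output default-accept.
func Render(fw Firewall) string {
	var b strings.Builder
	b.WriteString("table inet weft-fw {\n")
	b.WriteString("  chain input { type filter hook input priority filter; policy drop;\n")
	b.WriteString("    ct state established,related accept\n") // replies to VM-initiated egress
	b.WriteString("    iifname \"lo\" accept\n")
	for _, r := range fw.Ingress {
		fmt.Fprintf(&b, "    ip saddr %s %s dport %d accept\n", r.CIDR, r.Proto, r.Port)
	}
	b.WriteString("  }\n")
	b.WriteString("  chain output { type filter hook output priority filter; policy accept;\n")
	for _, r := range fw.Egress {
		fmt.Fprintf(&b, "    ip daddr %s %s dport %d drop\n", r.CIDR, r.Proto, r.Port)
	}
	b.WriteString("  }\n}\n")
	return b.String()
}

// Script wraps Render in the nft "declare, delete, redefine" idiom: `nft -f`
// applies the delete and the new table in one transaction, so the old policy
// is replaced atomically and the script is safe to re-run.
func Script(fw Firewall) string {
	return "table inet weft-fw\ndelete table inet weft-fw\n" + Render(fw)
}

func main() {
	fmt.Print(Script(Firewall{Ingress: []Rule{{Proto: "tcp", Port: 443, CIDR: "10.0.0.0/8"}}}))
}
```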
func ApplyWireGuard ¶
ApplyWireGuard creates the WireGuard interface, configures its device (key, port, peers) and brings it up with the overlay address. Idempotent: re-applying replaces peers and re-asserts the address.
func ReadFirewallStatus ¶
func ReadFirewallStatus() pod.FirewallStatus
ReadFirewallStatus inspects the kernel "weft-fw" nftables table and returns a [pod.FirewallStatus] snapshot. PublishedAtUnix is left zero — the emitter stamps it just before publishing.
Errors are folded into the returned status (Overall=Degraded, LastError=err.Error()) rather than propagated as a Go error. The emitter publishes status unconditionally; a netlink hiccup shouldn't stop the next publish, and the operator wants the bad state on the dashboard rather than a silent black hole.
Types ¶
This section is empty.