firewall: Add support for retrieving blacklisted IP addresses from Radar #2170

Open

francescolavra wants to merge 4 commits into master from feature/firewall

Conversation

@francescolavra

Member

This change set adds support for a "dynamic_rules" attribute in the "firewall" configuration tuple: this attribute contains an array of sources for firewall rules that are retrieved dynamically (as opposed to hard-coding the rules in the configuration manifest).

The first type of dynamic rule sources being supported is "radar", which allows retrieving from the Radar server a list of IP addresses to be blocked (requires a Radar API key).

Example Ops configuration snippet that specifies the Radar source for
firewall rules:

```
  "ManifestPassthrough": {
    "firewall": {
      "dynamic_rules":["radar"]
    }
  },
  "Env": {
    "RADAR_KEY": "my_radar_api_key"
  }
```

As part of these changes, the internal HTTP client implementation has been enhanced to support receiving data with chunked transfer encoding. This removes a previous limitation on the ability of the cloud_init klib to download files from some servers.
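The chunked transfer encoding support mentioned above, as an added example that is not the pull request's or the project's own HTTP client code: a stand-alone C decoder for a fully buffered chunked body that rejects the malformed and truncated inputs a client has to treat as errors. The `chunked_decode` and `chunked_decodes_to` functions, the 8-digit size limit and the buffer sizes are this example's own choices.

```c
#include <ctype.h>
#include <string.h>

/* Decode an HTTP/1.1 chunked transfer-encoded body (RFC 7230 section 4.1)
 * held entirely in `in`. Returns the payload length written to `out`, or -1
 * if the input is malformed, truncated or larger than `out_cap`. Chunk
 * extensions (";name=value") are ignored and trailer fields are skipped. */
long chunked_decode(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t pos = 0, written = 0;
    for (;;) {
        size_t size = 0;
        int digits = 0;
        /* chunk-size is hexadecimal; cap the digit count so it cannot overflow */
        while (pos < in_len && isxdigit((unsigned char)in[pos])) {
            int c = tolower((unsigned char)in[pos++]);
            if (++digits > 8) return -1;
            size = size * 16 + (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        }
        if (digits == 0) return -1;         /* missing or non-hex chunk size */
        while (pos < in_len && in[pos] != '\r') pos++;   /* skip chunk extension */
        if (pos + 2 > in_len || in[pos + 1] != '\n') return -1;  /* no CRLF after size */
        pos += 2;
        if (size == 0) break;               /* last-chunk: only trailers remain */
        if (size + 2 > in_len - pos || size > out_cap - written)
            return -1;                      /* chunk data truncated or output full */
        memcpy(out + written, in + pos, size);
        written += size;
        pos += size;
        if (in[pos] != '\r' || in[pos + 1] != '\n') return -1;   /* no CRLF after data */
        pos += 2;
    }
    /* skip trailer fields (each CRLF-terminated) until the empty line */
    for (;;) {
        const char *cr = memchr(in + pos, '\r', in_len - pos);
        if (!cr || (size_t)(cr - in) + 2 > in_len || cr[1] != '\n')
            return -1;                      /* trailer section truncated */
        if (cr == in + pos) return (long)written;   /* empty line ends the body */
        pos = (size_t)(cr - in) + 2;
    }
}

/* Decode `in` and compare with `expected`; NULL means the input must be rejected. */
int chunked_decodes_to(const char *in, const char *expected)
{
    char buf[256];
    long n = chunked_decode(in, strlen(in), buf, sizeof(buf));
    if (!expected) return n < 0;
    return n == (long)strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```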

Francesco Lavra added 4 commits June 20, 2026 15:04
In preparation for adding support for retrieving firewall rules from
different sources, refactor the rule initialization logic so that rules
from the manifest are parsed in a dedicated function.

If the `addr` pointer argument in the lwIP DNS callback is NULL, it means
that a DNS name cannot be resolved asynchronously; this must be reported as
an error.

…oding

This allows e.g. the cloud_init klib to download files from servers that
use chunked transfer encoding, and will be required when adding support for
the radar rule source to the firewall klib.

Add support for a "dynamic_rules" attribute in the "firewall" configuration
tuple: this attribute contains an array of sources for firewall rules that
are retrieved dynamically (as opposed to hard-coding the rules in the
configuration manifest). The first type of dynamic rule sources being
supported is "radar", which allows retrieving from the Radar server a list
of IP addresses to be blocked (requires a Radar API key).
Since data from the Radar server are retrieved asynchronously, in order to
allow the firewall klib to enable packet filtering after the initial boot
sequence, remove the "read-only after init" attribute from the
`net_ip_input_filter` function pointer.
Example Ops configuration snippet that specifies the Radar source for
firewall rules:
```
  "ManifestPassthrough": {
    "firewall": {
      "dynamic_rules":["radar"]
    }
  },
  "Env": {
    "RADAR_KEY": "my_radar_api_key"
  }
```