firewall: Add support for retrieving blacklisted IP addresses from Radar #2170
Open
francescolavra wants to merge 4 commits into
added 4 commits
June 20, 2026 15:04
In preparation for adding support for retrieving firewall rules from different sources, refactor the rule initialization logic so that rules from the manifest are parsed in a dedicated function.
If the `addr` pointer argument in the lwIP DNS callback is NULL, it means that a DNS name cannot be resolved asynchronously; this must be reported as an error.
…oding This allows e.g. the cloud_init klib to download files from servers that use chunked transfer encoding, and will be required when adding support for the radar rule source to the firewall klib.
Add support for a "dynamic_rules" attribute in the "firewall" configuration
tuple: this attribute contains an array of sources for firewall rules that
are retrieved dynamically (as opposed to hard-coding the rules in the
configuration manifest). The first type of dynamic rule sources being
supported is "radar", which allows retrieving from the Radar server a list
of IP addresses to be blocked (requires a Radar API key).
Since data from the Radar server are retrieved asynchronously, in order to
allow the firewall klib to enable packet filtering after the initial boot
sequence, remove the "read-only after init" attribute from the
`net_ip_input_filter` function pointer.
Example Ops configuration snippet that specifies the Radar source for
firewall rules:
```
"ManifestPassthrough": {
  "firewall": {
    "dynamic_rules": ["radar"]
  }
},
"Env": {
  "RADAR_KEY": "my_radar_api_key"
}
```
This change set adds support for a "dynamic_rules" attribute in the "firewall" configuration tuple: this attribute contains an array of sources for firewall rules that are retrieved dynamically (as opposed to hard-coding the rules in the configuration manifest).
The first type of dynamic rule sources being supported is "radar", which allows retrieving from the Radar server a list of IP addresses to be blocked (requires a Radar API key).
As part of these changes, the internal HTTP client implementation has been enhanced to support receiving data with chunked transfer encoding. This removes a previous limitation on the ability of the cloud_init klib to download files from some servers.
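The chunked framing that the description above says the HTTP client now accepts, as an added example that is not code from this pull request or from Nanos: a bounds-checked decoder for a fully buffered body. The names `chunked_decode` and `hex_val` are hypothetical; because the body comes from a remote server, oversized size fields, truncated chunks and output overflow are all rejected.

```c
#include <stddef.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper, not Nanos code: decodes a fully buffered chunked
 * body from in into out. Returns the decoded length, or -1 if the input
 * is malformed, truncated, or does not fit in out_cap bytes. */
long chunked_decode(const char *in, size_t in_len, char *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;
    for (;;) {
        size_t size = 0, digits = 0;
        int v;
        /* Chunk size: at most 8 hex digits, so the value cannot overflow. */
        while (pos < in_len && (v = hex_val(in[pos])) >= 0) {
            if (++digits > 8)
                return -1;
            size = (size << 4) | (size_t)v;
            pos++;
        }
        if (digits == 0)
            return -1;
        /* Skip any chunk extension up to the CRLF ending the size line. */
        while (pos < in_len && in[pos] != '\r')
            pos++;
        if (in_len - pos < 2 || in[pos + 1] != '\n')
            return -1;
        pos += 2;
        if (size == 0)
            return (long)out_len;   /* last chunk; trailer fields not parsed */
        /* Chunk data and its CRLF must be present, and must fit in out. */
        if (size > in_len - pos || in_len - pos - size < 2 ||
            size > out_cap - out_len)
            return -1;
        if (in[pos + size] != '\r' || in[pos + size + 1] != '\n')
            return -1;
        memcpy(out + out_len, in + pos, size);
        out_len += size;
        pos += size + 2;
    }
}
```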