feat(usbgadget): drop inbound TCP/UDP on usb0 via nftables

Adds an `inet jetkvm` table with a single `input_usb0` chain that drops
TCP and UDP arriving on usb0. ICMP/ICMPv6 (including NDP and ping) are
untouched so the link stays debuggable. Installed by applyNcmFirewall
when NCM is toggled on, removed by removeNcmFirewall on toggle off.

Fail-closed: if modprobe or any nftables operation fails, the link is
rolled back and bringUpNcmInterface returns the error -- no scenario
where usb0 is up without the firewall in place. Idempotent: a stale
table from a previous run is deleted before the fresh one is built.

The rv1106 rootfs ships nf_tables.ko in /lib/modules but does not
auto-load it (kernel module auto-load via NETLINK_NETFILTER never
fires here), so applyNcmFirewall does a lazy `modprobe nf_tables` on
first use. Match expressions (meta iifname, meta l4proto, cmp, drop)
are all baked into nf_tables.ko on 5.10, so no additional modprobes
are needed for the production rules.

This closes the security gap that was previously documented as a
known issue in PR #1470: with this in place, the web UI, mDNS, SSH
and any other system services are unreachable from the target host
over the CDC-NCM link, while ICMPv6 (NDP + ping) keeps the link
itself debuggable.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mcuelenaere

go.mod

@@ -10,11 +10,13 @@ require (
 	github.com/coder/websocket v1.8.14
 	github.com/coreos/go-oidc/v3 v3.16.0
 	github.com/creack/pty v1.1.24
+	github.com/eclipse/paho.mqtt.golang v1.5.1
 	github.com/erikdubbelboer/gspt v0.0.0-20210805194459-ce36a5128377
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gin-contrib/logger v1.2.6
 	github.com/gin-gonic/gin v1.10.1
 	github.com/go-co-op/gocron/v2 v2.17.0
+	github.com/google/nftables v0.3.0
 	github.com/google/uuid v1.6.0
 	github.com/guregu/null/v6 v6.0.0
 	github.com/gwatts/rootcerts v0.0.0-20250901182336-dc5ae18bd79f
@@ -54,14 +56,14 @@ require (
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/creack/goselect v0.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/eclipse/paho.mqtt.golang v1.5.1 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.9 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.27.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/josharian/native v1.1.0 // indirect
@@ -70,8 +72,9 @@ require (
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/packet v1.1.2 // indirect
-	github.com/mdlayher/socket v0.4.1 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect

go.sum

@@ -74,6 +74,8 @@ github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/nftables v0.3.0 h1:bkyZ0cbpVeMHXOrtlFc8ISmfVqq5gPJukoYieyVmITg=
+github.com/google/nftables v0.3.0/go.mod h1:BCp9FsrbF1Fn/Yu6CLUc9GGZFw/+hsxfluNXXmxBfRM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
@@ -117,10 +119,12 @@ github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWE
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mdlayher/ndp v1.1.0 h1:QylGKGVtH60sKZUE88+IW5ila1Z/M9/OXhWdsVKuscs=
 github.com/mdlayher/ndp v1.1.0/go.mod h1:FmgESgemgjl38vuOIyAHWUUL6vQKA/pQNkvXdWsdQFM=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/packet v1.1.2 h1:3Up1NG6LZrsgDVn6X4L9Ge/iyRyxFEFD9o6Pr3Q1nQY=
 github.com/mdlayher/packet v1.1.2/go.mod h1:GEu1+n9sG5VtiRE4SydOmX5GTwyyYlteZiFU+x0kew4=
-github.com/mdlayher/socket v0.4.1 h1:eM9y2/jlbs1M615oshPQOHZzj6R6wMT7bX5NPiQvn2U=
-github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8KuoJGIReA=
+github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
+github.com/mdlayher/socket v0.5.0/go.mod h1:WkcBFfvyG8QENs5+hfQPl1X6Jpd2yeLIYgrGFmJiJxI=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

internal/usbgadget/ncm_firewall.go

@@ -0,0 +1,97 @@
+package usbgadget
+
+import (
+	"fmt"
+	"os/exec"
+
+	"github.com/google/nftables"
+	"github.com/google/nftables/expr"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	ncmFirewallTableName = "jetkvm"
+	ncmFirewallChainName = "input_usb0"
+)
+
+// applyNcmFirewall installs (or replaces) an nftables table that drops all
+// inbound TCP and UDP arriving on usb0. ICMP/ICMPv6 are intentionally not
+// touched so NDP and ping continue to work — host isolation, not full
+// blackhole. Idempotent: deletes any pre-existing table of the same name
+// first so a stale ruleset from a previous run can't accumulate.
+//
+// Loads nf_tables.ko on first call via modprobe; the rv1106 rootfs ships
+// the module but does not auto-load it.
+func (u *UsbGadget) applyNcmFirewall() error {
+	if out, err := exec.Command("modprobe", "nf_tables").CombinedOutput(); err != nil {
+		return fmt.Errorf("modprobe nf_tables: %w: %s", err, out)
+	}
+
+	conn, err := nftables.New()
+	if err != nil {
+		return fmt.Errorf("open nftables conn: %w", err)
+	}
+
+	// Wipe any stale table from a previous run before building fresh.
+	table := &nftables.Table{Name: ncmFirewallTableName, Family: nftables.TableFamilyINet}
+	conn.DelTable(table)
+	// Ignore error — table may not exist, which is fine.
+	_ = conn.Flush()
+
+	table = conn.AddTable(table)
+	policy := nftables.ChainPolicyAccept
+	chain := conn.AddChain(&nftables.Chain{
+		Name:     ncmFirewallChainName,
+		Table:    table,
+		Hooknum:  nftables.ChainHookInput,
+		Priority: nftables.ChainPriorityFilter,
+		Type:     nftables.ChainTypeFilter,
+		Policy:   &policy,
+	})
+
+	// One drop rule per L4 protocol. Each rule matches:
+	//   iifname == usb0 AND l4proto == <tcp|udp>  =>  drop
+	for _, proto := range []byte{unix.IPPROTO_TCP, unix.IPPROTO_UDP} {
+		conn.AddRule(&nftables.Rule{
+			Table: table,
+			Chain: chain,
+			Exprs: []expr.Any{
+				&expr.Meta{Key: expr.MetaKeyIIFNAME, Register: 1},
+				&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: ifnameBytes(ncmInterfaceName)},
+				&expr.Meta{Key: expr.MetaKeyL4PROTO, Register: 1},
+				&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: []byte{proto}},
+				&expr.Verdict{Kind: expr.VerdictDrop},
+			},
+		})
+	}
+
+	if err := conn.Flush(); err != nil {
+		return fmt.Errorf("commit nftables ruleset: %w", err)
+	}
+	return nil
+}
+
+// removeNcmFirewall deletes our nftables table. Best-effort: a missing table
+// is not an error (we may be called during teardown after a crash or during
+// rapid toggle off/on cycles).
+func (u *UsbGadget) removeNcmFirewall() {
+	conn, err := nftables.New()
+	if err != nil {
+		u.log.Warn().Err(err).Msg("nftables open failed during teardown")
+		return
+	}
+	conn.DelTable(&nftables.Table{Name: ncmFirewallTableName, Family: nftables.TableFamilyINet})
+	if err := conn.Flush(); err != nil {
+		// Most likely cause is "table not found", which we don't care about.
+		u.log.Debug().Err(err).Msg("nftables flush during teardown")
+	}
+}
+
+// ifnameBytes pads or truncates name to IFNAMSIZ (16 bytes), the form nft
+// expects when comparing against the iifname meta key. A shorter slice
+// silently fails to match (the kernel memcmps the full register width).
+func ifnameBytes(name string) []byte {
+	b := make([]byte, unix.IFNAMSIZ)
+	copy(b, name)
+	return b
+}

internal/usbgadget/ncm_iface.go

@@ -31,12 +31,21 @@ func (u *UsbGadget) bringUpNcmInterface() error {
 	if err := netlink.LinkSetUp(link); err != nil {
 		return fmt.Errorf("link up %s: %w", ncmInterfaceName, err)
 	}
+
+	// Install the host-isolation firewall before returning success. Fail closed:
+	// if the firewall can't be installed, usb0 must not be exposed.
+	if err := u.applyNcmFirewall(); err != nil {
+		// Roll back the link so we don't leak an unfiltered interface.
+		_ = netlink.LinkSetDown(link)
+		return fmt.Errorf("apply NCM firewall: %w", err)
+	}
 	return nil
 }
 
-// tearDownNcmInterface brings usb0 down before the gadget rebind drops the
-// netdev. Silent no-op if the interface is already gone.
+// tearDownNcmInterface removes the firewall and brings usb0 down before the
+// gadget rebind drops the netdev. Both steps are best-effort.
 func (u *UsbGadget) tearDownNcmInterface() {
+	u.removeNcmFirewall()
 	link, err := netlink.LinkByName(ncmInterfaceName)
 	if err != nil {
 		return