acme-common: Move nftables rule to hook#29802
Conversation
|
Whoops, forgot to add the fixes tag. Thank you. |
|
Could you add same func at uacme's hook script too? |
Once this has a review and everyone is happy I will make the changes for uacme as well. This can be a condition of getting this merged. I'd prefer to get it right in one spot first. |
2de7fcf to
f60b179
Compare
|
I've looked at uacme's hook script and it says that the standalone server is not implemented. Unless I'm missing something I won't be making any modifications to uacme. |
|
Webroot/tls-alpn still need to open its port to public (I doubt most people open luci to internet 24/7) |
f60b179 to
d9c38cb
Compare
|
do you have reason to webroot challenge to not open port? you can't expect uhttpd(which run luci too) to be open to public by default: |
I'm a bit lost. Was this for uacme or acmesh? |
|
Both; you don't set rule add when you select web root challenge solver |
d9c38cb to
a23c8f4
Compare
|
tested it with uacme with webroot challenge solver, it works as intended. |
|
I forgot to mention but you now have to bump PKG_RELEASE(it's in packages makefile) at every package you touched : acme-common is only on here, so for it you need last number of PKG_VERSION |
a23c8f4 to
af1fa9b
Compare
|
Whoops. Was there anything else I need to fix? |
|
I suspect the bot is going to complain that you don't have a signoff in your commit message. Also, the message starts with "The nftables rule in acme-common works" - does it really, though? If it's being removed while the check is still ongoing it does not, in fact, work, does it? :) |
af1fa9b to
c8b15d8
Compare
tohojo
left a comment
There was a problem hiding this comment.
Code looks good to me; seems the bot has one more nit, please fix that and we should be good to go :)
c8b15d8 to
a5ab162
Compare
|
Nudging this one |
|
Unsolicited comment: @mcassaniti @tohojo this nft rule manipulation feels like a crutch when OpenWrt already supports adding firewall objects to procd instances. Would it not be more elegant to create a patch that overwrites _startserver/_stopserver (and tls functions too) to start procd socat instance + firewall object and tear them down? Just a food for thought for the future. Should be an easy work for an agent. |
IIRC old one before this PR did that, but _stopserver called too early and removed firewall rule before remote ACME server actually check challenge file |
|
LGTM? |
|
@BKPepe could you take another look at this? |
a5ab162 to
0f9a9e1
Compare
Formality Check: FailedWe completed the verification flow. Please review the formatting overview logs below. 🛑 CRITICAL ERRORS
|
|
You should wait for maintainer. |
There was a problem hiding this comment.
Pull request overview
This PR aims to fix a race in acme-common firewall (nftables) rule management by moving rule insertion/deletion from the acme init script into the per-client hook scripts, so the rule lifetime more closely matches the actual ACME client runtime.
Changes:
- Removed nftables rule lifecycle management from
net/acme-common/files/acme.init. - Added shared
add_nft_rule/del_nft_rulehelpers innet/acme-common/files/functions.shand invoked them from theacme-acmeshanduacmehooks. - Bumped package versions/releases to ship the behavior change.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| net/uacme/Makefile | Bumps PKG_RELEASE to ship hook behavior changes. |
| net/uacme/files/hook.sh | Moves nft rule management into the uacme hook (add before run, delete after). |
| net/acme-common/Makefile | Bumps PKG_VERSION for the acme-common behavior change. |
| net/acme-common/files/functions.sh | Introduces shared nft rule helper functions. |
| net/acme-common/files/acme.init | Removes prior init-script-managed nft rule handling to avoid races. |
| net/acme-acmesh/Makefile | Bumps PKG_RELEASE to ship hook behavior changes. |
| net/acme-acmesh/files/hook.sh | Moves nft rule management into the acme.sh hook (renew + issuance paths). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
a3e716b to
4092748
Compare
|
I'll need some help with this one |
tohojo
left a comment
There was a problem hiding this comment.
A few nits. I think you can ignore the PKG_VERSION comment in this case (it wants you to mention the version bump in the commit header, but in this case it's not an upstream release, so it's kinda incidental)
Honestly, this is a question of how we want to handle it. Some might consider it a false positive, but frankly, I believe that unless proven otherwise, the number of packages using this non-standard approach is so small that I'm unsure what the best way to catch it would be. Looking at mwan3, @feckert manages to address it there. Of course, one could argue it's a workaround or a bypass of the check, but he implemented it this way long before the OpenWrt GitHub bot existed. In my view, the workflow in the external repository is that changes accumulate in the master branch, and then a decision is made to cut a new release along with release notes. I think we could introduce this practice here too, just to keep things transparent. We can definitely open this up for discussion. |
The nftables rule in acme-common partially works, but it races against the acme.sh and uacme client. While the client is performing the renew the rule is being deleted because the client is run in the background. This change moves the rule management to the hook instead. While duplicate rules could be created, the benefits outway the potential costs. It is unknown how many installations issue/renew multiple certificates. Version bump to 1.5.3 of acme-common was required. Signed-off-by: Michael A Cassaniti <michael@cassaniti.id.au>
4092748 to
a7e6963
Compare
tohojo
left a comment
There was a problem hiding this comment.
One small nit. Also, let's split the package version and revision bumps into its own commit (and mention the version in the commit subject) to appease the formalities bot :)
| # shellcheck disable=SC2086 | ||
| if ! nft delete rule inet fw4 input $NFT_HANDLE ; then | ||
| log err "Failed to delete nftables rule $NFT_HANDLE" | ||
| fi |
There was a problem hiding this comment.
We should reset NFT_HANDLE to the empty string here to make sure the function is idempotent. I don't think we'll ever call it twice as-is now, but it's still good practice to guard against it.
📦 Package Details
Maintainer: @tohojo
Description:
The nftables rule in acme-common partially works, but it races against the acme.sh and uacme client. While the client is performing the renew the rule is being deleted because the client is run in the background. This change moves the rule management to the hook instead. While duplicate rules could be created, the benefits outway the potential costs. It is unknown how many installations issue/renew multiple certificates.
I've done some basic testing against my production firewalls and confirmed this is working. Feel free to make changes as required.
🧪 Run Testing Details
✅ Formalities
If your PR contains a patch:
I'll need some help with these ones
git am(e.g., subject line, commit description, etc.)
We must try to upstream patches to reduce maintenance burden.