bosh-linux-stemcell-builder
mbus firewall rules
Currently the agent uses iptables to create mbus firewall rules. As we now use cgroupv2, these rules won't work anymore.
We could add this now to the stemcell or to the agent. If we put it in the stemcell, it would look something like the script below, and we could use systemd to run this when the BOSH agent is ready, as the rules won't be added if the cgroup does not exist, which happens once the agent is started. It should also be renewed if the agent restarts.
#!/bin/bash
# Allow only the bosh-agent cgroup (and root, e.g. director traffic) to reach the
# NATS mbus endpoint taken from settings.json; drop any other local traffic to it.
set -euo pipefail

mbusurl=$(jq -r .mbus settings.json)
if [ -z "$mbusurl" ] || [ "$mbusurl" = "null" ]; then
  echo "No mbus url found in settings.json"
  exit 1
fi
if [[ $mbusurl == https://* ]]; then
  echo "mbus url contains https and no rules are needed"
  exit 0
fi

# Strip the scheme and any user:pass@ part before splitting host and port.
hostport=${mbusurl#*//}
hostport=${hostport##*@}
mbushost=${hostport%%:*}
mbusport=${hostport##*:}
echo "my nats ip $mbushost and port $mbusport"

# socket cgroupv2 is only valid in prerouting/input/output hooks, so the chain
# hooks output (a postrouting chain would be rejected), and the rules below are
# added to that same chain. Flushing first keeps a re-run after an agent restart
# from duplicating rules.
nft add table inet filter
nft add chain inet filter nats_output '{ type filter hook output priority 0 ; policy accept ; }'
nft flush chain inet filter nats_output
nft add rule inet filter nats_output socket cgroupv2 level 2 "system.slice/bosh-agent.service" ip daddr "$mbushost" tcp dport "$mbusport" log prefix "\"Matched cgroup bosh-agent nats rule: \"" accept
nft add rule inet filter nats_output skuid 0 ip daddr "$mbushost" tcp dport "$mbusport" log prefix "\"Matched skuid director nats rule: \"" accept
nft add rule inet filter nats_output ip daddr "$mbushost" tcp dport "$mbusport" log prefix "\"dropped nats rule: \"" drop
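The systemd wiring described above (run the script once the agent is up, re-run it when the agent restarts), as an added example that is not part of this issue or of the bosh project. It assumes the agent runs as bosh-agent.service, which is the unit name the cgroup path in the script already uses; the script path and the directory holding settings.json are placeholders.

```ini
# Constructed example unit (not bosh project code): creates the mbus nft rules
# after bosh-agent.service has started and recreates them on an agent restart.
[Unit]
Description=nftables mbus rules tied to the bosh-agent cgroup
# The cgroup path system.slice/bosh-agent.service only exists while the agent
# runs, so the rules can only be added after it has started.
After=bosh-agent.service
BindsTo=bosh-agent.service
# PartOf propagates an explicit restart of the agent to this unit, so the
# script runs again and rebuilds the chain for the new cgroup.
PartOf=bosh-agent.service

[Service]
Type=oneshot
RemainAfterExit=yes
# Placeholder paths: the directory containing settings.json and the script above.
WorkingDirectory=/path/to/bosh-agent-settings-dir
ExecStart=/path/to/mbus-firewall.sh

[Install]
WantedBy=multi-user.target
```

Enable it with `systemctl enable mbus-firewall.service` (any unit name works). Because the script flushes the chain before adding rules, the drop rule stays in place across an agent restart and the cgroup match is refreshed rather than duplicated; an automatic crash restart of the agent by systemd is not covered by PartOf, so an agent `Restart=` policy would also need a hook to trigger this unit.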