nftables: drop busybox, replace nftd with nft-helper, reduce size

troglobit · troglobit · commit 448dab0d1b81 · 2024-02-01T20:02:00.000+01:00
Simplify container even further, to a strict application container,
dropping BusyByx and replacing nftd (shell script) with nft-helper.

The resulting container is a ¼ of the previous size, while retaining the
functionality, making it a lot more sane to bundle with Infix images.

Signed-off-by: Joachim Wiberg &lt;troglobit@gmail.com&gt;
diff --git a/board/nftables/rootfs/sbin/nftd b/board/nftables/rootfs/sbin/nftd
diff --git a/configs/curios-nftables_amd64_defconfig b/configs/curios-nftables_amd64_defconfig
@@ -4,23 +4,24 @@ BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_X86_64_UCLIBC_STABLE=y
 BR2_DL_DIR="${BR2_EXTERNAL_CURIOS_PATH}/dl"
 BR2_CCACHE=y
 BR2_CCACHE_DIR="${BR2_EXTERNAL_CURIOS_PATH}/.ccache"
+BR2_STATIC_LIBS=y
 BR2_TARGET_GENERIC_HOSTNAME="curiOS"
 BR2_TARGET_GENERIC_ISSUE="Welcome to curiOS"
 BR2_INIT_NONE=y
+# BR2_TARGET_ENABLE_ROOT_LOGIN is not set
 BR2_SYSTEM_BIN_SH_NONE=y
 # BR2_TARGET_GENERIC_GETTY is not set
 # BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW is not set
 BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_CURIOS_PATH)/board/nftables/rootfs"
 BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_CURIOS_PATH)/board/common/post-build.sh"
-BR2_PACKAGE_BUSYBOX_CONFIG="${BR2_EXTERNAL_CURIOS_PATH}/board/common/busybox-tiny_defconfig"
-BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y
+# BR2_PACKAGE_BUSYBOX is not set
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_NFTABLES=y
-# BR2_PACKAGE_URANDOM_SCRIPTS is not set
 BR2_PACKAGE_TINI=y
 BR2_TARGET_ROOTFS_OCI=y
 BR2_TARGET_ROOTFS_OCI_AUTHOR="curiOS"
 BR2_TARGET_ROOTFS_OCI_TAG="edge"
 BR2_TARGET_ROOTFS_OCI_ENTRYPOINT="/usr/bin/tini --"
-BR2_TARGET_ROOTFS_OCI_CMD="/sbin/nftd"
+BR2_TARGET_ROOTFS_OCI_CMD="/usr/sbin/nft-helper /etc/nftables.conf"
 BR2_TARGET_ROOTFS_OCI_LABELS=".url=https://github.com/kernelkit/curiOS .title=curiOS-nftables"
+BR2_PACKAGE_NFT_HELPER=y
diff --git a/configs/curios-nftables_arm64_defconfig b/configs/curios-nftables_arm64_defconfig
@@ -5,23 +5,24 @@ BR2_TOOLCHAIN_EXTERNAL_BOOTLIN_AARCH64_UCLIBC_STABLE=y
 BR2_DL_DIR="${BR2_EXTERNAL_CURIOS_PATH}/dl"
 BR2_CCACHE=y
 BR2_CCACHE_DIR="${BR2_EXTERNAL_CURIOS_PATH}/.ccache"
+BR2_STATIC_LIBS=y
 BR2_TARGET_GENERIC_HOSTNAME="curiOS"
 BR2_TARGET_GENERIC_ISSUE="Welcome to curiOS"
 BR2_INIT_NONE=y
+# BR2_TARGET_ENABLE_ROOT_LOGIN is not set
 BR2_SYSTEM_BIN_SH_NONE=y
 # BR2_TARGET_GENERIC_GETTY is not set
 # BR2_TARGET_GENERIC_REMOUNT_ROOTFS_RW is not set
 BR2_ROOTFS_OVERLAY="$(BR2_EXTERNAL_CURIOS_PATH)/board/nftables/rootfs"
 BR2_ROOTFS_POST_BUILD_SCRIPT="$(BR2_EXTERNAL_CURIOS_PATH)/board/common/post-build.sh"
-BR2_PACKAGE_BUSYBOX_CONFIG="${BR2_EXTERNAL_CURIOS_PATH}/board/common/busybox-tiny_defconfig"
-BR2_PACKAGE_BUSYBOX_SHOW_OTHERS=y
+# BR2_PACKAGE_BUSYBOX is not set
 # BR2_PACKAGE_IFUPDOWN_SCRIPTS is not set
 BR2_PACKAGE_NFTABLES=y
-# BR2_PACKAGE_URANDOM_SCRIPTS is not set
 BR2_PACKAGE_TINI=y
 BR2_TARGET_ROOTFS_OCI=y
 BR2_TARGET_ROOTFS_OCI_AUTHOR="curiOS"
 BR2_TARGET_ROOTFS_OCI_TAG="edge"
 BR2_TARGET_ROOTFS_OCI_ENTRYPOINT="/usr/bin/tini --"
-BR2_TARGET_ROOTFS_OCI_CMD="/sbin/nftd"
+BR2_TARGET_ROOTFS_OCI_CMD="/usr/sbin/nft-helper /etc/nftables.conf"
 BR2_TARGET_ROOTFS_OCI_LABELS=".url=https://github.com/kernelkit/curiOS .title=curiOS-nftables"
+BR2_PACKAGE_NFT_HELPER=y
diff --git a/package/Config.in b/package/Config.in
@@ -1,3 +1,4 @@
 menu "Networking applications"  
+	source "$BR2_EXTERNAL_CURIOS_PATH/package/nft-helper/Config.in"
 	source "$BR2_EXTERNAL_CURIOS_PATH/package/openresty/Config.in"
 endmenu
diff --git a/package/nft-helper/Config.in b/package/nft-helper/Config.in
@@ -0,0 +1,7 @@
+config BR2_PACKAGE_NFT_HELPER
+	bool "nft-helper"
+	help
+	  Wrapper for nft running under tini.  At startup it takes
+	  its first command line argument as the nftables.conf to
+	  load with: 'nft -f /path/to/nftables.conf' on any signal
+	  it shuts down by calling 'nft flush ruleset'.
diff --git a/package/nft-helper/nft-helper.mk b/package/nft-helper/nft-helper.mk
@@ -0,0 +1,21 @@
+################################################################################
+#
+# nft-helper
+#
+################################################################################
+
+NFT_HELPER_VERSION = 1.0
+NFT_HELPER_SITE_METHOD = local
+NFT_HELPER_SITE = $(BR2_EXTERNAL_CURIOS_PATH)/src/nft-helper
+NFT_HELPER_LICENSE = ISC
+NFT_HELPER_LICENSE_FILES = LICENSE
+
+define NFT_HELPER_BUILD_CMDS
+	$(TARGET_CONFIGURE_OPTS) $(MAKE) -C $(@D) all
+endef
+
+define NFT_HELPER_INSTALL_TARGET_CMDS
+	$(INSTALL) -D -m 0755 $(@D)/nft-helper $(TARGET_DIR)/usr/sbin/
+endef
+
+$(eval $(generic-package))
diff --git a/src/nft-helper/LICENSE b/src/nft-helper/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2024 The KernelKit Authors
+
+Permission to use, copy, modify, and/or distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
diff --git a/src/nft-helper/Makefile b/src/nft-helper/Makefile
@@ -0,0 +1,10 @@
+all: nft-helper
+
+clean:
+	rm nft-helper *.o
+
+distclean: clean
+	rm *~
+
+nft-helper: main.c Makefile
+	$(CC) -o $@ $(CFLAGS) $< $(LDFLAGS)
diff --git a/src/nft-helper/README.md b/src/nft-helper/README.md
@@ -0,0 +1,29 @@
+NFT Helper
+==========
+
+This is a wrapper for nft running under tini.  Its only purpose is to
+listen to signals from tini, load nft at start, flush ruleset at exit.
+
+We could use a simple script for this, as shown below, and that would
+be fine if we had a POSIX shell in the container.  This helper is for
+the case when there is nothing.
+
+```
+#!/bin/sh
+# nft wrapper to load rules at startup and flush at shutdown
+
+flush()
+{
+        echo "Got signal, stopping ..."
+	nft flush ruleset
+        exit 0
+}
+
+trap flush INT TERM QUIT EXIT
+
+# Load ruleset
+nft -f /etc/nftables.conf
+
+# sleep may exit on known signal, so we cannot use 'set -e'
+sleep infinity
+```
diff --git a/src/nft-helper/main.c b/src/nft-helper/main.c
@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: ISC */
+
+#include <err.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
+int run(char *cmd[])
+{
+	pid_t pid;
+	int rc;
+
+	pid = fork();
+	if (pid == -1) {
+		err(1, "failed fork()");
+	}
+
+	if (!pid) {
+		setsid();
+		_exit(execvp(cmd[0], cmd));
+	}
+
+	if (waitpid(pid, &rc, 0))
+		return -1;
+
+	return WEXITSTATUS(rc);
+}
+
+void cb(int signo)
+{
+	warnx("got signal %d, calling nft flush ruleset and exit.", signo);
+}
+
+int main(int argc, char *argv[])
+{
+	char *load[]  = { "nft", "-f", NULL, NULL };
+	char *flush[] = { "nft", "flush", "ruleset", NULL };
+
+	if (argc < 2 || access(argv[1], F_OK))
+		errx(1, "Missing nft.conf argument.\nUsage:\n\t%s /path/to/nftables.conf", argv[0]);
+
+	signal(SIGTERM, cb);
+	signal(SIGQUIT, cb);
+	signal(SIGINT, cb);
+	signal(SIGHUP, cb);
+
+	load[2] = argv[1];
+	run(load);
+	pause();
+	run(flush);
+
+	return 0;
+}
