I am using Ubuntu Core as a gateway for a piece of industrial machinery. I need to have NAT rules and an OpenVPN client that are loaded when the system is restarted. I have made my own snap that has a service that loads the OpenVPN settings, iptables rules and the sysctl setting to allow packet forwarding.
The interfaces I have given the snap access to are…
but I am still having trouble with permissions, particularly with the iptables rules and the sysctl change.
What interfaces am I missing? Or am I going about this the wrong way and there is a far easier way to accomplish this?
These should be sufficient for what you describe as your use case (indeed, the ufw snap plugs only firewall-control). Are the interfaces connected? Use snap interfaces <snapname> to check. If not, use snap connect <snapname>:<interface> to connect them.
If they are connected, are there any security policy denials in the logs? Running sudo journalctl --follow|grep audit and then running your snap will show you denials. You might also be interested in the snappy-debug snap: sudo snap install snappy-debug ; sudo snappy-debug.security scanlog in one terminal, then exercise your snap.
I had only previously used auto-connect plugs… Okay, the snap now works via the CLI.
The issue I am having is that I have the iptables settings as a oneshot systemd service. When you install a snap with a oneshot service, it runs on install and fails. This appears to cancel the install. This does not give me the opportunity to connect the interface to the plug.
Can you connect the interface during the install?
You could use an install hook to check if you can do an operation allowed by the firewall-control interface (e.g., /sbin/iptables --version, but it could be anything you want), then if it fails, create a stamp file in $SNAP_COMMON. Then your oneshot service checks if the stamp file exists and, if so, exits with a message to tell the user to run ‘sudo snap connect :firewall-control’.
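The install-hook-plus-stamp-file pattern suggested above, written out as one POSIX shell script that the snap ships and uses both as its install hook and as the command of its oneshot service. This is an added example, not code from the thread or from the poster's snap; the snap name "gateway", the interface names eth0 (LAN side) and tun0 (OpenVPN tunnel), the script path $SNAP/bin/netsetup and the rule set itself are all assumptions for illustration. $SNAP_COMMON and $SNAP are the real environment variables snapd sets for hooks and apps.

```shell
#!/bin/sh
# Added example (not from the thread). Shipped as $SNAP/bin/netsetup and used
# from two places in the snap (assumed layout):
#   snap/hooks/install:   exec "$SNAP/bin/netsetup" install
#   snapcraft.yaml app:   command: bin/netsetup service
#                         daemon: oneshot
#                         plugs: [firewall-control, ...]
# Snap name "gateway" and interface names eth0/tun0 are assumptions.
set -u

stamp_path() {
    # $SNAP_COMMON is set by snapd for hooks and apps; the fallback only
    # matters when the script is exercised outside a snap.
    echo "${SNAP_COMMON:-/tmp}/firewall-control.unconnected"
}

# A harmless iptables call is enough to detect the interface: while the
# firewall-control plug is unconnected, AppArmor denies it and it fails.
probe_firewall_control() {
    /sbin/iptables --version >/dev/null 2>&1
}

mark_unconnected() { : > "$(stamp_path)"; }
clear_stamp()      { rm -f "$(stamp_path)"; }
stamp_present()    { [ -e "$(stamp_path)" ]; }

# Append a rule only if it is not already present (-C), so that re-running
# the service after a reboot or a reconnect never duplicates rules.
add_rule() {
    tbl=$1; shift
    iptables -t "$tbl" -C "$@" 2>/dev/null || iptables -t "$tbl" -A "$@"
}

# The real work: forwarding sysctl plus NAT from the machinery's LAN side
# out through the VPN tunnel. Interface names are assumed.
load_rules() {
    lan="${LAN_IF:-eth0}"
    vpn="${VPN_IF:-tun0}"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    add_rule nat    POSTROUTING -o "$vpn" -j MASQUERADE
    add_rule filter FORWARD -i "$lan" -o "$vpn" -j ACCEPT
    add_rule filter FORWARD -i "$vpn" -o "$lan" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Install hook body: never fail the install, just record what was found.
install_hook() {
    if probe_firewall_control; then clear_stamp; else mark_unconnected; fi
    return 0
}

# Oneshot service body. If the install hook left a stamp, re-probe rather
# than trusting it blindly, so a stale stamp is cleared once the user has
# connected the plug and restarted the service.
service_main() {
    if stamp_present && ! probe_firewall_control; then
        echo "gateway: firewall-control is not connected;" \
             "run: sudo snap connect gateway:firewall-control" >&2
        return 0   # exit cleanly so the oneshot does not abort the install
    fi
    clear_stamp
    load_rules
}

case "${1:-}" in
    install) install_hook ;;
    service) service_main ;;
esac
```

The service exits 0 with the message in the journal instead of failing, because a failing oneshot at install time is exactly what cancelled the install in the first place; the user then runs the connect command and `sudo snap restart gateway` (or a reboot) applies the rules. snapd also runs a `connect-plug-firewall-control` hook when the plug is connected, which could simply `exec "$SNAP/bin/netsetup" service` to apply the rules immediately.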
The user cannot, but there is something called a ‘snap declaration’ that can be issued by the store to auto-connect it on install. There is a process for requesting that: Process for aliases, auto-connections and tracks