Merge branch 'igornovg/apibn-bouncer' into 'master'

feat(BOUN-1147): guestos: enable bouncer in API BN

* Enable bouncer through cli args in orchestrator
* Add rules & sets to nftables template
* Allow `ic-replica` user to run `/usr/sbin/nft` using `sudo` 

See merge request dfinity-lab/public/ic!19314

ic-os/rootfs/guestos/etc/sudoers

@@ -29,6 +29,6 @@ root	ALL=(ALL:ALL) NOPASSWD:ALL
 # Allow members of group sudo to execute any command
 %sudo	ALL=(ALL:ALL) NOPASSWD:ALL
 
-ic-replica ALL=(ALL:ALL) NOPASSWD: /opt/ic/bin/manageboot.sh, /opt/ic/bin/provision-ssh-keys.sh, /opt/ic/bin/read-ssh-keys.sh, /opt/ic/bin/guestos_tool
+ic-replica ALL=(ALL:ALL) NOPASSWD: /opt/ic/bin/manageboot.sh, /opt/ic/bin/provision-ssh-keys.sh, /opt/ic/bin/read-ssh-keys.sh, /opt/ic/bin/guestos_tool, /usr/sbin/nft
 
 # See sudoers(5) for more information on "#include" directives:

ic-os/rootfs/guestos/opt/ic/share/ic.json5.template

@@ -378,10 +378,16 @@ table ip6 filter {\n\
     size 65535\n\
     flags dynamic\n\
   }\n\
+\n\
+  set blackhole {\n\
+    type ipv4_addr\n\
+    size 65535\n\
+  }\n\
 \n\
   chain INPUT {\n\
     type filter hook input priority 0; policy drop;\n\
     iif lo accept\n\
+    ip saddr @blackhole drop\n\
     ct state new add @rate_limit { ip saddr limit rate over 2000/minute burst 1000 packets } log prefix \"Drop - rate limit: \" drop\n\
     #  Notes about the rule below:\n\
     #   - The rule allows a maximum of <<MAX_SIMULTANEOUS_CONNECTIONS_PER_IP_ADDRESS>> persistent connections to any ip address.\n\
@@ -423,10 +429,16 @@ table ip6 filter {\n\
     size 65535\n\
     flags dynamic\n\
   }\n\
+\n\
+  set blackhole6 {\n\
+    type ipv6_addr\n\
+    size 65535\n\
+  }\n\
 \n\
   chain INPUT {\n\
     type filter hook input priority 0; policy drop;\n\
     iif lo accept\n\
+    ip6 saddr @blackhole6 drop\n\
     ct state new add @rate_limit { ip6 saddr limit rate over 2000/minute burst 1000 packets } log prefix \"Drop - rate limit: \" drop\n\
     #  Notes about the rule below:\n\
     #   - The rule allows a maximum of <<MAX_SIMULTANEOUS_CONNECTIONS_PER_IP_ADDRESS>> persistent connections to any ip6 address.\n\

rs/orchestrator/src/boundary_node.rs

@@ -166,6 +166,12 @@ impl BoundaryNodeManager {
             format!("--local-store-path=/var/lib/ic/data/ic_registry_local_store"),
             format!("--log-journald"),
             format!("--metrics-addr=[::]:9324"),
+            format!("--bouncer-enable"),
+            format!("--bouncer-ratelimit=600"),
+            format!("--bouncer-burst-size=1200"),
+            format!("--bouncer-ban-seconds=300"),
+            format!("--bouncer-max-buckets=30000"),
+            format!("--bouncer-bucket-ttl=60"),
         ];
 
         process

rs/orchestrator/testdata/nftables_boundary_node.conf.golden

@@ -11,9 +11,15 @@ table filter {
     flags dynamic
   }
 
+  set blackhole {
+    type ipv4_addr
+    size 65535
+  }
+
   chain INPUT {
     type filter hook input priority 0; policy drop;
     iif lo accept
+    ip saddr @blackhole drop
     ct state new add @rate_limit { ip saddr limit rate over 2000/minute burst 1000 packets } log prefix "Drop - rate limit: " drop
     #  Notes about the rule below:
     #   - The rule allows a maximum of 400 persistent connections to any ip address.
@@ -58,9 +64,15 @@ table ip6 filter {
     flags dynamic
   }
 
+  set blackhole6 {
+    type ipv6_addr
+    size 65535
+  }
+
   chain INPUT {
     type filter hook input priority 0; policy drop;
     iif lo accept
+    ip6 saddr @blackhole6 drop
     ct state new add @rate_limit { ip6 saddr limit rate over 2000/minute burst 1000 packets } log prefix "Drop - rate limit: " drop
     #  Notes about the rule below:
     #   - The rule allows a maximum of 400 persistent connections to any ip6 address.