Add firewalld-cloudflare-http RPM package for HTTP/HTTPS filtering (#1)
Merged
- Update script fetches Cloudflare IP ranges and manages firewalld ipsets
- Rich rules allow HTTP/HTTPS (80/443) only from Cloudflare IPs
- systemd timer for weekly automatic IP list updates
- RPM spec with proper post/preun scriptlets for setup and cleanup
- Makefile for building tarball and RPM

https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
- Build RPM on push/PR to main using Fedora container
- Upload RPM and SRPM as artifacts
- Auto-create GitHub Release with RPM assets on tag push (v*)

https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
Walkthrough

This change adds an RPM package, a CI workflow, an update script that applies Cloudflare's IP ranges, a systemd unit and timer, unit and integration tests, a README, and build files.

Changes
Sequence Diagram(s)

```mermaid
sequenceDiagram
    rect rgba(200,230,201,0.5)
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Art as Artifacts
    end
    rect rgba(187,222,251,0.5)
    participant Fedora as Fedora container
    participant Build as rpmbuild / Makefile
    end
    Dev->>GH: push / PR / tag (v*)
    GH->>GH: run unit-test job
    GH->>GH: run integration-test job
    GH->>Fedora: build job (needs: unit-test)
    Fedora->>Build: run make rpm / rpmbuild
    Build->>Art: upload RPM and SRPM
    GH->>GH: on tag, release job downloads Art and creates Release
```

```mermaid
sequenceDiagram
    rect rgba(255,224,178,0.5)
    participant Timer as systemd.timer
    participant Service as systemd.service
    participant Script as update script
    participant CF as Cloudflare API
    participant FW as firewalld
    end
    Timer->>Service: weekly trigger (RandomizedDelaySec)
    Service->>Script: ExecStart: update
    Script->>CF: fetch IPv4 list (curl)
    CF-->>Script: IPv4 CIDR list
    Script->>CF: fetch IPv6 list (curl)
    CF-->>Script: IPv6 CIDR list
    Script->>Script: generate ipset XML (/etc/firewalld/ipsets)
    Script->>FW: update ipsets/rich rules via firewall-cmd and reload
    Service-->>Timer: run complete
```
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
- Unit tests: XML generation, CIDR validation, fetch_ips with mock curl
- Integration tests: network namespace-based connectivity verification
  - Simulates Cloudflare IP (173.245.48.2) -> HTTP allowed
  - Simulates non-Cloudflare IP (198.51.100.2) -> HTTP blocked
- GitHub Actions workflow updated with test jobs
- Make update script variables overridable via env for testability

https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
- Add BuildRequires: systemd-rpm-macros so %{_unitdir} macro is defined
- Install systemd-rpm-macros in CI build step
- Fix changelog date: Feb 03 2026 is Tuesday, not Monday
https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
firewalld defaults ipset family to inet (IPv4). Without explicit family="inet6", adding a rich rule with family="ipv6" referencing the ipset fails with INVALID_RULE: Source address family conflict.

- write_ipset_xml now takes a family parameter (inet/inet6)
- IPv6 ipsets include <option name="family" value="inet6"/>
- Unit tests verify family option presence/absence
- Integration test updated to use new calling convention

https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
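The family mismatch described in this commit, plus the CIDR validation and rich rules mentioned in the earlier commits, as an added shell example. This is not the PR's own update script: the function names (`valid_cidr`, `write_ipset_xml`, `rich_rule`) and the sample prefixes are assumptions made for the example, and everything runs offline with no firewalld installed.

```bash
#!/usr/bin/env bash
# Added example; not the PR's firewalld-cloudflare-http-update script.
# Three building blocks the commits describe, written POSIX-sh compatible:
#   valid_cidr      - syntactic check for fetched IPv4/IPv6 prefixes
#   write_ipset_xml - firewalld ipset definition, with family=inet6 for IPv6
#   rich_rule       - rich rule string allowing a TCP port only from an ipset
set -eu

# valid_cidr CIDR -> exit 0 if CIDR looks like "a.b.c.d/N" or "hex:groups/N".
valid_cidr() {
  local cidr="$1" addr prefix octet old_ifs
  case "$cidr" in */*) ;; *) return 1 ;; esac
  addr="${cidr%/*}"
  prefix="${cidr#*/}"
  printf '%s' "$prefix" | grep -Eq '^[0-9]{1,3}$' || return 1
  if printf '%s' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
    # IPv4: every octet 0-255, prefix length 0-32
    old_ifs="$IFS"; IFS=.
    for octet in $addr; do
      [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
    done
    IFS="$old_ifs"
    [ "$prefix" -le 32 ]
  else
    # IPv6: hex groups and colons only, at most one "::", prefix length 0-128
    case "$addr" in *:::*|*[!0-9A-Fa-f:]*) return 1 ;; *:*) ;; *) return 1 ;; esac
    [ "$(printf '%s' "$addr" | awk -F'::' '{ print NF - 1 }')" -le 1 ] || return 1
    [ "$prefix" -le 128 ]
  fi
}

# write_ipset_xml NAME FAMILY OUTFILE CIDR... -> writes an ipset definition in
# the format firewalld reads from /etc/firewalld/ipsets/NAME.xml.
# FAMILY is the ipset family, "inet" or "inet6". firewalld assumes inet when the
# option is absent, so an IPv6 set without it cannot be referenced by a
# family="ipv6" rich rule (INVALID_RULE: Source address family conflict).
# Entries whose address family does not match the set are rejected up front,
# since that is the same conflict surfacing one step later.
write_ipset_xml() {
  local name="$1" family="$2" out="$3" cidr entry_family
  shift 3
  case "$family" in
    inet|inet6) ;;
    *) echo "write_ipset_xml: family must be inet or inet6, got '$family'" >&2; return 1 ;;
  esac
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "write_ipset_xml: malformed entry '$cidr'" >&2; return 1; }
    case "$cidr" in *:*) entry_family=inet6 ;; *) entry_family=inet ;; esac
    [ "$entry_family" = "$family" ] || { echo "write_ipset_xml: '$cidr' is not $family" >&2; return 1; }
  done
  {
    echo '<?xml version="1.0" encoding="utf-8"?>'
    echo '<ipset type="hash:net">'
    echo "  <short>$name</short>"
    if [ "$family" = inet6 ]; then
      echo '  <option name="family" value="inet6"/>'
    fi
    for cidr in "$@"; do
      echo "  <entry>$cidr</entry>"
    done
    echo '</ipset>'
  } > "$out"
}

# rich_rule FAMILY IPSET PORT -> rich rule accepting TCP PORT from IPSET members.
# Note the two vocabularies: rich rules say ipv4/ipv6, ipset options say inet/inet6.
rich_rule() {
  printf 'rule family="%s" source ipset="%s" port port="%s" protocol="tcp" accept' "$1" "$2" "$3"
}

# Demo on sample prefixes chosen for illustration (the real script fetches
# Cloudflare's published lists); output goes to a temporary directory.
demo_dir="$(mktemp -d)"
write_ipset_xml cloudflare-ipv4 inet  "$demo_dir/cloudflare-ipv4.xml" 173.245.48.0/20 103.21.244.0/22
write_ipset_xml cloudflare-ipv6 inet6 "$demo_dir/cloudflare-ipv6.xml" 2400:cb00::/32 2606:4700::/32
cat "$demo_dir/cloudflare-ipv6.xml"
for port in 80 443; do
  printf '%s\n' "$(rich_rule ipv4 cloudflare-ipv4 "$port")" "$(rich_rule ipv6 cloudflare-ipv6 "$port")"
done
```

To apply the output on a host, the generated files go under `/etc/firewalld/ipsets/` and each rule is added with `firewall-cmd --permanent --zone=public --add-rich-rule="$(rich_rule ipv6 cloudflare-ipv6 443)"` followed by `firewall-cmd --reload` (the `public` zone is an assumption; use whatever zone the interface sits in). Two checks are worth keeping in mind: a rich rule only accepts, so the zone must not also open `http`/`https` to everyone via `--add-service`, or the Cloudflare restriction is moot; and the family check in `write_ipset_xml` catches a v6 prefix slipping into the v4 list at generation time rather than as a reload failure.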
Fedora-built RPMs may not work on EL8 (zstd compression unsupported) and carry wrong dist tags. Build natively on each target distro:

- fedora:latest -> .fc* RPM
- rockylinux:8 -> .el8 RPM
- rockylinux:9 -> .el9 RPM
- almalinux:9 -> .el9 RPM

All distro RPMs are uploaded as artifacts and attached to GitHub Releases on tag push.

https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
Summary
This PR introduces a complete RPM package that manages firewalld rules to restrict HTTP/HTTPS traffic to only Cloudflare IP addresses. The package automatically fetches and maintains Cloudflare's public IP ranges via a weekly systemd timer.
Key Changes
- `Makefile` for building tarball, SRPM, and RPM packages
- `firewalld-cloudflare-http.spec` with proper packaging metadata, dependencies, and lifecycle hooks
- `firewalld-cloudflare-http-update` bash script that:
  - … (`cloudflare-ipv4`, `cloudflare-ipv6`)
  - … `update`, `setup`, and `remove` commands
- `.gitignore` for build outputs

Notable Implementation Details

- … `set -euo pipefail` and includes proper error checking with informative messages

The package is architecture-independent (noarch) and requires firewalld, curl, and systemd as dependencies.
https://claude.ai/code/session_01BNCMS3DQ4UJAELZsGytzwg
Summary by CodeRabbit

- New Features
- Documentation
- Tests
- CI/CD
- Chores