ExternalVendorCode/balena-supervisor
1
0
Fork 0
mirror of https://github.com/balena-os/balena-supervisor.git synced 2025-06-05 17:11:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1433 from balena-io/add-dns-to-firewall

Browse Source 
bug: Allow DNS through firewall for local containers
This commit is contained in:
bulldozer-balena[bot] 2020-08-11 14:54:05 +00:00 committed by GitHub
commit 17cb1461a6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 29 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/lib/firewall.ts
View File

@ -56,6 +56,13 @@ const standardServices: iptables.Rule[] = [
proto: 'icmp', proto: 'icmp',
target: 'ACCEPT', target: 'ACCEPT',
}, },
{
comment: 'DNS',
action: iptables.RuleAction.Append,
proto: 'udp',
matches: ['--dport 53', '-i balena0'],
target: 'ACCEPT',
},
]; ];
const standardPolicy: iptables.Rule[] = [ const standardPolicy: iptables.Rule[] = [

22
test/29-firewall.spec.ts
View File

@ -278,6 +278,28 @@ describe('Host Firewall', function () {
}); });
}); });
describe('Service rules', () => {
it('should have a rule to allow DNS traffic from the balena0 interface', async () => {
await iptablesMock.whilstMocked(
async ({ hasAppliedRules, expectRule }) => {
// set the firewall to be in auto mode...
await config.set({ firewallMode: 'on' });
await hasAppliedRules;
// expect that we have a rule to allow DNS access...
expectRule({
action: RuleAction.Append,
target: 'ACCEPT',
chain: 'BALENA-FIREWALL',
family: 4,
proto: 'udp',
matches: ['--dport 53', '-i balena0'],
});
},
);
});
});
describe('Supervisor API access', () => { describe('Supervisor API access', () => {
it('should allow access in localmode', async function () { it('should allow access in localmode', async function () {
await iptablesMock.whilstMocked( await iptablesMock.whilstMocked(