Remove legacy fallback to DROP rule in iptables

This has not been necessary for a long time, and we can now remove it.

Change-type: patch
Signed-off-by: Cameron Diver <cameron@balena.io>
Cameron Diver 2020-05-05 11:19:25 +01:00
parent 7b1f03ced5
commit 31957566e5
2 changed files with 11 additions and 92 deletions


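--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -42,25 +42,19 @@ export function rejectOnAllInterfacesExcept(
 ): Bluebird<void> {
 // We delete each rule and create it again to ensure ordering (all ACCEPTs before the REJECT/DROP).
 // This is especially important after a supervisor update.
-return (
-Bluebird.each(allowedInterfaces, iface =>
-clearAndInsertIptablesRule(
-`INPUT -p tcp --dport ${port} -i ${iface} -j ACCEPT`,
+return Bluebird.each(allowedInterfaces, iface =>
+clearAndInsertIptablesRule(
+`INPUT -p tcp --dport ${port} -i ${iface} -j ACCEPT`,
 ),
 )
-.then(() =>
-clearAndAppendIptablesRule(
-`OUTPUT -p tcp --sport ${port} -m state --state ESTABLISHED -j ACCEPT`,
-),
-)
+.then(() =>
+clearAndAppendIptablesRule(
+`OUTPUT -p tcp --sport ${port} -m state --state ESTABLISHED -j ACCEPT`,
+),
+)
-.then(() =>
-clearAndAppendIptablesRule(`INPUT -p tcp --dport ${port} -j REJECT`),
-)
-// On systems without REJECT support, fall back to DROP
-.catch(() =>
-clearAndAppendIptablesRule(`INPUT -p tcp --dport ${port} -j DROP`),
-)
-);
+.then(() =>
+clearAndAppendIptablesRule(`INPUT -p tcp --dport ${port} -j REJECT`),
+);
 }
 export function removeRejections(port: number): Bluebird<void> {
 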
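Review bot: The header comment kept as context at the top of the hunk still says the ACCEPTs must precede "the REJECT/DROP", but the DROP fallback is exactly what this hunk removes, so the comment now refers to a rule that no longer exists; change it to `// We delete each rule and create it again to ensure ordering (all ACCEPTs before the REJECT).` With the `.catch` gone, a failure to append the REJECT rule now rejects the promise returned by rejectOnAllInterfacesExcept instead of being masked by a DROP attempt, which is the right direction, but it also means that if the caller ignores that rejection the port is left reachable on every interface with no blocking rule at all. The caller is outside this hunk, so it is worth confirming it logs or surfaces the error rather than swallowing it, and the deleted DROP test in the second file is not replaced by one asserting that a REJECT failure propagates. The function's signature starts before the first line of the hunk.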

@ -60,79 +60,4 @@ describe('iptables', async () => {
);
(iptables.execAsync as sinon.SinonStub).restore();
});
it("falls back to blocking the port with DROP if there's no REJECT support", async () => {
stub(iptables, 'execAsync').callsFake(cmd => {
if (/REJECT$/.test(cmd)) {
return Bluebird.reject(new Error());
} else {
return Bluebird.resolve('');
}
});
await iptables.rejectOnAllInterfacesExcept(['foo', 'bar'], 42);
expect((iptables.execAsync as sinon.SinonStub).callCount).to.equal(20);
expect(iptables.execAsync).to.be.calledWith(
'iptables -D INPUT -p tcp --dport 42 -i foo -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -I INPUT -p tcp --dport 42 -i foo -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -D INPUT -p tcp --dport 42 -i bar -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -I INPUT -p tcp --dport 42 -i bar -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -D OUTPUT -p tcp --sport 42 -m state --state ESTABLISHED -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -A OUTPUT -p tcp --sport 42 -m state --state ESTABLISHED -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -D INPUT -p tcp --dport 42 -j REJECT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -A INPUT -p tcp --dport 42 -j REJECT',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -D INPUT -p tcp --dport 42 -j DROP',
);
expect(iptables.execAsync).to.be.calledWith(
'iptables -A INPUT -p tcp --dport 42 -j DROP',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -D INPUT -p tcp --dport 42 -i foo -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -I INPUT -p tcp --dport 42 -i foo -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -D INPUT -p tcp --dport 42 -i bar -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -I INPUT -p tcp --dport 42 -i bar -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -D OUTPUT -p tcp --sport 42 -m state --state ESTABLISHED -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -A OUTPUT -p tcp --sport 42 -m state --state ESTABLISHED -j ACCEPT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -D INPUT -p tcp --dport 42 -j REJECT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -A INPUT -p tcp --dport 42 -j REJECT',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -D INPUT -p tcp --dport 42 -j DROP',
);
expect(iptables.execAsync).to.be.calledWith(
'ip6tables -A INPUT -p tcp --dport 42 -j DROP',
);
(iptables.execAsync as sinon.SinonStub).restore();
});
});