Firewall: allow DNS requests from custom Docker bridge networks

DNS requests are currently accepted only on the `balena0` interface, but that is
the default Docker bridge, used only by containers that are not attached to a
custom bridge network. The Supervisor, however, creates a custom bridge network
for all containers unless another network mode is specified, so their DNS
traffic arrives on a different interface and is dropped.

Change-type: patch
Signed-off-by: Christina Ying Wang <christina@balena.io>
This commit is contained in:
Christina Ying Wang 2024-11-08 16:49:17 -08:00
parent dd24fc1404
commit 7e1cafa866


@ -56,12 +56,19 @@ const standardServices: iptables.Rule[] = [
target: 'ACCEPT',
},
{
comment: 'DNS',
comment: 'DNS from balena0',
action: iptables.RuleAction.Append,
proto: 'udp',
matches: ['--dport 53', '-i balena0'],
target: 'ACCEPT',
},
{
comment: 'DNS from custom Engine networks',
action: iptables.RuleAction.Append,
proto: 'udp',
matches: ['--dport 53', '-i br+'],
target: 'ACCEPT',
},
];
const standardPolicy: iptables.Rule[] = [
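Review bot: The new rule's interface match `-i br+` is an iptables prefix wildcard that accepts UDP/53 from every interface whose name starts with `br`, not just the Engine's user-defined bridges, so an unrelated bridge such as a `br0` or `br-lan` created by an operator or another host component is silently opened as well. Engine-created bridges are conventionally named `br-<network id>`, so `matches: ['--dport 53', '-i br-+'],` keeps the intended reach while excluding those other names; please confirm that naming holds for every Engine version this code supports, since a network created with a custom `com.docker.network.bridge.name` would not match either pattern. The comment `'DNS from custom Engine networks'` is the only documentation of the scope, so a why-comment above the rule stating that `+` is the prefix wildcard and what interface names it is meant to match would help the next reader judge the blast radius. Note that, like the existing `balena0` rule, only UDP is accepted, so TCP/53 fallbacks for large responses are still blocked from these bridges; that is pre-existing, but worth a comment if it is intentional. The `standardServices` array starts outside the hunk, and the `standardPolicy` array that follows it is cut off at the end.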