Fallback to DROP when iptables REJECT is not available

Using REJECT allows better feedback for legitimate users while providing the same level
of security as drop (see http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject).

But some hosts don't have REJECT support in the kernel config, so in that case we fall back to DROP.
This commit is contained in:
Pablo Carranza Velez 2016-11-23 16:02:09 -03:00
parent 2b4c674a1a
commit fefb1e6928
2 changed files with 5 additions and 0 deletions


@ -1,3 +1,5 @@
* Fallback to DROP when iptables REJECT is not available [Pablo]
# v2.8.2
* Update the supervisor base to 20161103 to include the i386 fix [Pablo]
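Review bot: the new changelog entry lands at line 1 of the file, above the `# v2.8.2` heading, so it has no version heading of its own and reads as if it were outside any release; if the convention here is one heading per release, add an unreleased/next-version heading above the entry or place it under the release it will ship in.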


@ -323,3 +323,6 @@ exports.createIpTablesRules = ->
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
.then ->
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j REJECT")
.catch ->
# On systems without REJECT support, fall back to DROP
checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j DROP")
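Review bot: the `.catch ->` on the REJECT rule swallows every failure, not only the missing-REJECT-target case the comment describes, so an unrelated error (iptables binary absent, insufficient privileges, a malformed rule from `config.listenPort`) is hidden and replaced by a DROP attempt whose own failure then surfaces without the original cause. Log the caught error before falling back, and preferably check that it is actually the unsupported-target condition before issuing the DROP rule, so a real misconfiguration is not masked by the fallback. A warning-level log line in the fallback path would also let operators tell which hosts are now silently dropping (connection timeouts) rather than rejecting (connection refused), since the two modes are indistinguishable from the code's return value.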