author | Martin Polden <martin.polden@gmail.com> | 2017-03-20 12:18:13 +0100 |
committer | Martin Polden <martin.polden@gmail.com> | 2017-03-20 12:44:13 +0100 |
commit | 1e68e67c908b22baa3e6320cde99a7517a7b256b (patch) | |
tree | bce3ce8ff913e10046e742d8da60279c9aa30571 /node-admin | |
parent | d8cc99f95d307de313ede83d012880b0259f15c6 (diff) |
Reject packets not matching any other rules
The only valid chain policies are ACCEPT and DROP, so the previous configuration
failed.
Diffstat (limited to 'node-admin')
2 files changed, 14 insertions, 3 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
index 850b9bf170d..250b4ee6fb3 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
@@ -31,8 +31,8 @@ public class Acl {
 public List<Command> toCommands() {
 final ImmutableList.Builder<Command> commands = ImmutableList.builder();
 commands.add(
- // Default policies
- new PolicyCommand(Chain.INPUT, Action.REJECT),
+ // Default policies. Packets that do not match any rules will be processed according to policy.
+ new PolicyCommand(Chain.INPUT, Action.DROP),
 new PolicyCommand(Chain.FORWARD, Action.DROP),
 new PolicyCommand(Chain.OUTPUT, Action.ACCEPT),
@@ -57,6 +57,13 @@ public class Acl {
 .withOption("-s", String.format("%s/128", ipAddress)))
 .forEach(commands::add);
+ // Reject all other packets. This means that packets that would otherwise be processed according to policy, are
+ // matched by the following rule.
+ //
+ // Ideally, we want to set the INPUT policy to REJECT and get rid of this rule, but unfortunately REJECT is not
+ // a valid policy action.
+ commands.add(new FilterCommand(Chain.INPUT, Action.REJECT));
+
 return commands.build();
 }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index dc924cc7a8f..860d42fb928 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
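Review bot: The appended `-j REJECT` catch-all in the second hunk makes the rule order inside toCommands load-bearing, and the new comment block does not say so: with `-A` every rule appended after it is unreachable, so any ACCEPT rule added later in the method would be silently shadowed. I would extend the comment with `// NOTE: this must remain the last rule appended to INPUT; anything appended after it is never evaluated.` The DROP policy set in the first hunk still discards unmatched packets if this rule is ever missing, which is worth stating as the reason both the policy and the rule are kept. Whether INPUT is flushed before these rules are appended is not visible here; if it is not, re-running toCommands would accumulate duplicate REJECT rules. toCommands starts before this hunk, in the region between the two hunks.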
@@ -116,7 +116,7 @@ public class AclMaintainerTest {
 );
 verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
 eq(containerName),
- aryEq(new String[]{"ip6tables", "-P", "INPUT", "REJECT"})
+ aryEq(new String[]{"ip6tables", "-P", "INPUT", "DROP"})
 );
 verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
 eq(containerName),
@@ -143,6 +143,10 @@ public class AclMaintainerTest {
 eq(containerName),
 aryEq(new String[]{"ip6tables", "-A", "INPUT", "-s", aclSpec.ipAddress() + "/128", "-j", "ACCEPT"})
 ));
+ verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
+ eq(containerName),
+ aryEq(new String[]{"ip6tables", "-A", "INPUT", "-j", "REJECT"})
+ );
 }
 private Container makeContainer(String hostname) { |
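Review bot: The added verify in the second hunk only asserts that an `ip6tables -A INPUT -j REJECT` command is issued; it does not pin that it is issued after the per-address ACCEPT rule checked just above it, yet that ordering is what makes the catch-all correct, since with `-A` an earlier REJECT would shadow every later ACCEPT. If these are Mockito matchers (`aryEq`, `eq`), an `InOrder inOrder = inOrder(dockerOperations);` used for the ACCEPT and REJECT verifications would capture that property, and a regression that reorders the commands would then fail here rather than in production. The enclosing test method starts outside the hunk.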