authorMartin Polden <martin.polden@gmail.com>2017-03-20 12:18:13 +0100
committerMartin Polden <martin.polden@gmail.com>2017-03-20 12:44:13 +0100
commit1e68e67c908b22baa3e6320cde99a7517a7b256b (patch)
treebce3ce8ff913e10046e742d8da60279c9aa30571 /node-admin
parentd8cc99f95d307de313ede83d012880b0259f15c6 (diff)
Reject packets not matching any other rules
The only valid chain policies are ACCEPT and DROP, so the previous configuration failed to apply.
Diffstat (limited to 'node-admin')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java11
-rw-r--r--node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java6
2 files changed, 14 insertions, 3 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
index 850b9bf170d..250b4ee6fb3 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
@@ -31,8 +31,8 @@ public class Acl {
public List<Command> toCommands() {
final ImmutableList.Builder<Command> commands = ImmutableList.builder();
commands.add(
- // Default policies
- new PolicyCommand(Chain.INPUT, Action.REJECT),
+ // Default policies. Packets that do not match any rules will be processed according to policy.
+ new PolicyCommand(Chain.INPUT, Action.DROP),
new PolicyCommand(Chain.FORWARD, Action.DROP),
new PolicyCommand(Chain.OUTPUT, Action.ACCEPT),
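Review bot: The new comment on the INPUT policy line says unmatched packets are handled by the policy, but later in toCommands() a catch-all REJECT rule is appended to INPUT, so the DROP policy is only reached if that rule is missing; the two comments should say the same thing. Suggest `// Default policies. INPUT is DROP as a fallback only: a catch-all REJECT rule appended at the end of the chain normally handles unmatched packets, because REJECT is not a valid policy action.` toCommands() starts in this hunk but its body continues past it.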
@@ -57,6 +57,13 @@ public class Acl {
.withOption("-s", String.format("%s/128", ipAddress)))
.forEach(commands::add);
+ // Reject all other packets. This means that packets that would otherwise be processed according to policy, are
+ // matched by the following rule.
+ //
+ // Ideally, we want to set the INPUT policy to REJECT and get rid of this rule, but unfortunately REJECT is not
+ // a valid policy action.
+ commands.add(new FilterCommand(Chain.INPUT, Action.REJECT));
+
return commands.build();
}
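Review bot: The catch-all `FilterCommand(Chain.INPUT, Action.REJECT)` is appended with `-A`, so it is only correct if it stays the last rule added to INPUT; any ACCEPT rule added after it in a later change would be unreachable, and nothing in the code enforces that order. The comment should state the constraint, e.g. `// Must remain the last rule appended to INPUT: any rule added after it never matches.` If the chain is not flushed before these commands are applied (not visible in this hunk), repeated runs would also accumulate duplicate REJECT rules, which is worth confirming against the caller. toCommands() starts outside this hunk.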
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index dc924cc7a8f..860d42fb928 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
@@ -116,7 +116,7 @@ public class AclMaintainerTest {
);
verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
eq(containerName),
- aryEq(new String[]{"ip6tables", "-P", "INPUT", "REJECT"})
+ aryEq(new String[]{"ip6tables", "-P", "INPUT", "DROP"})
);
verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
eq(containerName),
@@ -143,6 +143,10 @@ public class AclMaintainerTest {
eq(containerName),
aryEq(new String[]{"ip6tables", "-A", "INPUT", "-s", aclSpec.ipAddress() + "/128", "-j", "ACCEPT"})
));
+ verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
+ eq(containerName),
+ aryEq(new String[]{"ip6tables", "-A", "INPUT", "-j", "REJECT"})
+ );
}
private Container makeContainer(String hostname) {
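Review bot: The new verify() only checks that the REJECT rule command is executed, not that it runs after the per-address ACCEPT rules; separate verify() calls do not assert ordering, so a regression that emits the REJECT rule before the ACCEPT rules would still pass. Consider `InOrder inOrder = inOrder(dockerOperations);` and using `inOrder.verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(...)` for the ACCEPT and REJECT expectations so the order is pinned. The enclosing test method starts before this hunk.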