Diffstat (limited to 'node-admin')
2 files changed, 14 insertions, 3 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
index 850b9bf170d..250b4ee6fb3 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/Acl.java
@@ -31,8 +31,8 @@ public class Acl {
 public List<Command> toCommands() {
 final ImmutableList.Builder<Command> commands = ImmutableList.builder();
 commands.add(
- // Default policies
- new PolicyCommand(Chain.INPUT, Action.REJECT),
+ // Default policies. Packets that do not match any rules will be processed according to policy.
+ new PolicyCommand(Chain.INPUT, Action.DROP),
 new PolicyCommand(Chain.FORWARD, Action.DROP),
 new PolicyCommand(Chain.OUTPUT, Action.ACCEPT),
@@ -57,6 +57,13 @@ public class Acl {
 .withOption("-s", String.format("%s/128", ipAddress)))
 .forEach(commands::add);
+ // Reject all other packets. This means that packets that would otherwise be processed according to policy, are
+ // matched by the following rule.
+ //
+ // Ideally, we want to set the INPUT policy to REJECT and get rid of this rule, but unfortunately REJECT is not
+ // a valid policy action.
+ commands.add(new FilterCommand(Chain.INPUT, Action.REJECT));
+
 return commands.build();
 }
diff --git a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
index dc924cc7a8f..860d42fb928 100644
--- a/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
+++ b/node-admin/src/test/java/com/yahoo/vespa/hosted/node/admin/maintenance/acl/AclMaintainerTest.java
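Review bot: The catch-all `commands.add(new FilterCommand(Chain.INPUT, Action.REJECT))` at the end of the second hunk is appended with `-A`, so it only works as a fallback while it is the last rule in INPUT; any ACCEPT rule appended to the chain after it, for instance by a later run of these same commands if the chain is not flushed first, would sit behind it and never match. Whether the chain is flushed before `toCommands()` is applied is not visible in this hunk, so the ordering invariant should at least be stated on the rule, e.g. `// Must stay the last rule in INPUT: any rule appended after it is unreachable.` It is also worth recording in the same comment that the DROP policy set in the first hunk means unmatched traffic still fails closed if this rule is never installed. `toCommands()` starts before the first hunk.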
@@ -116,7 +116,7 @@ public class AclMaintainerTest {
 );
 verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
 eq(containerName),
- aryEq(new String[]{"ip6tables", "-P", "INPUT", "REJECT"})
+ aryEq(new String[]{"ip6tables", "-P", "INPUT", "DROP"})
 );
 verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
 eq(containerName),
@@ -143,6 +143,10 @@ public class AclMaintainerTest {
 eq(containerName),
 aryEq(new String[]{"ip6tables", "-A", "INPUT", "-s", aclSpec.ipAddress() + "/128", "-j", "ACCEPT"})
 ));
+ verify(dockerOperations, verificationMode).executeCommandInNetworkNamespace(
+ eq(containerName),
+ aryEq(new String[]{"ip6tables", "-A", "INPUT", "-j", "REJECT"})
+ );
 }
 private Container makeContainer(String hostname) { |
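Review bot: The `verify` added at the end of the second hunk checks that the `ip6tables -A INPUT -j REJECT` command is executed, but not that it is executed after the per-address ACCEPT commands verified just above it, and that ordering is what makes the rule a catch-all instead of one that shadows every ACCEPT rule. The `verify`/`eq`/`aryEq` helpers look like Mockito's, and a plain `verify` ignores call order; verifying the ACCEPT call and then the REJECT call through `inOrder(dockerOperations)` would pin the ordering this change relies on. The enclosing test method starts before the hunk.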