fix: block wireserver port 80 traffic in multitenancy #2395
Conversation
|
|
||
| func BlockWireserverTraffic() error { | ||
| // iptables -t filter -I FORWARD -j DROP -d <wireserver ip>/32 -p tcp -m tcp --dport 80 | ||
| dropWireserver := fmt.Sprintf("-d %s/32 -p tcp -m tcp --dport 80", AzureDNS) |
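Review bot: both the protocol and the port are hard-coded in the match string (`-p tcp -m tcp --dport 80`), and the destination is the existing `AzureDNS` constant even though the function is named for the wireserver, so a reader may take this for a DNS block; add a comment stating that the known address in `AzureDNS` is the wireserver endpoint being blocked, and consider taking protocol and port as parameters so the helper is not tied to this one rule.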
should drop for udp as well
Replicating capz rule to block for tcp protocol only as we discussed.
| return nil | ||
| } | ||
|
|
||
| func BlockWireserverTraffic() error { |
can it be BlockEgressTrafficFromContainer(ipAddress, port)?
network/network_linux.go
Outdated
| } | ||
| logger.Info("Ipv4 forwarding enabled") | ||
| if err := networkutils.BlockEgressTrafficFromContainer(networkutils.AzureDNS, iptables.HTTPPort); err != nil { | ||
| return nil, fmt.Errorf("unable to insert vm iptables rule drop all wireserver port 80 packets: %w", err) |
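Review bot: the error text hard-codes "port 80" while the call passes `iptables.HTTPPort`, so the message and the rule can drift apart if the constant changes; either format the constant into the message or leave the port out of it, and wrap the error with `errors.Wrap` as the `ipv4 forwarding failed` path in this file does rather than `fmt.Errorf` with `%w`.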
Port 80 in the error message is from iptables.HTTPPort? If so, can we use the variable instead of hard-coding it?
nit: Should we be using errors.Wrapf (not sure, but I want to keep the cni files consistent going forward)?
@tamilmani1989
> Port 80 in the error message is from iptables.HTTPPort? If so, can we use the variable instead of hard-coding it?

The insert ip table function calls the ExecuteCommand function (which logs the command itself), so I'll probably remove the details (like port or ip) from the error message altogether.
Yes, we should use errors.Wrapf. @QxBytes can you make that change?
| func BlockEgressTrafficFromContainer(ipAddress string, port int) error { | ||
| // iptables -t filter -I FORWARD -j DROP -d <ip>/32 -p tcp -m tcp --dport <port> | ||
| dropTraffic := fmt.Sprintf("-d %s/32 -p tcp -m tcp --dport %d", ipAddress, port) | ||
| return errors.Wrap(iptables.InsertIptableRule(iptables.V4, iptables.Filter, iptables.Forward, dropTraffic, iptables.Drop), "iptables block traffic failed") |
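Review bot: `BlockEgressTrafficFromContainer` appends `/32` to whatever address it is given and hard-codes `iptables.V4` and `-p tcp -m tcp`, so despite the generic name it cannot be reused for an IPv6 destination or a UDP port; either validate that `ipAddress` parses as IPv4 and document the limitation, or take the IP version and protocol as parameters and drop the host prefix, since a bare address in `-d` already matches a single host for either family.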
We are just blocking IPv4? Should we make the function take the type of address as well (IPv4 or IPv6)?
There is no IPv6 wireserver endpoint, but I asked @QxBytes to create a separate PR for blocking all IPv6 addrs from the pod.
| return nil | ||
| } | ||
|
|
||
| func BlockEgressTrafficFromContainer(ipAddress string, port int) error { |
Should we take the protocol as part of the args as well?
network/network_linux.go
Outdated
| } | ||
| logger.Info("Ipv4 forwarding enabled") | ||
| if err := networkutils.BlockEgressTrafficFromContainer(iptables.V4, networkutils.AzureDNS, iptables.HTTPPort); err != nil { | ||
| return nil, fmt.Errorf("unable to insert vm iptables rule drop wireserver packets: %w", err) |
should use errors.Wrapf
| if err := iptables.InsertIptableRule(iptables.V4, "mangle", "PREROUTING", match, "ACCEPT"); err != nil { | ||
| return errors.Wrap(err, "unable to insert iptables rule accept all incoming from vlan interface") | ||
| } | ||
|
|
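Review bot: this call passes the table, chain and target as string literals (`"mangle"`, `"PREROUTING"`, `"ACCEPT"`) while the other rules in this PR use the `iptables.Filter`, `iptables.Forward` and `iptables.Drop` constants; use the package constants here too so a mistyped chain or target name fails at compile time instead of when iptables is executed.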
Can you add a comment that this is for blocking wireserver traffic from the customer vnet nic?
| return nil, errors.Wrap(err, "ipv4 forwarding failed") | ||
| } | ||
| logger.Info("Ipv4 forwarding enabled") | ||
| if err := networkutils.BlockEgressTrafficFromContainer(iptables.V4, networkutils.AzureDNS, iptables.TCP, iptables.HTTPPort); err != nil { |
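Review bot: the DROP rule is inserted only after IPv4 forwarding has been enabled (`Ipv4 forwarding enabled` is logged first), which leaves a window in which forwarded packets to the wireserver port are allowed, and if the insert fails the function returns with forwarding still on; insert the block rule before enabling forwarding, or turn forwarding back off on the error path.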
Add a comment that this is for blocking wireserver traffic from the apipa nic.
* Add vm and vnet ns block wireserver port 80 rule
* Use existing variable for known ip
* Move code to networkutils
* Address feedback
* Address iptables version feedback
* Address protocol and format feedback
* Add comments
* Remove cidr in case ipv6 is used
Reason for Change:
Pods should not be able to communicate with the wireserver on port 80.
Issue Fixed:
See above.
Requirements:
Notes:
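The review thread above settles on a helper that takes the IP version, destination, protocol and port, and the final commit list notes that the `/32` prefix was removed so the same rule works if an IPv6 address is ever passed. The following is an added example, not code from this PR or from the azure-container-networking project: `EgressBlockRule` and `RuleString` are hypothetical names, the rule shape is the one quoted in the review comments (`-t filter -I FORWARD -d <ip> -p <proto> -m <proto> --dport <port> -j DROP`), and the destination addresses in `main` are constructed samples standing in for the project's `AzureDNS` constant. It derives the address family from the parsed address instead of taking it as an argument, validates the protocol and port before building anything, and returns an argv slice rather than a shell string so the rule is never re-split by a shell.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Protocols the builder accepts; "-m <proto>" loads the matching iptables
// match extension so that "--dport" is a valid option.
var validProtocols = map[string]bool{"tcp": true, "udp": true}

// EgressBlockRule builds the argv for a rule that drops forwarded traffic to
// one destination host and port, in the same shape as the rule discussed in
// the PR. The address family of ipAddress selects iptables or ip6tables, and
// no "/32" is appended, so a bare address matches exactly one host for both
// IPv4 and IPv6. This is an illustrative helper, not the project's own API.
func EgressBlockRule(ipAddress, proto string, port int) ([]string, error) {
	addr := net.ParseIP(ipAddress)
	if addr == nil {
		return nil, fmt.Errorf("invalid ip address %q", ipAddress)
	}
	proto = strings.ToLower(proto)
	if !validProtocols[proto] {
		return nil, fmt.Errorf("unsupported protocol %q (want tcp or udp)", proto)
	}
	if port < 1 || port > 65535 {
		return nil, fmt.Errorf("port %d out of range", port)
	}
	bin := "iptables"
	if addr.To4() == nil { // not representable as IPv4, so use the v6 binary
		bin = "ip6tables"
	}
	return []string{
		bin, "-t", "filter", "-I", "FORWARD",
		"-d", addr.String(),
		"-p", proto, "-m", proto, "--dport", fmt.Sprint(port),
		"-j", "DROP",
	}, nil
}

// RuleString joins argv into a single line for logging the rule that was built.
func RuleString(argv []string) string { return strings.Join(argv, " ") }

func main() {
	// Constructed sample destinations; in the project the real destination is
	// the existing AzureDNS constant, not any of these values.
	for _, dst := range []string{"10.0.0.5", "fd00::1", "not-an-ip"} {
		argv, err := EgressBlockRule(dst, "tcp", 80)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println(RuleString(argv))
	}
}
```

Passing the argv slice straight to an exec-style call keeps the address and port as single arguments; building a string first and splitting it again, as the `fmt.Sprintf` match string in the hunks above does, works only because the inputs are trusted constants.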