Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NetworkManager: do not use FW rule numbers in shared dispatcher script #3429

Merged
merged 1 commit into from
May 24, 2024
Merged

NetworkManager: do not use FW rule numbers in shared dispatcher script #3429

merged 1 commit into from
May 24, 2024

Conversation

mtoman
Copy link
Contributor

@mtoman mtoman commented May 23, 2024

Manipulating the firewall rules by index introduces a race condition. Both NetworkManager and balenaEngine add the rules to the top of the FORWARD chain instead of appending, so if we first look up a rule by number and then use the number to refer to it, we can not guarantee that the rule number has not changed (iow the rule has not been moved down) in the meantime.

This patch removes the use of rule numbers completely and makes the "shared" dispatcher script refer to the rules by definition.

Contributor checklist

Reviewer Guidelines

  • When submitting a review, please pick:
    • 'Approve' if this change would be acceptable in the codebase (even if there are minor or cosmetic tweaks that could be improved).
    • 'Request Changes' if this change would not be acceptable in our codebase (e.g. bugs, changes that will make development harder in future, security/performance issues, etc).
    • 'Comment' if you don't feel you have enough information to decide either way (e.g. if you have major questions, or you don't understand the context of the change sufficiently to fully review yourself, but want to make a comment)

@flowzone-app flowzone-app bot enabled auto-merge May 23, 2024 12:04
alexgg
alexgg reviewed May 23, 2024
View reviewed changes
meta-balena-common/recipes-connectivity/networkmanager/balena-files/90shared Outdated Show resolved Hide resolved
meta-balena-common/recipes-connectivity/networkmanager/balena-files/90shared Outdated
info "Found shared FORWARD rule 'nm-shared-${IFNAME}' at index ${FW_RULE_NO}, moving down"

FW_RULE_ARGS="$(${IPTABLES} -S FORWARD ${FW_RULE_NO})"
info "Found shared FORWARD rule 'nm-shared-${IFNAME}', moving down"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This feels informational and ambiguous - what I'd prefer is a final check that actually makes sure the rule is last, and then print a message stating it has been moved. Printing the intention to move is not useful.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated

meta-balena-common/recipes-connectivity/networkmanager/balena-files/90shared Outdated

# Append the rule to the bottom
# Do not quote ${FW_RULE_ARGS}, this needs to expand
${IPTABLES} ${FW_RULE_ARGS}

# Remove the rule from its original position
${IPTABLES} -D FORWARD "${FW_RULE_NO}"
${IPTABLES} -D ${FW_RULE_ARGS#-A }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like not using line numbers, but a final check to make sure all has worked and err out (or retry) if not would make it more robust.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added this into a loop that tries 5 times before bailing out.

@mtoman mtoman force-pushed the mtoman/shared-no-rule-index branch 2 times, most recently from 76bcb36 to 95c64e4 Compare May 23, 2024 13:02
@mtoman
NetworkManager: do not use FW rule numbers in shared dispatcher script
ab8d611 
Manipulating the firewall rules by index introduces a race condition.
Both NetworkManager and balenaEngine add the rules to the top
of the FORWARD chain instead of appending, so if we first look up
a rule by number and then use the number to refer to it, we can not
guarantee that the rule number has not changed (iow the rule has not
been moved down) in the meantime.

This patch removes the use of rule numbers completely and makes
the "shared" dispatcher script refer to the rules by definition.

Change-type: patch
Signed-off-by: Michal Toman <michalt@balena.io>
@mtoman mtoman force-pushed the mtoman/shared-no-rule-index branch from 95c64e4 to ab8d611 Compare May 23, 2024 13:03
@mtoman mtoman requested a review from alexgg May 23, 2024 13:04
@mtoman
Copy link
Contributor Author

mtoman commented May 24, 2024

@resin-jenkins retest this please

@flowzone-app flowzone-app bot merged commit edd7b7c into master May 24, 2024
52 checks passed
@flowzone-app flowzone-app bot deleted the mtoman/shared-no-rule-index branch May 24, 2024 12:33
@alexgg alexgg mentioned this pull request May 24, 2024
Closed
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alexgg alexgg alexgg approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mtoman @alexgg