Explicitly whitelist all traffic from concourse containers

[aemengo]

• This declaration is necessary for platforms where this is not
  the standard networking behavior (like windows).

Existing Issue

Fixes #5028 .

Changes proposed in this pull request

• Explicitly whitelist all traffic from concourse containers. This is already done implicitly for the linux platform, but we need it to explicit for behavior parity with the windows platform.

Contributor Checklist

• Unit tests

Reviewer Checklist

This section is intended for the core maintainers only, to track review progress. Please do not
fill out this section.

• Code reviewed
• Tests reviewed
• Documentation reviewed
• Release notes reviewed
• PR acceptance performed
• New config flags added? Ensure that they are added to the BOSH
  and Helm packaging; otherwise, ignored for the integration tests (for example, if they are Garden configs that are not displayed in the --help text).

@jfeeny @genevieve

[cirocosta]

LGTM 😁 thanks!!

---

I was curious about the differences between the iptables rules that gdn would generate before and after this change (as gdn itself does not "fill" the spec with a default NetRule):

(BEFORE)

	Chain w--instance-container-chain (1 references)
	target     prot opt source               destination
	RETURN     all  --  0.0.0.0/0            0.0.0.0/0            /* container */
	ACCEPT     all  --  10.254.0.4/30        10.254.0.4/30        /* container */
	w--default  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* container */

(AFTER)

	Chain w--instance-container-chain(1 references)
	target     prot opt source               destination
	ACCEPT     all  --  10.254.0.0/30        10.254.0.0/30        /* container */
	w--default  all  --  0.0.0.0/0            0.0.0.0/0           [goto]  /* container */

while it might seem that we're now being too open by adding that "allow any"
there, it's actually fine, as the chain that should get to this (the reference),
would never really get to it:

	Chain w--forward (1 references)
	target                          prot opt source               destination
	ACCEPT                          all  --  0.0.0.0/0            0.0.0.0/0
	w--instance-sj7jnm74l16         all  --  10.254.0.6           0.0.0.0/0           [goto]  /* container */
	DROP                            all  --  0.0.0.0/0            0.0.0.0/0

as it'd accept anything anyway.

also,

for those curious where this is handled in gdn:

• during container creation (garden.Create()), gardener calls out to someone who implements the networker interface

// Create creates a container by combining the results of networker.Network,
// volumizer.Create and containzer.Create.
func (g *Gardener) Create(containerSpec garden.ContainerSpec) (ctr garden.Container, err error) {
         // ...
	if err = g.Networker.Network(log, containerSpec, actualSpec.Pid); err != nil {
		return nil, err
	}

https://github.com/cloudfoundry/guardian/blob/bcca70921740300398648046496790876981b158/gardener/gardener.go#L301-L303

• kawasaki ("the great networker" 😅 ) implements that interface, and it leverages the FirewallOpener contributor, which takes care of exec'in iptables, creating the rules as desired

func (f *FirewallOpener) BulkOpen(logger lager.Logger, instance, handle string, rules []garden.NetOutRule) error {
	chain := f.iptables.InstanceChain(instance)
	logger = logger.Session("prepend-filter-rule", lager.Data{
		"rules":    rules,
		"instance": instance,
		"chain":    chain,
	})
	logger.Debug("started")
	defer logger.Debug("ending")


	collatedIPTablesRules := []Rule{}
	for _, rule := range rules {
		iptablesRules, err := f.ruleTranslator.TranslateRule(handle, rule)
		if err != nil {
			return err
		}

		collatedIPTablesRules = append(collatedIPTablesRules, iptablesRules...)
	}

	return f.iptables.BulkPrependRules(chain, collatedIPTablesRules)
}

https://github.com/cloudfoundry/guardian/blob/bcca70921740300398648046496790876981b158/kawasaki/iptables/firewall_openner.go#L49-L70