Revert "Merge branch 'eero/re-apply-firewall' into 'master'"

ic-os/defs.bzl

@@ -480,7 +480,6 @@ def icos_build(
             ":disk-img.tar.zst.cas-url",
             ":disk-img.tar.zst.sha256",
             "//ic-os:scripts/build-bootstrap-config-image.sh",
-            "//rs/tests:src/default_firewall_whitelist.conf",
             ":version.txt",
         ],
         outs = ["launch_remote_vm_script"],
@@ -490,12 +489,11 @@ def icos_build(
         URL="$$(cat $(location :disk-img.tar.zst.cas-url))"
         SHA="$$(cat $(location :disk-img.tar.zst.sha256))"
         SCRIPT="$(location //ic-os:scripts/build-bootstrap-config-image.sh)"
-        DEFAULT_FIREWALL_WHITELIST="$(location //rs/tests:src/default_firewall_whitelist.conf)"
         cat <<EOF > $@
 #!/usr/bin/env bash
 set -euo pipefail
 cd "\\$$BUILD_WORKSPACE_DIRECTORY"
-$$BIN --version "$$VERSION" --url "$$URL" --sha256 "$$SHA" --build-bootstrap-script "$$SCRIPT" --default-firewall-whitelist "$$DEFAULT_FIREWALL_WHITELIST"
+$$BIN --version "$$VERSION" --url "$$URL" --sha256 "$$SHA" --build-bootstrap-script "$$SCRIPT"
 EOF
         """,
         executable = True,

ic-os/guestos/rootfs/etc/systemd/system/ic-replica.service

@@ -28,7 +28,7 @@ Environment=RUST_BACKTRACE=1
 # Remember to update 'rs/default.nix' for nix-shell users
 # Remember to update 'src/dfx/src/actors/replica.rs' in the sdk repo for dfx users
 Environment=RUST_MIN_STACK=8192000
-ExecStartPre=+/opt/ic/bin/generate-replica-config.sh -n /boot/config/network.conf -c /boot/config/nns.conf -b /boot/config/backup.conf -l /boot/config/log.conf -m /boot/config/malicious_behavior.conf -q /boot/config/query_stats.conf -w /boot/config/default_firewall_whitelist.conf -i /opt/ic/share/ic.json5.template -o /run/ic-node/config/ic.json5
+ExecStartPre=+/opt/ic/bin/generate-replica-config.sh -n /boot/config/network.conf -c /boot/config/nns.conf -b /boot/config/backup.conf -l /boot/config/log.conf -m /boot/config/malicious_behavior.conf -q /boot/config/query_stats.conf -i /opt/ic/share/ic.json5.template -o /run/ic-node/config/ic.json5
 ExecStart=/opt/ic/bin/orchestrator --replica-binary-dir /var/lib/ic/data/images --cup-dir /var/lib/ic/data/cups --replica-config-file /run/ic-node/config/ic.json5 --enable-provisional-registration --ic-binary-directory /opt/ic/bin --orchestrator-data-directory /var/lib/ic/data/orchestrator --version-file /opt/ic/share/version.txt
 LimitNOFILE=1048576
 Restart=always

ic-os/guestos/rootfs/opt/ic/bin/bootstrap-ic-node.sh

@@ -127,7 +127,7 @@ function process_bootstrap() {
 
     # stash the following configuration files to config store
     # note: keep this list in sync with configurations supported in build-bootstrap-config-image.sh
-    for FILE in filebeat.conf network.conf nns.conf backup.conf log.conf malicious_behavior.conf query_stats.conf bitcoind_addr.conf socks_proxy.conf default_firewall_whitelist.conf; do
+    for FILE in filebeat.conf network.conf nns.conf backup.conf log.conf malicious_behavior.conf query_stats.conf bitcoind_addr.conf socks_proxy.conf; do
         if [ -e "${TMPDIR}/${FILE}" ]; then
             echo "Setting up ${FILE}"
             cp "${TMPDIR}/${FILE}" "${CONFIG_ROOT}/${FILE}"

ic-os/guestos/rootfs/opt/ic/bin/generate-replica-config.sh

@@ -6,7 +6,7 @@
 function usage() {
     cat <<EOF
 Usage:
-  generate-replica-config [-n network.conf] [-c nns.conf] [-b backup.conf] [-l log.conf] [-m malicious_behavior.conf] [-q query_stats.conf] [-w default_firewall_whitelist.conf] -i ic.json5.template -o ic.json5
+  generate-replica-config [-n network.conf] [-c nns.conf] [-b backup.conf] [-l log.conf] [-m malicious_behavior.conf] [-q query_stats.conf] -i ic.json5.template -o ic.json5
 
   Generate replica config from template file.
 
@@ -16,7 +16,6 @@ Usage:
   -l log.conf: Optional, logging parameters of the node software
   -m malicious_behavior.conf: Optional, malicious behavior parameters
   -q query_stats.conf: Optional, query statistics epoch length configuration
-  -w default_firewall_whitelist.conf: Optional, default firewall whitelist configuration
   -i infile: input ic.json5.template file
   -o outfile: output ic.json5 file
 EOF
@@ -157,23 +156,7 @@ function read_query_stats_variables() {
     done <"$1"
 }
 
-# Read default firewall whitelist config variables from file. The file must be of the
-# form "key=value" for each line with a specific set of keys permissible (see
-# code below).
-#
-# Arguments:
-# - $1: Name of the file to be read.
-function read_default_firewall_whitelist_variables() {
-    # Read limited set of keys. Be extra-careful quoting values as it could
-    # otherwise lead to executing arbitrary shell code!
-    while IFS="=" read -r key value; do
-        case "$key" in
-            "ipv6_whitelist") ipv6_whitelist="${value}" ;;
-        esac
-    done <"$1"
-}
-
-while getopts "l:m:q:n:c:i:o:b:w:" OPT; do
+while getopts "l:m:q:n:c:i:o:b:" OPT; do
     case "${OPT}" in
         n)
             NETWORK_CONFIG_FILE="${OPTARG}"
@@ -193,9 +176,6 @@ while getopts "l:m:q:n:c:i:o:b:w:" OPT; do
         q)
             QUERY_STATS_CONFIG_FILE="${OPTARG}"
             ;;
-        w)
-            DEFAULT_FIREWALL_WHITELIST_CONFIG_FILE="${OPTARG}"
-            ;;
         i)
             IN_FILE="${OPTARG}"
             ;;
@@ -238,10 +218,6 @@ if [ "${QUERY_STATS_CONFIG_FILE}" != "" -a -e "${QUERY_STATS_CONFIG_FILE}" ]; th
     read_query_stats_variables "${QUERY_STATS_CONFIG_FILE}"
 fi
 
-if [ "${DEFAULT_FIREWALL_WHITELIST_CONFIG_FILE}" != "" -a -e "${DEFAULT_FIREWALL_WHITELIST_CONFIG_FILE}" ]; then
-    read_default_firewall_whitelist_variables "${DEFAULT_FIREWALL_WHITELIST_CONFIG_FILE}"
-fi
-
 INTERFACE=($(find /sys/class/net -type l -not -lname '*virtual*' -exec basename '{}' ';'))
 IPV6_ADDRESS="${ipv6_address%/*}"
 IPV6_ADDRESS="${IPV6_ADDRESS:-$(get_if_address_retries 6 ${INTERFACE} 12)}"
@@ -262,8 +238,6 @@ MALICIOUS_BEHAVIOR="${malicious_behavior:-null}"
 QUERY_STATS_AGGREGATION="${query_stats_aggregation:-\"Disabled\"}"
 # Default is 1800 blocks i.e. around 30min
 QUERY_STATS_EPOCH_LENGTH="${query_stats_epoch_length:-1800}"
-# Default value is none
-IPV6_WHITELIST="${ipv6_whitelist:-}"
 
 if [ "${IPV6_ADDRESS}" == "" ]; then
     echo "Cannot determine an IPv6 address, aborting"
@@ -298,7 +272,6 @@ sed -e "s@{{ ipv6_address }}@${IPV6_ADDRESS}@" \
     -e "s@{{ malicious_behavior }}@${MALICIOUS_BEHAVIOR}@" \
     -e "s@{{ query_stats_aggregation }}@${QUERY_STATS_AGGREGATION}@" \
     -e "s@{{ query_stats_epoch_length }}@${QUERY_STATS_EPOCH_LENGTH}@" \
-    -e "s@{{ ipv6_whitelist }}@${IPV6_WHITELIST}@" \
     "${IN_FILE}" >"${OUT_FILE}"
 
 # umask for service is set to be restricted, but this file needs to be

ic-os/guestos/rootfs/opt/ic/share/ic.json5.template

@@ -267,7 +267,81 @@ table ip6 filter {\n\
         ipv6_user_output_rule_template: "meta skuid <<USER>> ip6 daddr {<<IPv6_PREFIXES>>} ct state { new } tcp dport {<<PORTS>>} <<ACTION>> # <<COMMENT>>",
         default_rules: [{
           ipv4_prefixes: [],
-          ipv6_prefixes: [{{ ipv6_whitelist }}],
+          ipv6_prefixes: [
+            "2001:438:fffd:11c::/64",
+            "2001:470:1:c76::/64",
+            "2001:4d78:400:10a::/64",
+            "2001:4d78:40d::/48",
+            "2602:fb2b:110::/48",
+            "2001:920:401a:1706::/64",
+            "2001:920:401a:1708::/64",
+            "2001:920:401a:1710::/64",
+            "2401:3f00:1000:22::/64",
+            "2401:3f00:1000:23::/64",
+            "2401:3f00:1000:24::/64",
+            "2600:2c01:21::/64",
+            "2600:3000:1300:1300::/64",
+            "2600:3000:6100:200::/64",
+            "2600:3004:1200:1200::/56",
+            "2600:3006:1400:1500::/64",
+            "2600:c00:2:100::/64",
+            "2600:c02:b002:15::/64",
+            "2600:c0d:3002:4::/64",
+            "2602:ffe4:801:16::/64",
+            "2602:ffe4:801:17::/64",
+            "2602:ffe4:801:18::/64",
+            "2604:1380:4091:3000::/64",
+            "2604:1380:40e1:4700::/64",
+            "2604:1380:40f1:1700::/64",
+            "2604:1380:45d1:bf00::/64",
+            "2604:1380:45e1:a600::/64",
+            "2604:1380:45f1:9400::/64",
+            "2604:1380:4601:6200::/64",
+            "2604:1380:4601:6201::/64",
+            "2604:1380:4601:6202::/64",
+            "2604:1380:4641:6101::/64",
+            "2604:1380:4641:6102::/64",
+            "2604:1380:4091:3001::/64",
+            "2604:1380:4091:3002::/64",
+            "2604:1380:45e1:a601::/64",
+            "2604:1380:45e1:a602::/64",
+            "2604:1380:4641:6100::/64",
+            "2604:3fc0:2001::/48",
+            "2604:3fc0:3002::/48",
+            "2604:6800:258:1::/64",
+            "2604:7e00:30:3::/64",
+            "2604:7e00:50::/64",
+            "2604:b900:4001:76::/64",
+            "2607:f1d0:10:1::/64",
+            "2607:f6f0:3004::/48",
+            "2602:fb2b:120::/48",
+            "2607:f758:1220::/64",
+            "2607:f758:c300::/64",
+            "2607:fb58:9005::/48",
+            "2602:fb2b:100::/48",
+            "2607:ff70:3:2::/64",
+            "2610:190:6000:1::/64",
+            "2610:190:df01:5::/64",
+            "2a00:fa0:3::/48",
+            "2a00:fb01:400:100::/56",
+            "2a00:fb01:400::/56",
+            "2a00:fc0:5000:300::/64",
+            "2a01:138:900a::/48",
+            "2a01:2a8:a13c:1::/64",
+            "2a01:2a8:a13d:1::/64",
+            "2a01:2a8:a13e:1::/64",
+            "2a02:418:3002:0::/64",
+            "2a02:41b:300e::/48",
+            "2a02:800:2:2003::/64",
+            "2a04:9dc0:0:108::/64",
+            "2a05:d014:939:bf00::/56",
+            "2a05:d01c:d9:2b00::/56",
+            "2a05:d01c:e2c:a700::/56",
+            "2a0b:21c0:4003:2::/64",
+            "2a0b:21c0:b002:2::/64",
+            "2a0f:cd00:0002::/56",
+            "fd00:2:1:1::/64",
+          ],
           ports: [22, 2497, 4100, 7070, 8080, 9090, 9091, 9100, 19100, 19531],
           action: 1,
           comment: "Default rule from template",

ic-os/hostos/rootfs/opt/ic/bin/generate-guestos-config.sh

@@ -114,9 +114,6 @@ function assemble_config_media() {
     if [ -f "/boot/config/node_operator_private_key.pem" ]; then
         cmd+=(--node_operator_private_key "/boot/config/node_operator_private_key.pem")
     fi
-    if [ -f "/boot/config/default_firewall_whitelist.conf" ]; then
-        cmd+=(--default_firewall_whitelist "/boot/config/default_firewall_whitelist.conf")
-    fi
 
     # Run the above command
     "${cmd[@]}"

ic-os/scripts/build-bootstrap-config-image.sh

@@ -27,10 +27,6 @@ options may be specified:
   --ipv6_gateway a:b::c
     Default IPv6 gateway.
 
-  --default_firewall_whitelist path
-    File containing the default whitelist configuration for GuestOS on
-    orchestrator startup.
-
   --ipv4_address a.b.c.d/n
     (optional) The IPv4 address to assign. Must include prefix length (e.g.
     18.208.190.35/28).
@@ -138,7 +134,6 @@ function build_ic_bootstrap_tar() {
     local MALICIOUS_BEHAVIOR
     local QUERY_STATS_EPOCH_LENGTH
     local BITCOIND_ADDR
-    local DEFAULT_FIREWALL_WHITELIST
 
     while true; do
         if [ $# == 0 ]; then
@@ -152,9 +147,6 @@ function build_ic_bootstrap_tar() {
             --ipv6_gateway)
                 IPV6_GATEWAY="$2"
                 ;;
-            --default_firewall_whitelist)
-                DEFAULT_FIREWALL_WHITELIST="$2"
-                ;;
             --ipv4_address)
                 IPV4_ADDRESS="$2"
                 ;;
@@ -280,9 +272,6 @@ EOF
     if [ "${NODE_OPERATOR_PRIVATE_KEY}" != "" ]; then
         cp "${NODE_OPERATOR_PRIVATE_KEY}" "${BOOTSTRAP_TMPDIR}/node_operator_private_key.pem"
     fi
-    if [ "${DEFAULT_FIREWALL_WHITELIST}" != "" ]; then
-        cp "${DEFAULT_FIREWALL_WHITELIST}" "${BOOTSTRAP_TMPDIR}/default_firewall_whitelist.conf"
-    fi
 
     tar cf "${OUT_FILE}" \
         --sort=name \

ic-os/setupos/rootfs/opt/ic/bin/config.sh

@@ -48,11 +48,6 @@ function clone_config() {
         log_and_reboot_on_error "${?}" "Unable to copy 'node_operator_private_key.pem' configuration file."
     fi
 
-    if [ -f "${CONFIG_DIR}/default_firewall_whitelist.conf" ]; then
-        cp ${CONFIG_DIR}/default_firewall_whitelist.conf ${CONFIG_TMP}/default_firewall_whitelist.conf
-        log_and_reboot_on_error "${?}" "Unable to copy 'default_firewall_whitelist.conf' configuration file."
-    fi
-
     if [ -d "${SSH_AUTHORIZED_KEYS}" ]; then
         cp -r "${SSH_AUTHORIZED_KEYS}" "${CONFIG_TMP}"
         log_and_reboot_on_error "${?}" "Unable to copy 'ssh_authorized_keys' directory."

ic-os/setupos/rootfs/opt/ic/bin/devices.sh

@@ -42,11 +42,6 @@ function copy_config_files() {
         echo "node_operator_private_key.pem does not exist, requiring HSM."
     fi
 
-    if [ -f "${CONFIG_DIR}/default_firewall_whitelist.conf" ]; then
-        cp ${CONFIG_DIR}/default_firewall_whitelist.conf /media/
-        log_and_reboot_on_error "${?}" "Unable to copy default_firewall_whitelist.conf to hostOS config partition."
-    fi
-
     echo "* Copying deployment.json to config partition..."
     cp /data/deployment.json /media/
     log_and_reboot_on_error "${?}" "Unable to copy deployment.json to hostOS config partition."

rs/ic_os/launch-single-vm/Cargo.toml

@@ -6,9 +6,9 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-tests = { path = "../../tests" }
-ic-prep = { path = "../../prep" }
-ic-registry-subnet-type = { path = "../../registry/subnet_type" }
+tests = { path = "../../tests"}
+ic-prep = { path = "../../prep"}
+ic-registry-subnet-type = { path = "../../registry/subnet_type"}
 ic-types = { path = "../../types/types" }
 
 clap = { workspace = true }

rs/ic_os/launch-single-vm/src/main.rs

@@ -39,9 +39,6 @@ struct Args {
     /// Path to `build-bootstrap-config-image.sh` script
     #[clap(long)]
     build_bootstrap_script: PathBuf,
-    /// Path to `default_firewall_whitelist.conf` file
-    #[clap(long)]
-    default_firewall_whitelist: PathBuf,
     /// Key to be used for `admin` SSH
     #[clap(long)]
     ssh_key_path: Option<PathBuf>,
@@ -63,7 +60,6 @@ fn main() {
     let url = args.url;
     let sha256 = args.sha256;
     let build_bootstrap_script = args.build_bootstrap_script;
-    let default_firewall_whitelist = args.default_firewall_whitelist;
     let ssh_key_path = args.ssh_key_path;
 
     let test_name = "test_single_vm";
@@ -187,8 +183,6 @@ fn main() {
         .arg(&local_store)
         .arg("--accounts_ssh_authorized_keys")
         .arg(&keys_dir)
-        .arg("--default_firewall_whitelist")
-        .arg(default_firewall_whitelist)
         .status()
         .unwrap();
 

rs/ic_os/setupos-inject-configuration/src/main.rs

@@ -34,9 +34,6 @@ struct Cli {
 
     #[command(flatten)]
     deployment: DeploymentConfig,
-
-    #[arg(long)]
-    default_firewall_whitelist_path: Option<PathBuf>,
 }
 
 #[derive(Args)]
@@ -135,17 +132,6 @@ async fn main() -> Result<(), Error> {
             .context("failed to copy public keys")?;
     }
 
-    // Update default firewall whitelist
-    if let Some(default_firewall_whitelist_path) = cli.default_firewall_whitelist_path {
-        config
-            .write_file(
-                &default_firewall_whitelist_path,
-                Path::new("/default_firewall_whitelist.conf"),
-            )
-            .await
-            .context("failed to copy default firewall config")?;
-    }
-
     // Close config partition
     config.close().await?;
 

rs/prep/src/internet_computer.rs

@@ -388,23 +388,22 @@ impl IcConfig {
         let mut mutations = self.initial_mutations.clone();
 
         if let Some(prefixes) = self.whitelisted_prefixes {
-            // Port 8080 is always included.
-            let mut ports = vec![8080];
-
-            if let Some(additional_ports) = self.whitelisted_ports {
-                ports = additional_ports
+            let ports = if let Some(ports) = self.whitelisted_ports {
+                ports
                     .split(',')
-                    .map(|port| port.trim().parse::<u32>().unwrap())
-                    .chain(ports)
+                    .map(|port| port.parse::<u32>().unwrap())
+                    .chain(std::iter::once(8080))
                     .collect()
+            } else {
+                vec![8080]
             };
 
             mutations.extend(vec![insert(
                 make_firewall_rules_record_key(&FirewallRulesScope::Global),
                 encode_or_panic(&FirewallRuleSet {
                     entries: vec![FirewallRule {
                         ipv4_prefixes: Vec::new(),
-                        ipv6_prefixes: prefixes.split(',').map(|v| v.trim().to_string()).collect(),
+                        ipv6_prefixes: prefixes.split(',').map(|v| v.to_string()).collect(),
                         ports,
                         action: FirewallAction::Allow as i32,
                         comment: "Globally allow provided prefixes for testing".to_string(),

rs/tests/BUILD.bazel

@@ -95,10 +95,6 @@ exports_files([
     "create-universal-vm-config-image.sh",
 ])
 
-exports_files([
-    "src/default_firewall_whitelist.conf",
-])
-
 filegroup(
     name = "grafana_dashboards",
     srcs = glob(["dashboards/**/*"]),

rs/tests/common.bzl

@@ -183,7 +183,6 @@ GUESTOS_DEV_VERSION = "//ic-os/guestos/envs/dev:version.txt"
 GUESTOS_RUNTIME_DEPS = [
     GUESTOS_DEV_VERSION,
     "//ic-os:scripts/build-bootstrap-config-image.sh",
-    "//rs/tests:src/default_firewall_whitelist.conf",
 ]
 
 MAINNET_REVISION_RUNTIME_DEPS = ["//testnet:mainnet_nns_revision"]