Remove support for deny_networks

[#112228267]

Signed-off-by: Matthew Sykes <[email protected]>

warden-protocol/lib/warden/protocol/pb/net_out.proto

@@ -1,7 +1,6 @@
 // Whitelist network traffic.
 //
-// If the configuration directive `deny_networks` is not used,
-// all networks are already whitelisted and this command is effectively a no-op.
+// Outbound traffic is denied by default.
 //
 // > **TODO** Link to page explaining how networking works.
 //

warden/lib/warden/config.rb

@@ -89,7 +89,6 @@ def self.logging_schema
     def self.network_defaults
       {
         "pool_network"   => "10.254.0.0/24",
-        "deny_networks"  => [],
         "allow_networks" => [],
         "allow_host_access" => false,
         "mtu"            => 1500,
@@ -108,7 +107,6 @@ def self.network_schema
           optional("release_delay")          => Integer,
           optional("mtu")                => Integer,
 
-          "deny_networks"      => [String],
           "allow_networks"     => [String],
           optional("allow_host_access") => bool,
         }
@@ -201,7 +199,6 @@ def transform
         split("::").
         inject(Kernel) { |prev, cur| prev.const_get(cur) }
 
-      @network["deny_networks"]  = @network["deny_networks"].compact
       @network["allow_networks"] = @network["allow_networks"].compact
 
       # Transform pool_start_address/pool_size into pool_network if needed

warden/lib/warden/container/features/net.rb

@@ -181,16 +181,12 @@ module ClassMethods
 
           include Spawn
 
-          # Network blacklist
-          attr_accessor :deny_networks
-
           # Network whitelist
           attr_accessor :allow_networks
 
           def setup(config)
             super(config)
 
-            self.deny_networks  = config.network["deny_networks"]
             self.allow_networks = config.network["allow_networks"]
           end
         end

warden/lib/warden/container/linux.rb

@@ -43,7 +43,6 @@ def setup(config)
             :env => {
               "POOL_NETWORK" => config.network["pool_network"],
               "ALLOW_NETWORKS" => allow_networks.join(" "),
-              "DENY_NETWORKS" => deny_networks.join(" "),
               "ALLOW_HOST_ACCESS" => config.network["allow_host_access"].to_s,
               "CONTAINER_ROOTFS_PATH" => container_rootfs_path,
               "CONTAINER_DEPOT_PATH" => container_depot_path,

warden/root/linux/net.sh

@@ -12,9 +12,8 @@ nat_prerouting_chain="warden-prerouting"
 nat_postrouting_chain="warden-postrouting"
 nat_instance_prefix="warden-i-"
 
-# Default ALLOW_NETWORKS/DENY_NETWORKS to empty
+# Default ALLOW_NETWORKS to empty
 ALLOW_NETWORKS=${ALLOW_NETWORKS:-}
-DENY_NETWORKS=${DENY_NETWORKS:-}
 
 # Default ALLOW_HOST_ACCESS to false
 ALLOW_HOST_ACCESS=${ALLOW_HOST_ACCESS:-false}
@@ -109,15 +108,6 @@ function setup_filter() {
     iptables -w -A ${filter_default_chain} --destination "$n" --jump RETURN
   done
 
-  for n in ${DENY_NETWORKS}; do
-    if [ "$n" == "" ]
-    then
-      break
-    fi
-
-    iptables -w -A ${filter_default_chain} --destination "$n" --jump DROP
-  done
-
   iptables -w -A ${filter_default_chain} --jump REJECT
 
   # Accept packets related to previously established connections

warden/spec/container/insecure_spec.rb

@@ -59,7 +59,6 @@ def start_warden
           "pool_start_address" => start_address,
           "pool_size" => 64,
           "allow_networks" => ["4.2.2.3/32"],
-          "deny_networks" => ["4.2.2.0/24"] },
         "port" => {
           "pool_start_port" => 64000,
           "pool_size" => 1000 },

warden/spec/container/linux_nested_spec.rb

@@ -33,7 +33,6 @@
       @container_depot_path = File.join(work_path, "containers")
       container_depot_file = container_depot_path + ".img"
       allow_networks = []
-      deny_networks = []
       mtu = 1500
 
 
@@ -51,7 +50,6 @@
             "pool_size" => 64,
             "mtu" => mtu,
             "allow_networks" => allow_networks,
-            "deny_networks" => deny_networks },
         "port" => {
             "pool_start_port" => 64000,
             "pool_size" => 1000 },

warden/spec/container/linux_spec.rb

@@ -23,7 +23,6 @@
   let(:have_uid_support) { true }
   let(:netmask) { Warden::Network::Netmask.new(255, 255, 255, 252) }
   let(:allow_networks) { [] }
-  let(:deny_networks) { [] }
   let(:allow_host_access) { false }
   let(:mtu) { 1500 }
   let(:job_output_limit) { 100 * 1024 }
@@ -125,7 +124,6 @@ def start_warden
               "pool_size" => 64,
               "mtu" => mtu,
               "allow_networks" => allow_networks,
-              "deny_networks" => deny_networks,
               "allow_host_access" => allow_host_access },
           "port" => {
               "pool_start_port" => 64000,