From 34daefa75278aab65432e9f531c1054040a364f8 Mon Sep 17 00:00:00 2001
From: Sandy Cash
Date: Thu, 4 Feb 2016 10:52:25 -0500
Subject: [PATCH] Remove support for deny_networks

[#112228267]

Signed-off-by: Matthew Sykes
---
 warden-protocol/lib/warden/protocol/pb/net_out.proto | 3 +--
 warden/lib/warden/config.rb | 3 ---
 warden/lib/warden/container/features/net.rb | 4 ----
 warden/lib/warden/container/linux.rb | 1 -
 warden/root/linux/net.sh | 12 +----------
 warden/spec/container/insecure_spec.rb | 1 -
 warden/spec/container/linux_nested_spec.rb | 2 --
 warden/spec/container/linux_spec.rb | 2 --
 8 files changed, 2 insertions(+), 26 deletions(-)

diff --git a/warden-protocol/lib/warden/protocol/pb/net_out.proto b/warden-protocol/lib/warden/protocol/pb/net_out.proto
index 4fa738c3..b96e3a0e 100644
--- a/warden-protocol/lib/warden/protocol/pb/net_out.proto
+++ b/warden-protocol/lib/warden/protocol/pb/net_out.proto
@@ -1,7 +1,6 @@
 // Whitelist network traffic.
 //
-// If the configuration directive `deny_networks` is not used,
-// all networks are already whitelisted and this command is effectively a no-op.
+// Outbound traffic is denied by default.
 //
 // > **TODO** Link to page explaining how networking works.
 //
diff --git a/warden/lib/warden/config.rb b/warden/lib/warden/config.rb
index 83f12b31..238399da 100644
--- a/warden/lib/warden/config.rb
+++ b/warden/lib/warden/config.rb
@@ -89,7 +89,6 @@ def self.logging_schema
 def self.network_defaults
 {
 "pool_network" => "10.254.0.0/24",
- "deny_networks" => [],
 "allow_networks" => [],
 "allow_host_access" => false,
 "mtu" => 1500,
@@ -108,7 +107,6 @@ def self.network_schema
 optional("release_delay") => Integer,
 optional("mtu") => Integer,
- "deny_networks" => [String],
 "allow_networks" => [String],
 optional("allow_host_access") => bool,
 }
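Review bot: The replacement comment states the new default but no longer tells the reader how that default is relaxed, which the removed sentence did for the old model. The server-wide whitelist still exists as `allow_networks` in config.rb further down this patch, and the first line of this file describes NetOut as whitelisting traffic, so I'd extend the line to `// Outbound traffic is denied by default; it is permitted only to networks listed in the server's \`allow_networks\` configuration or whitelisted for a container with this command.` The per-container reading of NetOut is inferred from the file's first line, so adjust the wording if the command's scope differs.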
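Review bot: Dropping `"deny_networks" => [String]` from network_schema (second config.rb hunk) turns a key that was mandatory in every existing config (it had no `optional(...)` wrapper, unlike `mtu`) into an unknown key, and nothing in the commit tells an operator that their deny list is no longer enforced. Whether the schema rejects or ignores unknown keys is not visible here, but neither outcome explains why, and a silently ignored deny list is the worse of the two. I'd keep the key for one release as `optional("deny_networks") => [String]` and, in the `transform` hunk that follows, add `warn "deny_networks is no longer supported; outbound traffic is denied by default" if @network["deny_networks"]` beside the remaining `allow_networks` compact line. Removing the default from network_defaults in the first hunk is fine once the key is optional.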
@@ -201,7 +199,6 @@ def transform
 split("::").
 inject(Kernel) { |prev, cur| prev.const_get(cur) }
- @network["deny_networks"] = @network["deny_networks"].compact
 @network["allow_networks"] = @network["allow_networks"].compact
 # Transform pool_start_address/pool_size into pool_network if needed
diff --git a/warden/lib/warden/container/features/net.rb b/warden/lib/warden/container/features/net.rb
index d38d9901..822a295d 100644
--- a/warden/lib/warden/container/features/net.rb
+++ b/warden/lib/warden/container/features/net.rb
@@ -181,16 +181,12 @@ module ClassMethods
 include Spawn
- # Network blacklist
- attr_accessor :deny_networks
-
 # Network whitelist
 attr_accessor :allow_networks
 def setup(config)
 super(config)
- self.deny_networks = config.network["deny_networks"]
 self.allow_networks = config.network["allow_networks"]
 end
 end
diff --git a/warden/lib/warden/container/linux.rb b/warden/lib/warden/container/linux.rb
index 943877a9..3497076a 100644
--- a/warden/lib/warden/container/linux.rb
+++ b/warden/lib/warden/container/linux.rb
@@ -43,7 +43,6 @@ def setup(config)
 :env => {
 "POOL_NETWORK" => config.network["pool_network"],
 "ALLOW_NETWORKS" => allow_networks.join(" "),
- "DENY_NETWORKS" => deny_networks.join(" "),
 "ALLOW_HOST_ACCESS" => config.network["allow_host_access"].to_s,
 "CONTAINER_ROOTFS_PATH" => container_rootfs_path,
 "CONTAINER_DEPOT_PATH" => container_depot_path,
diff --git a/warden/root/linux/net.sh b/warden/root/linux/net.sh
index 17c30415..6bc0b308 100755
--- a/warden/root/linux/net.sh
+++ b/warden/root/linux/net.sh
@@ -12,9 +12,8 @@ nat_prerouting_chain="warden-prerouting"
 nat_postrouting_chain="warden-postrouting"
 nat_instance_prefix="warden-i-"
-# Default ALLOW_NETWORKS/DENY_NETWORKS to empty
+# Default ALLOW_NETWORKS to empty
 ALLOW_NETWORKS=${ALLOW_NETWORKS:-}
-DENY_NETWORKS=${DENY_NETWORKS:-}
 # Default ALLOW_HOST_ACCESS to false
 ALLOW_HOST_ACCESS=${ALLOW_HOST_ACCESS:-false}
@@ -109,15 +108,6 @@ function setup_filter() {
 iptables -w -A ${filter_default_chain} --destination "$n" --jump RETURN
 done
- for n in ${DENY_NETWORKS}; do
- if [ "$n" == "" ]
- then
- break
- fi
-
- iptables -w -A ${filter_default_chain} --destination "$n" --jump DROP
- done
-
 iptables -w -A ${filter_default_chain} --jump REJECT
 # Accept packets related to previously established connections
diff --git a/warden/spec/container/insecure_spec.rb b/warden/spec/container/insecure_spec.rb
index adbd4106..e88ded9c 100644
--- a/warden/spec/container/insecure_spec.rb
+++ b/warden/spec/container/insecure_spec.rb
@@ -59,7 +59,6 @@ def start_warden
 "pool_start_address" => start_address,
 "pool_size" => 64,
 "allow_networks" => ["4.2.2.3/32"],
- "deny_networks" => ["4.2.2.0/24"]
 },
 "port" => { "pool_start_port" => 64000, "pool_size" => 1000 },
diff --git a/warden/spec/container/linux_nested_spec.rb b/warden/spec/container/linux_nested_spec.rb
index 815b8fee..ba87b806 100644
--- a/warden/spec/container/linux_nested_spec.rb
+++ b/warden/spec/container/linux_nested_spec.rb
@@ -33,7 +33,6 @@
 @container_depot_path = File.join(work_path, "containers")
 container_depot_file = container_depot_path + ".img"
 allow_networks = []
- deny_networks = []
 mtu = 1500
@@ -51,7 +50,6 @@
 "pool_size" => 64,
 "mtu" => mtu,
 "allow_networks" => allow_networks,
- "deny_networks" => deny_networks
 },
 "port" => { "pool_start_port" => 64000, "pool_size" => 1000 },
diff --git a/warden/spec/container/linux_spec.rb b/warden/spec/container/linux_spec.rb
index 883e5c71..bd5e8c38 100644
--- a/warden/spec/container/linux_spec.rb
+++ b/warden/spec/container/linux_spec.rb
@@ -23,7 +23,6 @@
 let(:have_uid_support) { true }
 let(:netmask) { Warden::Network::Netmask.new(255, 255, 255, 252) }
 let(:allow_networks) { [] }
- let(:deny_networks) { [] }
 let(:allow_host_access) { false }
 let(:mtu) { 1500 }
 let(:job_output_limit) { 100 * 1024 }
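Review bot: With the DENY_NETWORKS loop removed, destinations that previously hit `--jump DROP` now fall through to the chain's terminal `--jump REJECT`, so a container that used to see a silent timeout for a denied range now gets an immediate rejection (an ICMP unreachable or TCP reset, depending on how REJECT is configured). That is an observable change for workloads and for anyone probing the filter from inside a container, and the hunk leaves it undocumented. I'd add a comment above the surviving line, `# Anything not whitelisted by ALLOW_NETWORKS above is actively rejected, not silently dropped`, and mention the DROP-to-REJECT change in the commit message. setup_filter begins outside the hunk, so I cannot see whether anything earlier in the function still references DENY_NETWORKS.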
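Review bot: The insecure_spec fixture drops `"deny_networks" => ["4.2.2.0/24"]` while keeping `"allow_networks" => ["4.2.2.3/32"]`, and the hunk does not show what the spec asserted about the denied range. If an example reached an address in 4.2.2.0/24 other than 4.2.2.3 and expected failure, it now passes only because of the terminal REJECT in net.sh, which is precisely the behavior this commit relies on; that assertion deserves to stay (or be added) as an explicit regression test for default-deny rather than holding incidentally. The same fixture-only removals in linux_nested_spec and linux_spec add no coverage of the new default either. start_warden continues outside the hunk.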
@@ -125,7 +124,6 @@ def start_warden
 "pool_size" => 64,
 "mtu" => mtu,
 "allow_networks" => allow_networks,
- "deny_networks" => deny_networks,
 "allow_host_access" => allow_host_access
 },
 "port" => { "pool_start_port" => 64000,