From 1e195acee45ac69a2f7d8d4f2c9ea05ff6b0af2c Mon Sep 17 00:00:00 2001
From: Cory Snider
Date: Mon, 3 Apr 2023 17:30:49 -0400
Subject: [PATCH] libn/d/overlay: stop programming INPUT ACCEPT rule

Encrypted overlay networks are unique in that they are the only kind of network for which libnetwork programs an iptables rule to explicitly accept incoming packets. No other network driver does this. The overlay driver doesn't even do this for unencrypted networks! Because the ACCEPT rule is appended to the end of INPUT table rather than inserted at the front, the rule can be entirely inert on many common configurations. For example, FirewallD programs an unconditional REJECT rule at the end of the INPUT table, so any ACCEPT rules appended after it have no effect. And on systems where the rule is effective, its presence may subvert the administrator's intentions. In particular, automatically appending the ACCEPT rule could allow incoming traffic which the administrator was expecting to be dropped implicitly with a default-DROP policy. Let the administrator always have the final say in how incoming encrypted overlay packets are filtered by no longer automatically programming INPUT ACCEPT iptables rules for them.

Signed-off-by: Cory Snider
---
 libnetwork/drivers/overlay/encryption.go | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/libnetwork/drivers/overlay/encryption.go b/libnetwork/drivers/overlay/encryption.go
index 5b76f7793d..1995ac984b 100644
--- a/libnetwork/drivers/overlay/encryption.go
+++ b/libnetwork/drivers/overlay/encryption.go
@@ -300,12 +300,6 @@ var programInput = programVXLANRuleFunc(func(matchVXLAN matchVXLANFunc, vni uint
 return a
 }
 
- // Accept incoming VXLAN datagrams for the VNI which were subjected to IPSec processing.
- // Append to the bottom of the chain to give administrator-configured rules precedence.
- if err := iptable.ProgramRule(iptables.Filter, chain, action(iptables.Append), rule("ipsec", "ACCEPT")); err != nil {
- return fmt.Errorf("could not %s input accept rule: %w", msg, err)
- }
-
 // Drop incoming VXLAN datagrams for the VNI which were received in cleartext.
 // Insert at the top of the chain so the packets are dropped even if an
 // administrator-configured rule exists which would otherwise unconditionally
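Review bot: With the ACCEPT rule gone, the comments left in this hunk describe only the cleartext DROP rule, so a reader of programInput sees a DROP with no ACCEPT counterpart and may conclude the accept rule was lost by accident and re-add it. Per the commit description, admission of IPsec-processed VXLAN datagrams is now deliberately left to administrator-configured INPUT rules (on a default-DROP INPUT policy they pass only if such a rule exists), but nothing in the code records that decision. Suggest adding, directly above the `// Drop incoming VXLAN datagrams` comment: `// No ACCEPT rule is programmed for IPsec-processed datagrams: admitting them is left to the administrator's own INPUT rules, so a default-DROP policy is honoured.` programInput's body starts and ends outside the hunk, so I cannot tell whether `msg`, `rule` and `action` used by the removed lines still have other callers; if the DROP rule below does not use them, they become dead declarations that staticcheck will flag.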