Use a more targeted iptables rule to block access to control port

Only block the specific port Weave Net is listening on. Add a comment so users know what the rule is for. Remove the rule added in v2.6.3 because it was too coarse.
weaveworks · May 29, 2020 · a46d18d · a46d18d
1 parent 95c020f
commit a46d18d
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 4 deletions.
diff --git a/net/bridge.go b/net/bridge.go
@@ -221,6 +221,7 @@ type BridgeConfig struct {
 	MTU              int
 	Mac              string
 	Port             int
+	ControlPort      string
 	NoMasqLocal      bool
 }
 
@@ -469,10 +470,17 @@ func configureIPTables(config *BridgeConfig, ips ipset.Interface) error {
 		}
 	}
 
-	// Block non-local traffic to the Weave control port
-	if err = ipt.AppendUnique("filter", "INPUT", "-p", "tcp", "--dst", "127.0.0.1", "-m", "addrtype", "!", "--src-type", "LOCAL", "-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED", "-j", "DROP"); err != nil {
-		return err
+	if config.ControlPort != "" {
+		if err = ipt.AppendUnique("filter", "INPUT", "-p", "tcp", "--dst", "127.0.0.1", "--dport", config.ControlPort,
+			"-m", "addrtype", "!", "--src-type", "LOCAL",
+			"-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED",
+			"-m", "comment", "--comment", "Block non-local access to Weave Net control port",
+			"-j", "DROP"); err != nil {
+			return err
+		}
 	}
+	// Remove the rule from Weave Net 2.6.3 which dropped too much.
+	_ = ipt.Delete("filter", "INPUT", "-p", "tcp", "--dst", "127.0.0.1", "-m", "addrtype", "!", "--src-type", "LOCAL", "-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED", "-j", "DROP")
 
 	if config.NPC {
 		// Steer traffic via the NPC.

diff --git a/prog/weaver/main.go b/prog/weaver/main.go
@@ -307,6 +307,11 @@ func main() {
 
 	bridgeConfig.Mac = name.String()
 	bridgeConfig.Port = config.Port
+	if httpAddr != "" {
+		if _, port, err := net.SplitHostPort(httpAddr); err == nil {
+			bridgeConfig.ControlPort = port
+		}
+	}
 	ips := ipset.New(common.LogLogger(), 0)
 	bridgeType, err := weavenet.EnsureBridge(procPath, &bridgeConfig, Log, ips)
 	checkFatal(err)

diff --git a/weave b/weave
@@ -483,7 +483,7 @@ destroy_bridge() {
 
     [ -n "$DOCKER_BRIDGE_IP" ] || DOCKER_BRIDGE_IP=$(util_op bridge-ip $DOCKER_BRIDGE)
 
-    run_iptables -t filter -D INPUT -d 127.0.0.1/32 -p tcp -m addrtype ! --src-type LOCAL -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP >/dev/null 2>&1 || true
+    run_iptables -t filter -D INPUT -d 127.0.0.1/32 -p tcp --dport 6784 -m addrtype ! --src-type LOCAL -m conntrack ! --ctstate RELATED,ESTABLISHED -m comment --comment "Block non-local access to Weave Net control port" -j DROP >/dev/null 2>&1 || true
     run_iptables -t filter -D INPUT -i $DOCKER_BRIDGE -p udp --dport 53  -j ACCEPT  >/dev/null 2>&1 || true
     run_iptables -t filter -D INPUT -i $DOCKER_BRIDGE -p tcp --dport 53  -j ACCEPT  >/dev/null 2>&1 || true