From a46d18da0cf91d1c38d7bd68a6e4b7764cfd616f Mon Sep 17 00:00:00 2001
From: Bryan Boreham
Date: Fri, 29 May 2020 15:43:35 +0000
Subject: [PATCH] Use a more targeted iptables rule to block access to control port

Only block the specific port Weave Net is listening on. Add a comment so users know what the rule is for. Remove the rule added in v2.6.3 because it was too coarse.
---
 net/bridge.go | 14 +++++++++++---
 prog/weaver/main.go | 5 +++++
 weave | 2 +-
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/net/bridge.go b/net/bridge.go
index f27e3175b2..8283e6455f 100644
--- a/net/bridge.go
+++ b/net/bridge.go
@@ -221,6 +221,7 @@ type BridgeConfig struct {
 MTU int
 Mac string
 Port int
+ ControlPort string
 NoMasqLocal bool
 }
@@ -469,10 +470,17 @@ func configureIPTables(config *BridgeConfig, ips ipset.Interface) error {
 }
 }
- // Block non-local traffic to the Weave control port
- if err = ipt.AppendUnique("filter", "INPUT", "-p", "tcp", "--dst", "127.0.0.1", "-m", "addrtype", "!", "--src-type", "LOCAL", "-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED", "-j", "DROP"); err != nil {
- return err
+ if config.ControlPort != "" {
+ if err = ipt.AppendUnique("filter", "INPUT", "-p", "tcp", "--dst", "127.0.0.1", "--dport", config.ControlPort,
+ "-m", "addrtype", "!", "--src-type", "LOCAL",
+ "-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED",
+ "-m", "comment", "--comment", "Block non-local access to Weave Net control port",
+ "-j", "DROP"); err != nil {
+ return err
+ }
 }
+ // Remove the rule from Weave Net 2.6.3 which dropped too much.
+ _ = ipt.Delete("filter", "INPUT", "-p", "tcp", "--dst", "127.0.0.1", "-m", "addrtype", "!", "--src-type", "LOCAL", "-m", "conntrack", "!", "--ctstate", "RELATED,ESTABLISHED", "-j", "DROP")
 if config.NPC {
 // Steer traffic via the NPC.
diff --git a/prog/weaver/main.go b/prog/weaver/main.go
index ca89c6427a..3edaed16d2 100644
--- a/prog/weaver/main.go
+++ b/prog/weaver/main.go
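Review bot: The new `ControlPort` field is undocumented, and the reason its type differs from the neighbouring `Port int` is only visible further down in configureIPTables, where it is passed verbatim as an iptables `--dport` argument. A trailing comment would save the next reader that lookup: `ControlPort string // TCP port of the HTTP control endpoint, passed as-is to iptables --dport; empty installs no DROP rule`. The start of the BridgeConfig struct is outside the hunk.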
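Review bot: The replacement fails open when `config.ControlPort` is empty: the new DROP rule is only appended inside the `if config.ControlPort != ""` branch, but the `ipt.Delete` of the 2.6.3 rule runs unconditionally, so a weaver with no port value (main.go leaves ControlPort empty when `net.SplitHostPort` fails) loses the old protection and gains nothing. Moving the `_ = ipt.Delete(...)` line into that branch, after the `return err` check, keeps the coarse rule in place until the targeted one has been installed. The rule also only matches `--dst 127.0.0.1`; whether the control endpoint can be reached on another local address or on `::1` cannot be determined from this hunk, but nothing here covers that case. `_ = ipt.Delete(...)` discards every error, which is fine for "rule not present" on a fresh install but also hides xtables-lock or permission failures, so a comment such as `// best-effort: the old rule is absent on fresh installs` would make the deliberate ignore explicit. configureIPTables begins and ends outside the hunk.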
@@ -307,6 +307,11 @@ func main() {
 bridgeConfig.Mac = name.String()
 bridgeConfig.Port = config.Port
+ if httpAddr != "" {
+ if _, port, err := net.SplitHostPort(httpAddr); err == nil {
+ bridgeConfig.ControlPort = port
+ }
+ }
 ips := ipset.New(common.LogLogger(), 0)
 bridgeType, err := weavenet.EnsureBridge(procPath, &bridgeConfig, Log, ips)
 checkFatal(err)
diff --git a/weave b/weave
index b824d008d3..a8e6fb0611 100755
--- a/weave
+++ b/weave
@@ -483,7 +483,7 @@ destroy_bridge() {
 [ -n "$DOCKER_BRIDGE_IP" ] || DOCKER_BRIDGE_IP=$(util_op bridge-ip $DOCKER_BRIDGE)
- run_iptables -t filter -D INPUT -d 127.0.0.1/32 -p tcp -m addrtype ! --src-type LOCAL -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP >/dev/null 2>&1 || true
+ run_iptables -t filter -D INPUT -d 127.0.0.1/32 -p tcp --dport 6784 -m addrtype ! --src-type LOCAL -m conntrack ! --ctstate RELATED,ESTABLISHED -m comment --comment "Block non-local access to Weave Net control port" -j DROP >/dev/null 2>&1 || true
 run_iptables -t filter -D INPUT -i $DOCKER_BRIDGE -p udp --dport 53 -j ACCEPT >/dev/null 2>&1 || true
 run_iptables -t filter -D INPUT -i $DOCKER_BRIDGE -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1 || true
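Review bot: A `net.SplitHostPort` failure is silently swallowed here, which leaves `bridgeConfig.ControlPort` empty and therefore installs no INPUT DROP rule for the control port, while the rest of main() (outside the hunk) presumably still listens on httpAddr. The hunk already uses `checkFatal(err)` two lines later, so the same treatment fits: `_, port, err := net.SplitHostPort(httpAddr)`, `checkFatal(err)`, `bridgeConfig.ControlPort = port` — or at least a logged warning if a malformed address is meant to be tolerated rather than fail closed. Note also that the host half of httpAddr is discarded while net/bridge.go pins the rule to `--dst 127.0.0.1`; if httpAddr can name another local address, the rule will not match that listener. main() continues outside the hunk.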
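Review bot: The cleanup pins the control port to `--dport 6784` and requires an exact `--comment` match, whereas the Go side installs the rule with whatever port it parsed from httpAddr; on a node started with a non-default control port this `-D` fails (masked by `|| true`) and the DROP rule outlives the bridge. Deriving the port from the same setting the script uses when starting weaver, or locating the rule by its comment in `iptables -S INPUT` output before deleting it, would keep teardown in step with setup. Dropping the 2.6.3 deletion also means a node that received only the new script, without the new weaver ever running its startup cleanup, keeps the old coarse rule; retaining the previous `run_iptables -t filter -D INPUT -d 127.0.0.1/32 -p tcp -m addrtype ! --src-type LOCAL -m conntrack ! --ctstate RELATED,ESTABLISHED -j DROP >/dev/null 2>&1 || true` line alongside the new one costs nothing since both are best-effort. destroy_bridge continues outside the hunk.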