Manipulating the firewall rules by index introduces a race condition. Both NetworkManager and balenaEngine add the rules to the top of the FORWARD chain instead of appending, so if we first look up a rule by number and then use the number to refer to it, we cannot guarantee that the rule number has not changed (in other words, that the rule has not been moved down) in the meantime.
This patch removes the use of rule numbers completely and makes the "shared" dispatcher script refer to the rules by definition.
Change-type: patch
Relates-to: https://balena.zendesk.com/agent/tickets/3402
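The pattern the PR describes, as an added example (not the dispatcher script from the PR or from balena): every iptables call spells out the full rule specification, so the script never holds an index that another writer inserting at the top of FORWARD could invalidate. The `IPTABLES` and `BRIDGE_IF` variables, the `br-example0` interface name and the `up`/`down` action mapping are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the PR's code: manage a FORWARD rule by its definition
# instead of its line number, so that other writers inserting at the top of
# the chain cannot make this script act on the wrong rule between a lookup
# and the following -D.

# Command and interface are assumptions for this example; both can be
# overridden from the environment (handy for testing without root).
IPTABLES="${IPTABLES:-iptables}"
BRIDGE_IF="${BRIDGE_IF:-br-example0}"

# The rule is always spelled out in full, never looked up by number.
# iptables -C exits 0 when the rule exists and 1 when it does not; any
# other status (no permission, unknown interface, ...) is a hard error we
# must not swallow, otherwise remove_forward_rule could spin or
# ensure_forward_rule could insert a duplicate.
forward_rule_present() {
    "$IPTABLES" -C FORWARD -i "$BRIDGE_IF" -j ACCEPT 2>/dev/null && return 0
    rc=$?
    if [ "$rc" -gt 1 ]; then
        echo "iptables -C failed with status $rc" >&2
        exit "$rc"
    fi
    return "$rc"
}

ensure_forward_rule() {
    # Insert at position 1 like the other writers do; -I is only reached
    # when -C reports the rule missing, so re-running is idempotent.
    if ! forward_rule_present; then
        "$IPTABLES" -I FORWARD 1 -i "$BRIDGE_IF" -j ACCEPT
    fi
}

remove_forward_rule() {
    # -D with a rule spec deletes one matching rule per call; loop until
    # none are left, which also cleans up duplicates from earlier runs.
    while forward_rule_present; do
        "$IPTABLES" -D FORWARD -i "$BRIDGE_IF" -j ACCEPT
    done
}

# Dispatcher entry point in the NetworkManager convention ($1 is the
# interface that changed, $2 the action). Only the action is used here,
# because the rule is about the bridge, not necessarily about $1.
dispatch() {
    action="$2"
    case "$action" in
        up)   ensure_forward_rule ;;
        down) remove_forward_rule ;;
        *)    : ;;   # other events are not our business
    esac
}
```

In deployment the script would end with `dispatch "$@"`; it is left out here so the functions can be sourced and exercised with a stand-in for `iptables`. Inserting at position 1 rather than appending mirrors what the other writers do, and because both `-I` and `-D` carry the complete rule, a concurrent insert by NetworkManager or balenaEngine can only shift positions, not change which rule these calls touch.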