Firewall: allow DNS requests from custom Docker bridge networks

We only allow DNS requests through `balena0` interface, but this is the default Docker bridge which is used for containers that don't have a custom bridge. However, the Supervisor creates a custom bridge for all containers unless another network mode is specified. Change-type: patch Signed-off-by: Christina Ying Wang <[email protected]>
balena-os · Nov 9, 2024 · 7e1cafa · 7e1cafa
1 parent dd24fc1
commit 7e1cafa
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/src/lib/firewall.ts b/src/lib/firewall.ts
@@ -56,12 +56,19 @@ const standardServices: iptables.Rule[] = [
 		target: 'ACCEPT',
 	},
 	{
-		comment: 'DNS',
+		comment: 'DNS from balena0',
 		action: iptables.RuleAction.Append,
 		proto: 'udp',
 		matches: ['--dport 53', '-i balena0'],
 		target: 'ACCEPT',
 	},
+	{
+		comment: 'DNS from custom Engine networks',
+		action: iptables.RuleAction.Append,
+		proto: 'udp',
+		matches: ['--dport 53', '-i br+'],
+		target: 'ACCEPT',
+	},
 ];
 
 const standardPolicy: iptables.Rule[] = [