-
Notifications
You must be signed in to change notification settings - Fork 34
fix: allow host service ports for GitHub Actions services containers #1436
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -236,6 +236,54 @@ if [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then | |
| fi | ||
| fi | ||
|
|
||
| # Allow host service ports (--allow-host-service-ports) ONLY to host gateway | ||
| # These ports bypass DANGEROUS_PORTS restrictions because they are restricted | ||
| # to the host gateway IP only (for GitHub Actions services containers). | ||
| # Must be applied BEFORE dangerous port RETURN rules so traffic to host gateway | ||
| # on these ports is accepted, not dropped. | ||
| if [ -n "$AWF_HOST_SERVICE_PORTS" ] && [ -n "$AWF_ENABLE_HOST_ACCESS" ]; then | ||
| # Parse port list once, before resolving gateway IPs, so both blocks can use it | ||
| IFS=',' read -ra HSP_PORTS <<< "$AWF_HOST_SERVICE_PORTS" | ||
|
|
||
| # Resolve host gateway IP | ||
| HSP_HOST_GW_IP=$(getent hosts host.docker.internal 2>/dev/null | awk 'NR==1 { print $1 }') | ||
| HSP_NET_GW_IP=$(route -n 2>/dev/null | awk '/^0\.0\.0\.0/ { print $2; exit }') | ||
|
|
||
| if [ -n "$HSP_HOST_GW_IP" ] && is_valid_ipv4 "$HSP_HOST_GW_IP"; then | ||
| echo "[iptables] Allowing host service ports to host gateway ($HSP_HOST_GW_IP): $AWF_HOST_SERVICE_PORTS" | ||
| for port in "${HSP_PORTS[@]}"; do | ||
| port=$(echo "$port" | xargs) | ||
| if ! [[ "$port" =~ ^[1-9][0-9]{0,4}$ ]] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then | ||
| echo "[iptables] WARNING: Skipping invalid service port: $port" | ||
| continue | ||
| fi | ||
| if [ -n "$port" ]; then | ||
| echo "[iptables] Allow host service port $port to $HSP_HOST_GW_IP" | ||
| # FILTER: allow traffic to host gateway on this port | ||
| # (NAT bypass is already handled by the blanket RETURN rule in the host access block above) | ||
| iptables -A OUTPUT -p tcp -d "$HSP_HOST_GW_IP" --dport "$port" -j ACCEPT | ||
| fi | ||
| done | ||
| fi | ||
|
|
||
| # Also allow to network gateway (same as the host access block does) | ||
| if [ -n "$HSP_NET_GW_IP" ] && is_valid_ipv4 "$HSP_NET_GW_IP" && [ "$HSP_NET_GW_IP" != "$HSP_HOST_GW_IP" ]; then | ||
| echo "[iptables] Allowing host service ports to network gateway ($HSP_NET_GW_IP): $AWF_HOST_SERVICE_PORTS" | ||
| for port in "${HSP_PORTS[@]}"; do | ||
| port=$(echo "$port" | xargs) | ||
|
Comment on lines
+246
to
+273
|
||
| if ! [[ "$port" =~ ^[1-9][0-9]{0,4}$ ]] || [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then | ||
| echo "[iptables] WARNING: Skipping invalid service port: $port" | ||
| continue | ||
| fi | ||
| if [ -n "$port" ]; then | ||
| # FILTER: allow traffic to network gateway on this port | ||
| # (NAT bypass is already handled by the blanket RETURN rule in the host access block above) | ||
| iptables -A OUTPUT -p tcp -d "$HSP_NET_GW_IP" --dport "$port" -j ACCEPT | ||
| fi | ||
| done | ||
| fi | ||
| fi | ||
|
|
||
| # Block dangerous ports at NAT level (defense-in-depth with Squid ACL filtering) | ||
| # These ports are explicitly blocked to prevent access to sensitive services | ||
| # even if Squid ACL filtering fails. The ports RETURN from NAT (not redirected) | ||
|
|
||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ports from $AWF_HOST_SERVICE_PORTS are passed directly into iptables --dport. Since this env var can come from the host environment (or from the CLI with currently-loose parsing), a malformed value can cause iptables failures and abort the script (set -e). Consider validating each port token in setup-iptables.sh (numeric only, 1-65535) and emitting a clear warning/error for invalid entries before running iptables.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed. Service port validation in setup-iptables.sh now uses a strict single-port regex (
^[1-9][0-9]{0,4}$) with range check 1-65535. Invalid entries are warned and skipped. This is more restrictive thanis_valid_port_spec(which accepts ranges) — aligned with the TypeScript validator that only accepts single numeric ports.