Reject port 0 in NB_DNS_FIREWALL_PORTS and roll back firewall on DNS setup failure

2026-05-06 00:56:39 +00:00 · 2026-05-05 18:37:24 +02:00
parent 0415137acd
commit f42b8aed90
3 changed files with 10 additions and 1 deletions
--- a/client/internal/dns/dnsfw/config.go
+++ b/client/internal/dns/dnsfw/config.go
@@ -49,6 +49,10 @@ func blockedPorts() []uint16 {
 			log.Warnf("dns firewall: ignoring invalid port %q in %s: %v", raw, EnvPorts, err)
 			continue
 		}
+		if port == 0 {
+			log.Warnf("dns firewall: ignoring port 0 in %s", EnvPorts)
+			continue
+		}
 		ports = append(ports, uint16(port))
 	}
 	if len(ports) == 0 {
--- a/client/internal/dns/dnsfw/config_test.go
+++ b/client/internal/dns/dnsfw/config_test.go
@@ -20,6 +20,7 @@ func TestBlockedPorts(t *testing.T) {
 		{name: "override multi", ports: "53, 853 ,5353", setPorts: true, want: []uint16{53, 853, 5353}},
 		{name: "override empty disables", ports: "", setPorts: true, want: nil},
 		{name: "override invalid skipped", ports: "53,not-a-port,853", setPorts: true, want: []uint16{53, 853}},
+		{name: "override zero skipped", ports: "53,0,853", setPorts: true, want: []uint16{53, 853}},
 		{name: "override only invalid disables", ports: "abc", setPorts: true, want: nil},
 	}

--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -221,7 +221,11 @@ func (r *registryConfigurator) applyRouteAll(config HostDNSConfig) error {
 			return fmt.Errorf("dns firewall: %w", err)
 		}
 		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
-			return fmt.Errorf("add dns setup: %w", err)
+			merr := multierror.Append(nil, fmt.Errorf("add dns setup: %w", err))
+			if dErr := r.dnsFirewall.Disable(); dErr != nil {
+				merr = multierror.Append(merr, fmt.Errorf("rollback dns firewall: %w", dErr))
+			}
+			return nberrors.FormatErrorOrNil(merr)
 		}
 		return nil
 	}