From 67c2d53e59b8c33765abca0a7642af290bfb01a3 Mon Sep 17 00:00:00 2001
From: Adam Harrison
Date: Wed, 4 Nov 2015 17:42:24 +0000
Subject: [PATCH 1/2] Bind the HTTP listener to localhost when fastdp enabled

Prevent containers from accessing the weave router control port when fast datapath is in use.
---
 weave | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/weave b/weave
index 41e84ebef2..2da34e83a8 100755
--- a/weave
+++ b/weave
@@ -1481,7 +1481,7 @@ launch_router() {
     $(router_opts_$BRIDGE_TYPE) \
     --ipalloc-range "$IPRANGE" \
     --dns-effective-listen-address $DOCKER_BRIDGE_IP \
-    ${NETHOST_OPT:+$DNS_ROUTER_OPTS} $NO_DNS_OPT \
+    ${NETHOST_OPT:+$DNS_ROUTER_OPTS --http-addr 127.0.0.1:$HTTP_PORT} $NO_DNS_OPT \
     --docker-api "unix:///var/run/docker.sock" "$@")
     with_container_netns_or_die $CONTAINER_NAME setup_router_iface_$BRIDGE_TYPE
     attach_router

From d6dd1f269a0f596bfd4b5d03c6f5913190bb201b Mon Sep 17 00:00:00 2001
From: Adam Harrison
Date: Thu, 5 Nov 2015 12:16:57 +0000
Subject: [PATCH 2/2] Document port security

---
 site/features.md | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/site/features.md b/site/features.md
index f2d4bf4411..baa580a44d 100644
--- a/site/features.md
+++ b/site/features.md
@@ -219,7 +219,7 @@ NB: By default docker permits communication between containers on the same host, via their docker-assigned IP addresses. For complete isolation between application containers, that feature needs to be disabled by
-[setting `--icc=false`](https://docs.docker.com/articles/networking/#between-containers)
+[setting `--icc=false`](https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers)
 in the docker daemon configuration. Furthermore, containers should be prevented from capturing and injecting raw network packets - this can be accomplished by starting them with the `--cap-drop net_raw` option.
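Review bot: Binding to 127.0.0.1 on the new `--http-addr` line only keeps out containers that have their own network namespace; a container started with `--net=host` shares the host loopback and can still reach `127.0.0.1:$HTTP_PORT`, as can any unprivileged process on the host, so "prevent containers from accessing" in the commit message is broader than what the code guarantees and the limitation should be stated in the features.md note as well. The new bind is keyed on `${NETHOST_OPT:+…}` rather than on fast datapath itself, so it presumably tracks fastdp only because host networking is enabled together with it; a comment such as `# host-networking (fastdp) only: keep the control API off interfaces other containers can reach` on that line would make the coupling explicit for the next maintainer. If any other part of the script or tooling talks to the router's HTTP API over a non-loopback address (for example the docker bridge IP), that path is now refused and should be checked. launch_router's body starts and ends outside the hunk.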
@@ -307,6 +307,14 @@ supplying a password will [cause weave to fall back to a slower method](#fast-data-path) for transporting data between peers.
+Be aware that:
+
+* Containers will be able to access the router REST API if you have
+  disabled fast datapath. You can prevent this by setting
+  [`--icc=false`](https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communication-between-containers)
+* Containers are able to access the router control and data plane
+  ports, but you can mitigate this by enabling encryption
+
 ### Host network integration
 Weave application networks can be integrated with a host's network,