moby--moby/libnetwork/drivers/bridge/setup_ip_forwarding.go

// +build linux

package bridge

import (
	"fmt"
	"io/ioutil"

	"github.com/docker/docker/libnetwork/iptables"
	"github.com/sirupsen/logrus"
)

const (
	ipv4ForwardConf     = "/proc/sys/net/ipv4/ip_forward"
	ipv4ForwardConfPerm = 0644
)

func configureIPForwarding(enable bool) error {
	var val byte
	if enable {
		val = '1'
	}
	return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
}

func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {
	// Get current IPv4 forward setup
	ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
	if err != nil {
		return fmt.Errorf("Cannot read IP forwarding setup: %v", err)
	}

	// Enable IPv4 forwarding only if it is not already enabled
	if ipv4ForwardData[0] != '1' {
		// Enable IPv4 forwarding
		if err := configureIPForwarding(true); err != nil {
			return fmt.Errorf("Enabling IP forwarding failed: %v", err)
		}
		// When enabling ip_forward set the default policy on forward chain to
		// drop only if the daemon option iptables is not set to false.
		if enableIPTables {
			iptable := iptables.GetIptable(iptables.IPv4)
			if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
				if err := configureIPForwarding(false); err != nil {
					logrus.Errorf("Disabling IP forwarding failed, %v", err)
				}
				return err
			}
			iptables.OnReloaded(func() {
				logrus.Debug("Setting the default DROP policy on firewall reload")
				if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
					logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
				}
			})
		}
	}

	// add only iptables rules - forwarding is handled by setupIPv6Forwarding in setup_ipv6
	if enableIP6Tables {
		iptable := iptables.GetIptable(iptables.IPv6)
		if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
			logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
		}
		iptables.OnReloaded(func() {
			logrus.Debug("Setting the default DROP policy on firewall reload")
			if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
				logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
			}
		})
	}

	return nil
}
Fix some windows issues in libnetwork tests Fix build constraints for linux-only network drivers Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2021-05-25 23:48:54 +00:00			`// +build linux`

Add implementation and test for SetIPForwarding() - Addressed Arnaud's comments Signed-off-by: Alessandro Boch <aboch@socketplane.io> 2015-03-04 10:11:31 -08:00			`package bridge`

			`import (`
			`"fmt"`
			`"io/ioutil"`
Refactoring logrus import and formatting Fix import name to use original project name 'logrus' instead of 'log' Removing `f` from `logrus.Debugf` when formatting string is not present. Signed-off-by: Daehyeok Mun <daehyeok@gmail.com> 2016-11-21 11:53:07 -07:00
Fix libnetwork imports After moving libnetwork to this repo, we need to update all the import paths for libnetwork to point to docker/docker/libnetwork instead of docker/libnetwork. This change implements that. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 2021-04-06 00:24:47 +00:00			`"github.com/docker/docker/libnetwork/iptables"`
Update logrus to v1.0.1 Fix case sensitivity issue Update docker and runc vendors Signed-off-by: Derek McGowan <derek@mcgstyle.net> 2017-07-26 14:18:31 -07:00			`"github.com/sirupsen/logrus"`
Add implementation and test for SetIPForwarding() - Addressed Arnaud's comments Signed-off-by: Alessandro Boch <aboch@socketplane.io> 2015-03-04 10:11:31 -08:00			`)`

			`const (`
Remove golint warnings Fix all golint warnings, mostly by making exported types internal. Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-03-04 13:25:43 -08:00			`ipv4ForwardConf = "/proc/sys/net/ipv4/ip_forward"`
			`ipv4ForwardConfPerm = 0644`
Add implementation and test for SetIPForwarding() - Addressed Arnaud's comments Signed-off-by: Alessandro Boch <aboch@socketplane.io> 2015-03-04 10:11:31 -08:00			`)`

If enabling ip forwarding set the default forward policy to drop Signed-off-by: Santhosh Manohar <santhosh@docker.com> 2016-10-28 13:54:52 -07:00			`func configureIPForwarding(enable bool) error {`
			`var val byte`
			`if enable {`
			`val = '1'`
			`}`
			`return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)`
			`}`

moved some ipv6 config to setupIPForwarding Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-19 16:07:22 +02:00			`func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {`
modify /proc/sys only if needed fixes #405 Signed-off-by: Tomas Kral <tomas.kral@gmail.com> 2015-07-27 13:31:03 +02:00			`// Get current IPv4 forward setup`
			`ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)`
			`if err != nil {`
			`return fmt.Errorf("Cannot read IP forwarding setup: %v", err)`
			`}`

			`// Enable IPv4 forwarding only if it is not already enabled`
			`if ipv4ForwardData[0] != '1' {`
			`// Enable IPv4 forwarding`
If enabling ip forwarding set the default forward policy to drop Signed-off-by: Santhosh Manohar <santhosh@docker.com> 2016-10-28 13:54:52 -07:00			`if err := configureIPForwarding(true); err != nil {`
			`return fmt.Errorf("Enabling IP forwarding failed: %v", err)`
modify /proc/sys only if needed fixes #405 Signed-off-by: Tomas Kral <tomas.kral@gmail.com> 2015-07-27 13:31:03 +02:00			`}`
Revert "Always configure iptables forward policy" Reverts 141b53c77ab33a93fa4fced5944c3cf9d9bbc80d (PR #2450) Fallout from changing the forwarding default policy to deny was greater than anticipated. Signed-off-by: Euan Harris <euan.harris@docker.com> 2019-10-07 17:50:38 +01:00			`// When enabling ip_forward set the default policy on forward chain to`
			`// drop only if the daemon option iptables is not set to false.`
resorted EnableIP6Tables in driver configure Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-21 18:38:34 +02:00			`if enableIPTables {`
			`iptable := iptables.GetIptable(iptables.IPv4)`
Implement NAT IPv6 to fix the issue https://github.com/moby/moby/issues/25407 Signed-off-by: Billy Ridgway <wrridgwa@us.ibm.com> Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2017-11-28 15:15:55 -06:00			`if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {`
resorted EnableIP6Tables in driver configure Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-21 18:38:34 +02:00			`if err := configureIPForwarding(false); err != nil {`
			`logrus.Errorf("Disabling IP forwarding failed, %v", err)`
			`}`
			`return err`
If enabling ip forwarding set the default forward policy to drop Signed-off-by: Santhosh Manohar <santhosh@docker.com> 2016-10-28 13:54:52 -07:00			`}`
resorted EnableIP6Tables in driver configure Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-21 18:38:34 +02:00			`iptables.OnReloaded(func() {`
			`logrus.Debug("Setting the default DROP policy on firewall reload")`
			`if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {`
			`logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)`
			`}`
			`})`
			`}`
Add a diagnostic message to ip forwading code Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-03-04 11:37:16 -08:00			`}`
moved some ipv6 config to setupIPForwarding Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-19 16:07:22 +02:00
			`// add only iptables rules - forwarding is handled by setupIPv6Forwarding in setup_ipv6`
			`if enableIP6Tables {`
			`iptable := iptables.GetIptable(iptables.IPv6)`
			`if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {`
			`logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)`
			`}`
default DROP policy on firewall reload also for IPv6 Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-20 19:56:34 +02:00			`iptables.OnReloaded(func() {`
			`logrus.Debug("Setting the default DROP policy on firewall reload")`
			`if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {`
			`logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)`
			`}`
			`})`
moved some ipv6 config to setupIPForwarding Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net> 2020-07-19 16:07:22 +02:00			`}`

Add a diagnostic message to ip forwading code Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com> 2015-03-04 11:37:16 -08:00			`return nil`
Add implementation and test for SetIPForwarding() - Addressed Arnaud's comments Signed-off-by: Alessandro Boch <aboch@socketplane.io> 2015-03-04 10:11:31 -08:00			`}`