resorted EnableIP6Tables in driver configure
Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
parent
9bc2f88f04
commit
4d1c92c155
|
@ -375,41 +375,43 @@ func (d *driver) configure(option map[string]interface{}) error {
|
||||||
return &ErrInvalidDriverConfig{}
|
return &ErrInvalidDriverConfig{}
|
||||||
}
|
}
|
||||||
|
|
||||||
if config.EnableIPTables {
|
if config.EnableIPTables || config.EnableIP6Tables {
|
||||||
if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
|
if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
|
||||||
if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
|
if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
|
||||||
logrus.Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
|
logrus.Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
removeIPChains(iptables.IPv4)
|
|
||||||
if config.EnableIP6Tables {
|
|
||||||
removeIPChains(iptables.IPv6)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if config.EnableIPTables {
|
||||||
|
removeIPChains(iptables.IPv4)
|
||||||
|
|
||||||
natChain, filterChain, isolationChain1, isolationChain2, err = setupIPChains(config, iptables.IPv4)
|
natChain, filterChain, isolationChain1, isolationChain2, err = setupIPChains(config, iptables.IPv4)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if config.EnableIP6Tables {
|
|
||||||
natChainV6, filterChainV6, isolationChain1V6, isolationChain2V6, err = setupIPChains(config, iptables.IPv6)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Make sure on firewall reload, first thing being re-played is chains creation
|
// Make sure on firewall reload, first thing being re-played is chains creation
|
||||||
iptables.OnReloaded(func() {
|
iptables.OnReloaded(func() {
|
||||||
logrus.Debugf("Recreating iptables chains on firewall reload")
|
logrus.Debugf("Recreating iptables chains on firewall reload")
|
||||||
setupIPChains(config, iptables.IPv4)
|
setupIPChains(config, iptables.IPv4)
|
||||||
})
|
})
|
||||||
|
}
|
||||||
|
|
||||||
if config.EnableIP6Tables {
|
if config.EnableIP6Tables {
|
||||||
|
removeIPChains(iptables.IPv6)
|
||||||
|
|
||||||
|
natChainV6, filterChainV6, isolationChain1V6, isolationChain2V6, err = setupIPChains(config, iptables.IPv6)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Make sure on firewall reload, first thing being re-played is chains creation
|
||||||
iptables.OnReloaded(func() {
|
iptables.OnReloaded(func() {
|
||||||
logrus.Debugf("Recreating ip6tables chains on firewall reload")
|
logrus.Debugf("Recreating ip6tables chains on firewall reload")
|
||||||
setupIPChains(config, iptables.IPv6)
|
setupIPChains(config, iptables.IPv6)
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
if config.EnableIPForwarding {
|
if config.EnableIPForwarding {
|
||||||
err = setupIPForwarding(config.EnableIPTables, config.EnableIP6Tables)
|
err = setupIPForwarding(config.EnableIPTables, config.EnableIP6Tables)
|
||||||
|
|
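Review bot: Both `iptables.OnReloaded` callbacks in the reordered IPv4 and IPv6 branches discard every return value of `setupIPChains`, including the error. The initial calls just above them check `err` and abort `configure`, but a failure during a firewall reload goes unnoticed. If re-creation fails then, the bridge's chains (including the isolation chains) are presumably absent until the daemon restarts, and nothing in the log says so. I would log it in each callback, e.g. `if _, _, _, _, err := setupIPChains(config, iptables.IPv6); err != nil { logrus.Warnf("Recreating ip6tables chains on firewall reload failed: %v", err) }`, and likewise for `iptables.IPv4`. The body of `configure` starts and ends outside this hunk.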
|
@ -36,9 +36,7 @@ func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {
|
||||||
}
|
}
|
||||||
// When enabling ip_forward set the default policy on forward chain to
|
// When enabling ip_forward set the default policy on forward chain to
|
||||||
// drop only if the daemon option iptables is not set to false.
|
// drop only if the daemon option iptables is not set to false.
|
||||||
if !enableIPTables {
|
if enableIPTables {
|
||||||
return nil
|
|
||||||
}
|
|
||||||
iptable := iptables.GetIptable(iptables.IPv4)
|
iptable := iptables.GetIptable(iptables.IPv4)
|
||||||
if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
|
if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
|
||||||
if err := configureIPForwarding(false); err != nil {
|
if err := configureIPForwarding(false); err != nil {
|
||||||
|
@ -53,6 +51,7 @@ func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// add only iptables rules - forwarding is handled by setupIPv6Forwarding in setup_ipv6
|
// add only iptables rules - forwarding is handled by setupIPv6Forwarding in setup_ipv6
|
||||||
if enableIP6Tables {
|
if enableIP6Tables {
|
||||||
|
|
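Review bot: The comment above `if enableIP6Tables {` still reads "add only iptables rules", although this branch is the IPv6 one and, with the early `return nil` removed, it now runs even when `enableIPTables` is false. I would reword it to say so, e.g. `// Add only the ip6tables rules, independently of enableIPTables; IPv6 forwarding itself is handled by setupIPv6Forwarding in setup_ipv6.` The visible IPv4 branch switches forwarding back off with `configureIPForwarding(false)` when setting the DROP policy fails. The IPv6 branch body lies outside the hunk, so it is worth confirming that a failure to set its FORWARD policy is at least logged rather than silently leaving the chain at ACCEPT.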