Merge pull request #1526 from sanimej/policy

when enabling ip forwarding set the default forward policy to drop
2022-11-09 12:21:53 -05:00 · 2016-11-10 10:12:26 -08:00 · 2016-11-10 10:12:26 -08:00 · 5040d8ccd7
commit 5040d8ccd7
parent 96f001e6ed 9f2ecdcd9d
4 changed files with 54 additions and 12 deletions
--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@ -380,13 +380,6 @@ func (d *driver) configure(option map[string]interface{}) error {
 		return &ErrInvalidDriverConfig{}
 	}

-	if config.EnableIPForwarding {
-		err = setupIPForwarding()
-		if err != nil {
-			return err
-		}
-	}
-
 	if config.EnableIPTables {
 		if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
 			if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
@ -402,6 +395,14 @@ func (d *driver) configure(option map[string]interface{}) error {
 		iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) })
 	}

+	if config.EnableIPForwarding {
+		err = setupIPForwarding(config.EnableIPTables)
+		if err != nil {
+			logrus.Warn(err)
+			return err
+		}
+	}
+
 	d.Lock()
 	d.natChain = natChain
 	d.filterChain = filterChain
--- a/libnetwork/drivers/bridge/setup_ip_forwarding.go
+++ b/libnetwork/drivers/bridge/setup_ip_forwarding.go
@ -2,6 +2,8 @@ package bridge

 import (
 	"fmt"
+	log "github.com/Sirupsen/logrus"
+	"github.com/docker/libnetwork/iptables"
 	"io/ioutil"
 )

@ -10,7 +12,15 @@ const (
 	ipv4ForwardConfPerm = 0644
 )

-func setupIPForwarding() error {
+func configureIPForwarding(enable bool) error {
+	var val byte
+	if enable {
+		val = '1'
+	}
+	return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
+}
+
+func setupIPForwarding(enableIPTables bool) error {
 	// Get current IPv4 forward setup
 	ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
 	if err != nil {
@ -20,10 +30,26 @@ func setupIPForwarding() error {
 	// Enable IPv4 forwarding only if it is not already enabled
 	if ipv4ForwardData[0] != '1' {
 		// Enable IPv4 forwarding
-		if err := ioutil.WriteFile(ipv4ForwardConf, []byte{'1', '\n'}, ipv4ForwardConfPerm); err != nil {
-			return fmt.Errorf("Setup IP forwarding failed: %v", err)
+		if err := configureIPForwarding(true); err != nil {
+			return fmt.Errorf("Enabling IP forwarding failed: %v", err)
 		}
+		// When enabling ip_forward set the default policy on forward chain to
+		// drop only if the daemon option iptables is not set to false.
+		if !enableIPTables {
+			return nil
+		}
+		if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
+			if err := configureIPForwarding(false); err != nil {
+				log.Errorf("Disabling IP forwarding failed, %v", err)
+			}
+			return err
+		}
+		iptables.OnReloaded(func() {
+			log.Debugf("Setting the default DROP policy on firewall reload")
+			if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
+				log.Warnf("Settig the default DROP policy on firewall reload failed, %v", err)
+			}
+		})
 	}
-
 	return nil
 }
--- a/libnetwork/drivers/bridge/setup_ip_forwarding_test.go
+++ b/libnetwork/drivers/bridge/setup_ip_forwarding_test.go
@ -17,7 +17,7 @@ func TestSetupIPForwarding(t *testing.T) {
 	}

 	// Set IP Forwarding
-	if err := setupIPForwarding(); err != nil {
+	if err := setupIPForwarding(true); err != nil {
 		t.Fatalf("Failed to setup IP forwarding: %v", err)
 	}

--- a/libnetwork/iptables/iptables.go
+++ b/libnetwork/iptables/iptables.go
@ -16,6 +16,9 @@ import (
 // Action signifies the iptable action.
 type Action string

+// Policy is the default iptable policies
+type Policy string
+
 // Table refers to Nat, Filter or Mangle.
 type Table string

@ -32,6 +35,10 @@ const (
 	Filter Table = "filter"
 	// Mangle table is used for mangling the packet.
 	Mangle Table = "mangle"
+	// Drop is the default iptables DROP policy
+	Drop Policy = "DROP"
+	// Accept is the default iptables ACCEPT policy
+	Accept Policy = "ACCEPT"
 )

 var (
@ -437,6 +444,14 @@ func GetVersion() (major, minor, micro int, err error) {
 	return
 }

+// SetDefaultPolicy sets the passed default policy for the table/chain
+func SetDefaultPolicy(table Table, chain string, policy Policy) error {
+	if err := RawCombinedOutput("-t", string(table), "-P", chain, string(policy)); err != nil {
+		return fmt.Errorf("setting default policy to %v in %v chain failed: %v", policy, chain, err)
+	}
+	return nil
+}
+
 func parseVersionNumbers(input string) (major, minor, micro int) {
 	re := regexp.MustCompile(`v\d*.\d*.\d*`)
 	line := re.FindString(input)