From 9f2ecdcd9d655215faf1b9a4c5fe18979d3bc372 Mon Sep 17 00:00:00 2001
From: Santhosh Manohar
Date: Fri, 28 Oct 2016 13:54:52 -0700
Subject: [PATCH] If enabling ip forwarding set the default forward policy to drop

Signed-off-by: Santhosh Manohar
---
 libnetwork/drivers/bridge/bridge.go | 15 ++++----
 .../drivers/bridge/setup_ip_forwarding.go | 34 ++++++++++++++++---
 .../bridge/setup_ip_forwarding_test.go | 2 +-
 libnetwork/iptables/iptables.go | 15 ++++++++
 4 files changed, 54 insertions(+), 12 deletions(-)

diff --git a/libnetwork/drivers/bridge/bridge.go b/libnetwork/drivers/bridge/bridge.go
index a30140feae..f6cbe07783 100644
--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@@ -380,13 +380,6 @@ func (d *driver) configure(option map[string]interface{}) error {
 return &ErrInvalidDriverConfig{}
 }
 
- if config.EnableIPForwarding {
- err = setupIPForwarding()
- if err != nil {
- return err
- }
- }
-
 if config.EnableIPTables {
 if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
 if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
@@ -402,6 +395,14 @@ func (d *driver) configure(option map[string]interface{}) error {
 iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) })
 }
 
+ if config.EnableIPForwarding {
+ err = setupIPForwarding(config.EnableIPTables)
+ if err != nil {
+ logrus.Warn(err)
+ return err
+ }
+ }
+
 d.Lock()
 d.natChain = natChain
 d.filterChain = filterChain
diff --git a/libnetwork/drivers/bridge/setup_ip_forwarding.go b/libnetwork/drivers/bridge/setup_ip_forwarding.go
index 53f9c88d4d..2c6fedcb0e 100644
--- a/libnetwork/drivers/bridge/setup_ip_forwarding.go
+++ b/libnetwork/drivers/bridge/setup_ip_forwarding.go
@@ -2,6 +2,8 @@ package bridge
 
 import (
 "fmt"
+ log "github.com/Sirupsen/logrus"
+ "github.com/docker/libnetwork/iptables"
 "io/ioutil"
 )
 
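Review bot: In the re-added EnableIPForwarding block, `logrus.Warn(err)` directly followed by `return err` logs and returns the same error, so whoever handles the returned error from configure() will report it a second time; handle it at one layer, either dropping the Warn or, if a failure here is meant to be non-fatal, keeping the Warn and not returning (before this patch the failure was fatal and unlogged here). The reason the block moved below the iptables setup is not stated; presumably setupIPForwarding now depends on the chains created above, and a one-line comment would preserve that, e.g. `// Must run after the iptables chains are set up: setupIPForwarding may install a FORWARD DROP policy.` configure() begins and ends outside the hunk.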
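Review bot: The two added imports are placed between `"fmt"` and `"io/ioutil"`, mixing third-party packages into the standard-library group; goimports would put them in their own group after the stdlib imports. The alias `log` for logrus also differs from bridge.go in this same patch, which uses the package name `logrus`; one spelling across the driver keeps log calls easy to grep and review.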
@@ -10,7 +12,15 @@ const (
 ipv4ForwardConfPerm = 0644
 )
 
-func setupIPForwarding() error {
+func configureIPForwarding(enable bool) error {
+ var val byte
+ if enable {
+ val = '1'
+ }
+ return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
+}
+
+func setupIPForwarding(enableIPTables bool) error {
 // Get current IPv4 forward setup
 ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
 if err != nil {
@@ -20,10 +30,26 @@ func setupIPForwarding() error {
 // Enable IPv4 forwarding only if it is not already enabled
 if ipv4ForwardData[0] != '1' {
 // Enable IPv4 forwarding
- if err := ioutil.WriteFile(ipv4ForwardConf, []byte{'1', '\n'}, ipv4ForwardConfPerm); err != nil {
- return fmt.Errorf("Setup IP forwarding failed: %v", err)
+ if err := configureIPForwarding(true); err != nil {
+ return fmt.Errorf("Enabling IP forwarding failed: %v", err)
 }
+ // When enabling ip_forward set the default policy on forward chain to
+ // drop only if the daemon option iptables is not set to false.
+ if !enableIPTables {
+ return nil
+ }
+ if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
+ if err := configureIPForwarding(false); err != nil {
+ log.Errorf("Disabling IP forwarding failed, %v", err)
+ }
+ return err
+ }
+ iptables.OnReloaded(func() {
+ log.Debugf("Setting the default DROP policy on firewall reload")
+ if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
+ log.Warnf("Settig the default DROP policy on firewall reload failed, %v", err)
+ }
+ })
 }
-
 return nil
 }
diff --git a/libnetwork/drivers/bridge/setup_ip_forwarding_test.go b/libnetwork/drivers/bridge/setup_ip_forwarding_test.go
index 1487b5b00b..c6b88c89d4 100644
--- a/libnetwork/drivers/bridge/setup_ip_forwarding_test.go
+++ b/libnetwork/drivers/bridge/setup_ip_forwarding_test.go
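Review bot: `var val byte` leaves val as the NUL byte 0x00 when enable is false, so `configureIPForwarding(false)` writes "\x00\n" instead of "0\n" to ipv4ForwardConf; the kernel's sysctl integer parser is unlikely to accept a NUL byte, so the rollback path that the new setupIPForwarding relies on probably fails, and that failure is only logged. Start from the ASCII digit instead: `val := byte('0')` followed by `if enable { val = '1' }`. A doc comment would also help, e.g. `// configureIPForwarding writes "1\n" or "0\n" to ipv4ForwardConf to turn IPv4 forwarding on or off.` setupIPForwarding's body continues past the end of this hunk.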
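Review bot: The FORWARD DROP policy and the OnReloaded hook are installed only inside the `if ipv4ForwardData[0] != '1'` branch, so on a host where ip_forward is already 1 the chain keeps whatever policy it had (usually the kernel default ACCEPT) and the hardening this commit describes never applies there. If that is intended, because an operator who enabled forwarding is assumed to own the forward policy, the comment should say so, e.g. `// If forwarding was already enabled we leave the FORWARD policy alone; it is assumed to be managed outside the daemon.`; if not, the policy block belongs after the branch, guarded only by enableIPTables. Two smaller points: `"Settig"` in the Warnf message is a typo for `"Setting"`, and the pre-existing `ipv4ForwardData[0]` in the context line panics on an empty read, which a `len(ipv4ForwardData) == 0` check avoids cheaply. The enclosing function starts in the previous hunk.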
@@ -17,7 +17,7 @@ func TestSetupIPForwarding(t *testing.T) {
 }
 
 // Set IP Forwarding
- if err := setupIPForwarding(); err != nil {
+ if err := setupIPForwarding(true); err != nil {
 t.Fatalf("Failed to setup IP forwarding: %v", err)
 }
 
diff --git a/libnetwork/iptables/iptables.go b/libnetwork/iptables/iptables.go
index 340bba6b0b..026f7bfc62 100644
--- a/libnetwork/iptables/iptables.go
+++ b/libnetwork/iptables/iptables.go
@@ -16,6 +16,9 @@ import (
 // Action signifies the iptable action.
 type Action string
 
+// Policy is the default iptable policies
+type Policy string
+
 // Table refers to Nat, Filter or Mangle.
 type Table string
 
@@ -32,6 +35,10 @@ const (
 Filter Table = "filter"
 // Mangle table is used for mangling the packet.
 Mangle Table = "mangle"
+ // Drop is the default iptables DROP policy
+ Drop Policy = "DROP"
+ // Accept is the default iptables ACCEPT policy
+ Accept Policy = "ACCEPT"
 )
 
 var (
@@ -422,6 +429,14 @@ func GetVersion() (major, minor, micro int, err error) {
 return
 }
 
+// SetDefaultPolicy sets the passed default policy for the table/chain
+func SetDefaultPolicy(table Table, chain string, policy Policy) error {
+ if err := RawCombinedOutput("-t", string(table), "-P", chain, string(policy)); err != nil {
+ return fmt.Errorf("setting default policy to %v in %v chain failed: %v", policy, chain, err)
+ }
+ return nil
+}
+
 func parseVersionNumbers(input string) (major, minor, micro int) {
 re := regexp.MustCompile(`v\d*.\d*.\d*`)
 line := re.FindString(input)
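Review bot: The doc comment on SetDefaultPolicy should state that iptables accepts `-P` only for a table's built-in chains (INPUT, FORWARD and OUTPUT in filter), so passing one of the driver's own user-defined chains fails at runtime with the wrapped error rather than being rejected up front; e.g. `// SetDefaultPolicy sets the default policy of a built-in chain in table (iptables -P). User-defined chains have no policy and are rejected by iptables.` The `Policy` type and the Drop/Accept constants added in the earlier hunks of this file carry the same imprecision, each being described as "the default" policy; `// Policy is the default policy of a built-in iptables chain, DROP or ACCEPT.` on the type, with `// Drop drops packets that match no rule.` and `// Accept accepts packets that match no rule.` on the constants, says what they mean.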