mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Fix bad order of iptables filter rules
Rules with ctstate RELATED,ESTABLISHED must be create before same rules without ctstate. Signed-off-by: Yves Blusseau <90z7oey02@sneakemail.com>
This commit is contained in:
parent
83d261fd47
commit
6149b1f32f
3 changed files with 21 additions and 7 deletions
|
@ -136,7 +136,6 @@ func setupIPTablesInternal(bridgeIface string, addr net.Addr, icc, ipmasq, hairp
|
|||
hpNatRule = iptRule{table: iptables.Nat, chain: "POSTROUTING", preArgs: []string{"-t", "nat"}, args: []string{"-m", "addrtype", "--src-type", "LOCAL", "-o", bridgeIface, "-j", "MASQUERADE"}}
|
||||
skipDNAT = iptRule{table: iptables.Nat, chain: DockerChain, preArgs: []string{"-t", "nat"}, args: []string{"-i", bridgeIface, "-j", "RETURN"}}
|
||||
outRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", bridgeIface, "!", "-o", bridgeIface, "-j", "ACCEPT"}}
|
||||
inRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", bridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}
|
||||
)
|
||||
|
||||
// Set NAT.
|
||||
|
@ -169,11 +168,6 @@ func setupIPTablesInternal(bridgeIface string, addr net.Addr, icc, ipmasq, hairp
|
|||
return err
|
||||
}
|
||||
|
||||
// Set Accept on incoming packets for existing connections.
|
||||
if err := programChainRule(inRule, "ACCEPT INCOMING", enable); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
|
|
|
@ -25,8 +25,8 @@ func TestProgramIPTable(t *testing.T) {
|
|||
}{
|
||||
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-d", "127.1.2.3", "-i", "lo", "-o", "lo", "-j", "DROP"}}, "Test Loopback"},
|
||||
{iptRule{table: iptables.Nat, chain: "POSTROUTING", preArgs: []string{"-t", "nat"}, args: []string{"-s", iptablesTestBridgeIP, "!", "-o", DefaultBridgeName, "-j", "MASQUERADE"}}, "NAT Test"},
|
||||
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
|
||||
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", DefaultBridgeName, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}, "Test ACCEPT INCOMING"},
|
||||
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
|
||||
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test enable ICC"},
|
||||
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "DROP"}}, "Test disable ICC"},
|
||||
}
|
||||
|
|
|
@ -181,6 +181,26 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err
|
|||
}
|
||||
|
||||
}
|
||||
establish := []string{
|
||||
"-o", bridgeName,
|
||||
"-m", "conntrack",
|
||||
"--ctstate", "RELATED,ESTABLISHED",
|
||||
"-j", "ACCEPT"}
|
||||
if !Exists(Filter, "FORWARD", establish...) && enable {
|
||||
insert := append([]string{string(Insert), "FORWARD"}, establish...)
|
||||
if output, err := Raw(insert...); err != nil {
|
||||
return err
|
||||
} else if len(output) != 0 {
|
||||
return fmt.Errorf("Could not create establish rule to %s: %s", c.Table, output)
|
||||
}
|
||||
} else if Exists(Filter, "FORWARD", establish...) && !enable {
|
||||
del := append([]string{string(Delete), "FORWARD"}, establish...)
|
||||
if output, err := Raw(del...); err != nil {
|
||||
return err
|
||||
} else if len(output) != 0 {
|
||||
return fmt.Errorf("Could not delete establish rule from %s: %s", c.Table, output)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
|
Loading…
Add table
Reference in a new issue