split setupIPTables into setupIP4Tables and setupIP6Tables

Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
2022-11-09 12:21:53 -05:00 · 2020-07-21 16:40:18 +02:00 · 2020-07-21 16:40:18 +02:00 · ccad03a139
commit ccad03a139
parent 9cf5335269
4 changed files with 69 additions and 84 deletions
--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@ -764,11 +764,16 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {
 		{!d.config.EnableUserlandProxy, setupLoopbackAddressesRouting},
 		// Setup IPTables.
-		{d.config.EnableIPTables, network.setupIPTables},
+		{d.config.EnableIPTables, network.setupIP4Tables},
 		// Setup IP6Tables.
 		{d.config.EnableIP6Tables, network.setupIP6Tables},
 		//We want to track firewalld configuration so that
 		//if it is started/reloaded, the rules can be applied correctly
 		{d.config.EnableIPTables, network.setupFirewalld},
 		// same for IPv6
 		{d.config.EnableIP6Tables, network.setupFirewalld6},
 		// Setup DefaultGatewayIPv4
 		{config.DefaultGatewayIPv4 != nil, setupGatewayIPv4},
--- a/libnetwork/drivers/bridge/setup_firewalld.go
+++ b/libnetwork/drivers/bridge/setup_firewalld.go
@ -13,12 +13,23 @@ func (n *bridgeNetwork) setupFirewalld(config *networkConfiguration, i *bridgeIn
 		return IPTableCfgError(config.BridgeName)
 	}
-	iptables.OnReloaded(func() { n.setupIPTables(config, i) })
+	iptables.OnReloaded(func() { n.setupIP4Tables(config, i) })
 	iptables.OnReloaded(n.portMapper.ReMapAll)
-
+	return nil
-	if driverConfig.EnableIP6Tables == true {
+}
-		iptables.OnReloaded(n.portMapperV6.ReMapAll)
+
-	}
+func (n *bridgeNetwork) setupFirewalld6(config *networkConfiguration, i *bridgeInterface) error {
-
+	d := n.driver
 	d.Lock()
 	driverConfig := d.config
 	d.Unlock()
 	// Sanity check.
 	if !driverConfig.EnableIP6Tables {
 		return IPTableCfgError(config.BridgeName)
 	}
 	iptables.OnReloaded(func() { n.setupIP6Tables(config, i) })
 	iptables.OnReloaded(n.portMapperV6.ReMapAll)
 	return nil
 }
--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@ -95,7 +95,44 @@ func setupIPChains(config *configuration, version iptables.IPVersion) (*iptables
 	return natChain, filterChain, isolationChain1, isolationChain2, nil
 }
-func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInterface) error {
+func (n *bridgeNetwork) setupIP4Tables(config *networkConfiguration, i *bridgeInterface) error {
 	d := n.driver
 	d.Lock()
 	driverConfig := d.config
 	d.Unlock()
 	// Sanity check.
 	if !driverConfig.EnableIPTables {
 		return errors.New("Cannot program chains, EnableIPTable is disabled")
 	}
 	maskedAddrv4 := &net.IPNet{
 		IP:   i.bridgeIPv4.IP.Mask(i.bridgeIPv4.Mask),
 		Mask: i.bridgeIPv4.Mask,
 	}
 	return n.setupIPTables(iptables.IPv4, maskedAddrv4, config, i)
 }
 func (n *bridgeNetwork) setupIP6Tables(config *networkConfiguration, i *bridgeInterface) error {
 	d := n.driver
 	d.Lock()
 	driverConfig := d.config
 	d.Unlock()
 	// Sanity check.
 	if !driverConfig.EnableIP6Tables {
 		return errors.New("Cannot program chains, EnableIP6Tables is disabled")
 	}
 	maskedAddrv6 := &net.IPNet{
 		IP:   i.bridgeIPv6.IP.Mask(i.bridgeIPv6.Mask),
 		Mask: i.bridgeIPv6.Mask,
 	}
 	return n.setupIPTables(iptables.IPv6, maskedAddrv6, config, i)
 }
 func (n *bridgeNetwork) setupIPTables(ipVersion iptables.IPVersion, maskedAddr *net.IPNet, config *networkConfiguration, i *bridgeInterface) error {
 	var err error
 	d := n.driver
@ -103,36 +140,26 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt
 	driverConfig := d.config
 	d.Unlock()
 	// Sanity check.
 	if driverConfig.EnableIPTables == false {
 		return errors.New("Cannot program chains, EnableIPTable is disabled")
 	}
 	// Pickup this configuration option from driver
 	hairpinMode := !driverConfig.EnableUserlandProxy
-	maskedAddrv4 := &net.IPNet{
+	iptable := iptables.GetIptable(ipVersion)
 		IP:   i.bridgeIPv4.IP.Mask(i.bridgeIPv4.Mask),
 		Mask: i.bridgeIPv4.Mask,
 	}
 	iptable := iptables.GetIptable(iptables.IPv4)
 	if config.Internal {
-		if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, true); err != nil {
+		if err = setupInternalNetworkRules(config.BridgeName, maskedAddr, config.EnableICC, true); err != nil {
 			return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 		}
 		n.registerIptCleanFunc(func() error {
-			return setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, false)
+			return setupInternalNetworkRules(config.BridgeName, maskedAddr, config.EnableICC, false)
 		})
 	} else {
-		if err = setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
+		if err = setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
 			return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 		}
 		n.registerIptCleanFunc(func() error {
-			return setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
+			return setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
 		})
-		natChain, filterChain, _, _, err := n.getDriverChains(iptables.IPv4)
+		natChain, filterChain, _, _, err := n.getDriverChains(ipVersion)
 		if err != nil {
 			return fmt.Errorf("Failed to setup IP tables, cannot acquire chain info %s", err.Error())
 		}
@ -157,65 +184,7 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt
 	d.Lock()
 	err = iptable.EnsureJumpRule("FORWARD", IsolationChain1)
 	d.Unlock()
 	if err != nil {
 	return err
 	}
 	if !driverConfig.EnableIP6Tables || i.bridgeIPv6 == nil {
 		return nil
 	}
 	maskedAddrv6 := &net.IPNet{
 		IP:   i.bridgeIPv6.IP.Mask(i.bridgeIPv6.Mask),
 		Mask: i.bridgeIPv6.Mask,
 	}
 	iptable = iptables.GetIptable(iptables.IPv6)
 	if config.Internal {
 		if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv6, config.EnableICC, true); err != nil {
 			return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 		}
 		n.registerIptCleanFunc(func() error {
 			return setupInternalNetworkRules(config.BridgeName, maskedAddrv6, config.EnableICC, false)
 		})
 	} else {
 		if err = setupIPTablesInternal(nil, config.BridgeName, maskedAddrv6, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
 			return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 		}
 		n.registerIptCleanFunc(func() error {
 			return setupIPTablesInternal(nil, config.BridgeName, maskedAddrv6, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
 		})
 		natChainV6, filterChainV6, _, _, err := n.getDriverChains(iptables.IPv6)
 		if err != nil {
 			return fmt.Errorf("Failed to setup IP tables, cannot acquire chain info %s", err.Error())
 		}
 		err = iptable.ProgramChain(natChainV6, config.BridgeName, hairpinMode, true)
 		if err != nil {
 			return fmt.Errorf("Failed to program NAT chain: %s", err.Error())
 		}
 		err = iptable.ProgramChain(filterChainV6, config.BridgeName, hairpinMode, true)
 		if err != nil {
 			return fmt.Errorf("Failed to program FILTER chain: %s", err.Error())
 		}
 		n.registerIptCleanFunc(func() error {
 			return iptable.ProgramChain(filterChainV6, config.BridgeName, hairpinMode, false)
 		})
 		n.portMapperV6.SetIptablesChain(natChainV6, n.getNetworkBridgeName())
 	}
 	d.Lock()
 	err = iptable.EnsureJumpRule("FORWARD", IsolationChain1)
 	d.Unlock()
 	if err != nil {
 		return err
 	}
 	return nil
 }
 type iptRule struct {
--- a/libnetwork/drivers/bridge/setup_ip_tables_test.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables_test.go
@ -131,7 +131,7 @@ func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *dr
 	nw.driver = d
 	// Attempt programming of ip tables.
-	err := nw.setupIPTables(config, br)
+	err := nw.setupIP4Tables(config, br)
 	if err != nil {
 		t.Fatalf("%v", err)
 	}