kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #28257 from sanimej/iptables

Browse source 
vendor libnetwork @1861587
This commit is contained in:
Victor Vieux 2016-11-10 14:01:02 -08:00 committed by GitHub
commit f700a86dc0
4 changed files with 54 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

2
vendor.conf
View file

@ -23,7 +23,7 @@ github.com/RackSec/srslog 365bf33cd9acc21ae1c355209865f17228ca534e
github.com/imdario/mergo 0.2.1 github.com/imdario/mergo 0.2.1
#get libnetwork packages #get libnetwork packages
github.com/docker/libnetwork 3ab699ea36573d98f481d233c30c742ade737565 github.com/docker/libnetwork 1861587d0fe7cdf85b89160ed36f20b81e96528d
github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894 github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

15
vendor/github.com/docker/libnetwork/drivers/bridge/bridge.go generated vendored
View file

@ -380,13 +380,6 @@ func (d *driver) configure(option map[string]interface{}) error {
return &ErrInvalidDriverConfig{} return &ErrInvalidDriverConfig{}
} }
if config.EnableIPForwarding {
err = setupIPForwarding()
if err != nil {
return err
}
}
if config.EnableIPTables { if config.EnableIPTables {
if _, err := os.Stat("/proc/sys/net/bridge"); err != nil { if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil { if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
@ -402,6 +395,14 @@ func (d *driver) configure(option map[string]interface{}) error {
iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) }) iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) })
} }
if config.EnableIPForwarding {
err = setupIPForwarding(config.EnableIPTables)
if err != nil {
logrus.Warn(err)
return err
}
}
d.Lock() d.Lock()
d.natChain = natChain d.natChain = natChain
d.filterChain = filterChain d.filterChain = filterChain

34
vendor/github.com/docker/libnetwork/drivers/bridge/setup_ip_forwarding.go generated vendored
View file

@ -2,6 +2,8 @@ package bridge
import ( import (
"fmt" "fmt"
log "github.com/Sirupsen/logrus"
"github.com/docker/libnetwork/iptables"
"io/ioutil" "io/ioutil"
) )
@ -10,7 +12,15 @@ const (
ipv4ForwardConfPerm = 0644 ipv4ForwardConfPerm = 0644
) )
func setupIPForwarding() error { func configureIPForwarding(enable bool) error {
var val byte
if enable {
val = '1'
}
return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
}
func setupIPForwarding(enableIPTables bool) error {
// Get current IPv4 forward setup // Get current IPv4 forward setup
ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf) ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
if err != nil { if err != nil {
@ -20,10 +30,26 @@ func setupIPForwarding() error {
// Enable IPv4 forwarding only if it is not already enabled // Enable IPv4 forwarding only if it is not already enabled
if ipv4ForwardData[0] != '1' { if ipv4ForwardData[0] != '1' {
// Enable IPv4 forwarding // Enable IPv4 forwarding
if err := ioutil.WriteFile(ipv4ForwardConf, []byte{'1', '\n'}, ipv4ForwardConfPerm); err != nil { if err := configureIPForwarding(true); err != nil {
return fmt.Errorf("Setup IP forwarding failed: %v", err) return fmt.Errorf("Enabling IP forwarding failed: %v", err)
} }
// When enabling ip_forward set the default policy on forward chain to
// drop only if the daemon option iptables is not set to false.
if !enableIPTables {
return nil
}
if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
if err := configureIPForwarding(false); err != nil {
log.Errorf("Disabling IP forwarding failed, %v", err)
}
return err
}
iptables.OnReloaded(func() {
log.Debugf("Setting the default DROP policy on firewall reload")
if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
log.Warnf("Settig the default DROP policy on firewall reload failed, %v", err)
}
})
} }
return nil return nil
} }

15
vendor/github.com/docker/libnetwork/iptables/iptables.go generated vendored
View file

@ -16,6 +16,9 @@ import (
// Action signifies the iptable action. // Action signifies the iptable action.
type Action string type Action string
// Policy is the default iptable policies
type Policy string
// Table refers to Nat, Filter or Mangle. // Table refers to Nat, Filter or Mangle.
type Table string type Table string
@ -32,6 +35,10 @@ const (
Filter Table = "filter" Filter Table = "filter"
// Mangle table is used for mangling the packet. // Mangle table is used for mangling the packet.
Mangle Table = "mangle" Mangle Table = "mangle"
// Drop is the default iptables DROP policy
Drop Policy = "DROP"
// Accept is the default iptables ACCEPT policy
Accept Policy = "ACCEPT"
) )
var ( var (
@ -437,6 +444,14 @@ func GetVersion() (major, minor, micro int, err error) {
return return
} }
// SetDefaultPolicy sets the passed default policy for the table/chain
func SetDefaultPolicy(table Table, chain string, policy Policy) error {
if err := RawCombinedOutput("-t", string(table), "-P", chain, string(policy)); err != nil {
return fmt.Errorf("setting default policy to %v in %v chain failed: %v", policy, chain, err)
}
return nil
}
func parseVersionNumbers(input string) (major, minor, micro int) { func parseVersionNumbers(input string) (major, minor, micro int) {
re := regexp.MustCompile(`v\d*.\d*.\d*`) re := regexp.MustCompile(`v\d*.\d*.\d*`)
line := re.FindString(input) line := re.FindString(input)