From 446b6886b369acbe06d4f84c53031e6513262d43 Mon Sep 17 00:00:00 2001
From: Tom Cook
Date: Tue, 7 Jan 2020 15:45:19 +0000
Subject: [PATCH] Limited bridge netfilter application.
libnetwork uses the br-netfilter module to allow filtering of packets passing through a bridge. To do so, it sets /proc/sys/net/bridge/bridge-nf-call-ip[6]tables to 1, forcing iptables for every bridge on the system, whether this is desired or not. This overrides anything set in /etc/sysctl.conf. This change prevents libnetwork from setting the system-wide /proc/sys/net/bridge/bridge-nf-call-ip[6]tables and instead sets /sys/class/net//bridge/nf_call_ip[6]tables for each bridge which has ICC disabled. Note that this does introduce a change in the behaviour of docker. For a default network configuration, with the existing behaviour, both `docker_gwbridge` and `docker0` bridges have iptables enabled while this change results in `docker_gwbridge` having iptables enabled but `docker0` having iptables disabled, because ICC is enabled by default. As far as I can tell, iptables should not be enabled on the `docker0` bridge when ICC is enabled (the code which implements this seems to assume that iptables is enabled per-bridge and not systemwide) so I think this change is correct, but it is still a change in behaviour.
Signed-off-by: Tom Cook
---
 drivers/bridge/setup_bridgenetfiltering.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/bridge/setup_bridgenetfiltering.go b/drivers/bridge/setup_bridgenetfiltering.go
index 9b90acfac2..a33a8b1cce 100644
--- a/drivers/bridge/setup_bridgenetfiltering.go
+++ b/drivers/bridge/setup_bridgenetfiltering.go 
@@ -64,11 +64,11 @@ func checkBridgeNetFiltering(config *networkConfiguration, i *bridgeInterface) e
 	if err != nil {
 		logrus.Warnf("failed to check %s forwarding: %v", ipVerName, err)
 	} else if enabled {
-		enabled, err := getKernelBoolParam(getBridgeNFKernelParam(ipVer))
+		enabled, err := getKernelBoolParam(getBridgeNFKernelParam(ipVer, iface))
 		if err != nil || enabled {
 			return err
 		}
-		return setKernelBoolParam(getBridgeNFKernelParam(ipVer), true)
+		return setKernelBoolParam(getBridgeNFKernelParam(ipVer, iface), true)
 	}
 	return nil
 }
@@ -108,12 +108,12 @@ func getForwardingKernelParam(ipVer ipVersion, iface string) string {
 // Get kernel param path saying whether bridged IPv${ipVer} traffic shall be
 // passed to ip${ipVer}tables' chains.
-func getBridgeNFKernelParam(ipVer ipVersion) string {
+func getBridgeNFKernelParam(ipVer ipVersion, bridgeName string) string {
 	switch ipVer {
 	case ipv4:
-		return "/proc/sys/net/bridge/bridge-nf-call-iptables"
+		return fmt.Sprintf("/sys/class/net/%s/bridge/nf_call_iptables", bridgeName)
 	case ipv6:
-		return "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+		return fmt.Sprintf("/sys/class/net/%s/bridge/nf_call_ip6tables", bridgeName)
 	default:
 		return ""
 	}
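Review bot: The new `setKernelBoolParam(getBridgeNFKernelParam(ipVer, iface), true)` on the per-bridge `/sys/class/net/<bridge>/bridge/nf_call_ip[6]tables` attribute can succeed without bridged traffic ever reaching iptables, so a nil return from this check no longer establishes that the ICC=false isolation it guards is actually enforced. On the kernels I am aware of that sysfs attribute belongs to the `bridge` module and accepts writes even when `br_netfilter` is not loaded, and br_netfilter only honours it once loaded (with the global `bridge-nf-call-iptables` sysctl at 0 the per-bridge flag is what enables filtering; at 1 every bridge is filtered regardless), whereas the old `/proc/sys/net/bridge/` path at least failed outright when the module was absent — please confirm against the target kernels. I would add a guard before the per-bridge read, e.g. `if _, err := os.Stat("/proc/sys/net/bridge"); err != nil { return fmt.Errorf("br_netfilter is not loaded, %s bridge filtering cannot be enforced: %v", ipVerName, err) }` (assuming `os` is imported in this file), plus a comment above the read such as `// per-bridge nf_call_* only takes effect while br_netfilter is loaded; the global sysctl, if 1, overrides it`. `checkBridgeNetFiltering` begins before this hunk, so whether `iface` is validated earlier is not visible here.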