Merge pull request moby#46446 from rhansen/host_ipv4
Fix host_ipv4 bridge option when IPv6 and ip6tables are enabled
thaJeztah authored Sep 13, 2023
2 parents 76915b1 + 12e27df commit 0a8bd82
Showing 2 changed files with 54 additions and 4 deletions.
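--- a/libnetwork/drivers/bridge/setup_ip_tables_linux.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables_linux.go
@@ -157,11 +157,15 @@ func (n *bridgeNetwork) setupIPTables(ipVersion iptables.IPVersion, maskedAddr *
 return setupInternalNetworkRules(config.BridgeName, maskedAddr, config.EnableICC, false)
 })
 } else {
-if err = setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
+hostIP := config.HostIP
+if ipVersion != iptables.IPv4 {
+hostIP = nil
+}
+if err = setupIPTablesInternal(hostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
 return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 }
 n.registerIptCleanFunc(func() error {
-return setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
+return setupIPTablesInternal(hostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
 })
 natChain, filterChain, _, _, err := n.getDriverChains(ipVersion)
 if err != nil {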
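Review bot: The new `hostIP = nil` override (in the `else` arm, just before the first `setupIPTablesInternal` call) silently discards the configured `HostIP` for every non-IPv4 family, with no comment explaining why and no log line telling the operator. A short comment such as `// HostIP is an IPv4 address (host_ipv4 option); never pass it to the IPv6 rule set.` would stop a later cleanup from folding the local back into `config.HostIP`. If `setupIPTablesInternal` falls back to masquerading when it receives a nil host IP (its body is not shown here), IPv6 egress will leave with a kernel-chosen source address, which is worth stating in the option's documentation for deployments that allow-list egress by source address. `setupIPTables` starts and ends outside this hunk.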
50 changes: 48 additions & 2 deletions libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
@@ -6,6 +6,7 @@ import (

"github.com/docker/docker/internal/testutils/netnsutils"
"github.com/docker/docker/libnetwork/iptables"
"github.com/docker/docker/libnetwork/netlabel"
"github.com/docker/docker/libnetwork/portmapper"
"github.com/vishvananda/netlink"
)
@@ -92,6 +93,11 @@ func createTestBridge(config *networkConfiguration, br *bridgeInterface, t *test
if err := setupBridgeIPv4(config, br); err != nil {
t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
}
if config.EnableIPv6 {
if err := setupBridgeIPv6(config, br); err != nil {
t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
}
}
}

// Assert base function which pushes iptables chain rules on insertion and removal.
@@ -123,13 +129,20 @@ func assertChainConfig(d *driver, t *testing.T) {
if err != nil {
t.Fatal(err)
}
if d.config.EnableIP6Tables {
d.natChainV6, d.filterChainV6, d.isolationChain1V6, d.isolationChain2V6, err = setupIPChains(d.config, iptables.IPv6)
if err != nil {
t.Fatal(err)
}
}
}

// Assert function which pushes chains based on bridge config parameters.
func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *driver, t *testing.T) {
nw := bridgeNetwork{
portMapper: portmapper.New(""),
config: config,
portMapper: portmapper.New(""),
portMapperV6: portmapper.New(""),
config: config,
}
nw.driver = d

@@ -138,4 +151,37 @@ func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *dr
if err != nil {
t.Fatalf("%v", err)
}
if d.config.EnableIP6Tables {
if err := nw.setupIP6Tables(config, br); err != nil {
t.Fatalf("%v", err)
}
}
}

// Regression test for https://github.com/moby/moby/issues/46445
func TestSetupIP6TablesWithHostIP(t *testing.T) {
defer netnsutils.SetupTestOSContext(t)()
d := newDriver()
dc := &configuration{
EnableIPTables: true,
EnableIP6Tables: true,
}
if err := d.configure(map[string]interface{}{netlabel.GenericData: dc}); err != nil {
t.Fatal(err)
}
nc := &networkConfiguration{
BridgeName: DefaultBridgeName,
AddressIPv4: &net.IPNet{IP: net.ParseIP(iptablesTestBridgeIP), Mask: net.CIDRMask(16, 32)},
EnableIPMasquerade: true,
EnableIPv6: true,
AddressIPv6: &net.IPNet{IP: net.ParseIP("2001:db8::1"), Mask: net.CIDRMask(64, 128)},
HostIP: net.ParseIP("192.0.2.2"),
}
nh, err := netlink.NewHandle()
if err != nil {
t.Fatal(err)
}
br := &bridgeInterface{nlh: nh}
createTestBridge(nc, br, t)
assertBridgeConfig(nc, br, d, t)
}
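Review bot: `TestSetupIP6TablesWithHostIP` only checks that setup returns no error; it never inspects the rules that were installed, so it would still pass if `HostIP` were dropped for IPv4 as well or if the IPv6 NAT rule were skipped entirely. After `assertBridgeConfig(nc, br, d, t)` I would add assertions that the IPv4 nat rules reference `192.0.2.2` and that the IPv6 rules for `2001:db8::/64` do not. Separately, the handle returned by `netlink.NewHandle()` is never released in the test. The IPv6 branch added to `createTestBridge` also reuses the IPv4 failure text; `t.Fatalf("Failed to bring up the testing Bridge (IPv6): %s", err.Error())` would make the two failures distinguishable.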
