//go:build linux

package bridge

import (
	"context"
	"fmt"
	"os"

	"github.com/containerd/log"
	"github.com/docker/docker/libnetwork/iptables"
)

const (
	// ipv4ForwardConf is the sysctl file controlling IPv4 forwarding. Its
	// first byte is '1' when forwarding is on; anything else is treated as off.
	ipv4ForwardConf = "/proc/sys/net/ipv4/ip_forward"
	// ipv4ForwardConfPerm is the mode handed to os.WriteFile. It only takes
	// effect if the file has to be created, which never happens for a procfs
	// entry, so it is effectively inert.
	ipv4ForwardConfPerm = 0o644
)

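// configureIPForwarding writes the IPv4 forwarding sysctl
// (/proc/sys/net/ipv4/ip_forward): "1\n" to enable, "0\n" to disable.
//
// The explicit '0' matters. The previous implementation relied on the zero
// value of a byte for the disable case, which is a NUL character rather than
// the digit '0'; the disable path therefore did not write a valid sysctl value.
// That path is the rollback used when the FORWARD DROP policy cannot be
// installed, so a failed rollback would have left forwarding enabled on a host
// without the accompanying DROP policy.
//
// ipv4ForwardConfPerm is only consulted if the file has to be created, which
// a procfs entry never is; it is passed for completeness.
func configureIPForwarding(enable bool) error {
	val := byte('0')
	if enable {
		val = '1'
	}
	return os.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
}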

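// setupIPForwarding makes sure the host forwards IPv4 traffic for bridge
// networks and, where the daemon manages the firewall, that forwarding is
// closed by default.
//
// IPv4: ip_forward is read and, only if it is not already "1", switched on.
// Enabling forwarding on a host whose filter FORWARD chain still defaults to
// ACCEPT turns the host into an open router, so when enableIPTables is true
// the FORWARD default policy is set to DROP in the same step and re-applied on
// firewall reload. If the policy cannot be set, ip_forward is switched back off
// so the two settings are not left inconsistent. When forwarding was already
// enabled before the daemon ran, the administrator's FORWARD policy is
// deliberately left untouched.
//
// IPv6: only the FORWARD DROP policy is installed here (when enableIP6Tables
// is true); the IPv6 forwarding sysctl is handled by setupIPv6Forwarding in
// setup_ipv6. A failure to set the IPv6 policy is logged, not returned.
//
// NOTE(review): every call registers a new OnReloaded callback; this
// presumably runs once per daemon start — confirm with the caller.
//
// Returns an error if ip_forward cannot be read or enabled, or if the IPv4
// FORWARD policy cannot be set.
func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {
	ipv4ForwardData, err := os.ReadFile(ipv4ForwardConf)
	if err != nil {
		return fmt.Errorf("Cannot read IP forwarding setup: %w", err)
	}

	// An empty read is treated as "forwarding off" instead of being indexed
	// blindly, which would panic.
	if len(ipv4ForwardData) == 0 || ipv4ForwardData[0] != '1' {
		if err := configureIPForwarding(true); err != nil {
			return fmt.Errorf("Enabling IP forwarding failed: %w", err)
		}
		// Tighten the FORWARD policy only when the daemon owns the iptables
		// rules (daemon option iptables != false); otherwise the administrator
		// is responsible for the chain.
		if enableIPTables {
			iptable := iptables.GetIptable(iptables.IPv4)
			if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
				// Roll back: forwarding must not stay on without the DROP policy.
				if rbErr := configureIPForwarding(false); rbErr != nil {
					log.G(context.TODO()).Errorf("Disabling IP forwarding failed, %v", rbErr)
				}
				return err
			}
			registerForwardDropOnReload(iptable)
		}
	}

	if enableIP6Tables {
		iptable := iptables.GetIptable(iptables.IPv6)
		if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
			// Initial set, not a reload: the message says so.
			log.G(context.TODO()).Warnf("Setting the default DROP policy failed, %v", err)
		}
		registerForwardDropOnReload(iptable)
	}

	return nil
}

// registerForwardDropOnReload re-applies the filter FORWARD DROP policy on
// iptable each time iptables.OnReloaded fires (a firewall reload), so a reload
// cannot silently revert the chain to ACCEPT while forwarding stays enabled.
// Failures are only logged; there is nothing else to do from a callback.
func registerForwardDropOnReload(iptable *iptables.IPTable) {
	iptables.OnReloaded(func() {
		log.G(context.TODO()).Debug("Setting the default DROP policy on firewall reload")
		if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
			log.G(context.TODO()).Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
		}
	})
}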