Fix host_ipv4 bridge option when IPv6 and ip6tables are enabled

Before this commit, setting the `com.docker.network.host_ipv4` bridge option when `enable_ipv6` is true and the experimental `ip6tables` option is enabled would cause Docker to fail to create the network: > failed to create network `test-network`: Error response from daemon: > Failed to Setup IP tables: Unable to enable NAT rule: (iptables > failed: `ip6tables --wait -t nat -I POSTROUTING -s fd01::/64 ! -o > br-test -j SNAT --to-source 192.168.0.2`: ip6tables > v1.8.7 (nf_tables): Bad IP address "192.168.0.2" > > Try `ip6tables -h` or `ip6tables --help` for more information. > (exit status 2)) Fix this error by passing nil -- not the `host_ipv4` address -- when creating the IPv6 rules. Signed-off-by: Richard Hansen <rhansen@rhansen.org>
2023-09-09 18:41:15 -04:00 · 2023-09-09 18:41:15 -04:00 · 12e27dfd8f
commit 12e27dfd8f
parent 6ce5aa1cd5
2 changed files with 54 additions and 4 deletions
--- a/libnetwork/drivers/bridge/setup_ip_tables_linux.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables_linux.go
@ -157,11 +157,15 @@ func (n *bridgeNetwork) setupIPTables(ipVersion iptables.IPVersion, maskedAddr *
 			return setupInternalNetworkRules(config.BridgeName, maskedAddr, config.EnableICC, false)
 		})
 	} else {
-		if err = setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
+		hostIP := config.HostIP
+		if ipVersion != iptables.IPv4 {
+			hostIP = nil
+		}
+		if err = setupIPTablesInternal(hostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
 			return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 		}
 		n.registerIptCleanFunc(func() error {
-			return setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
+			return setupIPTablesInternal(hostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
 		})
 		natChain, filterChain, _, _, err := n.getDriverChains(ipVersion)
 		if err != nil {
--- a/libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
@ -6,6 +6,7 @@ import (

 	"github.com/docker/docker/internal/testutils/netnsutils"
 	"github.com/docker/docker/libnetwork/iptables"
+	"github.com/docker/docker/libnetwork/netlabel"
 	"github.com/docker/docker/libnetwork/portmapper"
 	"github.com/vishvananda/netlink"
 )
@ -92,6 +93,11 @@ func createTestBridge(config *networkConfiguration, br *bridgeInterface, t *test
 	if err := setupBridgeIPv4(config, br); err != nil {
 		t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
 	}
+	if config.EnableIPv6 {
+		if err := setupBridgeIPv6(config, br); err != nil {
+			t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
+		}
+	}
 }

 // Assert base function which pushes iptables chain rules on insertion and removal.
@ -123,13 +129,20 @@ func assertChainConfig(d *driver, t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	if d.config.EnableIP6Tables {
+		d.natChainV6, d.filterChainV6, d.isolationChain1V6, d.isolationChain2V6, err = setupIPChains(d.config, iptables.IPv6)
+		if err != nil {
+			t.Fatal(err)
+		}
+	}
 }

 // Assert function which pushes chains based on bridge config parameters.
 func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *driver, t *testing.T) {
 	nw := bridgeNetwork{
-		portMapper: portmapper.New(""),
-		config:     config,
+		portMapper:   portmapper.New(""),
+		portMapperV6: portmapper.New(""),
+		config:       config,
 	}
 	nw.driver = d

@ -138,4 +151,37 @@ func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *dr
 	if err != nil {
 		t.Fatalf("%v", err)
 	}
+	if d.config.EnableIP6Tables {
+		if err := nw.setupIP6Tables(config, br); err != nil {
+			t.Fatalf("%v", err)
+		}
+	}
+}
+
+// Regression test for https://github.com/moby/moby/issues/46445
+func TestSetupIP6TablesWithHostIP(t *testing.T) {
+	defer netnsutils.SetupTestOSContext(t)()
+	d := newDriver()
+	dc := &configuration{
+		EnableIPTables:  true,
+		EnableIP6Tables: true,
+	}
+	if err := d.configure(map[string]interface{}{netlabel.GenericData: dc}); err != nil {
+		t.Fatal(err)
+	}
+	nc := &networkConfiguration{
+		BridgeName:         DefaultBridgeName,
+		AddressIPv4:        &net.IPNet{IP: net.ParseIP(iptablesTestBridgeIP), Mask: net.CIDRMask(16, 32)},
+		EnableIPMasquerade: true,
+		EnableIPv6:         true,
+		AddressIPv6:        &net.IPNet{IP: net.ParseIP("2001:db8::1"), Mask: net.CIDRMask(64, 128)},
+		HostIP:             net.ParseIP("192.0.2.2"),
+	}
+	nh, err := netlink.NewHandle()
+	if err != nil {
+		t.Fatal(err)
+	}
+	br := &bridgeInterface{nlh: nh}
+	createTestBridge(nc, br, t)
+	assertBridgeConfig(nc, br, d, t)
 }