We use cookies to ensure you get the best experience on our website
Home Esplora Aiuto
Registrati Accedi
0ct0pu5
/
moby
1
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Sfoglia il codice sorgente

Fix host_ipv4 bridge option when IPv6 and ip6tables are enabled

Before this commit, setting the `com.docker.network.host_ipv4` bridge
option when `enable_ipv6` is true and the experimental `ip6tables`
option is enabled would cause Docker to fail to create the network:

> failed to create network `test-network`: Error response from daemon:
> Failed to Setup IP tables: Unable to enable NAT rule: (iptables
> failed: `ip6tables --wait -t nat -I POSTROUTING -s fd01::/64 ! -o
> br-test -j SNAT --to-source 192.168.0.2`: ip6tables
> v1.8.7 (nf_tables): Bad IP address "192.168.0.2"
>
> Try `ip6tables -h` or `ip6tables --help` for more information.
>  (exit status 2))

Fix this error by passing nil -- not the `host_ipv4` address -- when
creating the IPv6 rules.

Signed-off-by: Richard Hansen <rhansen@rhansen.org>
Richard Hansen 1 anno fa
parent
6ce5aa1cd5
commit
12e27dfd8f
2 ha cambiato i file con 54 aggiunte e 4 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 6 2
      libnetwork/drivers/bridge/setup_ip_tables_linux.go
  2. 48 2
      libnetwork/drivers/bridge/setup_ip_tables_linux_test.go

+ 6 - 2
libnetwork/drivers/bridge/setup_ip_tables_linux.go
Vedi File 

@@ -157,11 +157,15 @@ func (n *bridgeNetwork) setupIPTables(ipVersion iptables.IPVersion, maskedAddr *
 
 			return setupInternalNetworkRules(config.BridgeName, maskedAddr, config.EnableICC, false)
 
 		})
 
 	} else {
 
-		if err = setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
 
+		hostIP := config.HostIP
 
+		if ipVersion != iptables.IPv4 {
 
+			hostIP = nil
 
+		}
 
+		if err = setupIPTablesInternal(hostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
 
 			return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 
 		}
 
 		n.registerIptCleanFunc(func() error {
 
-			return setupIPTablesInternal(config.HostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
 
+			return setupIPTablesInternal(hostIP, config.BridgeName, maskedAddr, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false)
 
 		})
 
 		natChain, filterChain, _, _, err := n.getDriverChains(ipVersion)
 
 		if err != nil {

+ 48 - 2
libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
Vedi File 

@@ -6,6 +6,7 @@ import (
 
 
 	"github.com/docker/docker/internal/testutils/netnsutils"
 
 	"github.com/docker/docker/libnetwork/iptables"
 
+	"github.com/docker/docker/libnetwork/netlabel"
 
 	"github.com/docker/docker/libnetwork/portmapper"
 
 	"github.com/vishvananda/netlink"
 
 )
 
@@ -92,6 +93,11 @@ func createTestBridge(config *networkConfiguration, br *bridgeInterface, t *test
 
 	if err := setupBridgeIPv4(config, br); err != nil {
 
 		t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
 
 	}
 
+	if config.EnableIPv6 {
 
+		if err := setupBridgeIPv6(config, br); err != nil {
 
+			t.Fatalf("Failed to bring up the testing Bridge: %s", err.Error())
 
+		}
 
+	}
 
 }
 
 
 // Assert base function which pushes iptables chain rules on insertion and removal.
 
@@ -123,13 +129,20 @@ func assertChainConfig(d *driver, t *testing.T) {
 
 	if err != nil {
 
 		t.Fatal(err)
 
 	}
 
+	if d.config.EnableIP6Tables {
 
+		d.natChainV6, d.filterChainV6, d.isolationChain1V6, d.isolationChain2V6, err = setupIPChains(d.config, iptables.IPv6)
 
+		if err != nil {
 
+			t.Fatal(err)
 
+		}
 
+	}
 
 }
 
 
 // Assert function which pushes chains based on bridge config parameters.
 
 func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *driver, t *testing.T) {
 
 	nw := bridgeNetwork{
 
-		portMapper: portmapper.New(""),
 
-		config:     config,
 
+		portMapper:   portmapper.New(""),
 
+		portMapperV6: portmapper.New(""),
 
+		config:       config,
 
 	}
 
 	nw.driver = d
 
 
@@ -138,4 +151,37 @@ func assertBridgeConfig(config *networkConfiguration, br *bridgeInterface, d *dr
 
 	if err != nil {
 
 		t.Fatalf("%v", err)
 
 	}
 
+	if d.config.EnableIP6Tables {
 
+		if err := nw.setupIP6Tables(config, br); err != nil {
 
+			t.Fatalf("%v", err)
 
+		}
 
+	}
 
+}
 
+
 
+// Regression test for https://github.com/moby/moby/issues/46445
 
+func TestSetupIP6TablesWithHostIP(t *testing.T) {
 
+	defer netnsutils.SetupTestOSContext(t)()
 
+	d := newDriver()
 
+	dc := &configuration{
 
+		EnableIPTables:  true,
 
+		EnableIP6Tables: true,
 
+	}
 
+	if err := d.configure(map[string]interface{}{netlabel.GenericData: dc}); err != nil {
 
+		t.Fatal(err)
 
+	}
 
+	nc := &networkConfiguration{
 
+		BridgeName:         DefaultBridgeName,
 
+		AddressIPv4:        &net.IPNet{IP: net.ParseIP(iptablesTestBridgeIP), Mask: net.CIDRMask(16, 32)},
 
+		EnableIPMasquerade: true,
 
+		EnableIPv6:         true,
 
+		AddressIPv6:        &net.IPNet{IP: net.ParseIP("2001:db8::1"), Mask: net.CIDRMask(64, 128)},
 
+		HostIP:             net.ParseIP("192.0.2.2"),
 
+	}
 
+	nh, err := netlink.NewHandle()
 
+	if err != nil {
 
+		t.Fatal(err)
 
+	}
 
+	br := &bridgeInterface{nlh: nh}
 
+	createTestBridge(nc, br, t)
 
+	assertBridgeConfig(nc, br, d, t)
 
 }

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5