
Added improved IP validation for port mapper

Signed-off-by: Benjamin Böhmke <benjamin@boehmke.net>
Benjamin Böhmke 4 years ago
parent
commit
4886e5e5b1

+ 2 - 2
libnetwork/portmapper/mapper.go

@@ -151,7 +151,7 @@ func (pm *PortMapper) MapRange(container net.Addr, hostIP net.IP, hostPortStart,
 	}
 
 	containerIP, containerPort := getIPAndPort(m.container)
-	if hostIP.To4() != nil || hostIP.To16() != nil {
+	if pm.checkIP(hostIP) {
 		if err := pm.AppendForwardingTableEntry(m.proto, hostIP, allocatedHostPort, containerIP.String(), containerPort); err != nil {
 			return nil, err
 		}
@@ -160,7 +160,7 @@ func (pm *PortMapper) MapRange(container net.Addr, hostIP net.IP, hostPortStart,
 	cleanup := func() error {
 		// need to undo the iptables rules before we return
 		m.userlandProxy.Stop()
-		if hostIP.To4() != nil || hostIP.To16() != nil {
+		if pm.checkIP(hostIP) {
 			pm.DeleteForwardingTableEntry(m.proto, hostIP, allocatedHostPort, containerIP.String(), containerPort)
 			if err := pm.Allocator.ReleasePort(hostIP, m.proto, allocatedHostPort); err != nil {
 				return err
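Review bot: In the cleanup closure, `pm.Allocator.ReleasePort(hostIP, m.proto, allocatedHostPort)` now sits behind `pm.checkIP(hostIP)`, so when the host address does not match the chain's IP version the port is never handed back to the allocator. The old condition was true for every well-formed address, so this skip path is new with this commit. If the port is reserved earlier in MapRange (the allocation is outside the visible lines), a mismatched address leaves it reserved after teardown, and the first hunk skips the forwarding rule for that address without reporting an error. Consider guarding only `pm.DeleteForwardingTableEntry(...)` with `checkIP` and calling `ReleasePort` unconditionally, or rejecting the mismatch with an error at the top of MapRange. Both the closure and MapRange extend beyond these hunks.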

+ 8 - 0
libnetwork/portmapper/mapper_linux.go

@@ -44,3 +44,11 @@ func (pm *PortMapper) forward(action iptables.Action, proto string, sourceIP net
 	}
 	return pm.chain.Forward(action, sourceIP, sourcePort, proto, containerIP, containerPort, pm.bridgeName)
 }
+
+// checkIP checks if IP is valid and matching to chain version
+func (pm *PortMapper) checkIP(ip net.IP) bool {
+	if pm.chain == nil || pm.chain.IPTable.Version == iptables.IPv4 {
+		return ip.To4() != nil
+	}
+	return ip.To16() != nil
+}
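Review bot: On the IPv6 branch, `ip.To16() != nil` also accepts IPv4 addresses, because `net.IP.To16` returns the 16-byte form of any valid 4-byte address, so checkIP does not enforce the family match its comment promises. An IPv4 host address handed to a PortMapper backed by an IPv6 chain would presumably still reach `pm.chain.Forward`. Tightening the last line to `return ip.To4() == nil && ip.To16() != nil` keeps the two families disjoint. That form also rejects IPv4-mapped IPv6 addresses, which looks right for an IPv6 chain but is worth confirming. A table-driven test covering nil, IPv4, IPv6 and IPv4-mapped inputs for both chain versions would pin the behaviour.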

+ 6 - 0
libnetwork/portmapper/mapper_windows.go

@@ -29,3 +29,9 @@ func (pm *PortMapper) AppendForwardingTableEntry(proto string, sourceIP net.IP,
 func (pm *PortMapper) DeleteForwardingTableEntry(proto string, sourceIP net.IP, sourcePort int, containerIP string, containerPort int) error {
 	return nil
 }
+
+// checkIP checks if IP is valid and matching to chain version
+func (pm *PortMapper) checkIP(ip net.IP) bool {
+	// no IPv6 for port mapper on windows -> only IPv4 valid
+	return ip.To4() != nil
+}
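Review bot: The doc comment on the Windows checkIP is copied from the Linux file and refers to a "chain version", but nothing in this function consults a chain. Something like `// checkIP reports whether ip is a valid IPv4 address; the Windows port mapper has no IPv6 support.` would describe what the code does and make the inner comment unnecessary. A nil or malformed `ip` yields false because `To4` returns nil for it, which is worth stating in the comment since callers use the result to decide whether to program forwarding.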