Merge pull request #44824 from neersighted/revert_44706

Revert "libnetwork: Support IPv6 in arrangeUserFilterRule()"

libnetwork/controller.go

@@ -1247,23 +1247,3 @@ func (c *Controller) iptablesEnabled() bool {
 	}
 	return enabled
 }
-
-func (c *controller) ip6tablesEnabled() bool {
-	c.Lock()
-	defer c.Unlock()
-
-	if c.cfg == nil {
-		return false
-	}
-	// parse map cfg["bridge"]["generic"]["EnableIP6Table"]
-	cfgBridge, ok := c.cfg.DriverCfg["bridge"].(map[string]interface{})
-	if !ok {
-		return false
-	}
-	cfgGeneric, ok := cfgBridge[netlabel.GenericData].(options.Generic)
-	if !ok {
-		return false
-	}
-	enabled, _ := cfgGeneric["EnableIP6Tables"].(bool)
-	return enabled
-}

libnetwork/firewall_linux.go

@@ -21,40 +21,24 @@ func setupArrangeUserFilterRule(c *Controller) {
 // IPTableForwarding is disabled, because it contains rules configured by user that
 // are beyond docker engine's control.
 func arrangeUserFilterRule() {
-	if ctrl == nil {
+	if ctrl == nil || !ctrl.iptablesEnabled() {
 		return
 	}
-
-	conds := []struct {
-		ipVer iptables.IPVersion
-		cond  bool
-	}{
-		{ipVer: iptables.IPv4, cond: ctrl.iptablesEnabled()},
-		{ipVer: iptables.IPv6, cond: ctrl.ip6tablesEnabled()},
+	// TODO IPv6 support
+	iptable := iptables.GetIptable(iptables.IPv4)
+	_, err := iptable.NewChain(userChain, iptables.Filter, false)
+	if err != nil {
+		logrus.Warnf("Failed to create %s chain: %v", userChain, err)
+		return
 	}
 
-	for _, ipVerCond := range conds {
-		cond := ipVerCond.cond
-		if !cond {
-			continue
-		}
-
-		ipVer := ipVerCond.ipVer
-		iptable := iptables.GetIptable(ipVer)
-		_, err := iptable.NewChain(userChain, iptables.Filter, false)
-		if err != nil {
-			logrus.WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
-			return
-		}
-
-		if err = iptable.AddReturnRule(userChain); err != nil {
-			logrus.WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
-			return
-		}
+	if err = iptable.AddReturnRule(userChain); err != nil {
+		logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
+		return
+	}
 
-		err = iptable.EnsureJumpRule("FORWARD", userChain)
-		if err != nil {
-			logrus.WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
-		}
+	err = iptable.EnsureJumpRule("FORWARD", userChain)
+	if err != nil {
+		logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
 	}
 }

libnetwork/firewall_linux_test.go

@@ -18,8 +18,7 @@ const (
 )
 
 func TestUserChain(t *testing.T) {
-	iptable4 := iptables.GetIptable(iptables.IPv4)
-	iptable6 := iptables.GetIptable(iptables.IPv6)
+	iptable := iptables.GetIptable(iptables.IPv4)
 
 	tests := []struct {
 		iptables  bool
@@ -57,40 +56,32 @@ func TestUserChain(t *testing.T) {
 			defer c.Stop()
 			c.cfg.DriverCfg["bridge"] = map[string]interface{}{
 				netlabel.GenericData: options.Generic{
-					"EnableIPTables":  tc.iptables,
-					"EnableIP6Tables": tc.iptables,
+					"EnableIPTables": tc.iptables,
 				},
 			}
 
 			// init. condition, FORWARD chain empty DOCKER-USER not exist
-			assert.DeepEqual(t, getRules(t, iptables.IPv4, fwdChainName), []string{"-P FORWARD ACCEPT"})
-			assert.DeepEqual(t, getRules(t, iptables.IPv6, fwdChainName), []string{"-P FORWARD ACCEPT"})
+			assert.DeepEqual(t, getRules(t, fwdChainName), []string{"-P FORWARD ACCEPT"})
 
 			if tc.insert {
-				_, err = iptable4.Raw("-A", fwdChainName, "-j", "DROP")
-				assert.NilError(t, err)
-				_, err = iptable6.Raw("-A", fwdChainName, "-j", "DROP")
+				_, err = iptable.Raw("-A", fwdChainName, "-j", "DROP")
 				assert.NilError(t, err)
 			}
 			arrangeUserFilterRule()
 
-			assert.DeepEqual(t, getRules(t, iptables.IPv4, fwdChainName), tc.fwdChain)
-			assert.DeepEqual(t, getRules(t, iptables.IPv6, fwdChainName), tc.fwdChain)
+			assert.DeepEqual(t, getRules(t, fwdChainName), tc.fwdChain)
 			if tc.userChain != nil {
-				assert.DeepEqual(t, getRules(t, iptables.IPv4, usrChainName), tc.userChain)
-				assert.DeepEqual(t, getRules(t, iptables.IPv6, usrChainName), tc.userChain)
+				assert.DeepEqual(t, getRules(t, usrChainName), tc.userChain)
 			} else {
-				_, err := iptable4.Raw("-S", usrChainName)
-				assert.Assert(t, err != nil, "ipv4 chain %v: created unexpectedly", usrChainName)
-				_, err = iptable6.Raw("-S", usrChainName)
-				assert.Assert(t, err != nil, "ipv6 chain %v: created unexpectedly", usrChainName)
+				_, err := iptable.Raw("-S", usrChainName)
+				assert.Assert(t, err != nil, "chain %v: created unexpectedly", usrChainName)
 			}
 		})
 	}
 }
 
-func getRules(t *testing.T, ipVer iptables.IPVersion, chain string) []string {
-	iptable := iptables.GetIptable(ipVer)
+func getRules(t *testing.T, chain string) []string {
+	iptable := iptables.GetIptable(iptables.IPv4)
 
 	t.Helper()
 	output, err := iptable.Raw("-S", chain)
@@ -104,13 +95,10 @@ func getRules(t *testing.T, ipVer iptables.IPVersion, chain string) []string {
 }
 
 func resetIptables(t *testing.T) {
-	t.Helper()
-
-	for _, ipVer := range []iptables.IPVersion{iptables.IPv4, iptables.IPv6} {
-		iptable := iptables.GetIptable(ipVer)
+	iptable := iptables.GetIptable(iptables.IPv4)
 
-		_, err := iptable.Raw("-F", fwdChainName)
-		assert.Check(t, err)
-		_ = iptable.RemoveExistingChain(usrChainName, "")
-	}
+	t.Helper()
+	_, err := iptable.Raw("-F", fwdChainName)
+	assert.NilError(t, err)
+	_ = iptable.RemoveExistingChain(usrChainName, "")
 }