We use cookies to ensure you get the best experience on our website
탐색 도움말
가입하기 로그인
0ct0pu5
/
moby
1
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
소스 검색

libnet/d/bridge: Allow IPv6 ICC from any IP address

IPv6 ipt rules are exactly the same as IPv4 rules, although both
protocol don't use the same networking model. This has bad consequences,
for instance: 1. the current v6 rules disallow Neighbor
Solication/Advertisement ; 2. multicast addresses can't be used ; 3.
link-local addresses are blocked too.

To solve this, this commit changes the following rules:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
```

into:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c   -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64   -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP
```

These rules only limit the traffic ingressing/egressing the bridge, but
not traffic between veth on the same bridge.

Note that, the Kernel takes care of dropping invalid IPv6 packets, eg.
loopback spoofing, thus these rules don't need to be more specific.

Solve #45460.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
(cherry picked from commit da9e44a620db39307f5548a1451be9c434c5b34d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Albin Kerouanton 2 년 전
부모
c370341900
커밋
b7d1e98ae7
1개의 변경된 파일15개의 추가작업 그리고 8개의 파일을 삭제
분할 보기 변경상태 보기
  1. 15 8
      libnetwork/drivers/bridge/setup_ip_tables.go

+ 15 - 8
libnetwork/drivers/bridge/setup_ip_tables.go
파일 보기 

@@ -397,15 +397,21 @@ func removeIPChains(version iptables.IPVersion) {
 
 }
 
 
 func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert bool) error {
 
-	var (
 
-		inDropRule  = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
 
-		outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
 
-	)
 
-
 
-	version := iptables.IPv4
 
-
 
-	if addr.IP.To4() == nil {
 
+	var version iptables.IPVersion
 
+	var inDropRule, outDropRule iptRule
 
+
 
+	if addr.IP.To4() != nil {
 
+		version = iptables.IPv4
 
+		inDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{
 
+			"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
 
+		outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{
 
+			"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
 
+	} else {
 
 		version = iptables.IPv6
 
+		inDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{
 
+			"-i", bridgeIface, "!", "-o", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
 
+		outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{
 
+			"!", "-i", bridgeIface, "-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
 
 	}
 
 
 	if err := programChainRule(version, inDropRule, "DROP INCOMING", insert); err != nil {
 
@@ -414,6 +420,7 @@ func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert
 
 	if err := programChainRule(version, outDropRule, "DROP OUTGOING", insert); err != nil {
 
 		return err
 
 	}
 
+
 
 	// Set Inter Container Communication.
 
 	return setIcc(version, bridgeIface, icc, insert)
 
 }

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5