
     1  // +build linux
     2  
     3  package bridge
     4  
     5  import (
     6  	"fmt"
     7  	"io/ioutil"
     8  
     9  	"github.com/docker/docker/libnetwork/iptables"
    10  	"github.com/sirupsen/logrus"
    11  )
    12  
const (
	// ipv4ForwardConf is the procfs sysctl entry that controls IPv4 forwarding
	// for the whole host; this file both reads and writes it.
	ipv4ForwardConf = "/proc/sys/net/ipv4/ip_forward"
	// ipv4ForwardConfPerm is the mode handed to ioutil.WriteFile for that
	// entry (WriteFile only applies it if it has to create the file).
	ipv4ForwardConfPerm = 0644
)
    17  
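// configureIPForwarding writes the host IPv4 forwarding sysctl
// (ipv4ForwardConf): "1\n" when enable is true, "0\n" otherwise.
//
// The value is written as an explicit ASCII digit. The zero value of a byte
// is NUL (0x00), not '0', so a bare `var val byte` would write "\x00\n" when
// disabling, which is not a decimal digit and is not what an integer sysctl
// expects.
//
// The error from ioutil.WriteFile is returned unwrapped; callers add their
// own context.
func configureIPForwarding(enable bool) error {
	val := byte('0')
	if enable {
		val = '1'
	}
	return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
}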
    25  
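// setupIPForwarding enables IPv4 forwarding on the host if it is not already
// enabled and, when the matching daemon iptables option is on, sets the
// default policy of the filter FORWARD chain to DROP so that turning
// forwarding on does not silently let the host route traffic between all of
// its interfaces. The DROP policy is re-applied on every firewall reload.
//
// enableIPTables governs the IPv4 FORWARD policy; enableIP6Tables governs the
// IPv6 FORWARD policy. IPv6 forwarding itself is not touched here (see
// setupIPv6Forwarding in setup_ipv6).
//
// Note that the IPv4 DROP policy is only installed on the transition from
// disabled to enabled: if ip_forward already reads 1 the existing FORWARD
// policy is left as it is. A failure to set the IPv4 policy rolls forwarding
// back and is returned; a failure to set the IPv6 policy is only logged.
//
// An error is returned when the sysctl cannot be read, when forwarding cannot
// be enabled, or when the IPv4 DROP policy cannot be set.
func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {
	// Get current IPv4 forward setup
	ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
	if err != nil {
		return fmt.Errorf("Cannot read IP forwarding setup: %v", err)
	}

	// Enable IPv4 forwarding only if it is not already enabled. An empty
	// read is treated as "not enabled" instead of indexing out of range.
	if len(ipv4ForwardData) == 0 || ipv4ForwardData[0] != '1' {
		// Enable IPv4 forwarding
		if err := configureIPForwarding(true); err != nil {
			return fmt.Errorf("Enabling IP forwarding failed: %v", err)
		}
		// When enabling ip_forward set the default policy on forward chain to
		// drop only if the daemon option iptables is not set to false.
		if enableIPTables {
			iptable := iptables.GetIptable(iptables.IPv4)
			if err := setForwardDropPolicy(iptable); err != nil {
				// Do not leave forwarding enabled without the DROP policy:
				// roll back to the state we found. The inner err is scoped to
				// this if; the policy error is what gets returned.
				if err := configureIPForwarding(false); err != nil {
					logrus.Errorf("Disabling IP forwarding failed, %v", err)
				}
				return err
			}
			reapplyForwardDropOnReload(iptable)
		}
	}

	// add only iptables rules - forwarding is handled by setupIPv6Forwarding in setup_ipv6
	if enableIP6Tables {
		iptable := iptables.GetIptable(iptables.IPv6)
		if err := setForwardDropPolicy(iptable); err != nil {
			// This is the initial set, not a reload; the message used to say
			// "on firewall reload", which was misleading in the logs.
			logrus.Warnf("Setting the default DROP policy on the IPv6 FORWARD chain failed, %v", err)
		}
		reapplyForwardDropOnReload(iptable)
	}

	return nil
}

// setForwardDropPolicy sets the default policy of the filter FORWARD chain of
// the given table to DROP.
func setForwardDropPolicy(iptable *iptables.IPTable) error {
	return iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop)
}

// reapplyForwardDropOnReload registers a firewall-reload hook that re-sets the
// FORWARD DROP policy on the given table, logging (but not failing) on error,
// so that an external firewall restart does not leave the chain at ACCEPT.
func reapplyForwardDropOnReload(iptable *iptables.IPTable) {
	iptables.OnReloaded(func() {
		logrus.Debug("Setting the default DROP policy on firewall reload")
		if err := setForwardDropPolicy(iptable); err != nil {
			logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
		}
	})
}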