// setupFirewalld arranges for this network's iptables programming to be
// replayed after a firewall reload: first the per-network rules
// (n.setupIPTables), then the published-port mappings (n.portMapper.ReMapAll).
//
// It refuses to register anything when iptables management is disabled for the
// network, returning IPTableCfgError for the bridge, since there would be no
// rules to re-apply. Nothing is applied immediately; only the reload hooks are
// registered.
//
// NOTE(review): the reload hook passes through whatever setupIPTables returns
// without observing it, so a failed re-application after a reload is not
// reported from here.
func (n *bridgeNetwork) setupFirewalld(config *networkConfiguration, i *bridgeInterface) error {
	// Nothing to replay if iptables handling is off for this network.
	if !config.EnableIPTables {
		return IPTableCfgError(config.BridgeName)
	}

	replayRules := func() { n.setupIPTables(config, i) }
	iptables.OnReloaded(replayRules)
	iptables.OnReloaded(n.portMapper.ReMapAll)

	return nil
}
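// setupIPForwarding enables IPv4 forwarding on the host if it is not already on.
//
// Enabling ip_forward makes the host route packets between all of its
// interfaces, so when this function is the one that turns it on and the daemon
// is managing iptables (enableIPTables == true), it also sets the filter
// FORWARD chain's default policy to DROP and re-applies that policy after a
// firewall reload, so that only traffic explicitly allowed by the driver's
// rules is forwarded. When enableIPTables is false, forwarding is enabled
// without touching the FORWARD policy; the operator is then responsible for
// the host's forwarding policy.
//
// If ip_forward is already enabled, nothing is changed: the existing FORWARD
// policy is left as-is and no reload hook is registered.
//
// Returns an error if the sysctl cannot be read, forwarding cannot be enabled,
// or the DROP policy cannot be set; in the last case the forwarding change is
// rolled back (best effort, logged on failure) before the error is returned.
func setupIPForwarding(enableIPTables bool) error {
	// Read the current IPv4 forwarding setting.
	ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
	if err != nil {
		return fmt.Errorf("Cannot read IP forwarding setup: %v", err)
	}

	// Only touch the setting if it is not already enabled. An empty file is
	// treated as "not enabled" instead of indexing into an empty slice.
	if len(ipv4ForwardData) == 0 || ipv4ForwardData[0] != '1' {
		if err := configureIPForwarding(true); err != nil {
			return fmt.Errorf("Enabling IP forwarding failed: %v", err)
		}
		// Set the FORWARD default policy to DROP only when the daemon is
		// managing iptables; otherwise leave the host's policy untouched.
		if !enableIPTables {
			return nil
		}
		if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
			// Do not leave forwarding enabled without the DROP policy that was
			// supposed to accompany it: roll back before reporting the error.
			if rbErr := configureIPForwarding(false); rbErr != nil {
				logrus.Errorf("Disabling IP forwarding failed, %v", rbErr)
			}
			return err
		}
		// The default policy may not survive a firewall reload; re-apply it.
		iptables.OnReloaded(func() {
			logrus.Debug("Setting the default DROP policy on firewall reload")
			if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
				logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
			}
		})
	}
	return nil
}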
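// configure initialises the bridge driver from the generic driver options.
//
// The configuration is read from option[netlabel.GenericData], accepted either
// as an options.Generic map (decoded into a *configuration) or as an already
// built *configuration. A missing or nil entry is a no-op; any other type is
// rejected with ErrInvalidDriverConfig.
//
// When EnableIPForwarding is set, host IP forwarding is set up. When
// EnableIPTables is set, any pre-existing driver chains are removed, the NAT,
// filter and isolation chains are created, and their re-creation is registered
// to run on firewall reload. The chains and config are then stored on the
// driver under its lock, and the driver's store is initialised from option.
//
// Returns the first error encountered; on error the driver's fields are left
// unchanged (the lock-protected assignment happens only after setup succeeds).
func (d *driver) configure(option map[string]interface{}) error {
	var (
		config         *configuration
		err            error
		natChain       *iptables.ChainInfo
		filterChain    *iptables.ChainInfo
		isolationChain *iptables.ChainInfo
	)

	genericData, ok := option[netlabel.GenericData]
	if !ok || genericData == nil {
		return nil
	}

	switch opt := genericData.(type) {
	case options.Generic:
		opaqueConfig, err := options.GenerateFromModel(opt, &configuration{})
		if err != nil {
			return err
		}
		config = opaqueConfig.(*configuration)
	case *configuration:
		config = opt
	default:
		return &ErrInvalidDriverConfig{}
	}

	if config.EnableIPForwarding {
		err = setupIPForwarding()
		if err != nil {
			return err
		}
	}

	if config.EnableIPTables {
		// Start from a clean slate so chains left over from a previous run do
		// not linger, then create the chains this driver relies on.
		removeIPChains()
		natChain, filterChain, isolationChain, err = setupIPChains(config)
		if err != nil {
			return err
		}
		// Make sure on firewall reload, first thing being re-played is chains
		// creation. A failure here is logged rather than dropped silently:
		// without these chains the driver's NAT and isolation rules that are
		// replayed afterwards have nothing to attach to.
		iptables.OnReloaded(func() {
			logrus.Debugf("Recreating iptables chains on firewall reload")
			if _, _, _, err := setupIPChains(config); err != nil {
				logrus.Warnf("Recreating iptables chains on firewall reload failed, %v", err)
			}
		})
	}

	d.Lock()
	d.natChain = natChain
	d.filterChain = filterChain
	d.isolationChain = isolationChain
	d.config = config
	d.Unlock()

	err = d.initStore(option)
	if err != nil {
		return err
	}

	return nil
}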
// Enable applies the link's iptables rules (presumably connecting the parent
// and child containers on l.ports over l.bridge; see linkContainers) and
// registers the same application to run again after a firewall reload.
//
// The reload hook is registered before the initial application, so it stays
// registered even if that initial application fails. iptables.OnReloaded takes
// a plain func(), so any error from the reload-time re-application has nowhere
// to go and is discarded; only the error from the initial application is
// returned to the caller.
func (l *link) Enable() error {
	// "-A" is the iptables append flag.
	addRules := func() error {
		return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
	}

	iptables.OnReloaded(func() { _ = addRules() })

	return addRules()
}
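// configure initialises the bridge driver from the generic driver options.
//
// The configuration is read from option[netlabel.GenericData], accepted either
// as an options.Generic map (decoded into a *configuration) or as an already
// built *configuration. A missing or nil entry is a no-op; any other type is
// rejected with ErrInvalidDriverConfig.
//
// When EnableIPForwarding is set, host IP forwarding is set up. When
// EnableIPTables is set, the bridge and br_netfilter kernel modules are loaded
// via modprobe if /proc/sys/net/bridge is absent (failure only warns), any
// pre-existing driver chains are removed, the NAT, filter and isolation chains
// are created, and their re-creation is registered to run on firewall reload.
// The chains and config are then stored on the driver under its lock, and the
// driver's store is initialised from option.
//
// Returns the first error encountered; on error the driver's fields are left
// unchanged (the lock-protected assignment happens only after setup succeeds).
func (d *driver) configure(option map[string]interface{}) error {
	var (
		config         *configuration
		err            error
		natChain       *iptables.ChainInfo
		filterChain    *iptables.ChainInfo
		isolationChain *iptables.ChainInfo
	)

	genericData, ok := option[netlabel.GenericData]
	if !ok || genericData == nil {
		return nil
	}

	switch opt := genericData.(type) {
	case options.Generic:
		opaqueConfig, err := options.GenerateFromModel(opt, &configuration{})
		if err != nil {
			return err
		}
		config = opaqueConfig.(*configuration)
	case *configuration:
		config = opt
	default:
		return &ErrInvalidDriverConfig{}
	}

	if config.EnableIPForwarding {
		err = setupIPForwarding()
		if err != nil {
			return err
		}
	}

	if config.EnableIPTables {
		// /proc/sys/net/bridge only appears once the bridge netfilter modules
		// are loaded; try to load them with fixed arguments (no user input).
		// NOTE(review): a failure here is only a warning; if br_netfilter is
		// not loaded, bridged traffic may not be seen by the iptables rules set
		// up below — confirm whether warning is sufficient for this deployment.
		if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
			if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
				logrus.Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
			}
		}
		// Start from a clean slate so chains left over from a previous run do
		// not linger, then create the chains this driver relies on.
		removeIPChains()
		natChain, filterChain, isolationChain, err = setupIPChains(config)
		if err != nil {
			return err
		}
		// Make sure on firewall reload, first thing being re-played is chains
		// creation. A failure here is logged rather than dropped silently:
		// without these chains the driver's NAT and isolation rules that are
		// replayed afterwards have nothing to attach to.
		iptables.OnReloaded(func() {
			logrus.Debugf("Recreating iptables chains on firewall reload")
			if _, _, _, err := setupIPChains(config); err != nil {
				logrus.Warnf("Recreating iptables chains on firewall reload failed, %v", err)
			}
		})
	}

	d.Lock()
	d.natChain = natChain
	d.filterChain = filterChain
	d.isolationChain = isolationChain
	d.config = config
	d.Unlock()

	err = d.initStore(option)
	if err != nil {
		return err
	}

	return nil
}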