func (n *bridgeNetwork) setupIPv6Tables(config *networkConfiguration, i *bridgeInterface) error { d := n.driver d.Lock() driverConfig := d.config d.Unlock() // Sanity check. if driverConfig.EnableIPTables == false { return fmt.Errorf("Cannot program chains, EnableIPTable is disabled") } // Pickup this configuraton option from driver hairpinMode := !driverConfig.EnableUserlandProxy if config.Internal { return fmt.Errorf("Internal IPv6 network not supported by public IPv6 bridge") } else { filterChain, _, err := n.getDriver6Chains() if err != nil { return fmt.Errorf("Failed to setup IP tables, cannot acquire chain info %s", err.Error()) } err = iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode, true) if err != nil { return fmt.Errorf("Failed to program FILTER chain: %s", err.Error()) } n.registerIptCleanFunc(func() error { return iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode, false) }) } if err := ensureJumpRule(iptables.IP6Tables, "FORWARD", IsolationChain); err != nil { return err } return nil }
func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInterface) error { d := n.driver d.Lock() driverConfig := d.config d.Unlock() // Sanity check. if driverConfig.EnableIPTables == false { return fmt.Errorf("Cannot program chains, EnableIPTable is disabled") } // Pickup this configuraton option from driver hairpinMode := !driverConfig.EnableUserlandProxy addrv4, _, err := netutils.GetIfaceAddr(config.BridgeName) if err != nil { return fmt.Errorf("Failed to setup IP tables, cannot acquire Interface address: %s", err.Error()) } ipnet := addrv4.(*net.IPNet) maskedAddrv4 := &net.IPNet{ IP: ipnet.IP.Mask(ipnet.Mask), Mask: ipnet.Mask, } if config.Internal { if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv4, true); err != nil { return fmt.Errorf("Failed to Setup IP tables: %s", err.Error()) } n.registerIptCleanFunc(func() error { return setupInternalNetworkRules(config.BridgeName, maskedAddrv4, false) }) } else { if err = setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil { return fmt.Errorf("Failed to Setup IP tables: %s", err.Error()) } n.registerIptCleanFunc(func() error { return setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, false) }) natChain, filterChain, _, err := n.getDriverChains() if err != nil { return fmt.Errorf("Failed to setup IP tables, cannot acquire chain info %s", err.Error()) } err = iptables.ProgramChain(natChain, config.BridgeName, hairpinMode, true) if err != nil { return fmt.Errorf("Failed to program NAT chain: %s", err.Error()) } err = iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode, true) if err != nil { return fmt.Errorf("Failed to program FILTER chain: %s", err.Error()) } n.registerIptCleanFunc(func() error { return iptables.ProgramChain(filterChain, config.BridgeName, hairpinMode, false) }) n.portMapper.SetIptablesChain(natChain, n.getNetworkBridgeName()) } if err := ensureJumpRule(iptables.Iptables, "FORWARD", IsolationChain); err != nil { return err } return nil }