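// setupFirewalld registers the bridge network's iptables setup and its port
// mappings to be re-applied whenever the firewall is reloaded, so that a
// reload does not leave the bridge running without its rules.
//
// It returns an IPTableCfgError when the network was configured with iptables
// disabled, since there is then nothing to re-apply on reload.
func (n *bridgeNetwork) setupFirewalld(config *networkConfiguration, i *bridgeInterface) error {
	// Sanity check: the reload hooks only make sense when iptables is in use.
	if !config.EnableIPTables {
		return IPTableCfgError(config.BridgeName)
	}

	// Registered in this order: per-network rules, then the port mappings.
	// NOTE(review): any error from setupIPTables is not surfaced from the
	// reload callback — confirm setupIPTables reports its own failures.
	iptables.OnReloaded(func() { n.setupIPTables(config, i) })
	iptables.OnReloaded(n.portMapper.ReMapAll)

	return nil
}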
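// setupIPForwarding enables IPv4 forwarding on the host if it is not already
// enabled. Because forwarding without a restrictive FORWARD chain lets the host
// relay packets between interfaces unfiltered, the FORWARD chain's default
// policy is set to DROP in the same step when enableIPTables is true; if that
// fails, forwarding is switched back off and the error is returned.
//
// When enableIPTables is false, forwarding is enabled and the FORWARD policy is
// left untouched (the daemon's iptables option is set to false).
//
// The DROP policy is also re-applied on firewall reload, but only when this
// call is the one that enabled forwarding.
func setupIPForwarding(enableIPTables bool) error {
	// Get current IPv4 forward setup.
	ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
	if err != nil {
		return fmt.Errorf("Cannot read IP forwarding setup: %v", err)
	}

	// Enable IPv4 forwarding only if it is not already enabled. An empty read
	// is treated as "not enabled" instead of being indexed blindly, which
	// would panic.
	if len(ipv4ForwardData) > 0 && ipv4ForwardData[0] == '1' {
		return nil
	}

	if err := configureIPForwarding(true); err != nil {
		return fmt.Errorf("Enabling IP forwarding failed: %v", err)
	}

	// When enabling ip_forward set the default policy on forward chain to
	// drop only if the daemon option iptables is not set to false.
	if !enableIPTables {
		return nil
	}

	if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
		// Roll back so forwarding is not left on without the DROP policy;
		// the original policy error is what the caller gets.
		if rbErr := configureIPForwarding(false); rbErr != nil {
			logrus.Errorf("Disabling IP forwarding failed, %v", rbErr)
		}
		return err
	}

	iptables.OnReloaded(func() {
		logrus.Debug("Setting the default DROP policy on firewall reload")
		if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
			logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
		}
	})

	return nil
}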
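// configure applies the driver-level options passed under netlabel.GenericData.
//
// The configuration may arrive either as an options.Generic map, which is
// decoded into a *configuration, or as a ready-made *configuration; any other
// type is rejected with ErrInvalidDriverConfig. A missing GenericData entry is
// not an error and leaves the driver unconfigured.
//
// With EnableIPForwarding set, host IP forwarding is enabled. With
// EnableIPTables set, the driver's iptables chains are removed and recreated,
// and their recreation is registered to be replayed on firewall reload before
// the hooks that populate them. The chains and config are then published under
// the driver lock and the datastore is initialised from the same options.
func (d *driver) configure(option map[string]interface{}) error {
	var (
		config         *configuration
		err            error
		natChain       *iptables.ChainInfo
		filterChain    *iptables.ChainInfo
		isolationChain *iptables.ChainInfo
	)

	genericData, ok := option[netlabel.GenericData]
	if !ok || genericData == nil {
		return nil
	}

	switch opt := genericData.(type) {
	case options.Generic:
		opaqueConfig, err := options.GenerateFromModel(opt, &configuration{})
		if err != nil {
			return err
		}
		config = opaqueConfig.(*configuration)
	case *configuration:
		config = opt
	default:
		return &ErrInvalidDriverConfig{}
	}

	if config.EnableIPForwarding {
		if err = setupIPForwarding(); err != nil {
			return err
		}
	}

	if config.EnableIPTables {
		removeIPChains()
		natChain, filterChain, isolationChain, err = setupIPChains(config)
		if err != nil {
			return err
		}
		// Make sure on firewall reload, first thing being re-played is chains
		// creation. The callback has no caller to return to, so a failure to
		// recreate the chains is logged rather than dropped.
		iptables.OnReloaded(func() {
			logrus.Debugf("Recreating iptables chains on firewall reload")
			if _, _, _, err := setupIPChains(config); err != nil {
				logrus.Warnf("Recreating iptables chains on firewall reload failed: %v", err)
			}
		})
	}

	d.Lock()
	d.natChain = natChain
	d.filterChain = filterChain
	d.isolationChain = isolationChain
	d.config = config
	d.Unlock()

	return d.initStore(option)
}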
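// Enable installs this link's iptables rules via linkContainers with the
// append flag, and re-installs them whenever the firewall is reloaded.
//
// It returns the error from the initial installation. The reload re-install
// has no caller to report to, so its error is logged instead of dropped.
func (l *link) Enable() error {
	// -A == iptables append flag
	linkFunction := func() error {
		return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
	}

	iptables.OnReloaded(func() {
		if err := linkFunction(); err != nil {
			logrus.Warnf("Re-applying link rules on firewall reload failed: %v", err)
		}
	})

	return linkFunction()
}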
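// configure applies the driver-level options passed under netlabel.GenericData.
//
// The configuration may arrive either as an options.Generic map, which is
// decoded into a *configuration, or as a ready-made *configuration; any other
// type is rejected with ErrInvalidDriverConfig. A missing GenericData entry is
// not an error and leaves the driver unconfigured.
//
// With EnableIPForwarding set, host IP forwarding is enabled. With
// EnableIPTables set, the bridge netfilter module is loaded on a best-effort
// basis, the driver's iptables chains are removed and recreated, and their
// recreation is registered to be replayed on firewall reload before the hooks
// that populate them. The chains and config are then published under the
// driver lock and the datastore is initialised from the same options.
func (d *driver) configure(option map[string]interface{}) error {
	var (
		config         *configuration
		err            error
		natChain       *iptables.ChainInfo
		filterChain    *iptables.ChainInfo
		isolationChain *iptables.ChainInfo
	)

	genericData, ok := option[netlabel.GenericData]
	if !ok || genericData == nil {
		return nil
	}

	switch opt := genericData.(type) {
	case options.Generic:
		opaqueConfig, err := options.GenerateFromModel(opt, &configuration{})
		if err != nil {
			return err
		}
		config = opaqueConfig.(*configuration)
	case *configuration:
		config = opt
	default:
		return &ErrInvalidDriverConfig{}
	}

	if config.EnableIPForwarding {
		if err = setupIPForwarding(); err != nil {
			return err
		}
	}

	if config.EnableIPTables {
		// /proc/sys/net/bridge only exists once br_netfilter is loaded
		// (presumably what makes bridged traffic visible to iptables). The
		// module load uses fixed arguments only; a failure is logged and the
		// chain setup below proceeds regardless.
		if _, err := os.Stat("/proc/sys/net/bridge"); err != nil {
			if out, err := exec.Command("modprobe", "-va", "bridge", "br_netfilter").CombinedOutput(); err != nil {
				logrus.Warnf("Running modprobe bridge br_netfilter failed with message: %s, error: %v", out, err)
			}
		}

		removeIPChains()
		natChain, filterChain, isolationChain, err = setupIPChains(config)
		if err != nil {
			return err
		}
		// Make sure on firewall reload, first thing being re-played is chains
		// creation. The callback has no caller to return to, so a failure to
		// recreate the chains is logged rather than dropped.
		iptables.OnReloaded(func() {
			logrus.Debugf("Recreating iptables chains on firewall reload")
			if _, _, _, err := setupIPChains(config); err != nil {
				logrus.Warnf("Recreating iptables chains on firewall reload failed: %v", err)
			}
		})
	}

	d.Lock()
	d.natChain = natChain
	d.filterChain = filterChain
	d.isolationChain = isolationChain
	d.config = config
	d.Unlock()

	return d.initStore(option)
}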