Limited bridge netfilter application.

libnetwork uses the br-netfilter module to allow filtering of packets passing through a bridge. To do so, it sets /proc/sys/net/bridge/bridge-nf-call-ip[6]tables to 1, forcing iptables for every bridge on the system, whether this is desired or not. This overrides anything set in /etc/sysctl.conf. This change prevents libnetwork from setting the system-wide /proc/sys/net/bridge/bridge-nf-call-ip[6]tables and instead sets /sys/class/net/<bridge-name>/bridge/nf_call_ip[6]tables for each bridge which has ICC disabled. Note that this does introduce a change in the behaviour of docker. For a default network configuration, with the existing behaviour, both `docker_gwbridge` and `docker0` bridges have iptables enabled while this change results in `docker_gwbridge` having iptables enabled but `docker0` having iptables disabled, because ICC is enabled by default. As far as I can tell, iptables should not be enabled on the `docker0` bridge when ICC is enabled (the code which implements this seems to assume that iptables is enabled per-bridge and not systemwide) so I think this change is correct, but it is still a change in behaviour. Signed-off-by: Tom Cook <[email protected]>
moby · Jan 8, 2020 · 446b688 · 446b688
1 parent feeff4f
commit 446b688
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/drivers/bridge/setup_bridgenetfiltering.go b/drivers/bridge/setup_bridgenetfiltering.go
@@ -64,11 +64,11 @@ func checkBridgeNetFiltering(config *networkConfiguration, i *bridgeInterface) e
 		if err != nil {
 			logrus.Warnf("failed to check %s forwarding: %v", ipVerName, err)
 		} else if enabled {
-			enabled, err := getKernelBoolParam(getBridgeNFKernelParam(ipVer))
+			enabled, err := getKernelBoolParam(getBridgeNFKernelParam(ipVer, iface))
 			if err != nil || enabled {
 				return err
 			}
-			return setKernelBoolParam(getBridgeNFKernelParam(ipVer), true)
+			return setKernelBoolParam(getBridgeNFKernelParam(ipVer, iface), true)
 		}
 		return nil
 	}
@@ -108,12 +108,12 @@ func getForwardingKernelParam(ipVer ipVersion, iface string) string {
 
 // Get kernel param path saying whether bridged IPv${ipVer} traffic shall be
 // passed to ip${ipVer}tables' chains.
-func getBridgeNFKernelParam(ipVer ipVersion) string {
+func getBridgeNFKernelParam(ipVer ipVersion, bridgeName string) string {
 	switch ipVer {
 	case ipv4:
-		return "/proc/sys/net/bridge/bridge-nf-call-iptables"
+		return fmt.Sprintf("/sys/class/net/%s/bridge/nf_call_iptables", bridgeName)
 	case ipv6:
-		return "/proc/sys/net/bridge/bridge-nf-call-ip6tables"
+		return fmt.Sprintf("/sys/class/net/%s/bridge/nf_call_ip6tables", bridgeName)
 	default:
 		return ""
 	}