package bridge
import (
"fmt"
"io/ioutil"
"github.com/docker/libnetwork/iptables"
"github.com/sirupsen/logrus"
)
const (
	// ipv4ForwardConf is the kernel sysctl file that holds the IPv4
	// forwarding switch ('1' = forwarding on, '0' = off).
	ipv4ForwardConf = "/proc/sys/net/ipv4/ip_forward"
	// ipv4ForwardConfPerm is the mode handed to WriteFile when rewriting
	// ipv4ForwardConf; WriteFile needs a mode even though the file exists.
	ipv4ForwardConfPerm = 0644
)
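// configureIPForwarding writes the kernel's IPv4 forwarding switch
// (ipv4ForwardConf): '1' turns forwarding on, '0' turns it off.
//
// The file is rewritten as "<digit>\n" with ipv4ForwardConfPerm. Any error
// from ioutil.WriteFile (typically permission denied or a missing procfs
// entry) is returned unchanged for the caller to wrap.
func configureIPForwarding(enable bool) error {
	// The disable path must write an explicit ASCII '0'. The zero value of a
	// Go byte is NUL (0x00), not '0', so the earlier "var val byte" form
	// handed the sysctl a non-digit and could not reliably turn forwarding
	// off — which matters because this is the rollback used when tightening
	// the FORWARD policy fails.
	val := byte('0')
	if enable {
		val = '1'
	}
	return ioutil.WriteFile(ipv4ForwardConf, []byte{val, '\n'}, ipv4ForwardConfPerm)
}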
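// setupIPForwarding enables IPv4 forwarding in the kernel if it is not already
// on and, where the matching daemon option allows it, pins the filter table's
// FORWARD chain to a default DROP policy so that switching forwarding on does
// not leave the host as an open router between its interfaces. The DROP policy
// is re-applied from an iptables reload hook.
//
// enableIPTables gates the IPv4 policy change; enableIP6Tables gates the IPv6
// one. IPv6 forwarding itself is not touched here (see setupIPv6Forwarding in
// setup_ipv6).
//
// Note that the IPv4 DROP policy is only installed on the transition from
// "off" to "on": if ip_forward was already '1' before the daemon started, the
// FORWARD chain's existing policy is left as it is.
//
// Returns an error if the IPv4 forwarding state cannot be read or enabled, or
// if the IPv4 FORWARD policy cannot be set (forwarding is then rolled back to
// off). IPv6 policy failures are logged, not returned.
func setupIPForwarding(enableIPTables bool, enableIP6Tables bool) error {
	// Get current IPv4 forward setup
	ipv4ForwardData, err := ioutil.ReadFile(ipv4ForwardConf)
	if err != nil {
		return fmt.Errorf("Cannot read IP forwarding setup: %v", err)
	}

	// Enable IPv4 forwarding only if it is not already enabled. An empty read
	// counts as "not enabled" instead of indexing past the end of the buffer.
	if len(ipv4ForwardData) == 0 || ipv4ForwardData[0] != '1' {
		// Enable IPv4 forwarding
		if err := configureIPForwarding(true); err != nil {
			return fmt.Errorf("Enabling IP forwarding failed: %v", err)
		}

		// When enabling ip_forward set the default policy on forward chain to
		// drop only if the daemon option iptables is not set to false.
		if enableIPTables {
			iptable := iptables.GetIptable(iptables.IPv4)
			if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
				// Roll back so forwarding is not left on with a FORWARD
				// policy we failed to tighten. The rollback error is logged
				// only; the policy error is the one reported to the caller.
				if rbErr := configureIPForwarding(false); rbErr != nil {
					logrus.Errorf("Disabling IP forwarding failed, %v", rbErr)
				}
				return err
			}
			// NOTE(review): every call registers one more reload callback;
			// if this function runs per network rather than once per daemon,
			// the hooks accumulate — confirm the caller's cadence.
			iptables.OnReloaded(func() {
				logrus.Debug("Setting the default DROP policy on firewall reload")
				if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
					logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
				}
			})
		}
	}

	// add only iptables rules - forwarding is handled by setupIPv6Forwarding in setup_ipv6
	if enableIP6Tables {
		iptable := iptables.GetIptable(iptables.IPv6)
		// Unlike the IPv4 path, a failure here is a warning rather than an
		// error. The message no longer claims it happened "on firewall
		// reload", which was a copy of the hook's text.
		if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
			logrus.Warnf("Setting the default DROP policy on IPv6 FORWARD chain failed, %v", err)
		}
		iptables.OnReloaded(func() {
			logrus.Debug("Setting the default DROP policy on firewall reload")
			if err := iptable.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
				logrus.Warnf("Setting the default DROP policy on firewall reload failed, %v", err)
			}
		})
	}
	return nil
}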