From d0ca14bb599d9a292189f76449a5accea570cf6e Mon Sep 17 00:00:00 2001
From: Yves Blusseau <90z7oey02@sneakemail.com>
Date: Wed, 24 Feb 2016 13:43:32 +0100
Subject: [PATCH] Fix bad order of iptables filter rules
Rules with ctstate RELATED,ESTABLISHED must be create before same rules without ctstate.
Signed-off-by: Yves Blusseau <90z7oey02@sneakemail.com>
---
 drivers/bridge/setup_ip_tables.go | 6 ------
 drivers/bridge/setup_ip_tables_test.go | 2 +-
 iptables/iptables.go | 20 ++++++++++++++++++++
 3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/drivers/bridge/setup_ip_tables.go b/drivers/bridge/setup_ip_tables.go
index 78ab10f053..810fe26d2e 100644
--- a/drivers/bridge/setup_ip_tables.go
+++ b/drivers/bridge/setup_ip_tables.go
@@ -136,7 +136,6 @@ func setupIPTablesInternal(bridgeIface string, addr net.Addr, icc, ipmasq, hairp
 hpNatRule = iptRule{table: iptables.Nat, chain: "POSTROUTING", preArgs: []string{"-t", "nat"}, args: []string{"-m", "addrtype", "--src-type", "LOCAL", "-o", bridgeIface, "-j", "MASQUERADE"}}
 skipDNAT = iptRule{table: iptables.Nat, chain: DockerChain, preArgs: []string{"-t", "nat"}, args: []string{"-i", bridgeIface, "-j", "RETURN"}}
 outRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", bridgeIface, "!", "-o", bridgeIface, "-j", "ACCEPT"}}
- inRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", bridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}
 )
 // Set NAT.
@@ -169,11 +168,6 @@ func setupIPTablesInternal(bridgeIface string, addr net.Addr, icc, ipmasq, hairp
 return err
 }
- // Set Accept on incoming packets for existing connections.
- if err := programChainRule(inRule, "ACCEPT INCOMING", enable); err != nil {
- return err
- }
-
 return nil
 }
diff --git a/drivers/bridge/setup_ip_tables_test.go b/drivers/bridge/setup_ip_tables_test.go
index 983f225f36..50c97622e8 100644
--- a/drivers/bridge/setup_ip_tables_test.go
+++ b/drivers/bridge/setup_ip_tables_test.go
@@ -25,8 +25,8 @@ func TestProgramIPTable(t *testing.T) {
 }{
 {iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-d", "127.1.2.3", "-i", "lo", "-o", "lo", "-j", "DROP"}}, "Test Loopback"},
 {iptRule{table: iptables.Nat, chain: "POSTROUTING", preArgs: []string{"-t", "nat"}, args: []string{"-s", iptablesTestBridgeIP, "!", "-o", DefaultBridgeName, "-j", "MASQUERADE"}}, "NAT Test"},
- {iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
 {iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", DefaultBridgeName, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}, "Test ACCEPT INCOMING"},
+ {iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
 {iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test enable ICC"},
 {iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "DROP"}}, "Test disable ICC"},
 }
diff --git a/iptables/iptables.go b/iptables/iptables.go
index f6ddaed775..1d00c4b9c9 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
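Review bot: Reordering the cases in TestProgramIPTable does not exercise the ordering this commit fixes: the driver no longer programs the RELATED,ESTABLISHED rule (that code is removed from setup_ip_tables.go and re-created inside iptables.ProgramChain), and this table only programs each rule in turn without asserting their relative position in FORWARD. A test on ProgramChain that checks the conntrack rule appears before the per-bridge ACCEPT rule in the output of `Raw("-S", "FORWARD")` would pin the fix; the "Test ACCEPT INCOMING" case can stay as a generic programChainRule check. TestProgramIPTable continues outside the hunk.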
@@ -181,6 +181,26 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err
 }
 }
+ establish := []string{
+ "-o", bridgeName,
+ "-m", "conntrack",
+ "--ctstate", "RELATED,ESTABLISHED",
+ "-j", "ACCEPT"}
+ if !Exists(Filter, "FORWARD", establish...) && enable {
+ insert := append([]string{string(Insert), "FORWARD"}, establish...)
+ if output, err := Raw(insert...); err != nil {
+ return err
+ } else if len(output) != 0 {
+ return fmt.Errorf("Could not create establish rule to %s: %s", c.Table, output)
+ }
+ } else if Exists(Filter, "FORWARD", establish...) && !enable {
+ del := append([]string{string(Delete), "FORWARD"}, establish...)
+ if output, err := Raw(del...); err != nil {
+ return err
+ } else if len(output) != 0 {
+ return fmt.Errorf("Could not delete establish rule from %s: %s", c.Table, output)
+ }
+ }
 }
 return nil
}
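Review bot: Both fmt.Errorf calls report c.Table, but the rule is always inserted into and deleted from the Filter table's FORWARD chain regardless of which ChainInfo ProgramChain was called with, so the message is misleading, and if ProgramChain is also invoked for a nat ChainInfo (as formatting c.Table suggests) the block runs for that call too; consider guarding it with `if c.Table == Filter` and naming FORWARD in the messages. Exists is also evaluated twice with the same arguments; hoist it as `exists := Exists(Filter, "FORWARD", establish...)` and test `!exists && enable` and `exists && !enable`. Assuming Insert maps to `-I` without a position, the rule lands at the very top of FORWARD, ahead of any rules an administrator already placed there; that is what guarantees it precedes the per-bridge ACCEPT rules, but it deserves a comment such as `// Inserted at the head of FORWARD so it precedes the per-bridge ACCEPT rules (and anything else already in the chain).` ProgramChain begins outside the hunk.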