From baaf2d8d01d65ec7c541e0651e62beb3e83aed06 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 11 Oct 2019 19:15:19 +0200
Subject: [PATCH 1/3] Revert "Configure iptables forward policy when ip forwarding is enabled"
This reverts commit d070217c5cb154b803189a51cdf6a4edeeccbdd3.
Signed-off-by: Sebastiaan van Stijn
---
 drivers/bridge/setup_ip_forwarding.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/bridge/setup_ip_forwarding.go b/drivers/bridge/setup_ip_forwarding.go
index 3db12bfd2f..10f61a1868 100644
--- a/drivers/bridge/setup_ip_forwarding.go
+++ b/drivers/bridge/setup_ip_forwarding.go
@@ -34,11 +34,11 @@ func setupIPForwarding(enableIPTables bool) error {
 if err := configureIPForwarding(true); err != nil {
 return fmt.Errorf("Enabling IP forwarding failed: %v", err)
 }
- }
-
- // Set the default policy on forward chain to drop only if the
- // daemon option iptables is not set to false.
- if enableIPTables {
+ // When enabling ip_forward set the default policy on forward chain to
+ // drop only if the daemon option iptables is not set to false.
+ if !enableIPTables {
+ return nil
+ }
 if err := iptables.SetDefaultPolicy(iptables.Filter, "FORWARD", iptables.Drop); err != nil {
 if err := configureIPForwarding(false); err != nil {
 logrus.Errorf("Disabling IP forwarding failed, %v", err)
From 57dadfccbd4382b38d4ad6f7bf2ad19417a18f18 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 11 Oct 2019 19:15:38 +0200
Subject: [PATCH 2/3] Revert "Move hasIPTablesEnabled check into firewall_linux.go"
This reverts commit a232658db31d1736a38721ed8d6508977f0a0e3e.
Signed-off-by: Sebastiaan van Stijn
---
 controller.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/controller.go b/controller.go
index 5a499aa428..0d7c299bdb 100644
--- a/controller.go
+++ b/controller.go
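Review bot: In setupIPForwarding (patch 1/3), the FORWARD default policy is now set only on the path that follows a successful `configureIPForwarding(true)`, so a host where forwarding was already switched on before the daemon started appears to keep whatever FORWARD policy it had, including ACCEPT. The new comment does not spell out that consequence; I would extend it with `// If ip_forward was already enabled on the host, the FORWARD policy is left untouched and is not set to DROP.` so operators know the drop policy must then come from the host's own firewall configuration. The enclosing `if` that decides whether forwarding needs enabling starts above the hunk and the function continues below it, so this reading should be confirmed against the full file.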
@@ -678,6 +678,29 @@ func (c *controller) isAgent() bool {
 return c.cfg.Daemon.ClusterProvider.IsAgent()
 }
+func (c *controller) hasIPTablesEnabled() bool {
+ c.Lock()
+ defer c.Unlock()
+
+ if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
+ return false
+ }
+
+ genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
+ if !ok {
+ return false
+ }
+
+ optMap := genericData.(map[string]interface{})
+
+ enabled, ok := optMap["EnableIPTables"].(bool)
+ if !ok {
+ return false
+ }
+
+ return enabled
+}
+
 func (c *controller) isDistributedControl() bool {
 return !c.isManager() && !c.isAgent()
 }
@@ -910,7 +933,9 @@ addToStore:
 c.Unlock()
 }
- c.arrangeUserFilterRule()
+ if c.hasIPTablesEnabled() {
+ c.arrangeUserFilterRule()
+ }
 return network, nil
 }
From 2dda3616cb4ccbd8459038bea0709d592a730758 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 11 Oct 2019 19:15:45 +0200
Subject: [PATCH 3/3] Revert "controller: Check if IPTables is enabled for arrangeUserFilterRule"
This reverts commit 5e34060735b93be498375093269615cbf606ecf5.
Signed-off-by: Sebastiaan van Stijn
---
 controller.go | 27 +--------------------------
 1 file changed, 1 insertion(+), 26 deletions(-)
diff --git a/controller.go b/controller.go
index 0d7c299bdb..5a499aa428 100644
--- a/controller.go
+++ b/controller.go
@@ -678,29 +678,6 @@ func (c *controller) isAgent() bool {
 return c.cfg.Daemon.ClusterProvider.IsAgent()
 }
-func (c *controller) hasIPTablesEnabled() bool {
- c.Lock()
- defer c.Unlock()
-
- if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
- return false
- }
-
- genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
- if !ok {
- return false
- }
-
- optMap := genericData.(map[string]interface{})
-
- enabled, ok := optMap["EnableIPTables"].(bool)
- if !ok {
- return false
- }
-
- return enabled
-}
-
 func (c *controller) isDistributedControl() bool {
 return !c.isManager() && !c.isAgent()
 }
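Review bot: In hasIPTablesEnabled (patch 2/3, first controller.go hunk), `optMap := genericData.(map[string]interface{})` is an unchecked type assertion and panics if the generic driver config holds any other type, while the `EnableIPTables` lookup two lines later already uses the comma-ok form. I would write `optMap, ok := genericData.(map[string]interface{})` followed by `if !ok { return false }`. The explicit `== nil` test on the map entry also makes the later `ok` check on the same key redundant. Patch 3/3 removes this function again, so this matters only where 2/3 is applied or bisected on its own.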
@@ -933,9 +910,7 @@ addToStore:
 c.Unlock()
 }
- if c.hasIPTablesEnabled() {
- c.arrangeUserFilterRule()
- }
+ c.arrangeUserFilterRule()
 return network, nil
 }
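Review bot: After this hunk `c.arrangeUserFilterRule()` runs unconditionally on the addToStore path, so nothing visible in controller.go ties it to the daemon's iptables setting any more. If the function does not check that setting itself (its body is not part of this series), a daemon started with iptables disabled would still have the user filter rule written into the host firewall. I would record the expectation at the call site with `// NOTE: not gated on the iptables daemon option here; arrangeUserFilterRule must handle iptables=false itself.` and confirm it against the function before merging. The enclosing function starts above the hunk.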