libnet/d/bridge: Allow IPv6 ICC from any IP address

IPv6 ipt rules are exactly the same as IPv4 rules, although both protocol don't use the same networking model. This has bad consequences, for instance: 1. the current v6 rules disallow Neighbor Solication/Advertisement ; 2. and more generally, any datagram using link-local addresses. To solve this, this commit changes the following rules: ``` -A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP -A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP ``` into: ``` -A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c -o br-21502e5b2c6c -j DROP -A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP ``` These rules only limit the traffic ingressing/egressing the bridge, but not traffic between veth on the same bridge. Note that, the Kernel takes care of dropping invalid IPv6 packets, eg. loopback spoofing, thus these rules don't need to be more specific. Solve moby#45460. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
akerouanton · May 30, 2023 · ab30eda · ab30eda
1 parent 098b0fd
commit ab30eda
Showing 1 changed file with 25 additions and 12 deletions.
diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -396,23 +396,36 @@ func removeIPChains(version iptables.IPVersion) {
 }
 
 func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert bool) error {
-	var (
-		inDropRule  = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
-		outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
-	)
-
 	version := iptables.IPv4
 
-	if addr.IP.To4() == nil {
+	if addr.IP.To4() != nil {
+		var (
+			inDropRule  = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
+			outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
+		)
+		if err := programChainRule(iptables.IPv4, inDropRule, "DROP INCOMING", insert); err != nil {
+			return err
+		}
+		if err := programChainRule(iptables.IPv4, outDropRule, "DROP OUTGOING", insert); err != nil {
+			return err
+		}
+	} else {
 		version = iptables.IPv6
-	}
 
-	if err := programChainRule(version, inDropRule, "DROP INCOMING", insert); err != nil {
-		return err
-	}
-	if err := programChainRule(version, outDropRule, "DROP OUTGOING", insert); err != nil {
-		return err
+		var (
+			inDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{
+				"-i", bridgeIface, "!", "-o", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
+			outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain1, args: []string{
+				"!", "-i", bridgeIface, "-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
+		)
+		if err := programChainRule(iptables.IPv4, inDropRule, "DROP INCOMING", insert); err != nil {
+			return err
+		}
+		if err := programChainRule(iptables.IPv4, outDropRule, "DROP OUTGOING", insert); err != nil {
+			return err
+		}
 	}
+
 	// Set Inter Container Communication.
 	return setIcc(version, bridgeIface, icc, insert)
 }