Enable 'ip6tables' by default, don't require 'experimental'. #47747
Commits on May 10, 2024
-
Disable ip6tables in tests that disable iptables
Tests that start a daemon disable iptables, to avoid conflicts with other tests running in parallel and also creating iptables chains. Do the same for ip6tables, in prep for them being enabled by-default. Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Allow "--ip6tables=true" when "--iptables=false"
The bridge driver's setupIPChains() had an initial sanity check that "--iptables=true". But, it's called with "version=IPv6" when "--iptables=false" and "--ip6tables=true" - the sanity test needed to allow for that. Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Set up IPv6 n/w isolation rules when --ip6tables=true
bridgeNetwork.isolateNetwork() checks "--iptables=true" and "--ip6tables=true" before doing anything with IPv4 and IPv6 respectively. But, it was only called if "--iptables=true". Now, it's called if "--ip6tables=true", even if "--iptables=false". Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Gate setting of bridge-nf-call-ip6tables on "--ip6tables=true".
The code to enable "bridge-nf-call-iptables" or "bridge-nf-call-ip6tables" was gated on "--iptables=true", it didn't check "--ip6tables=true". So, split the top level call into IPv4/IPv6 so that the iptables-enable settings can be checked independently, and simplfied the implementation. Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Enable filtering on IPv6 bridges with no IPv6 address
Check forwarding, then set bridge-nf-call-ip6tables, on a bridge if IPv6 is enabled - even if no IPv6 address has been assigned. Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Make it an error to set up filtering on an unnamed bridge
In setupIPv6BridgeNetFiltering(), the bridge should always be named. Don't fall back to checking the "default" setting for a new bridge. Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Enable 'ip6tables' by default, don't require 'experimental'.
Signed-off-by: Rob Murray <rob.murray@docker.com>
-
Don't explicitly enable ip6tables in tests
Tests no longer need to use "--experimental --ip6tables", now ip6tables is the default behaviour. Signed-off-by: Rob Murray <rob.murray@docker.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.