Enable 'ip6tables' by default, don't require 'experimental'. #47747
Commits on May 10, 2024
Disable ip6tables in tests that disable iptables
Tests that start a daemon disable iptables, to avoid conflicts with other tests running in parallel and also creating iptables chains. Do the same for ip6tables, in prep for them being enabled by-default.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 9a8ffe3
Allow "--ip6tables=true" when "--iptables=false"
The bridge driver's setupIPChains() had an initial sanity check that "--iptables=true". But, it's called with "version=IPv6" when "--iptables=false" and "--ip6tables=true" - the sanity test needed to allow for that.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 23fd159
Set up IPv6 n/w isolation rules when --ip6tables=true
bridgeNetwork.isolateNetwork() checks "--iptables=true" and "--ip6tables=true" before doing anything with IPv4 and IPv6 respectively. But, it was only called if "--iptables=true". Now, it's called if "--ip6tables=true", even if "--iptables=false".
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 8751562
Gate setting of bridge-nf-call-ip6tables on "--ip6tables=true".
The code to enable "bridge-nf-call-iptables" or "bridge-nf-call-ip6tables" was gated on "--iptables=true", it didn't check "--ip6tables=true". So, split the top level call into IPv4/IPv6 so that the iptables-enable settings can be checked independently, and simplified the implementation.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 4df97f2
Enable filtering on IPv6 bridges with no IPv6 address
Check forwarding, then set bridge-nf-call-ip6tables, on a bridge if IPv6 is enabled - even if no IPv6 address has been assigned.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit d6b6a51
Make it an error to set up filtering on an unnamed bridge
In setupIPv6BridgeNetFiltering(), the bridge should always be named. Don't fall back to checking the "default" setting for a new bridge.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 5705cbf
Enable 'ip6tables' by default, don't require 'experimental'.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 07ccaf0
Don't explicitly enable ip6tables in tests
Tests no longer need to use "--experimental --ip6tables", now ip6tables is the default behaviour.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 41ddc47
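An added example, not code from this PR or from the project: a small Go check an operator could run over a `daemon.json` to see how the default change in this series affects a host. The type and function names are hypothetical, the sample configurations are constructed, and the "before" rule is an assumption taken from the PR title (ip6tables off by default and only effective together with `experimental`).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// daemonConfig holds the daemon.json keys relevant here. Pointers keep
// "key absent" distinct from an explicit false.
type daemonConfig struct {
	Experimental bool  `json:"experimental"`
	IPTables     *bool `json:"iptables"`
	IP6Tables    *bool `json:"ip6tables"`
}

// change records whether the daemon manages ip6tables rules before and after
// the default flips, and whether the host ends up with IPv6 rules only.
type change struct{ Before, After, V6Only bool }

// ip6tablesChange evaluates one daemon.json document.
// Assumption (from the PR title): before, ip6tables defaulted to off and
// needed "experimental"; after, it defaults to on and ignores "experimental".
func ip6tablesChange(raw []byte) (change, error) {
	var c daemonConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return change{}, err
	}
	before := c.IP6Tables != nil && *c.IP6Tables && c.Experimental
	after := c.IP6Tables == nil || *c.IP6Tables
	v4 := c.IPTables == nil || *c.IPTables // iptables defaults to on
	return change{Before: before, After: after, V6Only: after && !v4}, nil
}

func main() {
	// Constructed sample configurations, not taken from the PR.
	for _, s := range []string{
		`{}`,
		`{"iptables": false}`,
		`{"ip6tables": false}`,
		`{"experimental": true, "ip6tables": true}`,
	} {
		c, err := ip6tablesChange([]byte(s))
		if err != nil {
			fmt.Println("invalid daemon.json:", err)
			continue
		}
		fmt.Printf("%-42s before=%-5t after=%-5t v6-only=%t\n", s, c.Before, c.After, c.V6Only)
	}
}
```

A host that only sets `"iptables": false` is the case to look for: under the modelled new default it gets daemon-managed IPv6 rules without IPv4 ones, unless `"ip6tables": false` is set as well.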