Commit 446b688
Limited bridge netfilter application.
libnetwork uses the br-netfilter module to allow filtering of
packets passing through a bridge. To do so, it sets
/proc/sys/net/bridge/bridge-nf-call-ip[6]tables to 1, forcing
iptables for every bridge on the system, whether this is desired
or not. This overrides anything set in /etc/sysctl.conf.
This change prevents libnetwork from setting the system-wide
/proc/sys/net/bridge/bridge-nf-call-ip[6]tables and instead sets
/sys/class/net/<bridge-name>/bridge/nf_call_ip[6]tables for each
bridge which has ICC disabled.
Note that this does introduce a change in the behaviour of docker.
For a default network configuration, with the existing behaviour,
both `docker_gwbridge` and `docker0` bridges have iptables enabled
while this change results in `docker_gwbridge` having iptables
enabled but `docker0` having iptables disabled, because ICC is
enabled by default. As far as I can tell, iptables should not be
enabled on the `docker0` bridge when ICC is enabled (the code
which implements this seems to assume that iptables is enabled
per-bridge and not systemwide) so I think this change is correct,
but it is still a change in behaviour.
Signed-off-by: Tom Cook <tom.k.cook@gmail.com>
1 parent feeff4f commit 446b688
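The per-bridge policy the commit message describes, as an added Go example that is not libnetwork's own code: it writes /sys/class/net/<bridge>/bridge/nf_call_ip[6]tables for each bridge according to its ICC setting, leaves /proc/sys/net/bridge/bridge-nf-call-ip[6]tables untouched, and then reports the effective state, because br_netfilter only skips its iptables hooks when both the global toggle and the bridge's own toggle are 0. The `root` prefix, the `Bridge` type and every function name are this example's assumptions; `main` runs it against a scratch directory so it needs no privileges, and passing `"/"` as `root` on a host with br_netfilter loaded would act on the live knobs.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Bridge is one libnetwork-managed bridge and whether inter-container
// communication (ICC) is enabled on it. The type is this example's own.
type Bridge struct {
	Name string
	ICC  bool
}

// perBridgeKnob is the per-bridge toggle the commit switches to,
// /sys/class/net/<bridge>/bridge/nf_call_ip[6]tables, prefixed with root so
// the example can run against a scratch directory instead of the live /sys.
func perBridgeKnob(root, bridge string, ipv6 bool) string {
	knob := "nf_call_iptables"
	if ipv6 {
		knob = "nf_call_ip6tables"
	}
	return filepath.Join(root, "sys", "class", "net", bridge, "bridge", knob)
}

// globalKnob is the system-wide toggle the commit stops writing,
// /proc/sys/net/bridge/bridge-nf-call-ip[6]tables, prefixed the same way.
func globalKnob(root string, ipv6 bool) string {
	knob := "bridge-nf-call-iptables"
	if ipv6 {
		knob = "bridge-nf-call-ip6tables"
	}
	return filepath.Join(root, "proc", "sys", "net", "bridge", knob)
}

// applyBridgePolicy writes only the per-bridge toggles: 1 when ICC is
// disabled (bridged packets must reach iptables for the ICC drop rules to
// apply), 0 when it is enabled. The global /proc/sys entry is never touched,
// so whatever /etc/sysctl.conf configured stays in force.
func applyBridgePolicy(root string, bridges []Bridge) error {
	for _, b := range bridges {
		val := "0\n"
		if !b.ICC {
			val = "1\n"
		}
		for _, ipv6 := range []bool{false, true} {
			p := perBridgeKnob(root, b.Name, ipv6)
			if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
				return err
			}
			if err := os.WriteFile(p, []byte(val), 0o644); err != nil {
				return fmt.Errorf("write %s: %w", p, err)
			}
		}
	}
	return nil
}

// readFlag reads a 0/1 knob. A missing file reads as 0: with br_netfilter
// not loaded there is no /proc/sys/net/bridge at all and nothing is filtered.
func readFlag(path string) (bool, error) {
	data, err := os.ReadFile(path)
	if os.IsNotExist(err) {
		return false, nil
	}
	return strings.TrimSpace(string(data)) == "1", err
}

// effectiveFiltering reports whether traffic crossing bridge actually hits
// iptables. br_netfilter skips its hooks only when BOTH the global toggle and
// the bridge's own toggle are 0, so a global 1 left behind in sysctl.conf
// silently overrides a per-bridge 0 such as docker0's.
func effectiveFiltering(root, bridge string, ipv6 bool) (bool, error) {
	global, err := readFlag(globalKnob(root, ipv6))
	if err != nil {
		return false, err
	}
	perBridge, err := readFlag(perBridgeKnob(root, bridge, ipv6))
	if err != nil {
		return false, err
	}
	return global || perBridge, nil
}

func main() {
	root, err := os.MkdirTemp("", "brnf-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Default docker layout: docker0 has ICC on, docker_gwbridge has it off.
	bridges := []Bridge{{"docker0", true}, {"docker_gwbridge", false}}
	if err := applyBridgePolicy(root, bridges); err != nil {
		panic(err)
	}
	for _, b := range bridges {
		on, _ := effectiveFiltering(root, b.Name, false)
		fmt.Printf("%-16s ICC=%-5v iptables: %v\n", b.Name, b.ICC, on)
	}
}
```

With the scratch directory, docker0 reports iptables off and docker_gwbridge on, matching the behaviour the commit message predicts; dropping a 1 into the global knob flips docker0 back on, which is the case an operator with a pre-existing sysctl.conf setting will actually see.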
1 file changed
Lines changed: 5 additions & 5 deletions
(diff body not preserved in this copy; only the line numbers survived)
Hunk 1, original lines 64-74: line 67 replaced, line 71 replaced
Hunk 2, original lines 108-119: lines 111, 114 and 116 replaced
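Review bot: the behaviour change the commit message itself calls out (docker0 ends up with nf_call_iptables=0 because ICC is on by default) ships as a one-file change with no documentation or release-note update; please document it, since an operator who relied on docker0 traffic reaching iptables will now see those rules silently bypassed. Two further points to confirm in the changed lines: (1) br_netfilter skips its hooks only when both /proc/sys/net/bridge/bridge-nf-call-ip[6]tables and the bridge's nf_call_ip[6]tables are 0, so a host whose /etc/sysctl.conf still sets the global to 1 keeps filtering docker0 regardless of this change, and the message's "iptables disabled on docker0" only holds when the global is 0; (2) the global /proc/sys entry does not exist until br-netfilter is loaded, so the old write failed loudly in that case, whereas the per-bridge sysfs write can succeed with the module absent and no filtering taking place. A check that the module is loaded (or that the write has the intended effect) before relying on the per-bridge knob for an ICC-disabled bridge would close that gap.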
0 commit comments