Merge pull request #381 from JoinVerse/feature/disable-ipforward

Disable IP forwarding inside the container netns.
projectcalico · Oct 17, 2017 · b4b3746 · b4b3746
2 parents 161e5f1 + b0ae715
commit b4b3746
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/utils/network.go b/utils/network.go
@@ -157,6 +157,10 @@ func DoNetworking(args *skel.CmdArgs, conf NetConf, result *current.Result, logg
 			}
 		}
 
+		if err = configureContainerSysctls(hasIPv4, hasIPv6); err != nil {
+			return fmt.Errorf("error configuring sysctls for the container netns, error: %s", err)
+		}
+
 		// Now that the everything has been successfully set up in the container, move the "host" end of the
 		// veth into the host namespace.
 		if err = netlink.LinkSetNsFd(hostVeth, int(hostNS.Fd())); err != nil {
@@ -295,6 +299,28 @@ func configureSysctls(hostVethName string, hasIPv4, hasIPv6 bool) error {
 	return nil
 }
 
+// configureContainerSysctls configures necessary sysctls required inside the container netns.
+func configureContainerSysctls(hasIPv4, hasIPv6 bool) error {
+	var err error
+
+	// Globally disable IP forwarding of packets inside the container netns.
+	// Generally, we don't expect containers to be routing anything.
+
+	if hasIPv4 {
+		if err = writeProcSys("/proc/sys/net/ipv4/ip_forward", "0"); err != nil {
+			return err
+		}
+	}
+
+	if hasIPv6 {
+		if err = writeProcSys("/proc/sys/net/ipv6/conf/all/forwarding", "0"); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
 // writeProcSys takes the sysctl path and a string value to set i.e. "0" or "1" and sets the sysctl.
 func writeProcSys(path, value string) error {
 	f, err := os.OpenFile(path, os.O_WRONLY, 0)