From deb0c57b304fde774867a2c1b21972efabf3b610 Mon Sep 17 00:00:00 2001
From: Samuel Karp
Date: Fri, 3 Apr 2020 16:23:18 -0700
Subject: [PATCH] bridge: disable IPv6 router advertisements
Signed-off-by: Samuel Karp
(cherry picked from commit 153d0769a1181bf591a9637fd487a541ec7db1e6)
Signed-off-by: Sebastiaan van Stijn
---
 drivers/bridge/bridge.go | 6 ++++++
 drivers/bridge/setup_device.go | 19 +++++++++++++++++++
 2 files changed, 25 insertions(+)
diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go
index 734390c165..88fbafaea3 100644
--- a/drivers/bridge/bridge.go
+++ b/drivers/bridge/bridge.go
@@ -689,6 +689,12 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {
 bridgeAlreadyExists := bridgeIface.exists()
 if !bridgeAlreadyExists {
 bridgeSetup.queueStep(setupDevice)
+ bridgeSetup.queueStep(setupDefaultSysctl)
+ }
+
+ // For the default bridge, set expected sysctls
+ if config.DefaultBridge {
+ bridgeSetup.queueStep(setupDefaultSysctl)
 }
 // Even if a bridge exists try to setup IPv4.
diff --git a/drivers/bridge/setup_device.go b/drivers/bridge/setup_device.go
index 548ad951df..1343305ae9 100644
--- a/drivers/bridge/setup_device.go
+++ b/drivers/bridge/setup_device.go
@@ -2,6 +2,9 @@ package bridge
 import (
 "fmt"
+ "io/ioutil"
+ "os"
+ "path/filepath"
 "github.com/docker/docker/pkg/parsers/kernel"
 "github.com/docker/libnetwork/netutils"
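Review bot: In createNetwork (drivers/bridge/bridge.go) a newly created default bridge queues setupDefaultSysctl twice, once inside the `!bridgeAlreadyExists` branch and again under `config.DefaultBridge`; the second write is harmless but redundant. A single condition placed after the setupDevice block would state the intent once: `if !bridgeAlreadyExists || config.DefaultBridge { bridgeSetup.queueStep(setupDefaultSysctl) }`. As written, a pre-existing non-default bridge never gets the step, so its accept_ra stays at whatever the host already had; if that is deliberate, a comment saying so would help the next reader. createNetwork's body starts and ends outside this hunk.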
@@ -49,6 +52,22 @@ func setupDevice(config *networkConfiguration, i *bridgeInterface) error {
 return err
 }
+func setupDefaultSysctl(config *networkConfiguration, i *bridgeInterface) error {
+ // Disable IPv6 router advertisements originating on the bridge
+ sysPath := filepath.Join("/proc/sys/net/ipv6/conf/", config.BridgeName, "accept_ra")
+ if _, err := os.Stat(sysPath); err != nil {
+ logrus.
+ WithField("bridge", config.BridgeName).
+ WithField("syspath", sysPath).
+ Info("failed to read ipv6 net.ipv6.conf..accept_ra")
+ return nil
+ }
+ if err := ioutil.WriteFile(sysPath, []byte{'0', '\n'}, 0644); err != nil {
+ return fmt.Errorf("libnetwork: Unable to disable IPv6 router advertisement: %v", err)
+ }
+ return nil
+}
+
 // SetupDeviceUp ups the given bridge interface.
 func setupDeviceUp(config *networkConfiguration, i *bridgeInterface) error {
 err := i.nlh.LinkSetUp(i.Link)
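Review bot: setupDefaultSysctl treats every os.Stat failure as "sysctl not present": it logs at Info without the error value and returns nil, so the bridge is set up with accept_ra unchanged and nothing at warning level records that the hardening was skipped. Only a missing path should be skipped; any other failure can be returned the same way the write failure is, e.g. `if !os.IsNotExist(err) { return fmt.Errorf("libnetwork: unable to stat %s: %v", sysPath, err) }`, with the skip itself logged via `WithError(err)` at Warn. The log text says "failed to read" although the call is a stat, which will mislead anyone triaging it. The function comment would be more precise as `// Do not accept IPv6 router advertisements received on the bridge`, since accept_ra controls whether the host acts on RAs arriving on that interface.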