From 9c4a6541057dca9784311639e7bf85585ef0b3f6 Mon Sep 17 00:00:00 2001 From: Roman Dodin Date: Wed, 15 Jan 2025 16:03:54 +0100 Subject: [PATCH] added v6 rule for mgmt bridge with nftables --- docs/manual/network.md | 15 ++++++++++----- runtime/docker/firewall.go | 2 +- runtime/docker/firewall/nftables/client.go | 18 +++++++++++++++--- 3 files changed, 26 insertions(+), 9 deletions(-) diff --git a/docs/manual/network.md b/docs/manual/network.md index 57915b038..ca94520de 100644 --- a/docs/manual/network.md +++ b/docs/manual/network.md @@ -247,17 +247,22 @@ With this approach, users can prevent IP address overlap with nodes deployed on #### external access -Containerlab will attempt to enable external access to the nodes by default. This means that external systems/hosts will be able to communicate with the nodes of your topology without requiring any manual iptables/nftables rules to be installed. +Containerlab will attempt to enable external management access to the nodes by default. This means that external systems/hosts will be able to communicate with the nodes of your topology without requiring any manual iptables/nftables rules to be installed. -To allow external communications containerlab installs a rule in the `DOCKER-USER` chain, allowing all packets targeting containerlab's management network. The rule looks like follows: +To allow external communications containerlab installs a rule in the `DOCKER-USER` chain for v4 and v6, allowing all packets targeting containerlab's management network. The rule looks like follows: ```shell -❯ sudo iptables -vnL DOCKER-USER +sudo iptables -vnL DOCKER-USER +``` + +
+```{.no-copy .no-select} Chain DOCKER-USER (1 references) - pkts bytes target prot opt in out source destination + pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * br-a8b9fc8b33a2 0.0.0.0/0 0.0.0.0/0 /* set by containerlab */ -12719 79M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 +12719 79M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ``` +
1. The `br-a8b9fc8b33a2` bridge interface is the interface that backs up the containerlab's management network (`clab` docker network). diff --git a/runtime/docker/firewall.go b/runtime/docker/firewall.go index e5a60a676..0905ea1ea 100644 --- a/runtime/docker/firewall.go +++ b/runtime/docker/firewall.go @@ -20,7 +20,7 @@ func (d *DockerRuntime) deleteFwdRule() (err error) { } // installFwdRule installs the `allow` rule for traffic destined to the nodes -// on the clab management network. +// on the clab management network for v4 and v6. // This rule is required for external access to the nodes. func (d *DockerRuntime) installFwdRule() (err error) { if !*d.mgmt.ExternalAccess { diff --git a/runtime/docker/firewall/nftables/client.go b/runtime/docker/firewall/nftables/client.go index eb61d54ff..40fc61ab1 100644 --- a/runtime/docker/firewall/nftables/client.go +++ b/runtime/docker/firewall/nftables/client.go @@ -90,11 +90,23 @@ func (c *NftablesClient) DeleteForwardingRules() error { return nil } -// InstallForwardingRules installs the forwarding rules. +// InstallForwardingRules installs the forwarding rules for v4 and v6 address families. func (c *NftablesClient) InstallForwardingRules() error { defer c.close() - rules, err := c.getRules(definitions.DockerFWUserChain, definitions.DockerFWTable, nftables.TableFamilyIPv4) + err := c.InstallForwardingRulesForAF(nftables.TableFamilyIPv4) + if err != nil { + return err + } + + return c.InstallForwardingRulesForAF(nftables.TableFamilyIPv6) + +} + +// InstallForwardingRulesForAF installs the forwarding rules for the specified address family. +func (c *NftablesClient) InstallForwardingRulesForAF(af nftables.TableFamily) error { + + rules, err := c.getRules(definitions.DockerFWUserChain, definitions.DockerFWTable, af) if err != nil { return fmt.Errorf("%w. See http://containerlab.dev/manual/network/#external-access", err) } 
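Review bot: The IPv6 pass added to InstallForwardingRules turns a host without an ip6 `DOCKER-USER` chain into a hard failure: InstallForwardingRulesForAF returns the getRules error for the v6 family after the v4 rule was already installed, so a deploy whose IPv4 external access works now reports an error, and Docker only creates its ip6tables chains when the `ip6tables` daemon option is on, which older daemons do not enable by default. If getRules reports a missing chain as an error (its body is outside the hunk), consider treating the v6 family as best-effort, `if err := c.InstallForwardingRulesForAF(nftables.TableFamilyIPv6); err != nil { log.Warnf("IPv6 forwarding rule not installed: %v", err) }`, and in any case wrap the error with the family so the two cases are distinguishable, e.g. `return fmt.Errorf("family %v: %w", af, err)`. The new v6 ACCEPT rule also needs a matching removal: DeleteForwardingRules is not touched by this diff, so if it still walks only the IPv4 table the accept-all rule for the bridge survives a destroy in the ip6 `DOCKER-USER` chain. Finally, InstallForwardingRulesForAF is exported but does not `close()` the client the way InstallForwardingRules does via its defer; either unexport it as `installForwardingRulesForAF` or document that direct callers must close the client themselves.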
@@ -107,7 +119,7 @@ func (c *NftablesClient) InstallForwardingRules() error {
  log.Debugf("Installing iptables rules for bridge %q", c.bridgeName)
 
  // create a new rule
- rule, err := c.newClabNftablesRule(definitions.DockerFWUserChain, definitions.DockerFWTable, nftables.TableFamilyIPv4, 0)
+ rule, err := c.newClabNftablesRule(definitions.DockerFWUserChain, definitions.DockerFWTable, af, 0)
  if err != nil {
  return err
  }
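Review bot: The debug line at the top of this hunk now runs once per address family but still reads `Installing iptables rules for bridge %q`, so the v4 and v6 invocations are indistinguishable in the log and the message names iptables inside the nftables client; suggest `log.Debugf("Installing nftables rule for bridge %q (family %v)", c.bridgeName, af)`. Passing `af` into newClabNftablesRule is correct, but any error returned from that call or later in the function (those lines are outside the hunk) would benefit from the same family annotation so a failure on the ip6 table can be told apart from a v4 one. The hunk header still names InstallForwardingRules from the old file; on the new side this code sits inside InstallForwardingRulesForAF, which starts before and ends after the hunk.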