From ed5ed46f0aee11f3e4e0fcc2b2ce391460bd4550 Mon Sep 17 00:00:00 2001
From: chenjiankun
Date: Wed, 8 May 2024 10:03:36 +0800
Subject: [PATCH] docker: Disable IPv6 for endpoints in '--ipv6=false' networks

No IPAM IPv6 address is given to an interface in a network with '--ipv6=false', but the kernel would assign a link-local address and, in a macvlan/ipvlan network, the interface may get a SLAAC-assigned address. So, disable IPv6 on the interface to avoid that.

Signed-off-by: Rob Murray
Conflict:no
Reference:https://github.com/moby/moby/commit/7cef0d9cd1cf221d8c0b7b7aeda69552649e0642
---
 .../docker/libnetwork/osl/interface_linux.go | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
index a924af4bd..63d0e5650 100644
--- a/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/osl/interface_linux.go
@@ -377,17 +377,24 @@ func setInterfaceIP(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
 }
 
 func setInterfaceIPv6(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
-	if i.AddressIPv6() == nil {
+	addr := i.AddressIPv6()
+	// IPv6 must be enabled on the interface if and only if the network is
+	// IPv6-enabled. For an interface on an IPv4-only network, if IPv6 isn't
+	// disabled, the interface will be put into IPv6 multicast groups making
+	// it unexpectedly susceptible to NDP cache poisoning, route injection, etc.
+	// (At present, there will always be a pre-configured IPv6 address if the
+	// network is IPv6-enabled.)
+	if err := setIPv6(i.ns.path, i.DstName(), addr != nil); err != nil {
+		return fmt.Errorf("failed to configure ipv6: %v", err)
+	}
+	if addr == nil {
 		return nil
 	}
-	if err := checkRouteConflict(nlh, i.AddressIPv6(), netlink.FAMILY_V6); err != nil {
+	if err := checkRouteConflict(nlh, addr, netlink.FAMILY_V6); err != nil {
 		return err
 	}
-	if err := setIPv6(i.ns.path, i.DstName(), true); err != nil {
-		return fmt.Errorf("failed to enable ipv6: %v", err)
-	}
-	ipAddr := &netlink.Addr{IPNet: i.AddressIPv6(), Label: "", Flags: syscall.IFA_F_NODAD}
-	return nlh.AddrAdd(iface, ipAddr)
+	nlAddr := &netlink.Addr{IPNet: addr, Label: "", Flags: syscall.IFA_F_NODAD}
+	return nlh.AddrAdd(iface, nlAddr)
 }
 
 func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {
-- 
2.33.0
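Review bot: The `setIPv6(i.ns.path, i.DstName(), addr != nil)` call now placed at the top of `setInterfaceIPv6` runs for every endpoint, including IPv4-only endpoints on hosts with no IPv6 support at all, whereas before it was only reached once an IPv6 address existed. `setIPv6` is not in the hunk, so this is inferred: if it returns an error when `/proc/sys/net/ipv6/conf/<iface>/disable_ipv6` is absent (kernel booted with `ipv6.disable=1`, or built without IPv6), this backport turns previously working IPv4-only endpoint creation into a hard failure on such hosts. For the disable direction a missing sysctl already means the desired state, so `setIPv6` should treat that as success, e.g. `if !enable && os.IsNotExist(err) { return nil }` around its sysctl write, while a failure to enable stays fatal. The `"failed to configure ipv6: %v"` message would also be more useful if it named the requested state, since it now covers both enabling and disabling.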