From c2b0796f47ba12237bafb98da5f0677c3f122a34 Mon Sep 17 00:00:00 2001
From: Casey Callendrello
Date: Tue, 12 May 2020 15:34:11 +0200
Subject: [PATCH] ptp, bridge: disable accept_ra on the host-side interface
The interface plugins should have absolute control over their addressing and routing.
---
pkg/ip/link_linux.go | 9 +++++++--
plugins/main/bridge/bridge.go | 4 ++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/pkg/ip/link_linux.go b/pkg/ip/link_linux.go
index 9bd7f471f..f8781cf19 100644
--- a/pkg/ip/link_linux.go
+++ b/pkg/ip/link_linux.go
@@ -21,10 +21,12 @@ import (
 "net"
 "os"
- "github.com/containernetworking/plugins/pkg/ns"
- "github.com/containernetworking/plugins/pkg/utils/hwaddr"
 "github.com/safchain/ethtool"
 "github.com/vishvananda/netlink"
+
+ "github.com/containernetworking/plugins/pkg/ns"
+ "github.com/containernetworking/plugins/pkg/utils/hwaddr"
+ "github.com/containernetworking/plugins/pkg/utils/sysctl"
 )
 var (
@@ -158,6 +160,9 @@ func SetupVethWithName(contVethName, hostVethName string, mtu int, hostNS ns.Net
 if err = netlink.LinkSetUp(hostVeth); err != nil {
 return fmt.Errorf("failed to set %q up: %v", hostVethName, err)
 }
+
+ // we want to own the routes for this interface
+ _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", hostVethName), "0")
 return nil
 })
 if err != nil {
diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
index 13d5cc330..c6a0690de 100644
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
@@ -36,6 +36,7 @@ import (
 "github.com/containernetworking/plugins/pkg/ns"
 "github.com/containernetworking/plugins/pkg/utils"
 bv "github.com/containernetworking/plugins/pkg/utils/buildversion"
+ "github.com/containernetworking/plugins/pkg/utils/sysctl"
 )
 // For testcases to force an error after IPAM has been performed
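Review bot: In the SetupVethWithName hunk of pkg/ip/link_linux.go the accept_ra write is placed after `netlink.LinkSetUp(hostVeth)` and its result is discarded with `_, _ =`, so the host-side veth is already up while router advertisements are still accepted, and a failed write leaves it that way without any trace. The ensureBridge hunk in plugins/main/bridge/bridge.go writes the sysctl before bringing the bridge up; moving the `sysctl.Sysctl(...)` line above `netlink.LinkSetUp(hostVeth)` would make the two paths agree and close that window, which matters because the peer end of this veth belongs to the container. If the discard is meant to tolerate hosts where IPv6 is disabled (an assumption, the hunk does not say), the comment should state it, e.g. `// best effort: the sysctl path does not exist when IPv6 is disabled`, and any other error is worth returning or logging; the same discard appears in ensureBridge. The function body starts and ends outside the hunk.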
@@ -248,6 +249,9 @@ func ensureBridge(brName string, mtu int, promiscMode, vlanFiltering bool) (*net return nil, err } + // we want to own the routes for this interface + _, _ = sysctl.Sysctl(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", brName), "0") + if err := netlink.LinkSetUp(br); err != nil { return nil, err }
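Review bot: Writing accept_ra=0 in ensureBridge only stops router advertisements received from now on; if the bridge already existed and was up before this call (the function name suggests that case is supported, but the lookup is outside the hunk), addresses and routes learned from earlier advertisements stay in place until they expire. The added comment should say so, for example `// only affects RAs received from now on; state already learned on a pre-existing bridge is not removed`, so operators do not read this line as a guarantee that the plugin owns every route on the bridge. ensureBridge's body starts and ends outside the hunk.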