From 5fee5af8a1dd64404fd71b063caaca7985c52626 Mon Sep 17 00:00:00 2001
From: Kashif Saadat
Date: Tue, 10 Apr 2018 16:45:11 +0100
Subject: [PATCH] Make the iptables FORWARD chain rules optional

---
 main.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/main.go b/main.go
index 1a47afe4a4..c0be209211 100644
--- a/main.go
+++ b/main.go
@@ -96,6 +96,7 @@ type CmdLineOpts struct {
 charonExecutablePath string
 charonViciUri string
 iptablesResyncSeconds int
+ iptablesForwardRules bool
 }
 
 var (
@@ -126,6 +127,7 @@ func init() {
 flannelFlags.StringVar(&opts.healthzIP, "healthz-ip", "0.0.0.0", "the IP address for healthz server to listen")
 flannelFlags.IntVar(&opts.healthzPort, "healthz-port", 0, "the port for healthz server to listen(0 to disable)")
 flannelFlags.IntVar(&opts.iptablesResyncSeconds, "iptables-resync", 5, "resync period for iptables rules, in seconds")
+ flannelFlags.BoolVar(&opts.iptablesForwardRules, "iptables-forward-rules", true, "add default accept rules to FORWARD chain in iptables")
 
 // glog will log to tmp files by default. override so all entries
 // can flow into journald (if running under systemd)
@@ -296,7 +298,9 @@ func main() {
 // Always enables forwarding rules. This is needed for Docker versions >1.13 (https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#container-communication-between-hosts)
 // In Docker 1.12 and earlier, the default FORWARD chain policy was ACCEPT.
 // In Docker 1.13 and later, Docker sets the default policy of the FORWARD chain to DROP.
- go network.SetupAndEnsureIPTables(network.ForwardRules(config.Network.String()), opts.iptablesResyncSeconds)
+ if opts.iptablesForwardRules {
+ go network.SetupAndEnsureIPTables(network.ForwardRules(config.Network.String()), opts.iptablesResyncSeconds)
+ }
 
 if err := WriteSubnetFile(opts.subnetFile, config.Network, opts.ipMasq, bn); err != nil {
 // Continue, even though it failed.
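Review bot: The help text on the new `iptables-forward-rules` flag says what the rules are but not what switching them off means for the operator; with the default `true` behaviour is unchanged, but whoever sets it to false takes over the FORWARD chain for the pod network themselves. Suggest `"add default accept rules to FORWARD chain in iptables (disable only if FORWARD rules for the pod network are managed elsewhere)"` so the consequence is visible in `--help`. init continues outside the hunk.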
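Review bot: The comment immediately above the new `if` still opens with `// Always enables forwarding rules.`, which the guard makes untrue; suggest `// Enables forwarding rules unless --iptables-forward-rules=false. This is needed for Docker versions >1.13 (...)` keeping the rest of the sentence as is. It would also help to state in the same comment that with the flag off flannel installs nothing in the FORWARD chain, so on hosts where the default policy is DROP (Docker 1.13 and later, per the existing comment) cross-host pod traffic is dropped unless equivalent rules are provided elsewhere. main continues outside the hunk.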