Properly set rp_filter on interfaces (fix #320)

KatharaFramework · Nov 19, 2024 · 5db707d · 5db707d
1 parent 5f17f67
commit 5db707d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 10 deletions.
diff --git a/src/Kathara/manager/docker/DockerMachine.py b/src/Kathara/manager/docker/DockerMachine.py
@@ -11,8 +11,8 @@
 import docker.models.containers
 from docker import DockerClient
 from docker.errors import APIError
-from docker.utils import version_lt, version_gte
 from docker.types import Ulimit
+from docker.utils import version_lt, version_gte
 
 from .DockerImage import DockerImage
 from .stats.DockerMachineStats import DockerMachineStats
@@ -187,7 +187,7 @@ def _deploy_and_start_machine(self, machine_item: Tuple[str, Machine]) -> None:
         self.start(machine)
 
         EventDispatcher.get_instance().dispatch("machine_deployed", item=machine)
-    
+
     def _create_ulimit_instances(self, ulimits: Optional[Dict[str, Dict[str, int]]] = None) -> List[Ulimit]:
         """Create an array of Ulimit instances from the ulimits dictionary
         Args:
@@ -201,7 +201,7 @@ def _create_ulimit_instances(self, ulimits: Optional[Dict[str, Dict[str, int]]]
                 ulimit_instance = Ulimit(name=key, soft=value["soft"], hard=value["hard"])
                 ulimit_list.append(ulimit_instance)
         return ulimit_list
-        
+
     def create(self, machine: Machine) -> None:
         """Create a Docker container representing the device and assign it to machine.api_object.
 
@@ -407,6 +407,8 @@ def _create_driver_opt(self, machine: Machine, interface: Interface) -> dict[str
             else:
                 driver_opt["com.docker.network.endpoint.sysctls"] = \
                     "net.ipv6.conf.IFNAME.disable_ipv6=1"
+            driver_opt["com.docker.network.endpoint.sysctls"] = (
+                    driver_opt["com.docker.network.endpoint.sysctls"] + ",net.ipv4.conf.IFNAME.rp_filter=0")
         if interface.mac_address:
             driver_opt['kathara.mac_addr'] = interface.mac_address
         return driver_opt

diff --git a/tests/manager/docker/docker_machine_test.py b/tests/manager/docker/docker_machine_test.py
@@ -597,7 +597,7 @@ def test_start_one_mac_addr(docker_machine, default_device, default_link, defaul
     default_link_b.api_object.connect.assert_called_once_with(
         default_device.api_object,
         driver_opt={
-            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1',
+            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1,net.ipv4.conf.IFNAME.rp_filter=0',
             'kathara.mac_addr': expected_mac_addr
         }
     )
@@ -625,14 +625,14 @@ def test_start_two_mac_addr(docker_machine, default_device, default_link, defaul
     default_link_b.api_object.connect.assert_called_once_with(
         default_device.api_object,
         driver_opt={
-            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1',
+            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1,net.ipv4.conf.IFNAME.rp_filter=0',
             'kathara.mac_addr': expected_mac_addr_1
         }
     )
     default_link_c.api_object.connect.assert_called_once_with(
         default_device.api_object,
         driver_opt={
-            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1',
+            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1,net.ipv4.conf.IFNAME.rp_filter=0',
             'kathara.mac_addr': expected_mac_addr_2
         }
     )
@@ -851,7 +851,7 @@ def test_connect_interface_mac_addr(docker_machine, default_device, default_link
     default_link_b.api_object.connect.assert_called_once_with(
         default_device.api_object,
         driver_opt={
-            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1',
+            'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1,net.ipv4.conf.IFNAME.rp_filter=0',
             'kathara.mac_addr': expected_mac_addr
         }
     )
@@ -890,14 +890,16 @@ def test_connect_interface_plugin_api_error(default_device, default_link, docker
     default_link.api_object.connect.side_effect = error
     with pytest.raises(APIError):
         docker_machine.connect_interface(default_device, interface)
+
+
 #
 # TEST:_create_driver_opt
 #
 def test_create_driver_opt_no_ipv6(docker_machine, default_device, default_link):
     interface = default_device.add_interface(default_link)
     driver_opt = docker_machine._create_driver_opt(default_device, interface)
     assert driver_opt == {
-        'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1',
+        'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1,net.ipv4.conf.IFNAME.rp_filter=0',
     }
 
 
@@ -906,7 +908,7 @@ def test_create_driver_opt_mac_address(docker_machine, default_device, default_l
     interface.mac_address = '00:00:00:00:00:01'
     driver_opt = docker_machine._create_driver_opt(default_device, interface)
     assert driver_opt == {
-        'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1',
+        'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=1,net.ipv4.conf.IFNAME.rp_filter=0',
         'kathara.mac_addr': '00:00:00:00:00:01'
     }
 
@@ -916,7 +918,7 @@ def test_create_driver_opt_ipv6(docker_machine, default_device, default_link):
     default_device.add_meta('ipv6', True)
     driver_opt = docker_machine._create_driver_opt(default_device, interface)
     assert driver_opt == {
-        'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=0,net.ipv6.conf.IFNAME.forwarding=1',
+        'com.docker.network.endpoint.sysctls': 'net.ipv6.conf.IFNAME.disable_ipv6=0,net.ipv6.conf.IFNAME.forwarding=1,net.ipv4.conf.IFNAME.rp_filter=0',
     }