libnet/pm/routed: don't set up firewall rules directly

Instead of setting up firewall rules directly in the routed port mapper, we now rely on the bridge driver to handle firewall reconfiguration. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2026-01-11 18:51:37 +00:00 · 2025-08-11 02:21:34 +02:00
parent 9d9b05446c
commit 9b1c4ad3b1
2 changed files with 8 additions and 16 deletions
--- a/daemon/libnetwork/drivers/bridge/port_mapping_linux_test.go
+++ b/daemon/libnetwork/drivers/bridge/port_mapping_linux_test.go
@@ -45,7 +45,6 @@ func TestPortMappingConfig(t *testing.T) {

 	config := &configuration{
 		EnableIPTables: true,
-		Hairpin:        true,
 	}
 	genericOption := make(map[string]any)
 	genericOption[netlabel.GenericData] = config
--- a/daemon/libnetwork/portmappers/routed/mapper_linux.go
+++ b/daemon/libnetwork/portmappers/routed/mapper_linux.go
@@ -4,9 +4,7 @@ import (
 	"context"

 	"github.com/containerd/log"
-	"github.com/moby/moby/v2/daemon/internal/sliceutil"
 	"github.com/moby/moby/v2/daemon/libnetwork/portmapperapi"
-	"github.com/moby/moby/v2/daemon/libnetwork/types"
 )

 const driverName = "routed"
@@ -22,16 +20,19 @@ func NewPortMapper() PortMapper {
 	return PortMapper{}
 }

-// MapPorts sets up firewall rules to allow direct remote access to pbs.
+// MapPorts returns a PortBinding for every PortBindingReq received, with Forwarding enabled for each. If a HostPort is
+// specified, it's logged and ignored.
 func (pm PortMapper) MapPorts(ctx context.Context, reqs []portmapperapi.PortBindingReq, fwn portmapperapi.Firewaller) ([]portmapperapi.PortBinding, error) {
 	if len(reqs) == 0 {
 		return nil, nil
 	}

 	res := make([]portmapperapi.PortBinding, 0, len(reqs))
-	bindings := make([]types.PortBinding, 0, len(reqs))
 	for _, c := range reqs {
-		pb := portmapperapi.PortBinding{PortBinding: c.Copy()}
+		pb := portmapperapi.PortBinding{
+			PortBinding: c.Copy(),
+			Forwarding:  true,
+		}
 		if pb.HostPort != 0 || pb.HostPortEnd != 0 {
 			log.G(ctx).WithFields(log.Fields{"mapping": pb}).Infof(
 				"Host port ignored, because NAT is disabled")
@@ -39,19 +40,11 @@ func (pm PortMapper) MapPorts(ctx context.Context, reqs []portmapperapi.PortBind
 			pb.HostPortEnd = 0
 		}
 		res = append(res, pb)
-		bindings = append(bindings, pb.PortBinding)
-	}
-
-	if err := fwn.AddPorts(ctx, bindings); err != nil {
-		return nil, err
 	}

 	return res, nil
 }

-// UnmapPorts removes firewall rules allowing direct remote access to the pbs.
-func (pm PortMapper) UnmapPorts(ctx context.Context, pbs []portmapperapi.PortBinding, fwn portmapperapi.Firewaller) error {
-	return fwn.DelPorts(ctx, sliceutil.Map(pbs, func(pb portmapperapi.PortBinding) types.PortBinding {
-		return pb.PortBinding
-	}))
+func (pm PortMapper) UnmapPorts(_ context.Context, _ []portmapperapi.PortBinding, _ portmapperapi.Firewaller) error {
+	return nil
 }