Merge pull request #50340 from akerouanton/split-nat-routed-portmappings
libnet/d/bridge: split NATed and routed port mappings
diff --git a/.github/workflows/.test-unit.yml b/.github/workflows/.test-unit.yml
index 36ef060..07d7ac5 100644
--- a/.github/workflows/.test-unit.yml
+++ b/.github/workflows/.test-unit.yml
@@ -16,7 +16,7 @@
workflow_call:
env:
- GO_VERSION: "1.24.4"
+ GO_VERSION: "1.24.5"
GOTESTLIST_VERSION: v0.3.1
TESTSTAT_VERSION: v0.1.25
SETUP_BUILDX_VERSION: edge
diff --git a/.github/workflows/.test.yml b/.github/workflows/.test.yml
index 67c1a5b..b64b13a 100644
--- a/.github/workflows/.test.yml
+++ b/.github/workflows/.test.yml
@@ -21,7 +21,7 @@
default: "graphdriver"
env:
- GO_VERSION: "1.24.4"
+ GO_VERSION: "1.24.5"
GOTESTLIST_VERSION: v0.3.1
TESTSTAT_VERSION: v0.1.25
ITG_CLI_MATRIX_SIZE: 6
diff --git a/.github/workflows/.windows.yml b/.github/workflows/.windows.yml
index 4d1036e..d33152c 100644
--- a/.github/workflows/.windows.yml
+++ b/.github/workflows/.windows.yml
@@ -28,7 +28,7 @@
default: false
env:
- GO_VERSION: "1.24.4"
+ GO_VERSION: "1.24.5"
GOTESTLIST_VERSION: v0.3.1
TESTSTAT_VERSION: v0.1.25
WINDOWS_BASE_IMAGE: mcr.microsoft.com/windows/servercore
diff --git a/.github/workflows/arm64.yml b/.github/workflows/arm64.yml
index de26e34..715c6c5 100644
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -23,7 +23,7 @@
pull_request:
env:
- GO_VERSION: "1.24.4"
+ GO_VERSION: "1.24.5"
TESTSTAT_VERSION: v0.1.25
DESTDIR: ./build
SETUP_BUILDX_VERSION: edge
diff --git a/.github/workflows/buildkit.yml b/.github/workflows/buildkit.yml
index aae2939..e97b887 100644
--- a/.github/workflows/buildkit.yml
+++ b/.github/workflows/buildkit.yml
@@ -23,7 +23,7 @@
pull_request:
env:
- GO_VERSION: "1.24.4"
+ GO_VERSION: "1.24.5"
DESTDIR: ./build
SETUP_BUILDX_VERSION: edge
SETUP_BUILDKIT_IMAGE: moby/buildkit:latest
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 27b6ce5..3b7b432 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -58,7 +58,7 @@
- name: Update Go
uses: actions/setup-go@v5
with:
- go-version: "1.24.4"
+ go-version: "1.24.5"
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 30d7537..fcb968e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -23,7 +23,7 @@
pull_request:
env:
- GO_VERSION: "1.24.4"
+ GO_VERSION: "1.24.5"
GIT_PAGER: "cat"
PAGER: "cat"
SETUP_BUILDX_VERSION: edge
diff --git a/.golangci.yml b/.golangci.yml
index a362e38..6d14377 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -3,7 +3,7 @@
run:
# prevent golangci-lint from deducting the go version to lint for through go.mod,
# which causes it to fallback to go1.17 semantics.
- go: "1.24.4"
+ go: "1.24.5"
concurrency: 2
# Only supported with go modules enabled (build flag -mod=vendor only valid when using modules)
# modules-download-mode: vendor
diff --git a/Dockerfile b/Dockerfile
index 517df94..5ff93e1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.5
ARG BASE_DEBIAN_DISTRO="bookworm"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
ARG XX_VERSION=1.6.1
diff --git a/Dockerfile.simple b/Dockerfile.simple
index d8e721c..05e08a8 100644
--- a/Dockerfile.simple
+++ b/Dockerfile.simple
@@ -5,7 +5,7 @@
# This represents the bare minimum required to build and test Docker.
-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.5
ARG BASE_DEBIAN_DISTRO="bookworm"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
diff --git a/Dockerfile.windows b/Dockerfile.windows
index ed1c1f2..4e8184d 100644
--- a/Dockerfile.windows
+++ b/Dockerfile.windows
@@ -161,7 +161,7 @@
# Use PowerShell as the default shell
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.5
# GOTESTSUM_VERSION is the version of gotest.tools/gotestsum to install.
ARG GOTESTSUM_VERSION=v1.12.3
diff --git a/client/buildkit/buildkit.go b/client/buildkit/buildkit.go
deleted file mode 100644
index 4c18ca5..0000000
--- a/client/buildkit/buildkit.go
+++ /dev/null
@@ -1,27 +0,0 @@
-package buildkit
-
-import (
- "context"
- "net"
-
- "github.com/docker/docker/client"
- bkclient "github.com/moby/buildkit/client"
-)
-
-// ClientOpts returns a list of buildkit client options which allows the
-// caller to create a buildkit client which will connect to the buildkit
-// API provided by the daemon. These options can be passed to [bkclient.New].
-//
-// Example:
-//
-// bkclient.New(ctx, "", ClientOpts(c)...)
-func ClientOpts(c client.HijackDialer) []bkclient.ClientOpt {
- return []bkclient.ClientOpt{
- bkclient.WithSessionDialer(func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
- return c.DialHijack(ctx, "/session", proto, meta)
- }),
- bkclient.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
- return c.DialHijack(ctx, "/grpc", "h2c", nil)
- }),
- }
-}
diff --git a/hack/dockerfiles/generate-files.Dockerfile b/hack/dockerfiles/generate-files.Dockerfile
index 3b07d64..f43776c 100644
--- a/hack/dockerfiles/generate-files.Dockerfile
+++ b/hack/dockerfiles/generate-files.Dockerfile
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.5
ARG BASE_DEBIAN_DISTRO="bookworm"
ARG PROTOC_VERSION=3.11.4
diff --git a/hack/dockerfiles/govulncheck.Dockerfile b/hack/dockerfiles/govulncheck.Dockerfile
index bff2f61..1452f31 100644
--- a/hack/dockerfiles/govulncheck.Dockerfile
+++ b/hack/dockerfiles/govulncheck.Dockerfile
@@ -1,6 +1,6 @@
# syntax=docker/dockerfile:1
-ARG GO_VERSION=1.24.4
+ARG GO_VERSION=1.24.5
ARG GOVULNCHECK_VERSION=v1.1.4
ARG FORMAT=text
diff --git a/integration/build/build_traces_test.go b/integration/build/build_traces_test.go
index 7ca9c21..deb38ad 100644
--- a/integration/build/build_traces_test.go
+++ b/integration/build/build_traces_test.go
@@ -3,10 +3,10 @@
import (
"context"
"errors"
+ "net"
"testing"
"time"
- "github.com/docker/docker/client/buildkit"
"github.com/docker/docker/testutil"
moby_buildkit_v1 "github.com/moby/buildkit/api/services/control"
"github.com/moby/buildkit/client"
@@ -33,7 +33,15 @@
ctx := testutil.StartSpan(baseContext, t)
- opts := buildkit.ClientOpts(testEnv.APIClient())
+ c := testEnv.APIClient()
+ opts := []client.ClientOpt{
+ client.WithSessionDialer(func(ctx context.Context, proto string, meta map[string][]string) (net.Conn, error) {
+ return c.DialHijack(ctx, "/session", proto, meta)
+ }),
+ client.WithContextDialer(func(ctx context.Context, _ string) (net.Conn, error) {
+ return c.DialHijack(ctx, "/grpc", "h2c", nil)
+ }),
+ }
bc, err := client.New(ctx, "", opts...)
assert.NilError(t, err)
defer bc.Close()
diff --git a/libnetwork/drivers/bridge/internal/nftabler/endpoint.go b/libnetwork/drivers/bridge/internal/nftabler/endpoint.go
index f2e1bc9..2e2d929 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/endpoint.go
+++ b/libnetwork/drivers/bridge/internal/nftabler/endpoint.go
@@ -4,13 +4,63 @@
import (
"context"
+ "fmt"
"net/netip"
+ "strings"
+
+ "github.com/docker/docker/libnetwork/drivers/bridge/internal/firewaller"
+ "github.com/docker/docker/libnetwork/internal/nftables"
)
func (n *network) AddEndpoint(ctx context.Context, epIPv4, epIPv6 netip.Addr) error {
- return nil
+ return n.modEndpoint(ctx, epIPv4, epIPv6, true)
}
func (n *network) DelEndpoint(ctx context.Context, epIPv4, epIPv6 netip.Addr) error {
+ return n.modEndpoint(ctx, epIPv4, epIPv6, false)
+}
+
+func (n *network) modEndpoint(ctx context.Context, epIPv4, epIPv6 netip.Addr, enable bool) error {
+ if n.fw.config.IPv4 && epIPv4.IsValid() {
+ if err := n.filterDirectAccess(ctx, n.fw.table4, n.config.Config4, epIPv4, enable); err != nil {
+ return err
+ }
+ if err := nftApply(ctx, n.fw.table4); err != nil {
+ return fmt.Errorf("adding rules for bridge %s: %w", n.config.IfName, err)
+ }
+ }
+ if n.fw.config.IPv6 && epIPv6.IsValid() {
+ if err := n.filterDirectAccess(ctx, n.fw.table6, n.config.Config6, epIPv6, enable); err != nil {
+ return err
+ }
+ if err := nftApply(ctx, n.fw.table6); err != nil {
+ return fmt.Errorf("adding rules for bridge %s: %w", n.config.IfName, err)
+ }
+ }
return nil
}
+
+// filterDirectAccess drops packets addressed directly to the container's IP address,
+// when direct routing is not permitted by network configuration.
+//
+// It is a no-op if:
+// - gateway mode is "nat-unprotected" or "routed".
+// - direct routing is enabled at the daemon level.
+// - "raw" rules are disabled (possibly because the host doesn't have the necessary
+// kernel support).
+//
+// Packets originating on the bridge's own interface and addressed directly to the
+// container are allowed - the host always has direct access to its own containers
+// (it doesn't need to use the port mapped to its own addresses, although it can).
+//
+// "Trusted interfaces" are treated in the same way as the bridge itself.
+func (n *network) filterDirectAccess(ctx context.Context, table nftables.TableRef, conf firewaller.NetworkConfigFam, epIP netip.Addr, enable bool) error {
+ if n.config.Internal || conf.Unprotected || conf.Routed || n.fw.config.AllowDirectRouting {
+ return nil
+ }
+ updater := table.ChainUpdateFunc(ctx, rawPreroutingChain, enable)
+ ifNames := strings.Join(n.config.TrustedHostInterfaces, ", ")
+ return updater(ctx, rawPreroutingPortsRuleGroup,
+ `%s daddr %s iifname != { %s, %s } counter drop comment "DROP DIRECT ACCESS"`,
+ table.Family(), epIP, n.config.IfName, ifNames)
+}
diff --git a/libnetwork/drivers/bridge/internal/nftabler/nftabler.go b/libnetwork/drivers/bridge/internal/nftabler/nftabler.go
index ba737ca..d94f58a 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/nftabler.go
+++ b/libnetwork/drivers/bridge/internal/nftabler/nftabler.go
@@ -38,6 +38,10 @@
fwdInFinalRuleGroup
)
+const (
+ rawPreroutingPortsRuleGroup = iota + initialRuleGroup + 1
+)
+
type nftabler struct {
config firewaller.Config
table4 nftables.TableRef
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index 3017086..58d6401 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
index b85849a..4e9cb62 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
index a4d3c90..0b027ae 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 3017086..58d6401 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
index b85849a..4e9cb62 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
index a4d3c90..0b027ae 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index 3017086..58d6401 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
index b85849a..4e9cb62 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
index a4d3c90..0b027ae 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 3017086..58d6401 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
index b85849a..4e9cb62 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
index a4d3c90..0b027ae 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index 69d58be..52d2d02 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
index a0be1a3..5f03357 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
index d7a985d..2a12212 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 69d58be..52d2d02 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
index a0be1a3..5f03357 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
index d7a985d..2a12212 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index c36eb09..2b46d44 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
index 3fb3072..9b834dc 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
index 604e0af..e9a1bcd 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index c36eb09..2b46d44 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
index 3fb3072..9b834dc 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
index 604e0af..e9a1bcd 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index 5f137c7..806f217 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
index eb3ddde..559b18c 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
index 05d64bd..34c4f9e 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 5f137c7..806f217 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
index eb3ddde..559b18c 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
index 05d64bd..34c4f9e 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index 5f137c7..806f217 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
index eb3ddde..559b18c 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
index 05d64bd..34c4f9e 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 5f137c7..806f217 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
index eb3ddde..559b18c 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
index 05d64bd..34c4f9e 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index cc0049b..2c07c70 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
index d299baf..7743ae7 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
index c09fcdf..38d4e07 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index cc0049b..2c07c70 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
index d299baf..7743ae7 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
index c09fcdf..38d4e07 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
index 746eb6c..58fa5d7 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
index 92b7ff9..a201853 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
index 58efbdd..92e328e 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 746eb6c..58fa5d7 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -47,6 +47,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
index 92b7ff9..a201853 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
index 58efbdd..92e328e 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
index 37af477..5ed7f81 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
index 2cdbffc..ea75ce3 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 37af477..5ed7f81 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
index 37af477..5ed7f81 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
index 2cdbffc..ea75ce3 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
index 9947c0f..beea65d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
index 602cc58..64d10f9 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 9947c0f..beea65d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
index 9947c0f..beea65d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
index 602cc58..64d10f9 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
index 1a2c204..6e24c67 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
index 18992e4..31e18ee 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 1a2c204..6e24c67 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
index 1a2c204..6e24c67 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
index 18992e4..31e18ee 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
index c20e362..cd44928 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
index 94bb6ac..e121238 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index c20e362..cd44928 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
index c20e362..cd44928 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
index 94bb6ac..e121238 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
index ed6ec3c..4692ed8 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
index 654d43b..ecf9bb0 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index ed6ec3c..4692ed8 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
index ed6ec3c..4692ed8 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
index 654d43b..ecf9bb0 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
index 4344a15..76c2e39 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
index d78837c..d393366 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 4344a15..76c2e39 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
index 4344a15..76c2e39 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
index d78837c..d393366 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
index fd83ffa..a1c453d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
index d93a353..382936d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index fd83ffa..a1c453d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
index fd83ffa..a1c453d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
index d93a353..382936d 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
index 141481a..9c1aeb2 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
index fa25df3..7297550 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
index 141481a..9c1aeb2 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
index 141481a..9c1aeb2 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip daddr 192.168.0.2 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
diff --git a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
index fa25df3..7297550 100644
--- a/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
+++ b/libnetwork/drivers/bridge/internal/nftabler/testdata/TestNftabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6.golden
@@ -46,6 +46,7 @@
chain raw-PREROUTING {
type filter hook prerouting priority raw; policy accept;
+ ip6 daddr fd49:efd7:54aa::1 iifname != "br-dummy" counter packets 0 bytes 0 drop comment "DROP DIRECT ACCESS"
}
chain filter-forward-in__br-dummy {
