@@ -824,7 +824,8 @@ func (d *driver) createNetwork(config *networkConfiguration) (err error) {

 		{d.config.EnableIPTables || d.config.EnableIP6Tables, setupNetworkIsolationRules},

 		// Configure bridge networking filtering if ICC is off and IP tables are enabled

-		{!config.EnableICC && d.config.EnableIPTables, setupBridgeNetFiltering},

+		{!config.EnableICC && d.config.EnableIPTables, setupIPv4BridgeNetFiltering},

+		{!config.EnableICC && d.config.EnableIP6Tables, setupIPv6BridgeNetFiltering},

 	} {

 		if step.Condition {

 			bridgeSetup.queueStep(step.Fn)

@@ -12,27 +12,44 @@ import (

 	"github.com/containerd/log"

 )

-// Enumeration type saying which versions of IP protocol to process.

-type ipVersion int

-

-const (

-	ipvnone ipVersion = iota

-	ipv4

-	ipv6

-	ipvboth

-)

+// setupIPv4BridgeNetFiltering checks whether IPv4 forwarding is enabled and, if

+// it is, sets kernel param "bridge-nf-call-iptables=1" so that packets traversing

+// the bridge are filtered.

+func setupIPv4BridgeNetFiltering(*networkConfiguration, *bridgeInterface) error {

+	if enabled, err := getKernelBoolParam("/proc/sys/net/ipv4/ip_forward"); err != nil {

+		log.G(context.TODO()).Warnf("failed to check IPv4 forwarding: %v", err)

+		return nil

+	} else if enabled {

+		return enableBridgeNetFiltering("/proc/sys/net/bridge/bridge-nf-call-iptables")

+	}

+	return nil

+}

-// getIPVersion gets the IP version in use ( [ipv4], [ipv6] or [ipv4 and ipv6] )

-func getIPVersion(config *networkConfiguration) ipVersion {

-	ipVer := ipv4

-	if config.AddressIPv6 != nil || config.EnableIPv6 {

-		ipVer |= ipv6

+// setupIPv6BridgeNetFiltering checks whether IPv6 forwarding is enabled for the

+// bridge and, if it is, sets kernel param "bridge-nf-call-ip6tables=1" so that

+// packets traversing the bridge are filtered.

+func setupIPv6BridgeNetFiltering(config *networkConfiguration, _ *bridgeInterface) error {

+	if !config.EnableIPv6 || config.AddressIPv6 == nil {

+		return nil

+	}

+	bn := config.BridgeName

+	if bn == "" {

+		// No interface name, check the default used for new interfaces.

+		bn = "default"

+	}

+	if enabled, err := getKernelBoolParam("/proc/sys/net/ipv6/conf/" + bn + "/forwarding"); err != nil {

+		log.G(context.TODO()).Warnf("failed to check IPv6 forwarding: %v", err)

+		return nil

+	} else if enabled {

+		return enableBridgeNetFiltering("/proc/sys/net/bridge/bridge-nf-call-ip6tables")

 	}

-	return ipVer

+	return nil

 }

-func setupBridgeNetFiltering(config *networkConfiguration, _ *bridgeInterface) error {

-	if err := checkBridgeNetFiltering(config); err != nil {

+// Enable bridge net filtering if not already enabled. See github issue #11404

+func enableBridgeNetFiltering(nfParam string) error {

+	enabled, err := getKernelBoolParam(nfParam)

+	if err != nil {

 		var pathErr *os.PathError

 		if errors.As(err, &pathErr) && errors.Is(pathErr, syscall.ENOENT) {

 			if isRunningInContainer() {

@@ -43,115 +60,19 @@ func setupBridgeNetFiltering(config *networkConfiguration, _ *bridgeInterface) e

 		}

 		return fmt.Errorf("cannot restrict inter-container communication: %v", err)

 	}

-	return nil

-}

-

-// Enable bridge net filtering if ip forwarding is enabled. See github issue #11404

-func checkBridgeNetFiltering(config *networkConfiguration) error {

-	ipVer := getIPVersion(config)

-	iface := config.BridgeName

-	doEnable := func(ipVer ipVersion) error {

-		enabled, err := isPacketForwardingEnabled(ipVer, iface)

-		if err != nil {

-			var ipVerName string

-			if ipVer == ipv4 {

-				ipVerName = "IPv4"

-			} else {

-				ipVerName = "IPv6"

-			}

-			log.G(context.TODO()).Warnf("failed to check %s forwarding: %v", ipVerName, err)

-		} else if enabled {

-			enabled, err := getKernelBoolParam(getBridgeNFKernelParam(ipVer))

-			if err != nil || enabled {

-				return err

-			}

-			return setKernelBoolParam(getBridgeNFKernelParam(ipVer), true)

-		}

-		return nil

-	}

-

-	switch ipVer {

-	case ipv4, ipv6:

-		return doEnable(ipVer)

-	case ipvboth:

-		v4err := doEnable(ipv4)

-		v6err := doEnable(ipv6)

-		if v4err == nil {

-			return v6err

-		}

-		return v4err

-	default:

-		return nil

-	}

-}

-

-// Get kernel param path saying whether IPv${ipVer} traffic is being forwarded

-// on particular interface. Interface may be specified for IPv6 only. If

-// `iface` is empty, `default` will be assumed, which represents default value

-// for new interfaces.

-func getForwardingKernelParam(ipVer ipVersion, iface string) string {

-	switch ipVer {

-	case ipv4:

-		return "/proc/sys/net/ipv4/ip_forward"

-	case ipv6:

-		if iface == "" {

-			iface = "default"

-		}

-		return fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/forwarding", iface)

-	default:

-		return ""

-	}

-}

-

-// Get kernel param path saying whether bridged IPv${ipVer} traffic shall be

-// passed to ip${ipVer}tables' chains.

-func getBridgeNFKernelParam(ipVer ipVersion) string {

-	switch ipVer {

-	case ipv4:

-		return "/proc/sys/net/bridge/bridge-nf-call-iptables"

-	case ipv6:

-		return "/proc/sys/net/bridge/bridge-nf-call-ip6tables"

-	default:

-		return ""

+	if !enabled {

+		return os.WriteFile(nfParam, []byte{'1', '\n'}, 0o644)

 	}

+	return nil

 }

 // Gets the value of the kernel parameters located at the given path

 func getKernelBoolParam(path string) (bool, error) {

-	enabled := false

 	line, err := os.ReadFile(path)

 	if err != nil {

 		return false, err

 	}

-	if len(line) > 0 {

-		enabled = line[0] == '1'

-	}

-	return enabled, err

-}

-

-// Sets the value of the kernel parameter located at the given path

-func setKernelBoolParam(path string, on bool) error {

-	value := byte('0')

-	if on {

-		value = byte('1')

-	}

-	return os.WriteFile(path, []byte{value, '\n'}, 0o644)

-}

-

-// Checks to see if packet forwarding is enabled

-func isPacketForwardingEnabled(ipVer ipVersion, iface string) (bool, error) {

-	switch ipVer {

-	case ipv4, ipv6:

-		return getKernelBoolParam(getForwardingKernelParam(ipVer, iface))

-	case ipvboth:

-		enabled, err := getKernelBoolParam(getForwardingKernelParam(ipv4, ""))

-		if err != nil || !enabled {

-			return enabled, err

-		}

-		return getKernelBoolParam(getForwardingKernelParam(ipv6, iface))

-	default:

-		return true, nil

-	}

+	return len(line) > 0 && line[0] == '1', nil

 }

 func isRunningInContainer() bool {

deleted file mode 100644

@@ -1,14 +0,0 @@

-//go:build linux

-

-package bridge

-

-import "testing"

-

-func TestIPConstantValues(t *testing.T) {

-	if ipv4|ipv6 != ipvboth {

-		t.Fatalf("bitwise or of ipv4(%04b) and ipv6(%04b) must yield ipvboth(%04b)", ipv4, ipv6, ipvboth)

-	}

-	if ipvboth&(^(ipv4 | ipv6)) != ipvnone {

-		t.Fatalf("ipvboth(%04b) with unset ipv4(%04b) and ipv6(%04b) bits shall equal to ipvnone", ipvboth, ipv4, ipv6)

-	}

-}