From 96479f54d0261d1b6be070b584124d9e50e1c241 Mon Sep 17 00:00:00 2001
From: Alessandro Boch
Date: Fri, 28 Oct 2016 11:42:50 -0700
Subject: [PATCH] Respect icc option for internal networks
Signed-off-by: Alessandro Boch
(cherry picked from commit 59d91e52216418abb7632c9e68054707c97e6826)
---
 drivers/bridge/setup_ip_tables.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/bridge/setup_ip_tables.go b/drivers/bridge/setup_ip_tables.go
index 78ab10f0..862d9e44 100644
--- a/drivers/bridge/setup_ip_tables.go
+++ b/drivers/bridge/setup_ip_tables.go
@@ -79,11 +79,11 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt
 Mask: i.bridgeIPv4.Mask,
 }
 if config.Internal {
- if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv4, true); err != nil {
+ if err = setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, true); err != nil {
 return fmt.Errorf("Failed to Setup IP tables: %s", err.Error())
 }
 n.registerIptCleanFunc(func() error {
- return setupInternalNetworkRules(config.BridgeName, maskedAddrv4, false)
+ return setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, false)
 })
 } else {
 if err = setupIPTablesInternal(config.BridgeName, maskedAddrv4, config.EnableICC, config.EnableIPMasquerade, hairpinMode, true); err != nil {
@@ -333,7 +333,7 @@ func removeIPChains() {
 }
 }
 
-func setupInternalNetworkRules(bridgeIface string, addr net.Addr, insert bool) error {
+func setupInternalNetworkRules(bridgeIface string, addr net.Addr, icc, insert bool) error {
 var (
 inDropRule = iptRule{table: iptables.Filter, chain: IsolationChain, args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"}}
 outDropRule = iptRule{table: iptables.Filter, chain: IsolationChain, args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"}}
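Review bot: The cleanup closure registered inside the `if config.Internal` branch reads `config.EnableICC` at the time the cleanup runs, not at the time the rules were inserted, so the removal call mirrors the insertion only as long as the configuration is not modified in between; if it were, the ICC rule programmed at setup could be left behind or a rule that was never added could be targeted. Whether `config` can change during the network's lifetime is not visible in this hunk, but capturing the value once before the branch, `icc := config.EnableICC`, and passing `icc` to both calls makes insert and remove symmetric regardless. setupIPTables begins and ends outside this hunk.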
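Review bot: setupInternalNetworkRules gains a second positional bool and still has no doc comment, so call sites such as `setupInternalNetworkRules(config.BridgeName, maskedAddrv4, config.EnableICC, true)` read as two unexplained flags. A comment above the new signature would fix that: `// setupInternalNetworkRules programs the isolation rules for an internal network: traffic entering or leaving bridgeIface whose other endpoint is outside addr is dropped, and inter-container communication on the bridge is set according to icc. insert adds the rules; the cleanup path passes false to remove them.` The function body continues past the end of this hunk.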
@@ -344,5 +344,9 @@ func setupInternalNetworkRules(bridgeIface string, addr net.Addr, insert bool) e
 if err := programChainRule(outDropRule, "DROP OUTGOING", insert); err != nil {
 return err
 }
+ // Set Inter Container Communication.
+ if err := setIcc(bridgeIface, icc, insert); err != nil {
+ return err
+ }
 return nil
 }
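Review bot: If `setIcc` fails on the insert path, the function returns after both DROP rules have already been programmed into IsolationChain, and the caller in setupIPTables registers its cleanup function only on success, so those isolation rules would be left in place with nothing to remove them. A best-effort rollback before `return err` — when `insert` is true, calling `programChainRule` for inDropRule and outDropRule with the insert flag set to false, which is how the cleanup path appears to remove them — would keep a failed setup from orphaning rules; the rollback's own error can only be logged since the original error is the one to return. The new comment could also say what the flag does rather than restating the call, e.g. `// Program the ICC rule so inter-container traffic on this bridge follows the icc setting.` setupInternalNetworkRules starts before this hunk.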