From 1ad9599da798c264a678e87fb81f7c6a52411976 Mon Sep 17 00:00:00 2001 From: Rob Murray Date: Wed, 14 May 2025 15:33:06 +0100 Subject: [PATCH] Drop DOCKER-ISOLATION rules The Inter-Network Communication rules in the iptables chains DOCKER-ISOLATION-STAGE-1 / DOCKER-ISOLATION-STAGE-2 (which are called from filter-FORWARD) currently: - Block access from containers in one bridge network, to ports published to host addresses by containers in other bridge networks, when the userland-proxy is disabled. - But, that access is allowed when the proxy is enabled. - Block access to all ports on container addresses in gateway mode "nat-unprotected" networks. - But, those ports can be accessed from anywhere else, including other hosts. Just not other bridge networks. - Allow access from containers in "nat" bridge networks to published ports on container addresses in "routed" networks. But, to do that, extra INC rules are added for the routed network. The INC rules are no longer needed to block access from containers in one network to unpublished ports on container addresses in other networks. Direct routing to containers in NAT networks is blocked by the "raw-PREROUTING" rules that block access from untrusted interfaces (all interfaces apart from the network's own bridge). Drop these INC rules to resolve the inconsistencies listed above, with this change: - Published ports on host addresses can be accessed from containers in other networks (even without the userland-proxy). - The rules for direct routing between bridge networks are the same as the rules for direct routing from outside the Docker host (allowed for gw modes "routed" and "nat-unprotected", disallowed for "nat"). Fewer rules, so it's simpler, and perhaps slightly faster. Internal networks (with no access to networks outside the host) are also implemented using rules in the DOCKER-ISOLATION chains. This change moves those rules to a new chain, DOCKER-INTERNAL, and drops the DOCKER-ISOLATION chains. 
Signed-off-by: Rob Murray --- .../iptablesdoc/generated/new-daemon.md | 53 ++-- .../iptablesdoc/generated/swarm-portmap.md | 24 +- .../iptablesdoc/generated/usernet-internal.md | 30 +-- .../generated/usernet-portmap-lo.md | 26 +- .../generated/usernet-portmap-natunprot.md | 26 +- .../generated/usernet-portmap-noicc.md | 26 +- .../generated/usernet-portmap-noproxy.md | 23 +- .../generated/usernet-portmap-routed.md | 37 +-- .../iptablesdoc/generated/usernet-portmap.md | 32 +-- .../iptablesdoc/templates/new-daemon.md | 35 ++- .../iptablesdoc/templates/usernet-internal.md | 4 +- .../templates/usernet-portmap-noproxy.md | 3 - .../templates/usernet-portmap-routed.md | 9 - .../iptablesdoc/templates/usernet-portmap.md | 6 +- integration/networking/bridge_linux_test.go | 227 +++++++++++++----- ...IngressChainPosition_docker_forward.golden | 2 +- .../bridge/internal/iptabler/iptabler.go | 46 ++-- .../bridge/internal/iptabler/iptabler_test.go | 14 +- .../bridge/internal/iptabler/network.go | 112 +-------- ...n=false,wsl2mirrored=true__iptables.golden | 5 +- ...er_cleaned,hairpin=false__ip6tables.golden | 5 +- ...ler_cleaned,hairpin=false__iptables.golden | 5 +- ...in=true,wsl2mirrored=true__iptables.golden | 5 +- ...ler_cleaned,hairpin=true__ip6tables.golden | 5 +- ...bler_cleaned,hairpin=true__iptables.golden | 5 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...false,gwm=nat,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- 
...h=false,wsl2mirrored=true__iptables.golden | 9 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...se,gwm=routed,bindlh=true__iptables.golden | 9 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...true,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 9 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 9 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 8 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 8 +- ...false,gwm=nat,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...unprotected,bindlh=false__ip6tables.golden | 8 +- ...-unprotected,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...-unprotected,bindlh=true__ip6tables.golden | 8 +- ...t-unprotected,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 10 +- 
...,gwm=routed,bindlh=false__ip6tables.golden | 10 +- ...e,gwm=routed,bindlh=false__iptables.golden | 10 +- ...lh=true,wsl2mirrored=true__iptables.golden | 10 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 10 +- ...se,gwm=routed,bindlh=true__iptables.golden | 10 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 8 +- ...true,gwm=nat,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 8 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...unprotected,bindlh=false__ip6tables.golden | 8 +- ...-unprotected,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...-unprotected,bindlh=true__ip6tables.golden | 8 +- ...t-unprotected,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 10 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 10 +- ...e,gwm=routed,bindlh=false__iptables.golden | 10 +- ...lh=true,wsl2mirrored=true__iptables.golden | 10 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 10 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 10 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...false,gwm=nat,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 9 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- 
...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...se,gwm=routed,bindlh=true__iptables.golden | 9 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...true,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...h=false,wsl2mirrored=true__iptables.golden | 9 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 9 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 8 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 8 +- ...false,gwm=nat,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...unprotected,bindlh=false__ip6tables.golden | 8 +- ...-unprotected,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...-unprotected,bindlh=true__ip6tables.golden | 8 +- ...t-unprotected,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 10 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 10 +- ...e,gwm=routed,bindlh=false__iptables.golden | 10 +- 
...lh=true,wsl2mirrored=true__iptables.golden | 10 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 10 +- ...se,gwm=routed,bindlh=true__iptables.golden | 10 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 8 +- ...true,gwm=nat,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 8 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 8 +- ...unprotected,bindlh=false__ip6tables.golden | 8 +- ...-unprotected,bindlh=false__iptables.golden | 8 +- ...lh=true,wsl2mirrored=true__iptables.golden | 8 +- ...-unprotected,bindlh=true__ip6tables.golden | 8 +- ...t-unprotected,bindlh=true__iptables.golden | 8 +- ...h=false,wsl2mirrored=true__iptables.golden | 10 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 10 +- ...e,gwm=routed,bindlh=false__iptables.golden | 10 +- ...lh=true,wsl2mirrored=true__iptables.golden | 10 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 10 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 10 +- ...c=false,wsl2mirrored=true__iptables.golden | 9 +- ...,internal=true,icc=false__ip6tables.golden | 9 +- ...e,internal=true,icc=false__iptables.golden | 9 +- ...cc=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,internal=true,icc=true__ip6tables.golden | 9 +- ...se,internal=true,icc=true__iptables.golden | 9 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...false,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- 
...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...se,gwm=routed,bindlh=true__iptables.golden | 9 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...true,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 9 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...false,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...se,gwm=routed,bindlh=true__iptables.golden | 9 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...true,gwm=nat,bindlh=false__iptables.golden | 7 +- 
...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 9 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...false,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...se,gwm=routed,bindlh=true__iptables.golden | 9 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...true,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- 
...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 9 +- ...lse,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...alse,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...alse,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...false,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...se,gwm=routed,bindlh=true__iptables.golden | 9 +- ...rue,gwm=nat,bindlh=false__ip6tables.golden | 7 +- ...true,gwm=nat,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...true,gwm=nat,bindlh=true__ip6tables.golden | 7 +- ...=true,gwm=nat,bindlh=true__iptables.golden | 7 +- ...unprotected,bindlh=false__ip6tables.golden | 7 +- ...-unprotected,bindlh=false__iptables.golden | 7 +- ...lh=true,wsl2mirrored=true__iptables.golden | 7 +- ...-unprotected,bindlh=true__ip6tables.golden | 7 +- ...t-unprotected,bindlh=true__iptables.golden | 7 +- ...,gwm=routed,bindlh=false__ip6tables.golden | 9 +- ...e,gwm=routed,bindlh=false__iptables.golden | 9 +- ...lh=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,gwm=routed,bindlh=true__ip6tables.golden | 9 +- ...ue,gwm=routed,bindlh=true__iptables.golden | 9 +- ...c=false,wsl2mirrored=true__iptables.golden | 9 +- 
...,internal=true,icc=false__ip6tables.golden | 9 +- ...e,internal=true,icc=false__iptables.golden | 9 +- ...cc=true,wsl2mirrored=true__iptables.golden | 9 +- ...e,internal=true,icc=true__ip6tables.golden | 9 +- ...ue,internal=true,icc=true__iptables.golden | 9 +- ...iptables-true_append-false_dockerfwdafter4 | 2 +- ...iptables-true_append-false_dockerfwdafter6 | 2 +- ..._iptables-true_append-false_dockerfwdinit4 | 2 +- ..._iptables-true_append-false_dockerfwdinit6 | 2 +- ..._iptables-true_append-true_dockerfwdafter4 | 2 +- ..._iptables-true_append-true_dockerfwdafter6 | 2 +- ...n_iptables-true_append-true_dockerfwdinit4 | 2 +- ...n_iptables-true_append-true_dockerfwdinit6 | 2 +- 309 files changed, 873 insertions(+), 2112 deletions(-) diff --git a/integration/network/bridge/iptablesdoc/generated/new-daemon.md b/integration/network/bridge/iptablesdoc/generated/new-daemon.md index da42c1ca15..6a3596a54f 100644 --- a/integration/network/bridge/iptablesdoc/generated/new-daemon.md +++ b/integration/network/bridge/iptablesdoc/generated/new-daemon.md @@ -31,17 +31,12 @@ Table `filter`: Chain DOCKER-FORWARD (1 references) num pkts bytes target prot opt in out source destination 1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0 - 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0 + 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0 - Chain DOCKER-ISOLATION-STAGE-1 (1 references) + Chain DOCKER-INTERNAL (1 references) num pkts bytes target prot opt in out source destination - 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 - - Chain DOCKER-ISOLATION-STAGE-2 (1 references) - num pkts bytes target prot opt in out source destination - 1 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) num pkts bytes target prot opt in out source destination 
@@ -57,8 +52,7 @@ Table `filter`: -N DOCKER-BRIDGE -N DOCKER-CT -N DOCKER-FORWARD - -N DOCKER-ISOLATION-STAGE-1 - -N DOCKER-ISOLATION-STAGE-2 + -N DOCKER-INTERNAL -N DOCKER-USER -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-FORWARD @@ -66,24 +60,23 @@ Table `filter`: -A DOCKER-BRIDGE -o docker0 -j DOCKER -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT - -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 + -A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i docker0 -j ACCEPT - -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 - -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP The FORWARD chain's policy shown above is ACCEPT. However: - - For IPv4, [setupIPForwarding][1] sets the POLICY to DROP if the sysctl + - For IPv4, [setupIPv4Forwarding][1] sets the POLICY to DROP if the sysctl net.ipv4.ip_forward was not set to '1', and the daemon set it itself when an IPv4-enabled bridge network was created. - - For IPv6, similar, but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding" + - For IPv6, [similar][2], but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding" and "/proc/sys/net/ipv6/conf/all/forwarding". -[1]: https://github.com/moby/moby/blob/cff4f20c44a3a7c882ed73934dec6a77246c6323/libnetwork/drivers/bridge/setup_ip_forwarding.go#L44 +[1]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv4Forwarding&type=code +[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv6Forwarding&type=code The FORWARD chain rules, explained in the order they appear in the output above, are: 
@@ -93,7 +86,7 @@ The FORWARD chain rules, explained in the order they appear in the output above, It's (mostly) kept at the top of the by deleting it and re-creating after each new network is created, while traffic may be running for other networks. 2. Unconditional jump to DOCKER-FORWARD. - This is set up by libnetwork, in [setupUserChain][10]. + This is set up by libnetwork, in [setupIPChains][11]. Once the daemon has initialised, it doesn't touch these rules. Users are free to append rules to the FORWARD chain, and they'll run after DOCKER's rules (or to @@ -106,12 +99,12 @@ the output above, are: 1. Unconditional jump to DOCKER-CT. Created during driver initialisation, in `setupIPChains`. - 2. Unconditional jump to DOCKER-ISOLATION-STAGE-1. + 2. Unconditional jump to DOCKER-INTERNAL. Also created during driver initialisation, in `setupIPChains`. 3. Unconditional jump to DOCKER-BRIDGE. Also created during driver initialisation, in `setupIPChains`. 4. ACCEPT any packet leaving a network, set up when the network is created, in - `setupIPTablesInternal`. Note that this accepts any packet leaving the + [setupIPTablesInternal][12]. Note that this accepts any packet leaving the network that's made it through the DOCKER and isolation chains, whether the destination is external or another network. 
@@ -122,29 +115,21 @@ DOCKER-BRIDGE has a rule for each bridge network, to jump to the DOCKER chain. The DOCKER chain implements per-port/protocol filtering for each container. -[10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50 -[11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232 -[12]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L227-L229 -[13]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L223-L226 -[15]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L343 +[10]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupUserChain&type=code +[11]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPChains&type=code +[12]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupNonInternalNetworkRules&type=code The DOCKER chain has a single DROP rule for the bridge network, to drop any packets routed to the network that have not originated in the network. Added by -[setDefaultForwardRule][21]. +[setDefaultForwardRule][20]. _This means there is no dependency on the filter-FORWARD chain's default policy. Even if it is ACCEPT, packets will be dropped unless container ports/protocols are published._ -The DOCKER-ISOLATION chains implement inter-network isolation, all (unrelated) -packets are processed by these chains. The rule are inserted at the head of the -chain when a network is created, in [setINC][20]. - - DOCKER-ISOLATION-STAGE-1 jumps to DOCKER-ISOLATION-STAGE-2 for any packet - routed to a docker network that has not come from that docker network. 
- - DOCKER-ISOLATION-STAGE-2 processes all packets leaving a bridge network, - packets that are destined for any other network are dropped. +[20]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code -[20]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L369 -[21]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252 +The DOCKER-INTERNAL chain is for `--internal` networks (bridge networks that +have no external access), it's unused in this example. Table nat: @@ -165,7 +150,6 @@ Table nat: Chain DOCKER (2 references) num pkts bytes target prot opt in out source destination - 1 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
@@ -179,7 +163,6 @@ Table nat: -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE - -A DOCKER -i docker0 -j RETURN
diff --git a/integration/network/bridge/iptablesdoc/generated/swarm-portmap.md b/integration/network/bridge/iptablesdoc/generated/swarm-portmap.md index 1dbb281ac2..41fe05a4ec 100644 --- a/integration/network/bridge/iptablesdoc/generated/swarm-portmap.md +++ b/integration/network/bridge/iptablesdoc/generated/swarm-portmap.md @@ -36,7 +36,7 @@ The filter table is: num pkts bytes target prot opt in out source destination 1 0 0 DOCKER-INGRESS 0 -- * * 0.0.0.0/0 0.0.0.0/0 2 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0 - 3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0 + 3 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0 6 0 0 DROP 0 -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0 @@ -48,15 +48,8 @@ The filter table is: 2 0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:8080 ctstate RELATED,ESTABLISHED 3 0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0 - Chain DOCKER-ISOLATION-STAGE-1 (1 references) + Chain DOCKER-INTERNAL (1 references) num pkts bytes target prot opt in out source destination - 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 - 2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0 - - Chain DOCKER-ISOLATION-STAGE-2 (2 references) - num pkts bytes target prot opt in out source destination - 1 0 0 DROP 0 -- * docker_gwbridge 0.0.0.0/0 0.0.0.0/0 - 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) num pkts bytes target prot opt in out source destination @@ -73,8 +66,7 @@ The filter table is: -N DOCKER-CT -N DOCKER-FORWARD -N DOCKER-INGRESS - -N DOCKER-ISOLATION-STAGE-1 - -N DOCKER-ISOLATION-STAGE-2 + -N DOCKER-INTERNAL -N DOCKER-USER -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-FORWARD 
@@ -86,7 +78,7 @@ The filter table is: -A DOCKER-CT -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-INGRESS -A DOCKER-FORWARD -j DOCKER-CT - -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 + -A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i docker0 -j ACCEPT -A DOCKER-FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP @@ -94,10 +86,6 @@ The filter table is: -A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT -A DOCKER-INGRESS -p tcp -m tcp --sport 8080 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-INGRESS -j RETURN - -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 - -A DOCKER-ISOLATION-STAGE-1 -i docker_gwbridge ! -o docker_gwbridge -j DOCKER-ISOLATION-STAGE-2 - -A DOCKER-ISOLATION-STAGE-2 -o docker_gwbridge -j DROP - -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP @@ -132,8 +120,6 @@ And the corresponding nat table: Chain DOCKER (2 references) num pkts bytes target prot opt in out source destination - 1 0 0 RETURN 0 -- docker_gwbridge * 0.0.0.0/0 0.0.0.0/0 - 2 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-INGRESS (2 references) num pkts bytes target prot opt in out source destination @@ -157,8 +143,6 @@ And the corresponding nat table: -A POSTROUTING -o docker_gwbridge -m addrtype --src-type LOCAL -j MASQUERADE -A POSTROUTING -s 172.18.0.0/16 ! -o docker_gwbridge -j MASQUERADE -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE - -A DOCKER -i docker_gwbridge -j RETURN - -A DOCKER -i docker0 -j RETURN -A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.18.0.2:8080 -A DOCKER-INGRESS -j RETURN diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-internal.md b/integration/network/bridge/iptablesdoc/generated/usernet-internal.md index f9d6d5849c..c2bb73fabb 100644 --- a/integration/network/bridge/iptablesdoc/generated/usernet-internal.md 
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-internal.md @@ -46,23 +46,18 @@ The filter table is updated as follows: Chain DOCKER-FORWARD (1 references) num pkts bytes target prot opt in out source destination 1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0 - 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0 + 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0 3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0 4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0 5 0 0 ACCEPT 0 -- bridgeICC bridgeICC 0.0.0.0/0 0.0.0.0/0 6 0 0 DROP 0 -- bridgeNoICC bridgeNoICC 0.0.0.0/0 0.0.0.0/0 - Chain DOCKER-ISOLATION-STAGE-1 (1 references) + Chain DOCKER-INTERNAL (1 references) num pkts bytes target prot opt in out source destination 1 0 0 DROP 0 -- * bridgeNoICC !198.51.100.0/24 0.0.0.0/0 2 0 0 DROP 0 -- bridgeNoICC * 0.0.0.0/0 !198.51.100.0/24 3 0 0 DROP 0 -- * bridgeICC !192.0.2.0/24 0.0.0.0/0 4 0 0 DROP 0 -- bridgeICC * 0.0.0.0/0 !192.0.2.0/24 - 5 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0 - - Chain DOCKER-ISOLATION-STAGE-2 (1 references) - num pkts bytes target prot opt in out source destination - 1 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 Chain DOCKER-USER (1 references) num pkts bytes target prot opt in out source destination @@ -78,8 +73,7 @@ The filter table is updated as follows: -N DOCKER-BRIDGE -N DOCKER-CT -N DOCKER-FORWARD - -N DOCKER-ISOLATION-STAGE-1 - -N DOCKER-ISOLATION-STAGE-2 + -N DOCKER-INTERNAL -N DOCKER-USER -A FORWARD -j DOCKER-USER -A FORWARD -j DOCKER-FORWARD 
@@ -87,17 +81,15 @@ The filter table is updated as follows: -A DOCKER-BRIDGE -o docker0 -j DOCKER -A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT - -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 + -A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i docker0 -j ACCEPT -A DOCKER-FORWARD -i bridgeICC -o bridgeICC -j ACCEPT -A DOCKER-FORWARD -i bridgeNoICC -o bridgeNoICC -j DROP - -A DOCKER-ISOLATION-STAGE-1 ! -s 198.51.100.0/24 -o bridgeNoICC -j DROP - -A DOCKER-ISOLATION-STAGE-1 ! -d 198.51.100.0/24 -i bridgeNoICC -j DROP - -A DOCKER-ISOLATION-STAGE-1 ! -s 192.0.2.0/24 -o bridgeICC -j DROP - -A DOCKER-ISOLATION-STAGE-1 ! -d 192.0.2.0/24 -i bridgeICC -j DROP - -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2 - -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP + -A DOCKER-INTERNAL ! -s 198.51.100.0/24 -o bridgeNoICC -j DROP + -A DOCKER-INTERNAL ! -d 198.51.100.0/24 -i bridgeNoICC -j DROP + -A DOCKER-INTERNAL ! -s 192.0.2.0/24 -o bridgeICC -j DROP + -A DOCKER-INTERNAL ! -d 192.0.2.0/24 -i bridgeICC -j DROP @@ -106,11 +98,9 @@ By comparison with the [network with external access][1]: - In the DOCKER-FORWARD chain, there is no ACCEPT rule for outgoing packets (`-i bridgeINC`). - There are no rules for this network in the DOCKER chain. -- In DOCKER-ISOLATION-STAGE-1: +- In DOCKER-INTERNAL: - Rule 1 drops any packet routed to the network that does not have a source address in the network's subnet. - Rule 2 drops any packet routed out of the network that does not have a dest address in the network's subnet. - - There is no jump to DOCKER-ISOLATION-STAGE-2. -- DOCKER-ISOLATION-STAGE-2 is unused. The only difference between `bridgeICC` and `bridgeNoICC` is the rule in the DOCKER-FORWARD chain. To enable ICC, the rule for packets looping through the bridge is ACCEPT. For 
@@ -137,7 +127,6 @@ And the corresponding nat table:
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
@@ -151,7 +140,6 @@ And the corresponding nat table:
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
- -A DOCKER -i docker0 -j RETURN
diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md
index c884de67f4..2b1037854e 100644
--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md
@@ -42,20 +42,13 @@ The filter and nat tables are identical to [nat mode][0]:
Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
+ 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+ Chain DOCKER-INTERNAL (1 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
-
- Chain DOCKER-ISOLATION-STAGE-2 (2 references)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
@@ -68,8 +61,7 @@ The filter and nat tables are identical to [nat mode][0]:
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
- -N DOCKER-ISOLATION-STAGE-1
- -N DOCKER-ISOLATION-STAGE-2
+ -N DOCKER-INTERNAL
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
@@ -81,14 +73,10 @@ The filter and nat tables are identical to [nat mode][0]:
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
- -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+ -A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
- -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
@@ -114,9 +102,7 @@ The filter and nat tables are identical to [nat mode][0]:
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 RETURN 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
- 3 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 127.0.0.1 tcp dpt:8080 to:192.0.2.2:80
+ 1 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 127.0.0.1 tcp dpt:8080 to:192.0.2.2:80
-P PREROUTING ACCEPT
@@ -128,8 +114,6 @@ The filter and nat tables are identical to [nat mode][0]:
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
- -A DOCKER -i bridge1 -j RETURN
- -A DOCKER -i docker0 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md
index 160aaf8fca..65c4c16a49 100644
--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-natunprot.md
@@ -39,20 +39,13 @@ The filter table is:
Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
+ 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+ Chain DOCKER-INTERNAL (1 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
-
- Chain DOCKER-ISOLATION-STAGE-2 (2 references)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
@@ -68,8 +61,7 @@ The filter table is:
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
- -N DOCKER-ISOLATION-STAGE-1
- -N DOCKER-ISOLATION-STAGE-2
+ -N DOCKER-INTERNAL
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
@@ -80,14 +72,10 @@ The filter table is:
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
- -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+ -A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
- -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
@@ -128,9 +116,7 @@ The nat table is identical to [nat mode][400].
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 RETURN 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
- 3 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.0.2.2:80
+ 1 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.0.2.2:80
-P PREROUTING ACCEPT
@@ -142,8 +128,6 @@ The nat table is identical to [nat mode][400].
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
- -A DOCKER -i bridge1 -j RETURN
- -A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md
index 9b51956319..d35c92c87e 100644
--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noicc.md
@@ -40,21 +40,14 @@ The filter table is:
Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
+ 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 DROP 0 -- bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
- Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+ Chain DOCKER-INTERNAL (1 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
-
- Chain DOCKER-ISOLATION-STAGE-2 (2 references)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
@@ -70,8 +63,7 @@ The filter table is:
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
- -N DOCKER-ISOLATION-STAGE-1
- -N DOCKER-ISOLATION-STAGE-2
+ -N DOCKER-INTERNAL
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
@@ -83,15 +75,11 @@ The filter table is:
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
- -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+ -A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -o bridge1 -j DROP
-A DOCKER-FORWARD -i bridge1 ! -o bridge1 -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
- -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
@@ -124,9 +112,7 @@ And the corresponding nat table:
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 RETURN 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
- 3 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.0.2.2:80
+ 1 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.0.2.2:80
@@ -141,8 +127,6 @@ And the corresponding nat table:
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
- -A DOCKER -i bridge1 -j RETURN
- -A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md
index 621fc6c7b0..b52e797a47 100644
--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-noproxy.md
@@ -43,20 +43,13 @@ The filter table is the same as with the userland proxy enabled.
Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
+ 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+ Chain DOCKER-INTERNAL (1 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
-
- Chain DOCKER-ISOLATION-STAGE-2 (2 references)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
@@ -69,8 +62,7 @@ The filter table is the same as with the userland proxy enabled.
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
- -N DOCKER-ISOLATION-STAGE-1
- -N DOCKER-ISOLATION-STAGE-2
+ -N DOCKER-INTERNAL
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
@@ -82,14 +74,10 @@ The filter table is the same as with the userland proxy enabled.
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
- -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+ -A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
- -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
@@ -144,8 +132,6 @@ Differences from [running with the proxy][0] are: - The jump from the OUTPUT chain to DOCKER happens even for loopback addresses. [ProgramChain][1]. - - The "SKIP DNAT" RETURN rule for packets routed to the bridge is omitted from - the DOCKER chain [setupIPTablesInternal][2]. - A MASQUERADE rule is added for packets sent from the container to one of its own published ports on the host. - A MASQUERADE rule for packets from a LOCAL source address is included in
@@ -154,6 +140,5 @@ Differences from [running with the proxy][0] are:
[0]: usernet-portmap.md
[1]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
-[2]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L293
[3]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
[4]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L772
diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md
index 8d0bb44c8e..76fe007580 100644
--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap-routed.md
@@ -41,22 +41,13 @@ The filter table is:
Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
+ 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+ Chain DOCKER-INTERNAL (1 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
- 2 0 0 RETURN 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 3 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
- 4 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
-
- Chain DOCKER-ISOLATION-STAGE-2 (2 references)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
@@ -72,8 +63,7 @@ The filter table is:
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
- -N DOCKER-ISOLATION-STAGE-1
- -N DOCKER-ISOLATION-STAGE-2
+ -N DOCKER-INTERNAL
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
@@ -86,31 +76,16 @@ The filter table is:
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
- -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+ -A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -o bridge1 -j RETURN
- -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
- -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
Compared to the equivalent [nat mode network][1]: -- In DOCKER-ISOLATION-STAGE-1: - - Rule 1 accepts outgoing packets related to established connections. This is for responses to containers on NAT networks that would not normally accept packets from another network, and may have port/protocol filtering rules in place that would otherwise drop these responses. - - Rule 2 skips the jump to DOCKER-ISOLATION-STAGE-2 for any packet routed to the routed-mode network. So, it will accept packets from other networks, if they make it through the port/protocol filtering rules in the DOCKER chain. - In the DOCKER chain: - A rule is added by [setICMP][5] to allow ICMP. *ALL* ICMP message types are allowed.
@@ -163,8 +138,6 @@ The nat table is:
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 RETURN 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
@@ -178,8 +151,6 @@ The nat table is:
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
- -A DOCKER -i bridge1 -j RETURN
- -A DOCKER -i docker0 -j RETURN
diff --git a/integration/network/bridge/iptablesdoc/generated/usernet-portmap.md b/integration/network/bridge/iptablesdoc/generated/usernet-portmap.md
index 13df8091c2..5d412cf1a4 100644
--- a/integration/network/bridge/iptablesdoc/generated/usernet-portmap.md
+++ b/integration/network/bridge/iptablesdoc/generated/usernet-portmap.md
@@ -39,20 +39,13 @@ The filter table is updated as follows:
Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
+ 2 0 0 DOCKER-INTERNAL 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- Chain DOCKER-ISOLATION-STAGE-1 (1 references)
+ Chain DOCKER-INTERNAL (1 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DOCKER-ISOLATION-STAGE-2 0 -- bridge1 !bridge1 0.0.0.0/0 0.0.0.0/0
-
- Chain DOCKER-ISOLATION-STAGE-2 (2 references)
- num pkts bytes target prot opt in out source destination
- 1 0 0 DROP 0 -- * bridge1 0.0.0.0/0 0.0.0.0/0
- 2 0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
num pkts bytes target prot opt in out source destination
@@ -68,8 +61,7 @@ The filter table is updated as follows:
-N DOCKER-BRIDGE
-N DOCKER-CT
-N DOCKER-FORWARD
- -N DOCKER-ISOLATION-STAGE-1
- -N DOCKER-ISOLATION-STAGE-2
+ -N DOCKER-INTERNAL
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-FORWARD
@@ -81,14 +73,10 @@ The filter table is updated as follows:
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o bridge1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-CT
- -A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+ -A DOCKER-FORWARD -j DOCKER-INTERNAL
-A DOCKER-FORWARD -j DOCKER-BRIDGE
-A DOCKER-FORWARD -i docker0 -j ACCEPT
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
- -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
- -A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP
- -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
@@ -98,8 +86,6 @@ Note that: - In the DOCKER-FORWARD chain, rule 5 for outgoing traffic from the new network has been appended to the end of the chain. - The DOCKER-CT and DOCKER-FORWARD chains each have a rule for the new network. - - In the DOCKER-ISOLATION chains, rules equivalent to the docker0 rules have - also been inserted for the new bridge. - In the DOCKER chain, there is an ACCEPT rule for TCP port 80 packets routed to the container's address. This rule is added when the container is created (unlike all the other rules so-far, which were created during driver or
@@ -110,8 +96,8 @@ Note that: created before `bridge1`, the `bridge1` rules appear above and below the `docker0` DROP rule.
-[1]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L795
-[2]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby+setPerPortForwarding&type=code
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
The corresponding nat table:
@@ -133,9 +119,7 @@ The corresponding nat table:
Chain DOCKER (2 references)
num pkts bytes target prot opt in out source destination
- 1 0 0 RETURN 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
- 2 0 0 RETURN 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
- 3 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.0.2.2:80
+ 1 0 0 DNAT 6 -- !bridge1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.0.2.2:80
@@ -150,8 +134,6 @@ The corresponding nat table:
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 192.0.2.0/24 ! -o bridge1 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
- -A DOCKER -i bridge1 -j RETURN
- -A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i bridge1 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.0.2.2:80
diff --git a/integration/network/bridge/iptablesdoc/templates/new-daemon.md b/integration/network/bridge/iptablesdoc/templates/new-daemon.md
index 2e0de2e310..68bddf8837 100644
--- a/integration/network/bridge/iptablesdoc/templates/new-daemon.md
+++ b/integration/network/bridge/iptablesdoc/templates/new-daemon.md
@@ -16,13 +16,14 @@ Table `filter`: The FORWARD chain's policy shown above is ACCEPT. However: - - For IPv4, [setupIPForwarding][1] sets the POLICY to DROP if the sysctl + - For IPv4, [setupIPv4Forwarding][1] sets the POLICY to DROP if the sysctl net.ipv4.ip_forward was not set to '1', and the daemon set it itself when an IPv4-enabled bridge network was created. - - For IPv6, similar, but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding" + - For IPv6, [similar][2], but for sysctls "/proc/sys/net/ipv6/conf/default/forwarding" and "/proc/sys/net/ipv6/conf/all/forwarding".
-[1]: https://github.com/moby/moby/blob/cff4f20c44a3a7c882ed73934dec6a77246c6323/libnetwork/drivers/bridge/setup_ip_forwarding.go#L44
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv4Forwarding&type=code
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPv6Forwarding&type=code
The FORWARD chain rules, explained in the order they appear in the output above, are:
@@ -32,7 +33,7 @@ The FORWARD chain rules, explained in the order they appear in the output above, It's (mostly) kept at the top of the by deleting it and re-creating after each new network is created, while traffic may be running for other networks. 2. Unconditional jump to DOCKER-FORWARD. - This is set up by libnetwork, in [setupUserChain][10]. + This is set up by libnetwork, in [setupIPChains][11]. Once the daemon has initialised, it doesn't touch these rules. Users are free to append rules to the FORWARD chain, and they'll run after DOCKER's rules (or to @@ -45,12 +46,12 @@ the output above, are: 1. Unconditional jump to DOCKER-CT. Created during driver initialisation, in `setupIPChains`. - 2. Unconditional jump to DOCKER-ISOLATION-STAGE-1. + 2. Unconditional jump to DOCKER-INTERNAL. Also created during driver initialisation, in `setupIPChains`. 3. Unconditional jump to DOCKER-BRIDGE. Also created during driver initialisation, in `setupIPChains`. 4. ACCEPT any packet leaving a network, set up when the network is created, in - `setupIPTablesInternal`. Note that this accepts any packet leaving the + [setupIPTablesInternal][12]. Note that this accepts any packet leaving the network that's made it through the DOCKER and isolation chains, whether the destination is external or another network. 
@@ -61,29 +62,21 @@ DOCKER-BRIDGE has a rule for each bridge network, to jump to the DOCKER chain.
The DOCKER chain implements per-port/protocol filtering for each container.
-[10]: https://github.com/moby/moby/blob/e05848c0025b67a16aaafa8cdff95d5e2c064105/libnetwork/firewall_linux.go#L50
-[11]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L230-L232
-[12]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L227-L229
-[13]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L223-L226
-[15]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L343
+[10]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupUserChain&type=code
+[11]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupIPChains&type=code
+[12]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setupNonInternalNetworkRules&type=code
The DOCKER chain has a single DROP rule for the bridge network, to drop any packets routed to the network that have not originated in the network. Added by
-[setDefaultForwardRule][21].
+[setDefaultForwardRule][20].
_This means there is no dependency on the filter-FORWARD chain's default policy. Even if it is ACCEPT, packets will be dropped unless container ports/protocols are published._
-The DOCKER-ISOLATION chains implement inter-network isolation, all (unrelated)
-packets are processed by these chains. The rule are inserted at the head of the
-chain when a network is created, in [setINC][20].
- - DOCKER-ISOLATION-STAGE-1 jumps to DOCKER-ISOLATION-STAGE-2 for any packet
- routed to a docker network that has not come from that docker network.
- - DOCKER-ISOLATION-STAGE-2 processes all packets leaving a bridge network,
- packets that are destined for any other network are dropped.
+[20]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
-[20]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L369
-[21]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+The DOCKER-INTERNAL chain is for `--internal` networks (bridge networks that
+have no external access), it's unused in this example.
Table nat:
diff --git a/integration/network/bridge/iptablesdoc/templates/usernet-internal.md b/integration/network/bridge/iptablesdoc/templates/usernet-internal.md
index e9215682a7..aac2b98202 100644
--- a/integration/network/bridge/iptablesdoc/templates/usernet-internal.md
+++ b/integration/network/bridge/iptablesdoc/templates/usernet-internal.md
@@ -33,11 +33,9 @@ By comparison with the [network with external access][1]: - In the DOCKER-FORWARD chain, there is no ACCEPT rule for outgoing packets (`-i bridgeINC`). - There are no rules for this network in the DOCKER chain. -- In DOCKER-ISOLATION-STAGE-1: +- In DOCKER-INTERNAL: - Rule 1 drops any packet routed to the network that does not have a source address in the network's subnet. - Rule 2 drops any packet routed out of the network that does not have a dest address in the network's subnet. - - There is no jump to DOCKER-ISOLATION-STAGE-2. -- DOCKER-ISOLATION-STAGE-2 is unused. The only difference between `bridgeICC` and `bridgeNoICC` is the rule in the DOCKER-FORWARD chain. To enable ICC, the rule for packets looping through the bridge is ACCEPT. For
diff --git a/integration/network/bridge/iptablesdoc/templates/usernet-portmap-noproxy.md b/integration/network/bridge/iptablesdoc/templates/usernet-portmap-noproxy.md
index 4721987288..06bbc902c1 100644
--- a/integration/network/bridge/iptablesdoc/templates/usernet-portmap-noproxy.md
+++ b/integration/network/bridge/iptablesdoc/templates/usernet-portmap-noproxy.md
@@ -34,8 +34,6 @@ Differences from [running with the proxy][0] are: - The jump from the OUTPUT chain to DOCKER happens even for loopback addresses. [ProgramChain][1]. - - The "SKIP DNAT" RETURN rule for packets routed to the bridge is omitted from - the DOCKER chain [setupIPTablesInternal][2]. - A MASQUERADE rule is added for packets sent from the container to one of its own published ports on the host. - A MASQUERADE rule for packets from a LOCAL source address is included in
@@ -44,6 +42,5 @@ Differences from [running with the proxy][0] are:
[0]: usernet-portmap.md
[1]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
-[2]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L293
[3]: https://github.com/moby/moby/blob/333cfa640239153477bf635a8131734d0e9d099d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L302
[4]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L772
diff --git a/integration/network/bridge/iptablesdoc/templates/usernet-portmap-routed.md b/integration/network/bridge/iptablesdoc/templates/usernet-portmap-routed.md
index 64a748135a..44d2981d31 100644
--- a/integration/network/bridge/iptablesdoc/templates/usernet-portmap-routed.md
+++ b/integration/network/bridge/iptablesdoc/templates/usernet-portmap-routed.md
@@ -21,15 +21,6 @@ The filter table is: Compared to the equivalent [nat mode network][1]: -- In DOCKER-ISOLATION-STAGE-1: - - Rule 1 accepts outgoing packets related to established connections. This is for responses to containers on NAT networks that would not normally accept packets from another network, and may have port/protocol filtering rules in place that would otherwise drop these responses. - - Rule 2 skips the jump to DOCKER-ISOLATION-STAGE-2 for any packet routed to the routed-mode network. So, it will accept packets from other networks, if they make it through the port/protocol filtering rules in the DOCKER chain. - In the DOCKER chain: - A rule is added by [setICMP][5] to allow ICMP. *ALL* ICMP message types are allowed.
diff --git a/integration/network/bridge/iptablesdoc/templates/usernet-portmap.md b/integration/network/bridge/iptablesdoc/templates/usernet-portmap.md
index fcefa1b9a3..d610197ebd 100644
--- a/integration/network/bridge/iptablesdoc/templates/usernet-portmap.md
+++ b/integration/network/bridge/iptablesdoc/templates/usernet-portmap.md
@@ -23,8 +23,6 @@ Note that: - In the DOCKER-FORWARD chain, rule 5 for outgoing traffic from the new network has been appended to the end of the chain. - The DOCKER-CT and DOCKER-FORWARD chains each have a rule for the new network. - - In the DOCKER-ISOLATION chains, rules equivalent to the docker0 rules have - also been inserted for the new bridge. - In the DOCKER chain, there is an ACCEPT rule for TCP port 80 packets routed to the container's address. This rule is added when the container is created (unlike all the other rules so-far, which were created during driver or
@@ -35,8 +33,8 @@ Note that: created before `bridge1`, the `bridge1` rules appear above and below the `docker0` DROP rule.
-[1]: https://github.com/moby/moby/blob/675c2ac2db93e38bb9c5a6615d4155a969535fd9/libnetwork/drivers/bridge/port_mapping_linux.go#L795
-[2]: https://github.com/robmry/moby/blob/52c89d467fc5326149e4bbb8903d23589b66ff0d/libnetwork/drivers/bridge/setup_ip_tables_linux.go#L252
+[1]: https://github.com/search?q=repo%3Amoby%2Fmoby+setPerPortForwarding&type=code
+[2]: https://github.com/search?q=repo%3Amoby%2Fmoby%20setDefaultForwardRule&type=code
The corresponding nat table:
diff --git a/integration/networking/bridge_linux_test.go b/integration/networking/bridge_linux_test.go
index a1dc8de671..a149c1b5b0 100644
--- a/integration/networking/bridge_linux_test.go
+++ b/integration/networking/bridge_linux_test.go
@@ -496,40 +496,39 @@ func TestBridgeINCRouted(t *testing.T) { } } -// TestRoutedAccessToPublishedPort checks that: -// - with docker-proxy enabled, a container in a gw-mode=routed network can access a port -// published to the host by a container in a gw-mode=nat network. -// - if the proxy is disabled, those packets are dropped by the network isolation rules -// - working around those INC rules by adding a rule to DOCKER-USER enables access to the -// published port (so, packets from the mode-routed network are still DNAT'd). +// TestAccessToPublishedPort checks that a container in one network can +// access a port published to the host by a container in another network, +// with various combinations of gateway-mode, with and without the +// userland proxy. // // Regression test for https://github.com/moby/moby/issues/49509 -func TestRoutedAccessToPublishedPort(t *testing.T) { +func TestAccessToPublishedPort(t *testing.T) { skip.If(t, testEnv.IsRootless, "Published port not accessible from rootless netns") ctx := setupTest(t) testcases := []struct { - name string - userlandProxy bool - skipINC bool - expResponseIptables bool - expResponseNftables bool + name string + clientGwMode string + userlandProxy bool }{ { - name: "proxy=true/skipINC=false", - userlandProxy: true, - expResponseIptables: true, - expResponseNftables: true, + name: "client=routed/proxy=true", + clientGwMode: "routed", + userlandProxy: true, }, { - name: "proxy=false/skipINC=false", - expResponseNftables: true, + name: "client=routed/proxy=false", + clientGwMode: "routed", }, { - name: "proxy=false/skipINC=true", - skipINC: true, - expResponseIptables: true, + name: "client=nat/proxy=true", + clientGwMode: "nat", + userlandProxy: true, + }, + { + name: "client=nat/proxy=false", + clientGwMode: "nat", }, } 
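Review bot: The rewritten doc comment says TestAccessToPublishedPort covers "various combinations of gateway-mode", but the table only varies clientGwMode, and the server network created further down the function has no gateway-mode option, so the server side is always the default mode. Suggest `// with the client network in gateway-mode "nat" or "routed" (the server network uses the default mode), with and without the userland proxy.` so the next reader doesn't look for a server-mode axis here; server-side gateway modes are what TestInterNetworkDirectRouting exercises. The function body continues past the hunk.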
@@ -538,61 +537,36 @@ func TestRoutedAccessToPublishedPort(t *testing.T) { d := daemon.New(t) d.StartWithBusybox(ctx, t, "--ipv6", "--userland-proxy="+strconv.FormatBool(tc.userlandProxy)) defer d.Stop(t) - usingNftables := d.FirewallBackendDriver(t) == "nftables" - if usingNftables && tc.skipINC { - t.Skip("Skipping iptables skip-INC test, using nftables") - } c := d.NewClientT(t) defer c.Close() - const natNetName = "tnet-nat" - const natBridgeName = "br-nat" - network.CreateNoError(ctx, t, c, natNetName, + const serverNetName = "tnet-server" + network.CreateNoError(ctx, t, c, serverNetName, network.WithDriver("bridge"), network.WithIPv6(), - network.WithOption(bridge.BridgeName, natBridgeName), + network.WithOption(bridge.BridgeName, "br-server"), ) - defer network.RemoveNoError(ctx, t, c, natNetName) + defer network.RemoveNoError(ctx, t, c, serverNetName) ctrId := container.Run(ctx, t, c, - container.WithNetworkMode(natNetName), - container.WithName("ctr-nat"), + container.WithNetworkMode(serverNetName), + container.WithName("ctr-server"), container.WithExposedPorts("80/tcp"), container.WithPortMap(nat.PortMap{"80/tcp": {nat.PortBinding{HostPort: "8080"}}}), container.WithCmd("httpd", "-f"), ) defer c.ContainerRemove(ctx, ctrId, containertypes.RemoveOptions{Force: true}) - const routedNetName = "tnet-routed" - network.CreateNoError(ctx, t, c, routedNetName, + const clientNetName = "tnet-client" + network.CreateNoError(ctx, t, c, clientNetName, network.WithDriver("bridge"), network.WithIPv6(), - network.WithOption(bridge.BridgeName, "br-routed"), - network.WithOption(bridge.IPv4GatewayMode, "routed"), - network.WithOption(bridge.IPv6GatewayMode, "routed"), + network.WithOption(bridge.BridgeName, "br-client"), + network.WithOption(bridge.IPv4GatewayMode, tc.clientGwMode), + network.WithOption(bridge.IPv6GatewayMode, tc.clientGwMode), ) - defer network.RemoveNoError(ctx, t, c, routedNetName) - - // With docker-proxy disabled, a container can't normally access a 
port published - // from a container in a different bridge network. But, users can add rules to - // the DOCKER-USER chain to get around that limitation of docker's iptables rules. - // Do that here, if the test requires it. - if tc.skipINC { - for _, ipv := range []iptables.IPVersion{iptables.IPv4, iptables.IPv6} { - rule := iptables.Rule{ - IPVer: ipv, Table: iptables.Filter, Chain: "DOCKER-USER", - Args: []string{"-o", natBridgeName, "-j", "ACCEPT"}, - } - err := rule.Insert() - assert.NilError(t, err) - defer func() { - if err := rule.Delete(); err != nil { - t.Errorf("Failed to delete %s DOCKER-USER rule: %v", ipv, err) - } - }() - } - } + defer network.RemoveNoError(ctx, t, c, clientNetName) // Use the default bridge addresses as host addresses (like "host-gateway", but // there's no way to tell wget to prefer ipv4/ipv6 transport, so just use the 
@@ -607,17 +581,148 @@ func TestRoutedAccessToPublishedPort(t *testing.T) { t.Run(ipv, func(t *testing.T) { url := "http://" + net.JoinHostPort(ipamCfg.Gateway, "8080") res := container.RunAttach(ctx, t, c, - container.WithNetworkMode(routedNetName), + container.WithNetworkMode(clientNetName), container.WithCmd("wget", "-O-", "-T3", url), ) - if (usingNftables && tc.expResponseNftables) || (!usingNftables && tc.expResponseIptables) { + // 404 Not Found means the server responded, but it's got nothing to serve. + assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"), "url: %s", url) + }) + } + }) + } +} + +// TestInterNetworkDirectRouting checks whether containers in one network +// can access ports on container addresses in other networks for combinations +// of gateway mode, published and unpublished ports, with and without the +// userland-proxy. (This is about direct routing between containers, so the +// docker-proxy shouldn't be involved - but the firewall config is a bit +// different, so it's worth testing.) +// +// Regression test for https://github.com/moby/moby/issues/49509 +func TestInterNetworkDirectRouting(t *testing.T) { + ctx := setupTest(t) + + testcases := []struct { + name string + serverGwMode string + userlandProxy bool + expPubResp bool + expUnpubResp bool + }{ + { + name: "server=nat/proxy=true", + serverGwMode: "nat", + userlandProxy: true, + expPubResp: false, // Direct routing is blocked by raw-prerouting rules. + expUnpubResp: false, // Direct routing is blocked by raw-prerouting rules. + }, + { + name: "server=nat/proxy=false", + serverGwMode: "nat", + expPubResp: false, // Direct routing is blocked by raw-prerouting rules. + expUnpubResp: false, // Direct routing is blocked by raw-prerouting rules. + }, + { + name: "server=routed/proxy=true", + serverGwMode: "routed", + userlandProxy: true, + expPubResp: true, + expUnpubResp: false, // Unpublished ports are blocked by port-filtering rules. 
+ }, + { + name: "server=routed/proxy=false", + serverGwMode: "routed", + expPubResp: true, + expUnpubResp: false, // Unpublished ports are blocked by port-filtering rules. + }, + { + name: "server=nat-unprotected/proxy=true", + serverGwMode: "nat-unprotected", + userlandProxy: true, + expPubResp: true, + expUnpubResp: true, + }, + { + name: "server=nat-unprotected/proxy=false", + serverGwMode: "nat-unprotected", + expPubResp: true, + expUnpubResp: true, + }, + } + + for _, tc := range testcases { + t.Run(tc.name, func(t *testing.T) { + d := daemon.New(t) + d.StartWithBusybox(ctx, t, "--ipv6", "--userland-proxy="+strconv.FormatBool(tc.userlandProxy)) + defer d.Stop(t) + + c := d.NewClientT(t) + defer c.Close() + + const serverNetName = "tnet-server" + network.CreateNoError(ctx, t, c, serverNetName, + network.WithDriver("bridge"), + network.WithIPv6(), + network.WithOption(bridge.BridgeName, "br-server"), + network.WithOption(bridge.IPv4GatewayMode, tc.serverGwMode), + network.WithOption(bridge.IPv6GatewayMode, tc.serverGwMode), + ) + defer network.RemoveNoError(ctx, t, c, serverNetName) + + ctrPubId := container.Run(ctx, t, c, + container.WithNetworkMode(serverNetName), + container.WithName("ctr-pub"), + container.WithExposedPorts("80/tcp"), + container.WithPortMap(nat.PortMap{"80/tcp": {nat.PortBinding{HostPort: "8080"}}}), + container.WithCmd("httpd", "-f"), + ) + defer c.ContainerRemove(ctx, ctrPubId, containertypes.RemoveOptions{Force: true}) + inspPub := container.Inspect(ctx, t, c, ctrPubId) + pub4 := inspPub.NetworkSettings.Networks[serverNetName].IPAddress + pub6 := inspPub.NetworkSettings.Networks[serverNetName].GlobalIPv6Address + + ctrUnpubId := container.Run(ctx, t, c, + container.WithNetworkMode(serverNetName), + container.WithName("ctr-unpub"), + container.WithCmd("httpd", "-f"), + ) + defer c.ContainerRemove(ctx, ctrUnpubId, containertypes.RemoveOptions{Force: true}) + inspUnpub := container.Inspect(ctx, t, c, ctrUnpubId) + unpub4 := 
inspUnpub.NetworkSettings.Networks[serverNetName].IPAddress + unpub6 := inspUnpub.NetworkSettings.Networks[serverNetName].GlobalIPv6Address + + const clientNetName = "tnet-client" + network.CreateNoError(ctx, t, c, clientNetName, + network.WithDriver("bridge"), + network.WithIPv6(), + network.WithOption(bridge.BridgeName, "br-client"), + ) + defer network.RemoveNoError(ctx, t, c, clientNetName) + + checkHTTP := func(addr string, expResp bool) func(t *testing.T) { + return func(t *testing.T) { + t.Parallel() + t.Helper() + url := "http://" + net.JoinHostPort(addr, "80") + res := container.RunAttach(ctx, t, c, + container.WithNetworkMode(clientNetName), + container.WithCmd("wget", "-O-", "-T3", url), + ) + if expResp { // 404 Not Found means the server responded, but it's got nothing to serve. assert.Check(t, is.Contains(res.Stderr.String(), "404 Not Found"), "url: %s", url) } else { assert.Check(t, is.Contains(res.Stderr.String(), "download timed out"), "url: %s", url) } - }) + } } + t.Run("w", func(t *testing.T) { // Wait for the parallel tests to complete. + t.Run("ipv4/pub", checkHTTP(pub4, tc.expPubResp)) + t.Run("ipv6/pub", checkHTTP(pub6, tc.expPubResp)) + t.Run("ipv4/unpub", checkHTTP(unpub4, tc.expUnpubResp)) + t.Run("ipv6/unpub", checkHTTP(unpub6, tc.expUnpubResp)) + }) }) } } diff --git a/integration/service/testdata/TestDockerIngressChainPosition_docker_forward.golden b/integration/service/testdata/TestDockerIngressChainPosition_docker_forward.golden index 04c880219c..48be692fa8 100644 --- a/integration/service/testdata/TestDockerIngressChainPosition_docker_forward.golden +++ b/integration/service/testdata/TestDockerIngressChainPosition_docker_forward.golden @@ -1,5 +1,5 @@ -N DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-INGRESS -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE 
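Review bot: In checkHTTP, `t.Helper()` on the subtest body does nothing useful — Helper marks the calling function as a helper for failure-line attribution, but this closure is the subtest itself, not a helper invoked from one — so `t.Parallel()` alone is what's needed. The grouping subtest named `"w"` is opaque in `-run` patterns and verbose output; a name such as `"checks"` alongside the existing "Wait for the parallel tests" comment would read better. The client network is created with only a bridge name, so the direct-routing matrix covers a nat-mode client only; if routed-mode clients are expected to behave identically, a clientGwMode axis like the one in TestAccessToPublishedPort would pin that down.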
diff --git a/libnetwork/drivers/bridge/internal/iptabler/iptabler.go b/libnetwork/drivers/bridge/internal/iptabler/iptabler.go
index 4ca27bbd75..1e85ca8d37 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/iptabler.go
+++ b/libnetwork/drivers/bridge/internal/iptabler/iptabler.go
@@ -18,19 +18,19 @@ const (
 // DockerForwardChain contains Docker's filter-FORWARD rules.
 //
 // FIXME(robmry) - only exported because it's used to set up the jump to swarm's DOCKER-INGRESS chain.
- DockerForwardChain = "DOCKER-FORWARD"
- dockerBridgeChain = "DOCKER-BRIDGE"
- dockerCTChain = "DOCKER-CT"
+ DockerForwardChain = "DOCKER-FORWARD"
+ dockerBridgeChain = "DOCKER-BRIDGE"
+ dockerCTChain = "DOCKER-CT"
+ dockerInternalChain = "DOCKER-INTERNAL"
 
- // Isolation between bridge networks is achieved in two stages by means
- // of the following two chains in the filter table. The first chain matches
- // on the source interface being a bridge network's bridge and the
- // destination being a different interface. A positive match leads to the
- // second isolation chain. No match returns to the parent chain. The second
- // isolation chain matches on destination interface being a bridge network's
- // bridge. A positive match identifies a packet originated from one bridge
- // network's bridge destined to another bridge network's bridge and will
- // result in the packet being dropped. No match returns to the parent chain.
+ // These INC (inter-network communication) chains are no longer needed, packets
+ // sent to unpublished ports in other networks are now dropped by rules in the DOCKER
+ // chain. Packets sent directly to published ports in a different network don't need
+ // to be dropped:
+ // - containers in other networks have access via the host's address, and
+ // - it was surprising that a container in a gwmode=nat network couldn't talk to a
+ // published port in a gwmode=routed network, but anything outside a bridge
+ // network could.
 isolationChain1 = "DOCKER-ISOLATION-STAGE-1"
 isolationChain2 = "DOCKER-ISOLATION-STAGE-2"
 )
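Review bot: The rewritten comment explains why the INC chains are gone but not why `isolationChain1` and `isolationChain2` are still declared; read on its own, the const block suggests two live chains. As far as this diff shows, their only remaining use is the removeIPChains list in network.go (the `@@ -514` hunk), so a closing line such as `// The names are kept only so removeIPChains can delete chains left behind by earlier daemons.` would make that explicit. It may also be worth stating, as the commit message does, that direct routing to containers in gw-mode "nat" networks is blocked by the raw-PREROUTING rules, since the comment credits only the DOCKER chain with the drops.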
@@ -180,26 +180,14 @@ func setupIPChains(ctx context.Context, version iptables.IPVersion, iptCfg firew
 }
 }()
 
- _, err = iptable.NewChain(isolationChain1, iptables.Filter)
+ _, err = iptable.NewChain(dockerInternalChain, iptables.Filter)
 if err != nil {
- return fmt.Errorf("failed to create FILTER isolation chain: %v", err)
+ return fmt.Errorf("failed to create FILTER internal chain: %v", err)
 }
 defer func() {
 if retErr != nil {
- if err := iptable.RemoveExistingChain(isolationChain1, iptables.Filter); err != nil {
- log.G(ctx).Warnf("failed on removing iptables FILTER chain %s on cleanup: %v", isolationChain1, err)
- }
- }
- }()
-
- _, err = iptable.NewChain(isolationChain2, iptables.Filter)
- if err != nil {
- return fmt.Errorf("failed to create FILTER isolation chain: %v", err)
- }
- defer func() {
- if retErr != nil {
- if err := iptable.RemoveExistingChain(isolationChain2, iptables.Filter); err != nil {
- log.G(ctx).Warnf("failed on removing iptables FILTER chain %s on cleanup: %v", isolationChain2, err)
+ if err := iptable.RemoveExistingChain(dockerInternalChain, iptables.Filter); err != nil {
+ log.G(ctx).Warnf("failed on removing iptables FILTER chain %s on cleanup: %v", dockerInternalChain, err)
 }
 }
 }()
@@ -224,7 +212,7 @@ func setupIPChains(ctx context.Context, version iptables.IPVersion, iptCfg firew
 if err := iptable.EnsureJumpRule(DockerForwardChain, dockerBridgeChain); err != nil {
 return err
 }
- if err := iptable.EnsureJumpRule(DockerForwardChain, isolationChain1); err != nil {
+ if err := iptable.EnsureJumpRule(DockerForwardChain, dockerInternalChain); err != nil {
 return err
 }
 if err := iptable.EnsureJumpRule(DockerForwardChain, dockerCTChain); err != nil {
diff --git a/libnetwork/drivers/bridge/internal/iptabler/iptabler_test.go b/libnetwork/drivers/bridge/internal/iptabler/iptabler_test.go
index 5f28b1a136..f23af87b92 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/iptabler_test.go
+++ b/libnetwork/drivers/bridge/internal/iptabler/iptabler_test.go
@@ -39,12 +39,14 @@ func TestCleanupIptableRules(t *testing.T) {
 expRemoved bool
 }{
 {name: dockerChain, table: iptables.Nat, expRemoved: true},
- // The filter-FORWARD chain has references to dockerChain and isolationChain1,
- // so the chains won't be removed - but they should be flushed. (This has
- // long/always been the case for the daemon, its filter-FORWARD rules aren't
- // removed.)
- {name: dockerChain, table: iptables.Filter},
- {name: isolationChain1, table: iptables.Filter},
+ // The filter-FORWARD chain has a reference to dockerForwardChain, so it won't be
+ // removed - but it should be flushed. (This has long/always been the case for
+ // the daemon, its filter-FORWARD rules aren't removed.)
+ {name: DockerForwardChain, table: iptables.Filter},
+ {name: dockerCTChain, table: iptables.Filter, expRemoved: true},
+ {name: dockerBridgeChain, table: iptables.Filter, expRemoved: true},
+ {name: dockerChain, table: iptables.Filter, expRemoved: true},
+ {name: dockerInternalChain, table: iptables.Filter, expRemoved: true},
 }
 
 ipVersions := []iptables.IPVersion{iptables.IPv4, iptables.IPv6}
diff --git a/libnetwork/drivers/bridge/internal/iptabler/network.go b/libnetwork/drivers/bridge/internal/iptabler/network.go
index 04e724f1f1..6d31dc325d 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/network.go
+++ b/libnetwork/drivers/bridge/internal/iptabler/network.go
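Review bot: The table no longer checks that the legacy DOCKER-ISOLATION-STAGE-1/2 chains are removed, even though removeIPChains in network.go still lists them and that cleanup is what takes them off a host upgraded from a daemon that created them. If the fixture can pre-create those chains, adding `{name: isolationChain1, table: iptables.Filter, expRemoved: true},` and the same for `isolationChain2` keeps the upgrade path covered; if it can't, a comment saying so would stop the next reader assuming it is. Separately, the new comment says "dockerForwardChain" while the constant is `DockerForwardChain`.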
@@ -71,15 +71,9 @@ func (n *network) DelNetworkLevelRules(_ context.Context) error {
 
 func (n *network) configure(ctx context.Context, ipv iptables.IPVersion, conf firewaller.NetworkConfigFam) error {
 if !conf.Prefix.IsValid() {
- // Delete INC rules, in case they were created by a 28.0.0 daemon that didn't check
- // whether the network had iptables/ip6tables enabled.
- // This preserves https://github.com/moby/moby/commit/8cc4d1d4a2b6408232041f9ba4dff966eba80cc0
- return setINC(ctx, ipv, n.config.IfName, conf.Routed, false)
+ return nil
 }
- if err := n.setupIPTables(ctx, ipv, conf); err != nil {
- return err
- }
- return nil
+ return n.setupIPTables(ctx, ipv, conf)
 }
 
 func (n *network) registerCleanFunc(clean iptableCleanFunc) {
@@ -145,15 +139,6 @@ func (n *network) setupIPTables(ctx context.Context, ipVersion iptables.IPVersio
 n.registerCleanFunc(func() error {
 return appendOrDelChainRule(jumpToDockerRule, "jump to docker", false)
 })
-
- // Register the cleanup function first. Then, if setINC fails after creating
- // some rules, they will be deleted.
- n.registerCleanFunc(func() error {
- return setINC(ctx, ipVersion, n.config.IfName, config.Routed, false)
- })
- if err := setINC(ctx, ipVersion, n.config.IfName, config.Routed, true); err != nil {
- return err
- }
 }
 return nil
 }
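Review bot: configure now returns nil silently when `conf.Prefix` is not valid, and the removed comment was the only record of why rules left by a 28.0.0 daemon for a network without an address of this family no longer need deleting here. A one-line comment would preserve that intent, e.g. `// No address of this family, so nothing to program; DOCKER-ISOLATION rules from older daemons go away with the chains in removeIPChains.` — with a TODO to confirm removeIPChains runs on every daemon start, since its caller is not in this diff. The setupIPTables hunk below drops the setINC cleanup registration with no note either; the same comment would cover it.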
@@ -311,26 +296,6 @@ func (n *network) setupNonInternalNetworkRules(ctx context.Context, ipVer iptabl
 return err
 }
 }
- // If the userland proxy is running (!hairpin), skip DNAT for packets originating from
- // this new network. Then, the proxy can pick up the packet from the host address the dest
- // port is published to. Otherwise, if the packet is DNAT'd, it's forwarded straight to the
- // target network, and will be dropped by network isolation rules if it didn't originate in
- // the same bridge network. (So, with the proxy enabled, this skip allows a container in one
- // network to reach a port published by a container in another bridge network.)
- //
- // If the userland proxy is disabled, don't skip, so packets will be DNAT'd. That will
- // enable access to ports published by containers in the same network. But, the INC rules
- // will block access to that published port from containers in other networks. (However,
- // users may add a rule to DOCKER-USER to work around the INC rules if needed.)
- if !n.ipt.config.Hairpin {
- skipDNAT := iptables.Rule{IPVer: ipVer, Table: iptables.Nat, Chain: dockerChain, Args: []string{
- "-i", n.config.IfName,
- "-j", "RETURN",
- }}
- if err := programChainRule(skipDNAT, "SKIP DNAT", enable); err != nil {
- return err
- }
- }
 }
 
 // In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
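Review bot: Dropping the `-i <bridge> -j RETURN` rule from nat-DOCKER changes how traffic from this network to a port published on a host address is handled when the userland proxy is enabled, and nothing on the new side records it: per the removed comment those packets were handed to docker-proxy, whereas now they are DNAT'd and forwarded, so the server container sees the client container's address instead of the host's, and a client in the same network as the server now traverses DOCKER-FORWARD with `-i <bridge> -o <bridge>`, which the golden files in this commit show is a DROP when icc=false. If that is the intended outcome it deserves a sentence in the commit message and a same-network case next to TestAccessToPublishedPort, which only exercises cross-network clients; if not, the skip is still needed under `!n.ipt.config.Hairpin`. setupNonInternalNetworkRules starts and ends outside the hunk.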
@@ -434,70 +399,6 @@ func setIcc(ctx context.Context, version iptables.IPVersion, bridgeIface string, return nil } -// Control Inter-Network Communication. -// Install rules only if they aren't present, remove only if they are. -// If this method returns an error, it doesn't roll back any rules it has added. -// No error is returned if rules cannot be removed (errors are just logged). -func setINC(ctx context.Context, version iptables.IPVersion, iface string, routed, enable bool) (retErr error) { - iptable := iptables.GetIptable(version) - actionI, actionA := iptables.Insert, iptables.Append - actionMsg := "add" - if !enable { - actionI, actionA = iptables.Delete, iptables.Delete - actionMsg = "remove" - } - - if routed { - // Anything is allowed into a routed network at this stage, so RETURN. Port - // filtering rules in the DOCKER chain will drop anything that's not destined - // for an open port. - if err := iptable.ProgramRule(iptables.Filter, isolationChain1, actionI, []string{ - "-o", iface, - "-j", "RETURN", - }); err != nil { - log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg) - if enable { - return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err) - } - } - - // Allow responses from the routed network into whichever network made the request. 
- if err := iptable.ProgramRule(iptables.Filter, isolationChain1, actionI, []string{ - "-i", iface, - "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", - "-j", "ACCEPT", - }); err != nil { - log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg) - if enable { - return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err) - } - } - } - - if err := iptable.ProgramRule(iptables.Filter, isolationChain1, actionA, []string{ - "-i", iface, - "!", "-o", iface, - "-j", isolationChain2, - }); err != nil { - log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg) - if enable { - return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err) - } - } - - if err := iptable.ProgramRule(iptables.Filter, isolationChain2, actionI, []string{ - "-o", iface, - "-j", "DROP", - }); err != nil { - log.G(ctx).WithError(err).Warnf("Failed to %s inter-network communication rule", actionMsg) - if enable { - return fmt.Errorf("%s inter-network communication rule: %w", actionMsg, err) - } - } - - return nil -} - // Obsolete chain from previous docker versions const oldIsolationChain = "DOCKER-ISOLATION" @@ -514,6 +415,7 @@ func removeIPChains(ctx context.Context, version iptables.IPVersion) { {Name: DockerForwardChain, Table: iptables.Filter, IPVersion: version}, {Name: dockerBridgeChain, Table: iptables.Filter, IPVersion: version}, {Name: dockerCTChain, Table: iptables.Filter, IPVersion: version}, + {Name: dockerInternalChain, Table: iptables.Filter, IPVersion: version}, {Name: isolationChain1, Table: iptables.Filter, IPVersion: version}, {Name: isolationChain2, Table: iptables.Filter, IPVersion: version}, {Name: oldIsolationChain, Table: iptables.Filter, IPVersion: version}, 
@@ -544,13 +446,13 @@ func setupInternalNetworkRules(ctx context.Context, bridgeIface string, prefix n inDropRule = iptables.Rule{ IPVer: version, Table: iptables.Filter, - Chain: isolationChain1, + Chain: dockerInternalChain, Args: []string{"-i", bridgeIface, "!", "-d", prefix.String(), "-j", "DROP"}, } outDropRule = iptables.Rule{ IPVer: version, Table: iptables.Filter, - Chain: isolationChain1, + Chain: dockerInternalChain, Args: []string{"-o", bridgeIface, "!", "-s", prefix.String(), "-j", "DROP"}, } } else { @@ -558,13 +460,13 @@ func setupInternalNetworkRules(ctx context.Context, bridgeIface string, prefix n inDropRule = iptables.Rule{ IPVer: version, Table: iptables.Filter, - Chain: isolationChain1, + Chain: dockerInternalChain, Args: []string{"-i", bridgeIface, "!", "-o", bridgeIface, "!", "-d", prefix.String(), "-j", "DROP"}, } outDropRule = iptables.Rule{ IPVer: version, Table: iptables.Filter, - Chain: isolationChain1, + Chain: dockerInternalChain, Args: []string{"!", "-i", bridgeIface, "-o", bridgeIface, "!", "-s", prefix.String(), "-j", "DROP"}, } } diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false,wsl2mirrored=true__iptables.golden index a1b6e6f04c..9d8fd99d96 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false,wsl2mirrored=true__iptables.golden 
@@ -10,11 +10,10 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE COMMIT *nat diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__ip6tables.golden index b04e74a3b1..1299e08add 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__ip6tables.golden @@ -10,11 +10,10 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE COMMIT *nat diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__iptables.golden index cb1d7f12c2..5a94250782 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=false__iptables.golden 
@@ -10,11 +10,10 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE COMMIT *nat diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true,wsl2mirrored=true__iptables.golden index 22b1768c1e..d761616d69 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true,wsl2mirrored=true__iptables.golden @@ -10,11 +10,10 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE COMMIT *nat diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__ip6tables.golden index 22b1768c1e..d761616d69 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__ip6tables.golden 
@@ -10,11 +10,10 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE COMMIT *nat diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__iptables.golden index 22b1768c1e..d761616d69 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_cleaned,hairpin=true__iptables.golden @@ -10,11 +10,10 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE COMMIT *nat diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden index 09a7f8dd0f..d47e649bb7 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden @@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden index 390b6f2925..13661d0703 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden index d5ff027ccf..29d5008e9e 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 572d1cf94e..bdd73103ab 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,20 +13,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden index 1756ca56d9..4a33abce21 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden index 73cdd2bbec..eb55cd8a64 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,20 +12,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden index e108829216..c8992bb3f2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index 55b12b5519..1e9c3e17c3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index 8df0420036..33465074f8 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 58aa734232..f3c5124030 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index 5d78ffc885..81308e8c29 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index 81ed1c8d61..d20c4be38b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden index c29c86bd16..0ebde204ac 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden index 9cac6bd23e..2c793070b9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden index c60b79859d..a49c3d43cd 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 0db9614b35..42daa320c3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,14 +20,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden index f7ba8a081d..53dca26b7a 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden index f09624435d..9d6d4bfff9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden index 09a7f8dd0f..d47e649bb7 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden index 390b6f2925..13661d0703 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden index d5ff027ccf..29d5008e9e 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 572d1cf94e..bdd73103ab 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,20 +13,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden
index 1756ca56d9..4a33abce21 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden
index 73cdd2bbec..eb55cd8a64 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden
@@ -12,20 +12,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
index e108829216..c8992bb3f2 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
index 55b12b5519..1e9c3e17c3 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
index 8df0420036..33465074f8 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
index 58aa734232..f3c5124030 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
index 5d78ffc885..81308e8c29 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
index 81ed1c8d61..d20c4be38b 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
index c29c86bd16..0ebde204ac 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden
index 9cac6bd23e..2c793070b9 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden
index c60b79859d..a49c3d43cd 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
index 0db9614b35..42daa320c3 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,14 +20,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden
index f7ba8a081d..53dca26b7a 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden
index f09624435d..9d6d4bfff9 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden
@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,14 +19,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
index 59f93e9b0b..6f4de6e870 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden
index 6ad4c6dffd..340a2074dd 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden
index eb0e81ec46..5b1834f740 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -35,6 +32,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 5e026322e7..7af1dc7119 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden @@ -13,20 +13,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -37,7 +34,6 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden index 27d27a4fd8..3c2ddae749 100644 
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden @@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -35,6 +32,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden index 98c2186588..a534647ef3 100644 
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden @@ -12,20 +12,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,6 +33,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT 
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden index c58d969e26..3761c6e7b1 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden @@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -33,7 +30,6 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index 0fc3e8bf60..b726faf38d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden @@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -33,6 +30,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index 92a816e7dd..ffdc43e333 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden @@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -33,6 +30,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 1440431259..b93c6e1e4d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -35,7 +32,6 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index d81165727e..da76de2dc3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden @@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -33,6 +30,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index d9d0279609..659b6eff83 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden @@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -34,6 +31,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden index 6f42b97765..0ebde204ac 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,7 +31,6 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden index a76a822fb7..2c793070b9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden 
@@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT @@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,6 +31,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden index ed9cc4a3ef..a49c3d43cd 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,6 +31,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 25a60dbdc4..42daa320c3 100644 
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -21,14 +20,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -38,7 +33,6 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT 
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden index c399513a37..53dca26b7a 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT @@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -36,6 +31,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden index 02023c8270..9d6d4bfff9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -37,6 +32,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden index 82400b410c..7f39acbed2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden
index 347d65657c..4938a9b2c6 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden
index 556820bf0c..5be35ebd80 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
index ec2dd5af09..b22eda4855 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -13,20 +13,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -37,7 +34,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden
index 7d803719cd..25be47a3c7 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden
@@ -11,20 +11,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden
index cde564f824..e00a42ae19 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden
@@ -12,20 +12,17 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +33,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
index 559f38c817..bcc2888063 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,7 +30,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
index dd6eade39e..b52c4845a0 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
index 0f060e7cb7..4c4da0c61a 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
index d8535f4f00..9308519ac2 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +32,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
index 22d5045657..a103d60154 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
@@ -10,19 +10,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
index 993d79fcf7..37fa092a19 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
index 6f42b97765..0ebde204ac 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,7 +31,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
index a76a822fb7..2c793070b9 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
index ed9cc4a3ef..a49c3d43cd 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
index 25a60dbdc4..42daa320c3 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,14 +20,10 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
 -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -38,7 +33,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden
index c399513a37..53dca26b7a 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,6 +31,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden index 02023c8270..9d6d4bfff9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden 
@@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -37,6 +32,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden index 25560144b7..003c7acfdc 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden @@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden index 88694639c4..7540a28711 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden index 7c772ab221..76ae94ee6f 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 4030d97352..cc8bba5a95 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,19 +13,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden index b675b02778..5d47bd253e 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden index ff8fecbf9f..392e44317b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden index 3c6995dac6..d71094dc3b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index 19ed79f064..ff0ad82f7b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index 1384b412e3..a9a0d86ac5 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 3c7e173621..c1375f5a67 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,18 +12,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index 85d25e22ff..e518af05f7 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index 4fc2feb71c..1777a78e46 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,18 +11,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden index 13006aa786..50bc1fe8ab 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden index 9b5e1d0fd4..13b48892b9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden index ec43b6801b..b3954fa704 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index d94eee2be7..550a6c40f8 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,13 +20,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden index 4db5f3ae98..2f3a72ccb4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden index d2608f5771..25ad2624e5 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,13 +19,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden index 25560144b7..003c7acfdc 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden
index 88694639c4..7540a28711 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden
index 7c772ab221..76ae94ee6f 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
index 4030d97352..cc8bba5a95 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -13,19 +13,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden
index b675b02778..5d47bd253e 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden
index ff8fecbf9f..392e44317b 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden
@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
index 3c6995dac6..d71094dc3b 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
index 19ed79f064..ff0ad82f7b 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
index 1384b412e3..a9a0d86ac5 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
index 3c7e173621..c1375f5a67 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,18 +12,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
index 85d25e22ff..e518af05f7 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
index 4fc2feb71c..1777a78e46 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
@@ -11,18 +11,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
index 13006aa786..50bc1fe8ab 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden
index 9b5e1d0fd4..13b48892b9 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden
index ec43b6801b..b3954fa704 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
index d94eee2be7..550a6c40f8 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,13 +20,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden
index 4db5f3ae98..2f3a72ccb4 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden
index d2608f5771..25ad2624e5 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden
@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,13 +19,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
index f32872b833..07f6aa0fd0 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,7 +31,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden
index 8ece20e4b1..4d9f6e6287 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden
index 57c87a5472..19faf27959 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -34,6 +31,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 15fb7c0829..696b11084b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,19 +13,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,7 +33,6 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden index 4df14b9ea6..749e9e8edb 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -34,6 +31,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden index 57bbb0a24f..58488a2a9a 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -35,6 +32,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden index 6d53bd608f..3597621b1a 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden @@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -32,7 +29,6 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index fbe5d80edb..8d9f70d561 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden @@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -32,6 +29,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index ff005d1185..5005b70735 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden @@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -32,6 +29,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index c6ff6be352..0ad27c9c1c 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,18 +12,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -34,7 +31,6 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index 1a0923d3c0..78ffc873f9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden @@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -32,6 +29,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index 7f6ffab372..77caab8a75 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden @@ -11,18 +11,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -33,6 +30,5 @@ COMMIT -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j MASQUERADE --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden index 423787389d..50bc1fe8ab 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -35,7 +30,6 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden index b6f5d9c637..13b48892b9 100644 
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT @@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -35,6 +30,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT 
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden index 9e82925d8b..b3954fa704 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] 
@@ -35,6 +30,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 74fb7fb307..550a6c40f8 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,13 +20,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -37,7 +32,6 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden index 92f2905980..2f3a72ccb4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden 
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +30,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden
index 487fe77b3b..25ad2624e5 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden
@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,13 +19,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,6 +31,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
index bc748672a4..d7d37cf7ae 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,7 +31,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden
index 5fcd3ca7c6..287c381dbc 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden
index f1b720ccad..8df81e686c 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
index 3c1f7d38b7..26e7ed9187 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -13,19 +13,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -36,7 +33,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden
index 83cf135dbb..7da2650bce 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden
@@ -11,19 +11,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,6 +31,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden
index be56c835e0..ab770c1479 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden
@@ -12,19 +12,16 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER ! -i br-dummy -o br-dummy -j DROP
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +32,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
index 4a7aa34100..b0c4eebef7 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -32,7 +29,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
index bc8025e641..355bd12737 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -32,6 +29,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
index 3dc131ab4c..066eab8cf4 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -32,6 +29,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
index 471df7c3a3..19914cd9c5 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,18 +12,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -34,7 +31,6 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
index 0825321d3d..be19928332 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -32,6 +29,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s fd49:efd7:54aa::/64 ! -o br-dummy -j SNAT --to-source fd34:d0d4:672f::123
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
index 9a91985ca6..087f3d4aa4 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
@@ -11,18 +11,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -33,6 +30,5 @@ COMMIT
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s 192.168.0.0/24 ! -o br-dummy -j SNAT --to-source 192.168.123.0
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
index 423787389d..50bc1fe8ab 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false,wsl2mirrored=true__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,7 +30,6 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
index b6f5d9c637..13b48892b9 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +30,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -s fe80::/10 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
index 9e82925d8b..b3954fa704 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
@@ -35,6 +30,5 @@ COMMIT
 :DOCKER - [0:0]
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
--A DOCKER -i br-dummy -j RETURN
 -A DOCKER ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80
 COMMIT
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
index 74fb7fb307..550a6c40f8 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -21,13 +20,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -37,7 +32,6 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.0/8 -i loopback0 -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden index 92f2905980..2f3a72ccb4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden 
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT @@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -35,6 +30,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d ::1/128 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER ! -s fe80::/10 -d ::1/128 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination [fd49:efd7:54aa::1]:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden index 487fe77b3b..25ad2624e5 100644 
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT @@ -20,13 +19,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] @@ -36,6 +31,5 @@ COMMIT :DOCKER - [0:0] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER --A DOCKER -i br-dummy -j RETURN -A DOCKER -d 127.0.0.1/32 ! -i br-dummy -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.2:80 COMMIT diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__iptables.golden index 5a4fcd5afe..6dde8f1b1e 100644 
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false,wsl2mirrored=true__iptables.golden @@ -10,15 +10,14 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP +-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__ip6tables.golden index 7dcb341218..e6c636ae13 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__ip6tables.golden 
@@ -10,15 +10,14 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__iptables.golden index 8fe7955989..3fc9199a3c 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=false__iptables.golden 
@@ -10,15 +10,14 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP +-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__iptables.golden index 0eb5925ed9..12d46a49ec 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true,wsl2mirrored=true__iptables.golden 
@@ -10,15 +10,14 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP +-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__ip6tables.golden index 8d30240c26..2b46775f64 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__ip6tables.golden 
@@ -10,15 +10,14 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__iptables.golden index 7c87194591..2155c03aec 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=false,internal=true,icc=true__iptables.golden 
@@ -10,15 +10,14 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP --A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP +-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP +-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden index 5b81de1e72..fcdca203b3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden index dbcc24d818..c0340bfff3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 4714ee8ac5..82378d435b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,20 +13,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden index ef3a802a0c..003c4fd436 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden index c3e57870a4..4187408c4b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,20 +12,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index 5622d96487..ebe90d7e22 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index ce3bb626fb..eaeed01c25 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 67ac98724c..fdad78f673 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index 75eba802e9..76dcd7f5a3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index 0460e5531c..36fb4fb0d2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden index 7b7dfa5454..527c3150eb 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden index 57ec4acb58..d75c96ab8b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 7c33f48f3b..93592338a2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,14 +20,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden index 6af1e71d68..2cd556f2a7 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden index d8405378ae..d37acc0884 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden index 9b23a16d3d..6ceb95f8d2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden index 1745c64838..b9bd771d03 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 4a5b8aca35..668de093a8 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,20 +13,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden index a21f92b560..42806b74bf 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden index 5a622ba9fc..e076ff9596 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden 
@@ -12,20 +12,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden index f656e572a8..15c50e4fff 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden index 5b12b6d589..81980cd34d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 7e168bdd5a..d9e6d3050a 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden index a229e44f5b..00cb0eea0d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden index 3279e66e12..e0dbcb1e78 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden index f3b825b364..429b9e319b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden index 7380846dfa..80c0615e23 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 0369e22767..66f2aab78d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,14 +20,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden index 0b4d181768..80896998b0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden index 0f837aca1c..0c2f822594 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden index 97c7db0923..0ead1d4ff6 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden index 4eb3102f19..d51a4f095e 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 8429bf56e6..f0d441a6c3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,20 +13,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden index 328d019be5..c073965be3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden index 823f07d258..4fc33676d3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,20 +12,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index be87dbf779..497cba3e11 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index b5cb6388db..184513aa87 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index a2daf7e296..b5a526a7a6 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index de1d3187b9..5e5011411b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index 26ef3e2a56..a00365cef4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden index 7b7dfa5454..527c3150eb 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden index 57ec4acb58..d75c96ab8b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 7c33f48f3b..93592338a2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,14 +20,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden index 6af1e71d68..2cd556f2a7 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden index d8405378ae..d37acc0884 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden index 91730f8859..45bad2b2d8 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden index 9719c7ced9..ff38035256 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 7b6e22e7ff..e5a5b65892 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,20 +13,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden index 8697dc9e48..f50bda309d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,20 +11,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden index 33fa487f07..f7c8faa201 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden 
@@ -12,20 +12,17 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden index be2cdad161..e547909d1c 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden index 14256a5d12..7a57c5dd20 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 6659f493b9..74d1cbf4ce 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden index c1d6759278..05549e06d3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,19 +10,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden index 0ee90b90bd..7579500df5 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden index f3b825b364..429b9e319b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden index 7380846dfa..80c0615e23 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 0369e22767..66f2aab78d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,14 +20,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden index 0b4d181768..80896998b0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,14 +18,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden index 0f837aca1c..0c2f822594 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=false,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,14 +19,10 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP -A DOCKER-FORWARD -i br-dummy ! -o br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden index 91561d69a4..19ec810f52 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden index b51c394141..a6578f564a 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=false__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 66b3d12082..af276d52b8 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,19 +13,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden index 3a9c626d6d..e1ff4d654f 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden index 1ff73acc2c..5cb2a0d0d4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index ef92d5f74e..ead5b4cc67 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index c23789f8d7..757a44b792 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index a41344d851..b1b6b4b525 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,18 +12,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index 0c8ca6e24c..6111265e5b 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index 2f511fc849..0636a3999e 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,18 +11,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden index 92911d7501..8294b18c11 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden index 917516b715..aa3cd13bd2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 62aecf1331..9eeb0782fa 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,13 +20,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden index 12df370514..ae1aa59744 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden index 113585ee6c..d1475530a0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,13 +19,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden index 051a6f8f54..3f619cb43f 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden index a51c8b1368..238d6a49e1 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=false__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index f020ef7a99..7f788582d5 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,19 +13,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden index 596250cf6e..1e11bf2ec3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden index a2581db3e0..b3253e6df9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat,bindlh=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden index a1c0b24121..fe1296ea36 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden index 2047dd2a6f..d7e591f5c2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index ef8eafa360..6dd21c0707 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,18 +12,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden index ec62e2a939..3437f39a8d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden index c9e0eb3e8d..5a6b54c5a3 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,18 +11,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden index a40433fec2..4b28f95ccc 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden index 485d47ef68..c063d9770c 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 46c97abead..7d11ef1e6c 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,13 +20,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden index 778533fb0b..0feff391e4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden index 87f34d5426..53b385b4ad 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=false,snat=true,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,13 +19,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden index 971e0fedd3..340d453586 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden index dc38c34b53..3f877363c4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=false__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 910debc164..5bf91653d0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,19 +13,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden index cb34f4744b..5aaa74a87d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden index feaa954f84..7570e7a1d9 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat,bindlh=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden index 0db016604f..5dc6349b0d 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden index e323f91b8a..5322ba8e13 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index 70d348dd1e..5b0af41fca 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,18 +12,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden index 5013c7df9c..14dec9d14e 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden index c841fadcb5..77e4b30e04 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=nat-unprotected,bindlh=true__iptables.golden 
@@ -11,18 +11,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden index 92911d7501..8294b18c11 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden index 917516b715..aa3cd13bd2 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=false__iptables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden index 62aecf1331..9eeb0782fa 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden @@ -12,8 +12,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -21,13 +20,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden index 12df370514..ae1aa59744 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__ip6tables.golden @@ -10,8 +10,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT 
@@ -19,13 +18,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden index 113585ee6c..d1475530a0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=false,gwm=routed,bindlh=true__iptables.golden @@ -11,8 +11,7 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER -o br-dummy -p icmp -j ACCEPT 
@@ -20,13 +19,9 @@ COMMIT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden index 52b91a1f23..5bc104baff 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden index a051f81e3a..afd20b8793 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=false__iptables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden index 10f10f1394..514c5ff432 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -13,19 +13,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden index 073b1410c3..350dffdfa6 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__ip6tables.golden 
@@ -11,19 +11,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden index a0f8f4788c..20f34333f1 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat,bindlh=true__iptables.golden 
@@ -12,19 +12,16 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT -A DOCKER ! -i br-dummy -o br-dummy -j DROP -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden index 4f5b1f6dd5..a7e23929b0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__ip6tables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden index eca87cb7e4..6a849ba0e0 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=false__iptables.golden 
@@ -10,18 +10,15 @@ COMMIT :DOCKER-BRIDGE - [0:0] :DOCKER-CT - [0:0] :DOCKER-FORWARD - [0:0] -:DOCKER-ISOLATION-STAGE-1 - [0:0] -:DOCKER-ISOLATION-STAGE-2 - [0:0] +:DOCKER-INTERNAL - [0:0] -A FORWARD -j DOCKER-FORWARD -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT -A DOCKER-BRIDGE -o br-dummy -j DOCKER -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A DOCKER-FORWARD -j DOCKER-CT --A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1 +-A DOCKER-FORWARD -j DOCKER-INTERNAL -A DOCKER-FORWARD -j DOCKER-BRIDGE -A DOCKER-FORWARD -i br-dummy -j ACCEPT --A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2 --A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP COMMIT *nat :PREROUTING ACCEPT [0:0] diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden index edbc79e8bd..404978c3e4 100644 --- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden +++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true,wsl2mirrored=true__iptables.golden 
@@ -12,18 +12,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
index 6933fa4e05..0e2258bb88 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__ip6tables.golden
@@ -10,18 +10,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
index be55afb906..91a1862af3 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=nat-unprotected,bindlh=true__iptables.golden
@@ -11,18 +11,15 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER ! -i br-dummy -o br-dummy -j ACCEPT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
index a40433fec2..4b28f95ccc 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
index 485d47ef68..c063d9770c 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=false__iptables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
index 46c97abead..7d11ef1e6c 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true,wsl2mirrored=true__iptables.golden
@@ -12,8 +12,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -21,13 +20,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden
index 778533fb0b..0feff391e4 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__ip6tables.golden
@@ -10,8 +10,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d fd49:efd7:54aa::1/128 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p ipv6-icmp -j ACCEPT
@@ -19,13 +18,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden
index 87f34d5426..53b385b4ad 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=false,icc=true,masq=true,snat=true,gwm=routed,bindlh=true__iptables.golden
@@ -11,8 +11,7 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER -d 192.168.0.2/32 ! -i br-dummy -o br-dummy -p tcp -m tcp --dport 80 -j ACCEPT
 -A DOCKER -o br-dummy -p icmp -j ACCEPT
@@ -20,13 +19,9 @@ COMMIT
 -A DOCKER-BRIDGE -o br-dummy -j DOCKER
 -A DOCKER-CT -o br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 -o br-dummy -j RETURN
--A DOCKER-ISOLATION-STAGE-1 -i br-dummy ! -o br-dummy -j DOCKER-ISOLATION-STAGE-2
--A DOCKER-ISOLATION-STAGE-2 -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__iptables.golden
index 8ce494ce2f..182e18a06c 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false,wsl2mirrored=true__iptables.golden
@@ -10,15 +10,14 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP
+-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__ip6tables.golden
index 536c5d17f4..790aef249d 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__ip6tables.golden
@@ -10,15 +10,14 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__iptables.golden
index 8ce494ce2f..182e18a06c 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=false__iptables.golden
@@ -10,15 +10,14 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP
+-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__iptables.golden
index 0f7fdd575d..fce9c80bff 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true,wsl2mirrored=true__iptables.golden
@@ -10,15 +10,14 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP
+-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__ip6tables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__ip6tables.golden
index 0719b84d99..df272bbd16 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__ip6tables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__ip6tables.golden
@@ -10,15 +10,14 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -s fd49:efd7:54aa::/64 ! -i br-dummy -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -d fd49:efd7:54aa::/64 -i br-dummy ! -o br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__iptables.golden b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__iptables.golden
index 0f7fdd575d..fce9c80bff 100644
--- a/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__iptables.golden
+++ b/libnetwork/drivers/bridge/internal/iptabler/testdata/TestIptabler_hairpin=true,internal=true,icc=true__iptables.golden
@@ -10,15 +10,14 @@ COMMIT
 :DOCKER-BRIDGE - [0:0]
 :DOCKER-CT - [0:0]
 :DOCKER-FORWARD - [0:0]
-:DOCKER-ISOLATION-STAGE-1 - [0:0]
-:DOCKER-ISOLATION-STAGE-2 - [0:0]
+:DOCKER-INTERNAL - [0:0]
 -A FORWARD -j DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
 -A DOCKER-FORWARD -i br-dummy -o br-dummy -j ACCEPT
--A DOCKER-ISOLATION-STAGE-1 ! -s 192.168.0.0/24 -o br-dummy -j DROP
--A DOCKER-ISOLATION-STAGE-1 ! -d 192.168.0.0/24 -i br-dummy -j DROP
+-A DOCKER-INTERNAL ! -s 192.168.0.0/24 -o br-dummy -j DROP
+-A DOCKER-INTERNAL ! -d 192.168.0.0/24 -i br-dummy -j DROP
 COMMIT
 *nat
 :PREROUTING ACCEPT [0:0]
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter4 b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter4
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter4
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter4
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter6 b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter6
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter6
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdafter6
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit4 b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit4
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit4
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit4
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit6 b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit6
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit6
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-false_dockerfwdinit6
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter4 b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter4
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter4
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter4
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter6 b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter6
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter6
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdafter6
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit4 b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit4
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit4
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit4
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE
diff --git a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit6 b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit6
index af14da8ba6..6b056379c1 100644
--- a/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit6
+++ b/libnetwork/testdata/TestUserChain_iptables-true_append-true_dockerfwdinit6
@@ -1,4 +1,4 @@
 -N DOCKER-FORWARD
 -A DOCKER-FORWARD -j DOCKER-CT
--A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
+-A DOCKER-FORWARD -j DOCKER-INTERNAL
 -A DOCKER-FORWARD -j DOCKER-BRIDGE