Report firewalld reload time in Info.FirewallBackend

Signed-off-by: Rob Murray <rob.murray@docker.com>
2026-01-11 18:51:37 +00:00 · 2025-04-01 20:29:02 +01:00
parent a527e5a546
commit dbea045e0d
2 changed files with 30 additions and 3 deletions
--- a/libnetwork/controller_linux.go
+++ b/libnetwork/controller_linux.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"sync"
+	"time"

 	"github.com/containerd/log"
 	"github.com/docker/docker/api/types/system"
@@ -20,7 +21,12 @@ func (c *Controller) FirewallBackend() *system.FirewallInfo {
 		return nil
 	}
 	if usingFirewalld {
-		return &system.FirewallInfo{Driver: "iptables+firewalld"}
+		info := &system.FirewallInfo{Driver: "iptables+firewalld"}
+		reloadedAt := iptables.FirewalldReloadedAt()
+		if !reloadedAt.IsZero() {
+			info.Info = append(info.Info, [2]string{"ReloadedAt", reloadedAt.Format(time.RFC3339)})
+		}
+		return info
 	}
 	return &system.FirewallInfo{Driver: "iptables"}
 }
--- a/libnetwork/iptables/firewalld.go
+++ b/libnetwork/iptables/firewalld.go
@@ -6,6 +6,9 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"sync"
+	"sync/atomic"
+	"time"

 	"github.com/containerd/log"
 	"github.com/docker/docker/pkg/rootless"
@@ -33,8 +36,12 @@ var (
 	connection *Conn

 	firewalldInitCalled bool
-	firewalldRunning    bool      // is Firewalld service running
-	onReloaded          []*func() // callbacks when Firewalld has been reloaded
+	firewalldRunning    bool // is Firewalld service running
+	// Time of the last firewalld reload.
+	firewalldReloadedAt atomic.Value
+	// Mutex to serialise firewalld reload callbacks.
+	firewalldReloadMu sync.Mutex
+	onReloaded        []*func() // callbacks when Firewalld has been reloaded
 )

 // UsingFirewalld returns true if iptables rules will be applied via firewalld's
@@ -50,6 +57,17 @@ func UsingFirewalld() (bool, error) {
 	return firewalldRunning, nil
 }

+// FirewalldReloadedAt returns the time at which the daemon last completed a
+// firewalld reload, or a zero-valued time.Time if it has not been reloaded
+// since the daemon started.
+func FirewalldReloadedAt() time.Time {
+	val := firewalldReloadedAt.Load()
+	if val == nil {
+		return time.Time{}
+	}
+	return val.(time.Time)
+}
+
 // firewalldInit initializes firewalld management code.
 func firewalldInit() error {
 	var err error
@@ -149,9 +167,12 @@ func connectionLost() {

 // call all callbacks
 func reloaded() {
+	firewalldReloadMu.Lock()
+	defer firewalldReloadMu.Unlock()
 	for _, pf := range onReloaded {
 		(*pf)()
 	}
+	firewalldReloadedAt.Store(time.Now())
 }

 // OnReloaded add callback