InTheForest/moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2026-01-11 18:51:37 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
dfe36fa2267e6bdea426fadcd2dd459113a8b407
moby/libnetwork/firewall_linux.go
Rob Murray e05848c002 Set up bridge-specific iptables rules in the bridge driver 
Use the bridge driver's iptables types to set up portmapping related
iptables rules - instead of using iptables.Forward, which is bridge
specific code in the iptables package.

Remove iptables.Forward() and its unit test, the bridge driver's
version is covered by TestAddPortMappings.

Remove hairpinMode from iptables.ChainInfo hairpinMode relates to bridge
driver specific behaviour, that is now implemented in the bridge driver.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-11 16:50:16 +00:00

55 lines
1.7 KiB
Go
Raw Blame History

package libnetwork
import (
"context"
"fmt"
"github.com/containerd/log"
"github.com/docker/docker/libnetwork/iptables"
)
const userChain = "DOCKER-USER"
var ctrl *Controller
func setupArrangeUserFilterRule(c *Controller) {
ctrl = c
iptables.OnReloaded(arrangeUserFilterRule)
}
// arrangeUserFilterRule sets up the DOCKER-USER chain for each iptables version
// (IPv4, IPv6) that's enabled in the controller's configuration.
func arrangeUserFilterRule() {
if ctrl == nil {
return
}
for _, ipVersion := range ctrl.enabledIptablesVersions() {
if err := setupUserChain(ipVersion); err != nil {
log.G(context.TODO()).WithError(err).Warn("arrangeUserFilterRule")
}
}
}
// setupUserChain sets up the DOCKER-USER chain for the given [iptables.IPVersion].
//
// This chain allows users to configure firewall policies in a way that
// persist daemon operations/restarts. The daemon does not delete or modify
// any pre-existing rules from the DOCKER-USER filter chain.
//
// Once the DOCKER-USER chain is created, the daemon does not remove it when
// IPTableForwarding is disabled, because it contains rules configured by user
// that are beyond the daemon's control.
func setupUserChain(ipVersion iptables.IPVersion) error {
ipt := iptables.GetIptable(ipVersion)
if _, err := ipt.NewChain(userChain, iptables.Filter); err != nil {
return fmt.Errorf("failed to create %s %v chain: %v", userChain, ipVersion, err)
}
if err := ipt.AddReturnRule(userChain); err != nil {
return fmt.Errorf("failed to add the RETURN rule for %s %v: %w", userChain, ipVersion, err)
}
if err := ipt.EnsureJumpRule("FORWARD", userChain); err != nil {
return fmt.Errorf("failed to ensure the jump rule for %s %v: %w", userChain, ipVersion, err)
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink