diff --git a/libnetwork/drivers/bridge/bridge.go b/libnetwork/drivers/bridge/bridge.go
index 7a86239a8f..23be408fc9 100644
--- a/libnetwork/drivers/bridge/bridge.go
+++ b/libnetwork/drivers/bridge/bridge.go
@@ -660,6 +660,10 @@ func (d *driver) CreateNetwork(id types.UUID, option map[string]interface{}) err
 // Setup IPTables.
 {config.EnableIPTables, network.setupIPTables},
+ //We want to track firewalld configuration so that
+ //if it is started/reloaded, the rules can be applied correctly
+ {config.EnableIPTables, network.setupFirewalld},
+
 // Setup DefaultGatewayIPv4
 {config.DefaultGatewayIPv4 != nil, setupGatewayIPv4},
diff --git a/libnetwork/drivers/bridge/link.go b/libnetwork/drivers/bridge/link.go
index 4e4444e074..894c5e772c 100644
--- a/libnetwork/drivers/bridge/link.go
+++ b/libnetwork/drivers/bridge/link.go
@@ -32,7 +32,12 @@ func newLink(parentIP, childIP string, ports []types.TransportPort, bridge strin
 func (l *link) Enable() error {
 // -A == iptables append flag
- return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
+ linkFunction := func() error {
+ return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
+ }
+
+ iptables.OnReloaded(func() { linkFunction() })
+ return linkFunction()
 }
 func (l *link) Disable() {
diff --git a/libnetwork/drivers/bridge/setup_firewalld.go b/libnetwork/drivers/bridge/setup_firewalld.go
new file mode 100644
index 0000000000..eeb7764801
--- /dev/null
+++ b/libnetwork/drivers/bridge/setup_firewalld.go
@@ -0,0 +1,15 @@
+package bridge
+
+import "github.com/docker/libnetwork/iptables"
+
+func (n *bridgeNetwork) setupFirewalld(config *networkConfiguration, i *bridgeInterface) error {
+ // Sanity check.
+ if config.EnableIPTables == false {
+ return IPTableCfgError(config.BridgeName)
+ }
+
+ iptables.OnReloaded(func() { n.setupIPTables(config, i) })
+ iptables.OnReloaded(n.portMapper.ReMapAll)
+
+ return nil
+}
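Review bot: The two added comment lines are not gofmt-style (`//We want`, `//if it is`) and they describe the motivation rather than the ordering constraint that actually matters here: the new step registers reload callbacks that re-run setupIPTables, so it only makes sense positioned after the `network.setupIPTables` step it mirrors. I would replace the two lines with `// Register firewalld reload callbacks so the iptables rules set up by the previous step are re-applied if firewalld is started or reloaded; keep this step after setupIPTables.` The guard `config.EnableIPTables` is also re-checked inside setupFirewalld itself, so one of the two checks is redundant; either is fine, but the duplication deserves a word. CreateNetwork's body starts and ends outside this hunk.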
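Review bot: Every call to Enable registers a new reload callback that is never removed, and nothing in Disable (its body is outside the hunk) unregisters it, so after a link has been disabled a firewalld reload re-inserts the parent/child accept rules — the link is silently re-opened — and repeated Enable calls accumulate duplicate callbacks that each re-run linkContainers. The callback also discards linkFunction's error, so a failed re-apply after a reload is invisible. If OnReloaded cannot return a handle for removal, the closure should at least consult a per-link "enabled" flag cleared by Disable and log the error instead of dropping it, for example `iptables.OnReloaded(func() { if err := linkFunction(); err != nil { logrus.Errorf("re-applying link rules: %s", err) } })` (logrus is what mapper.go in this same change uses; link.go would need to import it).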
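Review bot: The two OnReloaded callbacks capture n, config and i for the life of the process and nothing ties them to the network's lifetime, so once the network is deleted a firewalld reload will still run setupIPTables for a bridge that no longer exists and ReMapAll for its port mapper, leaving stale or failing rules behind; the hunk gives no way to deregister them, so this needs either a removal handle from OnReloaded or a "deleted" check inside the closure. The first closure also drops setupIPTables' error, which should be logged rather than ignored, e.g. `if err := n.setupIPTables(config, i); err != nil { logrus.Warnf("re-applying iptables rules for %s: %s", config.BridgeName, err) }` (this file would need to import logrus). `if config.EnableIPTables == false` reads better as `if !config.EnableIPTables`, and the function lacks a doc comment; I would add `// setupFirewalld registers callbacks that re-apply this network's iptables rules and port mappings whenever firewalld is started or reloaded.`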
diff --git a/libnetwork/drivers/bridge/setup_ip_tables.go b/libnetwork/drivers/bridge/setup_ip_tables.go
index 70e4df652b..fa241c1b34 100644
--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -149,7 +149,7 @@ func setIcc(bridgeIface string, iccEnable, insert bool) error {
 iptables.Raw(append([]string{"-D", chain}, dropArgs...)...)
 if !iptables.Exists(table, chain, acceptArgs...) {
- if output, err := iptables.Raw(append([]string{"-A", chain}, acceptArgs...)...); err != nil {
+ if output, err := iptables.Raw(append([]string{"-I", chain}, acceptArgs...)...); err != nil {
 return fmt.Errorf("Unable to allow intercontainer communication: %s", err.Error())
 } else if len(output) != 0 {
 return fmt.Errorf("Error enabling intercontainer communication: %s", output)
diff --git a/libnetwork/portmapper/mapper.go b/libnetwork/portmapper/mapper.go
index ac32f66ef1..b928e3c619 100644
--- a/libnetwork/portmapper/mapper.go
+++ b/libnetwork/portmapper/mapper.go
@@ -179,6 +179,18 @@ func (pm *PortMapper) Unmap(host net.Addr) error {
 return nil
 }
+//ReMapAll will re-apply all port mappings
+func (pm *PortMapper) ReMapAll() {
+ logrus.Debugln("Re-applying all port mappings.")
+ for _, data := range pm.currentMappings {
+ containerIP, containerPort := getIPAndPort(data.container)
+ hostIP, hostPort := getIPAndPort(data.host)
+ if err := pm.forward(iptables.Append, data.proto, hostIP, hostPort, containerIP.String(), containerPort); err != nil {
+ logrus.Errorf("Error on iptables add: %s", err)
+ }
+ }
+}
+
 func getKey(a net.Addr) string {
 switch t := a.(type) {
 case *net.TCPAddr:
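Review bot: Changing `-A` to `-I` moves the inter-container ACCEPT rule to the head of the chain, ahead of whatever rules other components (or a firewalld reload) have already placed there, and the hunk gives no explanation of why precedence is now required; since a rule that jumps to the front of the chain can override stricter rules a reader would expect to stay in effect, this needs a why-comment. I would add above the call: `// Insert at the head of the chain rather than append: after a firewalld reload other rules may already be present and the ICC accept must take precedence over them.` setIcc also takes an `insert` parameter whose relationship to this now hard-coded `-I` is not visible in the hunk and is worth reconciling. setIcc's body starts and ends outside this hunk.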
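Review bot: ReMapAll ranges over pm.currentMappings without taking the mutex that Map and Unmap presumably use to guard it (not visible in this hunk), yet it is registered as a firewalld reload callback and so runs on whatever goroutine delivers that event, concurrently with Map/Unmap; concurrent iteration and mutation of a Go map is a fatal runtime error, not merely a lost update. The loop should hold the same lock for its duration, e.g. acquire it on entry and `defer` the unlock before the `for`. The doc comment should be gofmt-style and start with the name: `// ReMapAll re-applies the iptables forwarding rules for every current port mapping, logging rather than returning per-mapping errors.` It also merits a sentence stating that it is intended for firewalld reloads, since the mappings themselves are unchanged and only the kernel rules are re-created.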