
Fix ICC on firewalld-enabled Fedora systems; add the missing firewalld functionality so that the configuration is re-applied when firewalld is reloaded

Signed-off-by: Alec Benson <albenson@redhat.com>
Alec Benson 10 years ago
parent
commit
21b0927720

+ 4 - 0
libnetwork/drivers/bridge/bridge.go

@@ -660,6 +660,10 @@ func (d *driver) CreateNetwork(id types.UUID, option map[string]interface{}) err
 		// Setup IPTables.
 		{config.EnableIPTables, network.setupIPTables},
 
+		//We want to track firewalld configuration so that
+		//if it is started/reloaded, the rules can be applied correctly
+		{config.EnableIPTables, network.setupFirewalld},
+
 		// Setup DefaultGatewayIPv4
 		{config.DefaultGatewayIPv4 != nil, setupGatewayIPv4},
 

+ 6 - 1
libnetwork/drivers/bridge/link.go

@@ -32,7 +32,12 @@ func newLink(parentIP, childIP string, ports []types.TransportPort, bridge strin
 
 func (l *link) Enable() error {
 	// -A == iptables append flag
-	return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
+	linkFunction := func() error {
+		return linkContainers("-A", l.parentIP, l.childIP, l.ports, l.bridge, false)
+	}
+
+	iptables.OnReloaded(func() { linkFunction() })
+	return linkFunction()
 }
 
 func (l *link) Disable() {
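Review bot: The callback registered on the added `iptables.OnReloaded` line discards the result of `linkFunction()`, so a failed re-application of the link's rules after a firewalld reload goes unnoticed, and nothing ever unregisters the callback, so a link that has since been `Disable`d (body outside this hunk, presumably removing the rules) gets its rules re-added on the next reload. At minimum capture the error: `iptables.OnReloaded(func() { if err := linkFunction(); err != nil { logrus.Errorf("re-applying link rules: %s", err) } })` — whether a logger is already imported in link.go is not visible here. Each `Enable` call also registers one more callback, so they accumulate per call; gating the callback on an enabled flag cleared in `Disable` would address both points. `Enable` is shown in full; `Disable` starts on the hunk's last line and continues outside it.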

+ 15 - 0
libnetwork/drivers/bridge/setup_firewalld.go

@@ -0,0 +1,15 @@
+package bridge
+
+import "github.com/docker/libnetwork/iptables"
+
+func (n *bridgeNetwork) setupFirewalld(config *networkConfiguration, i *bridgeInterface) error {
+	// Sanity check.
+	if config.EnableIPTables == false {
+		return IPTableCfgError(config.BridgeName)
+	}
+
+	iptables.OnReloaded(func() { n.setupIPTables(config, i) })
+	iptables.OnReloaded(n.portMapper.ReMapAll)
+
+	return nil
+}
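Review bot: The closure passed to `iptables.OnReloaded` around `n.setupIPTables(config, i)` drops the returned error, so if the bridge's iptables setup fails after a firewalld reload the network silently keeps running without its rules. Change it to `iptables.OnReloaded(func() { if err := n.setupIPTables(config, i); err != nil { /* log the failure */ } })`; this file imports only the iptables package, so a logging import would be needed. Both callbacks also hold `n`, `config` and `i` for the life of the process with no matching deregistration, so after a network is deleted a reload would re-apply its rules; that deserves either a comment stating the limitation or a deregistration path. Minor style: `config.EnableIPTables == false` reads more idiomatically as `!config.EnableIPTables`.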

+ 1 - 1
libnetwork/drivers/bridge/setup_ip_tables.go

@@ -149,7 +149,7 @@ func setIcc(bridgeIface string, iccEnable, insert bool) error {
 			iptables.Raw(append([]string{"-D", chain}, dropArgs...)...)
 
 			if !iptables.Exists(table, chain, acceptArgs...) {
-				if output, err := iptables.Raw(append([]string{"-A", chain}, acceptArgs...)...); err != nil {
+				if output, err := iptables.Raw(append([]string{"-I", chain}, acceptArgs...)...); err != nil {
 					return fmt.Errorf("Unable to allow intercontainer communication: %s", err.Error())
 				} else if len(output) != 0 {
 					return fmt.Errorf("Error enabling intercontainer communication: %s", output)
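Review bot: The switch from `-A` to `-I` on the ACCEPT rule carries no comment explaining the ordering requirement, and the function's DROP branch lies outside this hunk, so it is unclear whether it was changed to match. Suggest adding above the changed line: `// Insert at the head of the chain so the ACCEPT rule precedes any rules firewalld (re)adds` — the motivation is inferred from the commit title, so confirm it. With `-I` the rule lands at position 1 on every call, so the preceding `iptables.Exists` check is what keeps repeated reload callbacks from stacking duplicates; the two should stay together. `setIcc` starts and ends outside the hunk.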

+ 12 - 0
libnetwork/portmapper/mapper.go

@@ -179,6 +179,18 @@ func (pm *PortMapper) Unmap(host net.Addr) error {
 	return nil
 }
 
+//ReMapAll will re-apply all port mappings
+func (pm *PortMapper) ReMapAll() {
+	logrus.Debugln("Re-applying all port mappings.")
+	for _, data := range pm.currentMappings {
+		containerIP, containerPort := getIPAndPort(data.container)
+		hostIP, hostPort := getIPAndPort(data.host)
+		if err := pm.forward(iptables.Append, data.proto, hostIP, hostPort, containerIP.String(), containerPort); err != nil {
+			logrus.Errorf("Error on iptables add: %s", err)
+		}
+	}
+}
+
 func getKey(a net.Addr) string {
 	switch t := a.(type) {
 	case *net.TCPAddr:
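Review bot: `ReMapAll` ranges over `pm.currentMappings` without taking any lock, yet it is installed as a firewalld reload callback and so may run concurrently with `Map`/`Unmap` mutating the same map. If `PortMapper` guards `currentMappings` with a mutex elsewhere (not visible in this hunk), `ReMapAll` should hold it around the loop; otherwise this is a data race and a possible concurrent map iteration/write panic. The doc comment should also follow Go convention and start with the name after a space: `// ReMapAll re-applies every current port mapping in iptables.`. `getKey` begins on the hunk's last lines and continues outside it.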