12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970 |
- package libnetwork
- import (
- "github.com/docker/libnetwork/iptables"
- "github.com/docker/libnetwork/netlabel"
- "github.com/sirupsen/logrus"
- )
- const userChain = "DOCKER-USER"
- func (c *controller) arrangeUserFilterRule() {
- c.Lock()
- if c.hasIPTablesEnabled() {
- arrangeUserFilterRule()
- }
- c.Unlock()
- iptables.OnReloaded(func() {
- c.Lock()
- if c.hasIPTablesEnabled() {
- arrangeUserFilterRule()
- }
- c.Unlock()
- })
- }
- func (c *controller) hasIPTablesEnabled() bool {
- // Locking c should be handled in the calling method.
- if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
- return false
- }
- genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
- if !ok {
- return false
- }
- optMap := genericData.(map[string]interface{})
- enabled, ok := optMap["EnableIPTables"].(bool)
- if !ok {
- return false
- }
- return enabled
- }
- // This chain allow users to configure firewall policies in a way that persists
- // docker operations/restarts. Docker will not delete or modify any pre-existing
- // rules from the DOCKER-USER filter chain.
- func arrangeUserFilterRule() {
- _, err := iptables.NewChain(userChain, iptables.Filter, false)
- if err != nil {
- logrus.Warnf("Failed to create %s chain: %v", userChain, err)
- return
- }
- if err = iptables.AddReturnRule(userChain); err != nil {
- logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
- return
- }
- err = iptables.EnsureJumpRule("FORWARD", userChain)
- if err != nil {
- logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
- }
- }
|