
  1. package libnetwork
  2. import (
  3. "github.com/docker/libnetwork/iptables"
  4. "github.com/docker/libnetwork/netlabel"
  5. "github.com/sirupsen/logrus"
  6. )
const (
	// userChain is the name of the iptables filter chain reserved for
	// user-managed rules; the functions below create it and jump to it from
	// FORWARD but never remove rules already present in it.
	userChain = "DOCKER-USER"
)
// arrangeUserFilterRule installs the DOCKER-USER chain when iptables
// management is enabled in the daemon configuration, and registers the same
// step with iptables.OnReloaded so the chain is put back after a reload.
//
// The controller lock is held while the configuration is read and the
// chain is arranged, in both the immediate call and the reload callback.
func (c *controller) arrangeUserFilterRule() {
	setup := func() {
		c.Lock()
		if c.hasIPTablesEnabled() {
			arrangeUserFilterRule()
		}
		c.Unlock()
	}
	setup()
	iptables.OnReloaded(setup)
}
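// hasIPTablesEnabled reports whether the generic driver configuration
// (netlabel.GenericData) carries a true "EnableIPTables" option.
//
// It returns false when the configuration is missing, when the generic data
// is absent or not a map[string]interface{}, or when the option is missing
// or not a bool. Locking c should be handled in the calling method.
func (c *controller) hasIPTablesEnabled() bool {
	if c.cfg == nil {
		return false
	}
	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
	if !ok || genericData == nil {
		return false
	}
	// Checked assertion: a malformed generic-data value must degrade to
	// "disabled" rather than panic, since this runs under the controller lock
	// from the iptables reload callback as well as at startup.
	optMap, ok := genericData.(map[string]interface{})
	if !ok {
		return false
	}
	enabled, ok := optMap["EnableIPTables"].(bool)
	if !ok {
		return false
	}
	return enabled
}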
// arrangeUserFilterRule creates the DOCKER-USER filter chain, ends it with a
// RETURN rule and ensures the FORWARD chain jumps to it.
//
// The chain lets users configure firewall policies in a way that persists
// across docker operations/restarts: docker does not delete or modify any
// pre-existing rules in the DOCKER-USER filter chain. Each step that fails is
// logged as a warning, and a failure to create the chain or add the RETURN
// rule stops before the following steps.
func arrangeUserFilterRule() {
	if _, err := iptables.NewChain(userChain, iptables.Filter, false); err != nil {
		logrus.Warnf("Failed to create %s chain: %v", userChain, err)
		return
	}
	if err := iptables.AddReturnRule(userChain); err != nil {
		logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
		return
	}
	if err := iptables.EnsureJumpRule("FORWARD", userChain); err != nil {
		logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
	}
}
  55. }