| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162 |
- package libnetwork
- import (
- "context"
- "github.com/containerd/containerd/log"
- "github.com/docker/docker/libnetwork/iptables"
- )
- const userChain = "DOCKER-USER"
- var ctrl *Controller
- func setupArrangeUserFilterRule(c *Controller) {
- ctrl = c
- iptables.OnReloaded(arrangeUserFilterRule)
- }
- // This chain allow users to configure firewall policies in a way that persists
- // docker operations/restarts. Docker will not delete or modify any pre-existing
- // rules from the DOCKER-USER filter chain.
- // Note once DOCKER-USER chain is created, docker engine does not remove it when
- // IPTableForwarding is disabled, because it contains rules configured by user that
- // are beyond docker engine's control.
- func arrangeUserFilterRule() {
- if ctrl == nil {
- return
- }
- conds := []struct {
- ipVer iptables.IPVersion
- cond bool
- }{
- {ipVer: iptables.IPv4, cond: ctrl.iptablesEnabled()},
- {ipVer: iptables.IPv6, cond: ctrl.ip6tablesEnabled()},
- }
- for _, ipVerCond := range conds {
- cond := ipVerCond.cond
- if !cond {
- continue
- }
- ipVer := ipVerCond.ipVer
- iptable := iptables.GetIptable(ipVer)
- _, err := iptable.NewChain(userChain, iptables.Filter, false)
- if err != nil {
- log.G(context.TODO()).WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
- return
- }
- if err = iptable.AddReturnRule(userChain); err != nil {
- log.G(context.TODO()).WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
- return
- }
- err = iptable.EnsureJumpRule("FORWARD", userChain)
- if err != nil {
- log.G(context.TODO()).WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
- }
- }
- }
|
