| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 |
- package libnetwork
- import (
- "github.com/docker/docker/libnetwork/iptables"
- "github.com/sirupsen/logrus"
- )
- const userChain = "DOCKER-USER"
- var ctrl *controller
- func setupArrangeUserFilterRule(c *controller) {
- ctrl = c
- iptables.OnReloaded(arrangeUserFilterRule)
- }
- // This chain allow users to configure firewall policies in a way that persists
- // docker operations/restarts. Docker will not delete or modify any pre-existing
- // rules from the DOCKER-USER filter chain.
- // Note once DOCKER-USER chain is created, docker engine does not remove it when
- // IPTableForwarding is disabled, because it contains rules configured by user that
- // are beyond docker engine's control.
- func arrangeUserFilterRule() {
- if ctrl == nil {
- return
- }
- conds := []struct {
- ipVer iptables.IPVersion
- cond bool
- }{
- {ipVer: iptables.IPv4, cond: ctrl.iptablesEnabled()},
- {ipVer: iptables.IPv6, cond: ctrl.ip6tablesEnabled()},
- }
- for _, ipVerCond := range conds {
- cond := ipVerCond.cond
- if !cond {
- continue
- }
- ipVer := ipVerCond.ipVer
- iptable := iptables.GetIptable(ipVer)
- _, err := iptable.NewChain(userChain, iptables.Filter, false)
- if err != nil {
- logrus.WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
- return
- }
- if err = iptable.AddReturnRule(userChain); err != nil {
- logrus.WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
- return
- }
- err = iptable.EnsureJumpRule("FORWARD", userChain)
- if err != nil {
- logrus.WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
- }
- }
- }
|
