From 2cc627932ace937a8f063b264024ddeedbeb31d2 Mon Sep 17 00:00:00 2001
From: Rob Murray
Date: Thu, 1 Feb 2024 11:49:53 +0000
Subject: [PATCH] Add internal n/w bridge to firewalld docker zone

Containers attached to an 'internal' bridge network are unable to communicate when the host is running firewalld. Non-internal bridges are added to a trusted 'docker' firewalld zone, but internal bridges were not.

DOCKER-ISOLATION iptables rules are still configured for an internal network, they block traffic to/from addresses outside the network's subnet.

Signed-off-by: Rob Murray
---
 libnetwork/drivers/bridge/setup_ip_tables_linux.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/libnetwork/drivers/bridge/setup_ip_tables_linux.go b/libnetwork/drivers/bridge/setup_ip_tables_linux.go
index d7f5966dc0..328c58bced 100644
--- a/libnetwork/drivers/bridge/setup_ip_tables_linux.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables_linux.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/containerd/log"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork/iptables"
 	"github.com/docker/docker/libnetwork/types"
 	"github.com/vishvananda/netlink"
@@ -408,6 +409,17 @@ func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert
 	var version iptables.IPVersion
 	var inDropRule, outDropRule iptRule
 
+	// Either add or remove the interface from the firewalld zone, if firewalld is running.
+	if insert {
+		if err := iptables.AddInterfaceFirewalld(bridgeIface); err != nil {
+			return err
+		}
+	} else {
+		if err := iptables.DelInterfaceFirewalld(bridgeIface); err != nil && !errdefs.IsNotFound(err) {
+			return err
+		}
+	}
+
 	if addr.IP.To4() != nil {
 		version = iptables.IPv4
 		inDropRule = iptRule{
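Review bot: In the second hunk the bridge is added to the firewalld zone before the DOCKER-ISOLATION drop rules for the internal network are programmed (the inDropRule/outDropRule setup that follows), so on the insert path there is a window in which the interface is in the trusted zone with no isolation rules, and if a later step in setupInternalNetworkRules returns an error the interface is left in the zone with no rollback. The removal path already has the safer order (leave the zone first, then drop the rules); mirror it on insert by moving the `iptables.AddInterfaceFirewalld(bridgeIface)` call to after the isolation rules have been installed, or by removing the zone membership again when a later error is returned. The function continues outside the hunk, so where the rules are actually committed is not visible here and the size of the window is inferred. A short comment on the `!errdefs.IsNotFound(err)` guard would also help, e.g. `// Tolerate not-found on removal: the interface may never have been added to the zone.`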