Add internal n/w bridge to firewalld docker zone
Containers attached to an 'internal' bridge network are unable to communicate when the host is running firewalld. Non-internal bridges are added to a trusted 'docker' firewalld zone, but internal bridges were not. DOCKER-ISOLATION iptables rules are still configured for an internal network, they block traffic to/from addresses outside the network's subnet. Signed-off-by: Rob Murray <rob.murray@docker.com>
This commit is contained in:
Rob Murray
parent
f472dda2e9
commit
2cc627932a
1 changed files with 12 additions and 0 deletions
|
|
@ -8,6 +8,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/containerd/log"
|
||||
"github.com/docker/docker/errdefs"
|
||||
"github.com/docker/docker/libnetwork/iptables"
|
||||
"github.com/docker/docker/libnetwork/types"
|
||||
"github.com/vishvananda/netlink"
|
||||
|
|
@ -408,6 +409,17 @@ func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert
|
|||
var version iptables.IPVersion
|
||||
var inDropRule, outDropRule iptRule
|
||||
|
||||
// Either add or remove the interface from the firewalld zone, if firewalld is running.
|
||||
if insert {
|
||||
if err := iptables.AddInterfaceFirewalld(bridgeIface); err != nil {
|
||||
return err
|
||||
}
|
||||
} else {
|
||||
if err := iptables.DelInterfaceFirewalld(bridgeIface); err != nil && !errdefs.IsNotFound(err) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if addr.IP.To4() != nil {
|
||||
version = iptables.IPv4
|
||||
inDropRule = iptRule{
|
||||
|
|
|
|||
Loading…
Reference in a new issue