mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-03 00:15:54 +02:00
Accommodate Docker version 18.06
- Optionally replace DOCKER-ISOLATION with DOCKER-ISOLATION-STAGE-1 and -2 Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
5e57c895b3
commit
131a2cd40d
@ -3340,10 +3340,17 @@ sub initialize_chain_table($) {
|
|||||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
|
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
|
||||||
$chainref = new_standard_chain( 'DOCKER-INGRESS' );
|
$chainref = new_standard_chain( 'DOCKER-INGRESS' );
|
||||||
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
|
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
|
||||||
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
|
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
|
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
|
||||||
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
|
$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
|
||||||
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
|
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
|
||||||
|
$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-2' );
|
||||||
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
|
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 >&3' );
|
||||||
}
|
}
|
||||||
|
|
||||||
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
||||||
@ -8620,7 +8627,19 @@ sub save_docker_rules($) {
|
|||||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
|
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
|
||||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
|
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
|
||||||
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
|
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
|
||||||
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
|
qq(),
|
||||||
|
qq( case "\$g_dockernetwork" in),
|
||||||
|
qq( One\)),
|
||||||
|
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
|
||||||
|
qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
|
||||||
|
qq( ;;),
|
||||||
|
qq( Two\)),
|
||||||
|
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
|
||||||
|
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
|
||||||
|
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
|
||||||
|
qq( ;;),
|
||||||
|
qq( esac),
|
||||||
|
qq(),
|
||||||
);
|
);
|
||||||
|
|
||||||
if ( known_interface( 'docker0' ) ) {
|
if ( known_interface( 'docker0' ) ) {
|
||||||
@ -8636,7 +8655,7 @@ sub save_docker_rules($) {
|
|||||||
q( rm -f ${VARDIR}/.nat_POSTROUTING),
|
q( rm -f ${VARDIR}/.nat_POSTROUTING),
|
||||||
q( rm -f ${VARDIR}/.filter_DOCKER),
|
q( rm -f ${VARDIR}/.filter_DOCKER),
|
||||||
q( rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
|
q( rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
|
||||||
q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
|
q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
|
||||||
q( rm -f ${VARDIR}/.filter_FORWARD),
|
q( rm -f ${VARDIR}/.filter_FORWARD),
|
||||||
q(fi)
|
q(fi)
|
||||||
)
|
)
|
||||||
@ -9140,7 +9159,11 @@ sub create_netfilter_load( $ ) {
|
|||||||
enter_cat_mode;
|
enter_cat_mode;
|
||||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||||
enter_cmd_mode;
|
enter_cmd_mode;
|
||||||
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||||
|
enter_cat_mode;
|
||||||
|
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
|
||||||
|
enter_cmd_mode;
|
||||||
|
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
|
||||||
enter_cat_mode;
|
enter_cat_mode;
|
||||||
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
||||||
enter_cmd_mode;
|
enter_cmd_mode;
|
||||||
@ -9247,9 +9270,13 @@ sub preview_netfilter_load() {
|
|||||||
print "\n";
|
print "\n";
|
||||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||||
enter_cmd_mode1 unless $mode == CMD_MODE;
|
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||||
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||||
print "\n";
|
print "\n";
|
||||||
enter_cat_mode1;
|
enter_cat_mode1;
|
||||||
|
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
|
||||||
|
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||||
|
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
|
||||||
|
enter_cat_mode1;
|
||||||
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
||||||
enter_cmd_mode1 unless $mode == CMD_MODE;
|
enter_cmd_mode1 unless $mode == CMD_MODE;
|
||||||
print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
||||||
@ -9342,6 +9369,10 @@ sub create_stop_load( $ ) {
|
|||||||
enter_cmd_mode;
|
enter_cmd_mode;
|
||||||
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||||
enter_cat_mode;
|
enter_cat_mode;
|
||||||
|
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
|
||||||
|
enter_cmd_mode;
|
||||||
|
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
|
||||||
|
enter_cat_mode;
|
||||||
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
||||||
enter_cmd_mode;
|
enter_cmd_mode;
|
||||||
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
||||||
|
|||||||
@ -269,7 +269,11 @@ sub generate_script_2() {
|
|||||||
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
|
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
|
||||||
);
|
);
|
||||||
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
|
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
|
||||||
emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
|
emit( 'if chain_exists DOCKER-ISOLATION; then',
|
||||||
|
' g_dockernetwork=One',
|
||||||
|
'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
|
||||||
|
' g_dockernetwork=Two',
|
||||||
|
'fi' );
|
||||||
}
|
}
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
|||||||
@ -668,7 +668,16 @@ sub create_docker_rules() {
|
|||||||
my $chainref = $filter_table->{FORWARD};
|
my $chainref = $filter_table->{FORWARD};
|
||||||
|
|
||||||
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
|
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
|
||||||
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
|
add_commands( $chainref ,
|
||||||
|
'',
|
||||||
|
'case "$g_dockernetwork" in',
|
||||||
|
' One)',
|
||||||
|
' echo "-A FORWARD -j DOCKER-ISOLATION"',
|
||||||
|
' ;;',
|
||||||
|
' Two)',
|
||||||
|
' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"',
|
||||||
|
' ;;',
|
||||||
|
'esac' );
|
||||||
|
|
||||||
if ( my $dockerref = known_interface('docker0') ) {
|
if ( my $dockerref = known_interface('docker0') ) {
|
||||||
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user