mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 15:48:56 +01:00
Save/restore nat OUTPUT jump to DOCKER
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
99f83da3ab
commit
2bb143b28c
@ -3004,6 +3004,7 @@ sub initialize_chain_table($) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( my $docker = $config{DOCKER} ) {
|
if ( my $docker = $config{DOCKER} ) {
|
||||||
|
add_commands( $nat_table->{OUTPUT}, '[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3' );
|
||||||
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
|
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
|
||||||
$chainref = new_standard_chain( 'DOCKER' );
|
$chainref = new_standard_chain( 'DOCKER' );
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
@ -8068,6 +8069,7 @@ sub save_docker_rules($) {
|
|||||||
|
|
||||||
emit( qq(if [ -n "\$g_docker" ]; then),
|
emit( qq(if [ -n "\$g_docker" ]; then),
|
||||||
qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
|
qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
|
||||||
|
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
|
||||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
|
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
|
||||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
|
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
|
||||||
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
|
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
|
||||||
@ -8079,14 +8081,15 @@ sub save_docker_rules($) {
|
|||||||
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
|
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
|
||||||
}
|
}
|
||||||
|
|
||||||
emit( qq( [ -s \${VARDIR}/.filter_FORWARD ] || rm -f \${VARDIR}/.filter_FORWARD),
|
emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
|
||||||
qq(else),
|
q(else),
|
||||||
qq( rm -f \${VARDIR}/.nat_DOCKER),
|
q( rm -f ${VARDIR}/.nat_DOCKER),
|
||||||
qq( rm -f \${VARDIR}/.nat_POSTROUTING),
|
q( rm -f ${VARDIR}/.net_OUTPUT),
|
||||||
qq( rm -f \${VARDIR}/.filter_DOCKER),
|
q( rm -f ${VARDIR}/.nat_POSTROUTING),
|
||||||
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION),
|
q( rm -f ${VARDIR}/.filter_DOCKER),
|
||||||
qq( rm -f \${VARDIR}/.filter_FORWARD),
|
q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
|
||||||
qq(fi)
|
q( rm -f ${VARDIR}/.filter_FORWARD),
|
||||||
|
q(fi)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
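Review bot: The cleanup line added to the `else` branch of save_docker_rules removes `${VARDIR}/.net_OUTPUT`, but the file this commit writes (`... | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT`) and replays in initialize_chain_table (`[ -f ${VARDIR}/.nat_OUTPUT ] && cat ${VARDIR}/.nat_OUTPUT >&3`) is `.nat_OUTPUT`. As written, when `$g_docker` is empty the saved OUTPUT rules are never deleted, so a stale jump to DOCKER would apparently be fed back into the nat table on the next restore even though Docker is no longer running. The line should read `q(    rm -f ${VARDIR}/.nat_OUTPUT),`. Since `fgrep DOCKER` with no match still creates an empty file, a `[ -s ${VARDIR}/.nat_OUTPUT ] || rm -f ${VARDIR}/.nat_OUTPUT` guard like the one used for `.filter_FORWARD` would keep the two paths consistent. Both functions start and continue outside the visible hunks, so this is based only on the lines shown.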
|
@ -630,7 +630,6 @@ sub process_stoppedrules() {
|
|||||||
|
|
||||||
sub create_docker_rules() {
|
sub create_docker_rules() {
|
||||||
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
||||||
add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
|
|
||||||
|
|
||||||
my $chainref = $filter_table->{FORWARD};
|
my $chainref = $filter_table->{FORWARD};
|
||||||
|
|
||||||
|