Save/restore docker0 rules when it isn't defined to Shorewall

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-27 14:09:29 -08:00
parent 71d64ab380
commit 5b163e9bc2
3 changed files with 13 additions and 22 deletions


@ -8071,9 +8071,16 @@ sub save_docker_rules($) {
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER), qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING), qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER), qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION), qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION)
qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD), );
qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
if ( known_interface( 'docker0' ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD) );
} else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \$VARDIR/.filter_FORWARD) );
}
emit( qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
qq(else), qq(else),
qq( rm -f \$VARDIR/.nat_DOCKER), qq( rm -f \$VARDIR/.nat_DOCKER),
qq( rm -f \$VARDIR/.nat_POSTROUTING), qq( rm -f \$VARDIR/.nat_POSTROUTING),
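Review bot: The `docker0` alternative in the new egrep of the else branch has no terminating delimiter, so any interface whose name merely begins with docker0 (e.g. `-i docker01`) is also captured into .filter_FORWARD and replayed on restore; anchoring the name fixes it, `egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})( |\$)'` (the `\$` is needed because `$)` would otherwise interpolate inside qq). The two branches differ only in that alternative, so choosing the pattern in Perl and emitting once, `my $ifs = known_interface('docker0') ? 'br-[a-z0-9]{12}' : '(docker0|br-[a-z0-9]{12})';`, would avoid maintaining one BRE (`\{12\}`) and one ERE (`{12}`) copy, and `grep -E` is the portable spelling of `egrep`. Unlike the POSTROUTING save above, this capture does not exclude non-Docker rules: any administrator-added FORWARD rule mentioning docker0 is saved and replayed as well, which deserves a comment if intended. save_docker_rules begins before this hunk and the emitted list continues past it.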


@ -637,22 +637,7 @@ sub create_docker_rules() {
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', ); add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
unless ( known_interface('docker0') ) { if ( known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref );
#
# Emulate the Docker-generated rules
#
add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
#
# Docker creates two ACCEPT rules for traffic forwarded from docker0 -- one for routeback and one for the rest
# We combine them into a single rule
#
add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0' );
decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' );
} else {
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' ); add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
} }
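Review bot: With the emulation removed, the branch for docker0 not being defined to Shorewall now emits nothing into FORWARD, so forwarding for docker0 depends entirely on what save_docker_rules captured in .filter_FORWARD at the previous stop; on a first start, or after that file was removed because it was empty, no DOCKER jump or ACCEPT exists for docker0 until Docker recreates its own rules — presumably intended, but the code no longer says so. A comment on the new `if` would make the dependency explicit: `# docker0 not defined to Shorewall: its FORWARD rules are saved and restored verbatim (see save_docker_rules); nothing is generated here`. create_docker_rules starts before this hunk and continues after it.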


@ -63,9 +63,8 @@
url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>. url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
As shown below, you can control inter-container communication using the As shown below, you can control inter-container communication using the
<option>bridge</option> and <option>routeback</option> options. If docker0 <option>bridge</option> and <option>routeback</option> options. If docker0
is not defined to Shorewall, then Shorewall will generate rules similar to is not defined to Shorewall, then Shorewall will save and restore the
those that Docker creates when --icc=true (Inter-container Communication) FORWARD chain rules involving that interface.</para>
is specified on the Docker daemon runline.</para>
<para><filename>/etc/shorewall/shorewall.conf</filename>:</para> <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>