Infrastructure required by Docker

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 23:53:30 +01:00 · 2016-02-20 14:01:48 -08:00 · 2016-02-20 14:01:48 -08:00 · 61f6cacc30
commit 61f6cacc30
parent caba1cd770
2 changed files with 30 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -2989,6 +2989,8 @@ sub initialize_chain_table($) {
 	}
    }

+    my $chainref;
+
    if ( $full ) {
 	#
 	# Create this chain early in case it is needed by Policy actions
@ -2996,11 +2998,18 @@ sub initialize_chain_table($) {
 	new_standard_chain 'reject';

 	if ( $config{DOCKER} ) {
-	    my $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
+	    $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
 	    set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	}
    }

+    if ( $config{DOCKER} ) {
+	$chainref = new_standard_chain( 'DOCKER' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	$chainref = new_nat_chain( 'DOCKER' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+    }
+
    my $ruleref = transform_rule( $globals{LOGLIMIT} );

    $globals{iLOGLIMIT} =
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@ -646,6 +646,26 @@ sub add_common_rules ( $ ) {
    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $tag       = $globals{BLACKLIST_LOG_TAG};
    my $rejectref = $filter_table->{reject};
+    #
+    # Insure that Docker jumps are early in the builtin chains
+    #
+    if ( $config{DOCKER} ) {
+	my $forwardref = $filter_table->{FORWARD};
+
+	add_ijump( $nat_table->{PREROUTING}, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
+	add_ijump( $nat_table->{OUTPUT},     j => 'DOCKER', d => '127.0.0.0/8', addrtype => '--dst-type LOCAL' );
+
+	add_ijump_extended( $forwardref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
+
+	unless ( known_interface('docker0') ) {
+	    #
+	    # Emulate the Docker-generated rules
+	    #
+	    add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
+	    add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0', o => '! docker0' );
+	    add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0', o => 'docker0' );
+	}
+    }

    if ( $config{DYNAMIC_BLACKLIST} ) {
 	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level , $tag);