Infrastructure required by Docker
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
caba1cd770
commit
61f6cacc30
@ -2989,6 +2989,8 @@ sub initialize_chain_table($) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my $chainref;
|
||||||
|
|
||||||
if ( $full ) {
|
if ( $full ) {
|
||||||
#
|
#
|
||||||
# Create this chain early in case it is needed by Policy actions
|
# Create this chain early in case it is needed by Policy actions
|
||||||
@ -2996,11 +2998,18 @@ sub initialize_chain_table($) {
|
|||||||
new_standard_chain 'reject';
|
new_standard_chain 'reject';
|
||||||
|
|
||||||
if ( $config{DOCKER} ) {
|
if ( $config{DOCKER} ) {
|
||||||
my $chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
$chainref = new_nat_chain( $globals{POSTROUTING} = 'SHOREWALL' );
|
||||||
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $config{DOCKER} ) {
|
||||||
|
$chainref = new_standard_chain( 'DOCKER' );
|
||||||
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
|
$chainref = new_nat_chain( 'DOCKER' );
|
||||||
|
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
|
||||||
|
}
|
||||||
|
|
||||||
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
my $ruleref = transform_rule( $globals{LOGLIMIT} );
|
||||||
|
|
||||||
$globals{iLOGLIMIT} =
|
$globals{iLOGLIMIT} =
|
||||||
|
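Review bot: Nothing in the new code explains why the two DOCKER chains are created outside the `if ( $full )` guard while the SHOREWALL nat chain is created inside it, nor why all three carry DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE, so a reader of the second `if ( $config{DOCKER} )` block has to guess at both. A comment above that block such as `# Docker populates the filter and nat DOCKER chains itself (presumably), so they are pinned against optimization, deletion and moving; created even when $full is false -- TODO confirm why` would record the intent and flag the part that needs confirming. The same flag triple is repeated on three set_optflags calls; declaring `my $docker_flags = DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE;` next to the hoisted `my $chainref;` and passing `$docker_flags` would keep the three from drifting apart. initialize_chain_table starts before the first hunk and continues after the second.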
@ -646,6 +646,26 @@ sub add_common_rules ( $ ) {
|
|||||||
my $level = $config{BLACKLIST_LOG_LEVEL};
|
my $level = $config{BLACKLIST_LOG_LEVEL};
|
||||||
my $tag = $globals{BLACKLIST_LOG_TAG};
|
my $tag = $globals{BLACKLIST_LOG_TAG};
|
||||||
my $rejectref = $filter_table->{reject};
|
my $rejectref = $filter_table->{reject};
|
||||||
|
#
|
||||||
|
# Insure that Docker jumps are early in the builtin chains
|
||||||
|
#
|
||||||
|
if ( $config{DOCKER} ) {
|
||||||
|
my $forwardref = $filter_table->{FORWARD};
|
||||||
|
|
||||||
|
add_ijump( $nat_table->{PREROUTING}, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
|
||||||
|
add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '127.0.0.0/8', addrtype => '--dst-type LOCAL' );
|
||||||
|
|
||||||
|
add_ijump_extended( $forwardref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
|
||||||
|
|
||||||
|
unless ( known_interface('docker0') ) {
|
||||||
|
#
|
||||||
|
# Emulate the Docker-generated rules
|
||||||
|
#
|
||||||
|
add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
|
||||||
|
add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0', o => '! docker0' );
|
||||||
|
add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0', o => 'docker0' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ( $config{DYNAMIC_BLACKLIST} ) {
|
if ( $config{DYNAMIC_BLACKLIST} ) {
|
||||||
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
|
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
|
||||||
|
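Review bot: The nat OUTPUT jump on the `add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '127.0.0.0/8', addrtype => '--dst-type LOCAL' )` line matches only loopback destinations, whereas the rule Docker itself installs in nat OUTPUT excludes loopback (`! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL`); if the intent is to mirror Docker, the match is inverted and should read `d => '! 127.0.0.0/8'`, provided the `d` option accepts the same negation form the hunk already uses in `o => '! docker0'`. The two nat jumps also omit the `$origin{DOCKER}` that the FORWARD jumps pass through add_ijump_extended, so rule-origin reporting will be uneven across the Docker rules. The bridge name is hard-coded as `docker0` in all five rules although Docker's bridge name is configurable; a comment above the `unless ( known_interface('docker0') )` line, e.g. `# Only the default docker0 bridge is emulated; a renamed bridge must be declared in the interfaces file`, would set expectations. The three emulated ACCEPTs are inserted early in FORWARD and so accept container traffic before any zone policy is consulted, which deserves a one-line comment at the `# Emulate the Docker-generated rules` header. add_common_rules continues outside the hunk, and the `if ( $config{DYNAMIC_BLACKLIST} )` block at the end is cut off.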