mirror of
https://gitlab.com/shorewall/code.git
synced 2025-02-02 10:59:27 +01:00
Accomodate both DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-*
Previously, the code assumed that either DOCKER-ISOLATION or DOCKER-ISOLATION-STAGE-* would exist but not both. That has been corrected
This commit is contained in:
Tom Eastep
parent
3f5e1b5b60
commit
6798c2f2b0
@ -8703,20 +8703,15 @@ sub save_docker_rules($) {
|
|||||||
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
|
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
|
||||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
|
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
|
||||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
|
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
|
||||||
|
qq( rm -f \${VARDIR}/.filter_DOCKER-*),
|
||||||
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
|
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
|
||||||
qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
|
qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
|
||||||
|
qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
|
||||||
qq(),
|
qq(),
|
||||||
qq( case "\$g_dockernetwork" in),
|
qq( if [ -n "\$g_dockerisostage" ]; then),
|
||||||
qq( One\)),
|
|
||||||
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
|
|
||||||
qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
|
|
||||||
qq( ;;),
|
|
||||||
qq( Two\)),
|
|
||||||
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
|
|
||||||
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
|
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
|
||||||
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
|
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
|
||||||
qq( ;;),
|
qq( fi),
|
||||||
qq( esac),
|
|
||||||
qq(),
|
qq(),
|
||||||
);
|
);
|
||||||
|
|
||||||
@ -9237,10 +9232,10 @@ sub create_netfilter_load( $ ) {
|
|||||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||||
ensure_cmd_mode;
|
ensure_cmd_mode;
|
||||||
emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||||
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
|
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
|
||||||
ensure_cmd_mode;
|
ensure_cmd_mode;
|
||||||
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
|
emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
|
||||||
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
||||||
ensure_cmd_mode;
|
ensure_cmd_mode;
|
||||||
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
||||||
@ -9352,11 +9347,11 @@ sub preview_netfilter_load() {
|
|||||||
print "\n";
|
print "\n";
|
||||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||||
ensure_cmd_mode1;
|
ensure_cmd_mode1;
|
||||||
print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||||
print "\n";
|
print "\n";
|
||||||
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
|
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
|
||||||
ensure_cmd_mode1;
|
ensure_cmd_mode1;
|
||||||
print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
|
print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
|
||||||
print "\n";
|
print "\n";
|
||||||
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
||||||
ensure_cmd_mode1;
|
ensure_cmd_mode1;
|
||||||
@ -9453,10 +9448,10 @@ sub create_stop_load( $ ) {
|
|||||||
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
|
||||||
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
|
||||||
ensure_cmd_mode;
|
ensure_cmd_mode;
|
||||||
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
|
||||||
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
|
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
|
||||||
ensure_cmd_mode;
|
ensure_cmd_mode;
|
||||||
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
|
emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
|
||||||
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
} elsif ( $name eq 'DOCKER-INGRESS' ) {
|
||||||
ensure_cmd_mode;
|
ensure_cmd_mode;
|
||||||
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
|
||||||
|
|||||||
@ -270,11 +270,8 @@ sub generate_script_2() {
|
|||||||
);
|
);
|
||||||
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
|
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
|
||||||
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
|
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
|
||||||
emit( 'if chain_exists DOCKER-ISOLATION; then',
|
emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' );
|
||||||
' g_dockernetwork=One',
|
emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' );
|
||||||
'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
|
|
||||||
' g_dockernetwork=Two',
|
|
||||||
'fi' );
|
|
||||||
}
|
}
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
|||||||
@ -679,18 +679,10 @@ sub create_docker_rules() {
|
|||||||
|
|
||||||
my $chainref = $filter_table->{FORWARD};
|
my $chainref = $filter_table->{FORWARD};
|
||||||
|
|
||||||
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
|
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
|
||||||
add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
|
add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' );
|
||||||
add_commands( $chainref ,
|
add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
|
||||||
'',
|
add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
|
||||||
'case "$g_dockernetwork" in',
|
|
||||||
' One)',
|
|
||||||
' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
|
|
||||||
' ;;',
|
|
||||||
' Two)',
|
|
||||||
' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
|
|
||||||
' ;;',
|
|
||||||
'esac' );
|
|
||||||
|
|
||||||
if ( my $dockerref = known_interface('docker0') ) {
|
if ( my $dockerref = known_interface('docker0') ) {
|
||||||
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
||||||
|
|||||||
@ -148,7 +148,8 @@ g_compiled=
|
|||||||
g_file=
|
g_file=
|
||||||
g_docker=
|
g_docker=
|
||||||
g_dockeringress=
|
g_dockeringress=
|
||||||
g_dockernetwork=
|
g_dockeriso=
|
||||||
|
g_dockerisostage=
|
||||||
g_forcereload=
|
g_forcereload=
|
||||||
g_fallback=
|
g_fallback=
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user