Add DOCKER network support

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -3004,7 +3004,7 @@ sub initialize_chain_table($) {
 	}
     }
 
-    if ( $config{DOCKER} ) {
+    if ( my $docker = $config{DOCKER} ) {
 	add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
 	$chainref = new_standard_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
@@ -3012,6 +3012,9 @@ sub initialize_chain_table($) {
 	$chainref = new_nat_chain( 'DOCKER' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
+	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
+	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
     }
 
     my $ruleref = transform_rule( $globals{LOGLIMIT} );
@@ -8068,10 +8071,15 @@ sub save_docker_rules($) {
 	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
 	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
+	  qq(    [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION),
+	  qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD),
+	  qq(    [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
 	  qq(else),
 	  qq(    rm -f \$VARDIR/.nat_DOCKER),
 	  qq(    rm -f \$VARDIR/.nat_POSTROUTING),
 	  qq(    rm -f \$VARDIR/.filter_DOCKER),
+	  qq(    rm -f \$VARDIR/.filter_DOCKER-ISOLATION),
+	  qq(    rm -f \$VARDIR/.filter_FORWARD),
 	  qq(fi)
 	)
 }
@@ -8452,7 +8460,7 @@ sub create_netfilter_load( $ ) {
 
 	my @chains;
 	#
-	# iptables-restore seems to be quite picky about the order of the builtin chains
+	# Iptables-restore seems to be quite picky about the order of the builtin chains
 	#
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
@@ -8470,10 +8478,19 @@ sub create_netfilter_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
-		    enter_cmd_mode;
-		    emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-		    enter_cat_mode;
+
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8565,10 +8582,18 @@ sub preview_netfilter_load() {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
-		    enter_cmd_mode;
-		    emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-		    enter_cat_mode;
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}
@@ -8793,10 +8818,18 @@ sub create_stop_load( $ ) {
 	    unless ( $chainref->{builtin} ) {
 		my $name = $chainref->{name};
 		assert( $chainref->{cmdlevel} == 0 , $name );
-		if ( $name eq 'DOCKER' ) {
-		    enter_cmd_mode;
-		    emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
-		    enter_cat_mode;
+		if ( $name =~ /^DOCKER/ ) {
+		    if ( $name eq 'DOCKER' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
+			enter_cat_mode;
+		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
+			enter_cmd_mode;
+			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			enter_cat_mode;
+		    } else {		    
+			emit_unindented ":$name - [0:0]";
+		    }
 		} else {
 		    emit_unindented ":$name - [0:0]";
 		}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -263,10 +263,13 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	);
 
-    emit( '',
-	  'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
-	  ''
-	) if $config{DOCKER};
+    if ( $config{DOCKER} ) {
+	emit( '',
+	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
+	    );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
+	emit( '' );
+    }
 
     pop_indent;
 

Shorewall/Perl/Shorewall/Config.pm

@@ -5859,7 +5859,7 @@ sub get_configuration( $$$$ ) {
     default_yes_no 'INLINE_MATCHES'             , '';
     default_yes_no 'BASIC_FILTERS'              , '';
     default_yes_no 'WORKAROUNDS'                , 'Yes';
-    default_yes_no 'DOCKER'                     , '';
+    default_yes_no 'DOCKER'                      , '';
 
     if ( $config{DOCKER} ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;

Shorewall/Perl/Shorewall/Misc.pm

@@ -633,9 +633,11 @@ sub create_docker_rules() {
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
     add_commands( $nat_table->{OUTPUT} ,     '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
-    unless ( known_interface('docker0') ) {
-	my $chainref = $filter_table->{FORWARD};
+    my $chainref = $filter_table->{FORWARD};
 
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+
+    unless ( known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
 	#
@@ -653,6 +655,8 @@ sub create_docker_rules() {
     } else {
 	add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
     }
+
+    add_commands( $chainref, '[ -f $VARDIR/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
 }
 
 sub setup_mss();

Shorewall/Perl/prog.footer

@@ -126,6 +126,7 @@ g_counters=
 g_compiled=
 g_file=
 g_docker=
+g_dockernetwork=
 
 initialize
 

Shorewall/manpages/shorewall.conf.xml

@@ -738,11 +738,15 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
-          <para>Added in Shorewall 5.0.6. When set to Yes, the generated
-          script will save Docker-generated rules before and restore them
-          after executing the start, reload and restart commands. If set to No
+          <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
+          the generated script will save Docker-generated rules before and
+          restore them after executing the <command>start</command>,
+          <command>stop</command>, <command>reload</command> and
+          <command>restart</command> commands. If set to <option>No</option>
           (the default), the generated script will delete any Docker-generated
-          rules when executing those commands.</para>
+          rules when executing those commands. See<ulink url="/Docker.html">
+          http://www.shorewall.net/Docker.html</ulink> for additional
+          information.</para>
         </listitem>
       </varlistentry>
 

docs/Docker.xml

@@ -50,9 +50,10 @@
     <title>Shorewall 5.0.6 and Later</title>
 
     <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
-    Docker. This support is enabled by setting DOCKER=Yes in shorewall.conf.
-    With this setting, the generated script saves the Docker-created ruleset
-    before executing a <command>stop</command>, <command>start</command>,
+    simple Docker configurations. This support is enabled by setting
+    DOCKER=Yes in shorewall.conf. With this setting, the generated script
+    saves the Docker-created ruleset before executing a
+    <command>stop</command>, <command>start</command>,
     <command>restart</command> or <command>reload</command> operation and
     restores those rules along with the Shorewall-generated ruleset.</para>