Save/Restore Docker-generated rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-02-20 14:02:54 -08:00
parent 61f6cacc30
commit 83b899b030


@ -3004,10 +3004,13 @@ sub initialize_chain_table($) {
} }
if ( $config{DOCKER} ) { if ( $config{DOCKER} ) {
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
$chainref = new_standard_chain( 'DOCKER' ); $chainref = new_standard_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER ] && cat ${VARDIR}/.filter_DOCKER >&3' );
$chainref = new_nat_chain( 'DOCKER' ); $chainref = new_nat_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
} }
my $ruleref = transform_rule( $globals{LOGLIMIT} ); my $ruleref = transform_rule( $globals{LOGLIMIT} );
@ -8057,6 +8060,24 @@ sub emitr1( $$ ) {
# #
# Emit code to save the dynamic chains to hidden files in ${VARDIR} # Emit code to save the dynamic chains to hidden files in ${VARDIR}
# #
sub save_docker_rules($) {
my $tool = $_[0];
emit( qq(),
qq(if chain_exists DOCKER nat; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
qq(else),
qq( rm -f \$VARDIR/.nat_DOCKER),
qq( rm -f \$VARDIR/.nat_POSTROUTING),
qq(fi\n),
qq(if chain_exists DOCKER; then),
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
qq(else),
qq( rm -f \$VARDIR/.filter_DOCKER),
qq(fi)
)
}
sub save_dynamic_chains() { sub save_dynamic_chains() {
@ -8091,6 +8112,7 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
save_docker_rules( $tool ) if $config{DOCKER};
} else { } else {
emit <<"EOF"; emit <<"EOF";
if chain_exists 'UPnP -t nat'; then if chain_exists 'UPnP -t nat'; then
@ -8126,6 +8148,7 @@ EOF
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then), emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then), qq( if chain_exists dynamic; then),
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) ); qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
save_docker_rules( $tool ) if $config{DOCKER};
} else { } else {
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then), emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then), qq( if chain_exists dynamic; then),
@ -8721,13 +8744,11 @@ sub create_stop_load( $ ) {
emit ''; emit '';
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY, save_progress_message "Preparing $utility input...";
'',
'progress_message2 "Running $command..."',
'',
'$command <<__EOF__' );
$mode = CAT_MODE; emit "exec 3>\${VARDIR}/.${utility}-stop-input";
enter_cat_mode;
unless ( $test ) { unless ( $test ) {
my $date = localtime; my $date = localtime;
@ -8771,10 +8792,19 @@ sub create_stop_load( $ ) {
# #
# Commit the changes to the table # Commit the changes to the table
# #
enter_cat_mode unless $mode == CAT_MODE;
emit_unindented 'COMMIT'; emit_unindented 'COMMIT';
} }
emit_unindented '__EOF__'; enter_cmd_mode;
emit( '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY );
emit( '',
'progress_message2 "Running $command..."',
'',
"cat \${VARDIR}/.${utility}-stop-input | \$command # Use this nonsensical form to appease SELinux",
);
# #
# Test result # Test result
# #