Don't create Docker chains/rules if Docker isn't running
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
83b899b030
commit
fc6a1f6d0d
@ -8064,16 +8064,13 @@ sub save_docker_rules($) {
|
||||
my $tool = $_[0];
|
||||
|
||||
emit( qq(),
|
||||
qq(if chain_exists DOCKER nat; then),
|
||||
qq(if [ -n "\$g_docker" ]; then),
|
||||
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
|
||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
|
||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
|
||||
qq(else),
|
||||
qq( rm -f \$VARDIR/.nat_DOCKER),
|
||||
qq( rm -f \$VARDIR/.nat_POSTROUTING),
|
||||
qq(fi\n),
|
||||
qq(if chain_exists DOCKER; then),
|
||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
|
||||
qq(else),
|
||||
qq( rm -f \$VARDIR/.filter_DOCKER),
|
||||
qq(fi)
|
||||
)
|
||||
@ -8471,8 +8468,18 @@ sub create_netfilter_load( $ ) {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( 'if [ -n "$g_docker" ]; then',
|
||||
' echo ":DOCKER - [0:0]" >&3',
|
||||
'fi' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@ -8558,8 +8565,18 @@ sub preview_netfilter_load() {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
|
||||
print ":$chainref->{name} - [0:0]\n";
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( 'if [ -n "$g_docker" ]; then',
|
||||
' echo ":DOCKER - [0:0]" >&3',
|
||||
'fi' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
|
||||
@ -8778,8 +8795,18 @@ sub create_stop_load( $ ) {
|
||||
for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
|
||||
my $chainref = $chain_table{$table}{$chain};
|
||||
unless ( $chainref->{builtin} ) {
|
||||
assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
|
||||
emit_unindented ":$chainref->{name} - [0:0]";
|
||||
my $name = $chainref->{name};
|
||||
assert( $chainref->{cmdlevel} == 0 , $name );
|
||||
if ( $name eq 'DOCKER' ) {
|
||||
enter_cmd_mode;
|
||||
emit( 'if [ -n "$g_docker" ]; then',
|
||||
' echo ":DOCKER - [0:0]" >&3',
|
||||
'fi' );
|
||||
enter_cat_mode;
|
||||
} else {
|
||||
emit_unindented ":$name - [0:0]";
|
||||
}
|
||||
|
||||
push @chains, $chainref;
|
||||
}
|
||||
}
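Review bot: preview_netfilter_load's new DOCKER branch writes through `emit` and `emit_unindented`, while the line it replaces was `print ":$chainref->{name} - [0:0]\n"`, so in preview mode the chain declarations now go through the script emitter instead of the preview's own output; unless emit is redirected to stdout during a preview, the `:DOCKER - [0:0]` line, and every other chain via the new `emit_unindented`, ends up missing from or misplaced in the preview. create_netfilter_load and create_stop_load were already emit-based, so the copied branch is only out of place here. I would keep the preview's output path: `print ":$name - [0:0]\n";` in the else branch and `print qq(if [ -n "\$g_docker" ]; then\n    echo ":DOCKER - [0:0]" >&3\nfi\n);` in the DOCKER branch, and check whether enter_cmd_mode/enter_cat_mode have preview-specific counterparts that should be used there as well. All four functions in this section start or end outside their hunks.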
|
||||
|
@ -261,7 +261,12 @@ sub generate_script_2() {
|
||||
'# The library requires that ${VARDIR} exist',
|
||||
'#',
|
||||
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
|
||||
);
|
||||
);
|
||||
|
||||
emit( '',
|
||||
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
|
||||
''
|
||||
) if $config{DOCKER};
|
||||
|
||||
pop_indent;
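Review bot: `chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes` tests for the presence of Docker's chains, not for a running daemon, and the commit title promises the latter; if the DOCKER chains outlive dockerd (they are not removed when the daemon stops, as far as I know), a stopped Docker is still treated as running and the rules saved from those stale chains are replayed on the next start. The variable is also evaluated once, here at script start, and every later `[ -n "$g_docker" ]` test in the generated script sees that snapshot rather than the state at the time the test runs. I would state both in the generated script with a comment line before the test: `'# Docker is considered present when both its nat and filter DOCKER chains exist; evaluated once at script start'`. generate_script_2 continues outside the hunk.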
|
||||
|
||||
|
@ -652,9 +652,20 @@ sub add_common_rules ( $ ) {
|
||||
if ( $config{DOCKER} ) {
|
||||
my $forwardref = $filter_table->{FORWARD};
|
||||
|
||||
add_ijump( $nat_table->{PREROUTING}, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
|
||||
add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '127.0.0.0/8', addrtype => '--dst-type LOCAL' );
|
||||
add_commands( $chainref = $nat_table->{PREROUTING} , 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $chainref );
|
||||
add_ijump( $chainref, j => 'DOCKER', addrtype => '--dst-type LOCAL' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
|
||||
add_commands( $chainref = $nat_table->{OUTPUT} , 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $chainref );
|
||||
add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '127.0.0.0/8', addrtype => '--dst-type LOCAL' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
|
||||
add_commands( $forwardref , 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $forwardref );
|
||||
add_ijump_extended( $forwardref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
|
||||
|
||||
unless ( known_interface('docker0') ) {
|
||||
@ -665,6 +676,9 @@ sub add_common_rules ( $ ) {
|
||||
add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0', o => '! docker0' );
|
||||
add_ijump_extended( $forwardref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0', o => 'docker0' );
|
||||
}
|
||||
|
||||
decr_cmd_level( $forwardref );
|
||||
add_commands( $forwardref, 'fi' );
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_BLACKLIST} ) {
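Review bot: the nat OUTPUT rule in the first hunk, `add_ijump( $nat_table->{OUTPUT}, j => 'DOCKER', d => '127.0.0.0/8', addrtype => '--dst-type LOCAL' )`, matches destinations inside 127.0.0.0/8, whereas Docker's own rule on that hook excludes loopback (`! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER`), so as written only locally generated traffic to loopback addresses reaches the DOCKER DNAT chain and traffic to the host's other local addresses bypasses it; the match was carried over from the removed line rather than introduced here, but it is the code that now ships, so it is worth confirming against `iptables -t nat -S OUTPUT` on a Docker host and, if the exclusion is intended, negating it in whatever form add_ijump expects (e.g. `d => '! 127.0.0.0/8'`). Separately, that call passes `$nat_table->{OUTPUT}` while the surrounding add_commands/incr_cmd_level/decr_cmd_level use `$chainref`; passing `$chainref` there would match the PREROUTING block just above. add_common_rules starts and ends outside these hunks.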
|
||||
|
@ -125,6 +125,7 @@ g_sha1sum2=
|
||||
g_counters=
|
||||
g_compiled=
|
||||
g_file=
|
||||
g_docker=
|
||||
|
||||
initialize
|
||||
|
||||
|