diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4eeb49b63..8e203dd70 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3340,10 +3340,17 @@ sub initialize_chain_table($) {
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 $chainref = new_standard_chain( 'DOCKER-INGRESS' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
+ $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-2' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2 >&3' );
 }
 my $ruleref = transform_rule( $globals{LOGLIMIT} );
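Review bot: The restore of the saved isolation rules is gated only on the file existing (`[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ]`), while the matching chain declarations added in create_netfilter_load on this page are gated on `$g_dockernetwork` being `One` or `Two`. If the Docker version (and thus the chain layout) changes between the save at stop time and the detection at start time, the `cat` will feed `-A DOCKER-ISOLATION-STAGE-1 …` lines to the restore input for a chain that was never declared, which presumably makes the whole restore fail rather than just dropping the isolation rules. I would gate each restore on the mode as well, e.g. `'[ "$g_dockernetwork" = Two -a -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3'` (and `= One` for the legacy DOCKER-ISOLATION line). initialize_chain_table starts and ends outside this hunk.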
@@ -8620,7 +8627,19 @@ sub save_docker_rules($) {
 qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
- qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION)
+ qq(),
+ qq( case "\$g_dockernetwork" in),
+ qq( One\)),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+ qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
+ qq( ;;),
+ qq( Two\)),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+ qq( ;;),
+ qq( esac),
+ qq(),
 );
 if ( known_interface( 'docker0' ) ) {
@@ -8636,7 +8655,7 @@ sub save_docker_rules($) {
 q( rm -f ${VARDIR}/.nat_POSTROUTING),
 q( rm -f ${VARDIR}/.filter_DOCKER),
 q( rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
- q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION),
+ q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
 q( rm -f ${VARDIR}/.filter_FORWARD),
 q(fi)
 )
@@ -9140,7 +9159,11 @@ sub create_netfilter_load( $ ) {
 enter_cat_mode;
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 enter_cmd_mode;
- emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ enter_cat_mode;
+ } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ enter_cmd_mode;
+ emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
 enter_cat_mode;
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 enter_cmd_mode;
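Review bot: The `Two)` branch dumps DOCKER-ISOLATION-STAGE-2 unconditionally, but the detection added in Compiler.pm on this page only tests for DOCKER-ISOLATION-STAGE-1. If STAGE-2 is absent, `$tool -S` fails and prints to stderr during stop/restart, while the redirect still leaves an empty `.filter_DOCKER-ISOLATION-STAGE-2` that is later restored as a rule-less chain; benign, but noisy and easy to misread as data loss. Assuming `chain_exists` is usable at this point of the generated script as it is in generate_script_2, I would guard the line: `qq( chain_exists DOCKER-ISOLATION-STAGE-2 && $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),`. save_docker_rules starts and ends outside this hunk.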
@@ -9247,9 +9270,13 @@ sub preview_netfilter_load() {
 print "\n";
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 enter_cmd_mode1 unless $mode == CMD_MODE;
- print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 print "\n";
 enter_cat_mode1;
+ } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ enter_cmd_mode1 unless $mode == CMD_MODE;
+ emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ enter_cat_mode1;
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 enter_cmd_mode1 unless $mode == CMD_MODE;
 print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9342,6 +9369,10 @@ sub create_stop_load( $ ) {
 enter_cmd_mode;
 emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 enter_cat_mode;
+ } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ enter_cmd_mode;
+ emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ enter_cat_mode;
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 enter_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index b47319fc7..29af2374c 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -269,7 +269,11 @@ sub generate_script_2() {
 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 );
 emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
- emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+ emit( 'if chain_exists DOCKER-ISOLATION; then',
+ ' g_dockernetwork=One',
+ 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
+ ' g_dockernetwork=Two',
+ 'fi' );
 }
 pop_indent;
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 8544aa0a0..37fb3c84b 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
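Review bot: The new DOCKER-ISOLATION-STAGE branch in preview_netfilter_load calls `emit(` where every neighbouring branch in this hunk uses `print(...)` followed by `print "\n"`. If `emit` writes to the compiled-script handle rather than STDOUT, as the surrounding `print` calls suggest the preview relies on, the chain declaration will be missing from the preview (or land in the wrong output) for the STAGE chains only. I would mirror the sibling branches: `print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );` followed by `print "\n";`. preview_netfilter_load starts and ends outside this hunk.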
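Review bot: create_stop_load still declares the legacy chain with `[ -n "$g_dockernetwork" ]` (the context line just above the new branch), so in the stop-state ruleset a `Two` host gets an empty DOCKER-ISOLATION chain declared next to STAGE-1/STAGE-2, whereas create_netfilter_load on this page was changed to `= One` for the same line. Now that `$g_dockernetwork` is a three-way value rather than a flag, the remaining `-n` test should be tightened for consistency: `emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );`. create_stop_load starts and ends outside this hunk.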
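Review bot: The meaning of the new `One`/`Two` values is not documented anywhere in the hunk, yet four other places on this page branch on them; a one-line comment above the `emit` would save the next reader a cross-file search, e.g. `# g_dockernetwork: One = Docker uses a single DOCKER-ISOLATION chain; Two = it uses DOCKER-ISOLATION-STAGE-1/-STAGE-2`. Note also that the `if`/`elif` gives the legacy chain precedence: should a stale DOCKER-ISOLATION chain coexist with the STAGE chains (which I cannot rule out from here), the STAGE rules would neither be saved nor declared, and the `One)` branch's `rm -f .filter_DOCKER-ISOLATION*` in save_docker_rules would discard any earlier STAGE dumps. If that coexistence is possible, consider testing STAGE-1 first or emitting a warning when both exist. generate_script_2 starts and ends outside this hunk.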
@@ -668,7 +668,16 @@ sub create_docker_rules() {
 my $chainref = $filter_table->{FORWARD};
 add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
- add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
+ add_commands( $chainref ,
+ '',
+ 'case "$g_dockernetwork" in',
+ ' One)',
+ ' echo "-A FORWARD -j DOCKER-ISOLATION"',
+ ' ;;',
+ ' Two)',
+ ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"',
+ ' ;;',
+ 'esac' );
 if ( my $dockerref = known_interface('docker0') ) {
 add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
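Review bot: Both `echo "-A FORWARD -j …"` lines in the new `case` dropped the `>&3` redirection that the removed line and the DOCKER-INGRESS line directly above still carry, so the FORWARD jump to the isolation chain is printed to the script's stdout instead of being fed to the restore input. The effect is that after a Shorewall start/restart the DOCKER-ISOLATION(-STAGE-1) chain is recreated with its rules but nothing jumps to it, which—assuming fd 3 is the restore stream as everywhere else on this page—silently disables Docker's inter-network isolation until Docker itself re-adds the jump. The fix is `' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',` and `' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',`. create_docker_rules continues outside this hunk.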