Corrections to DOCKER-ISOLATION change

- Handle DOCKER-USER

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2018-10-28 09:17:54 -07:00
parent 4b7d346911
commit 282ca14182
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 23 additions and 3 deletions


@ -3342,6 +3342,9 @@ sub initialize_chain_table($) {
$chainref = new_standard_chain( 'DOCKER-INGRESS' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
$chainref = new_standard_chain( 'DOCKER-USER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
@ -8627,6 +8630,7 @@ sub save_docker_rules($) {
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
qq(),
qq( case "\$g_dockernetwork" in),
qq( One\)),
@ -8655,6 +8659,7 @@ sub save_docker_rules($) {
q( rm -f ${VARDIR}/.nat_POSTROUTING),
q( rm -f ${VARDIR}/.filter_DOCKER),
q( rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
q( rm -f ${VARDIR}/.filter_DOCKER-USER),
q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
q( rm -f ${VARDIR}/.filter_FORWARD),
q(fi)
@ -9169,6 +9174,10 @@ sub create_netfilter_load( $ ) {
enter_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-USER' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
@ -9282,6 +9291,11 @@ sub preview_netfilter_load() {
print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
print "\n";
enter_cat_mode1;
} elsif ( $name eq 'DOCKER-USER' ) {
enter_cmd_mode1 unless $mode == CMD_MODE;
print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
print "\n";
enter_cat_mode1;
} else {
enter_cmd_mode1 unless $mode == CMD_MODE;
print( ":$name - [0:0]\n" );
@ -9377,6 +9391,10 @@ sub create_stop_load( $ ) {
enter_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-USER' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
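Review bot: The replay of the saved DOCKER-USER rules and the declaration of the chain are guarded by different conditions. In initialize_chain_table the rules are replayed whenever `${VARDIR}/.filter_DOCKER-USER` exists, while create_netfilter_load, preview_netfilter_load and create_stop_load emit `:DOCKER-USER - [0:0]` only when `$g_dockeruser` is set, and save_docker_rules rewrites the file only under that same variable. A file left over from an earlier run in which the chain existed would therefore, as far as these hunks show, be written to the restore input without its chain header, and the load would presumably fail. Guarding the replay the same way keeps the two in step: `[ -n "$g_dockeruser" ] && [ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3`. The added lines mirror the existing DOCKER-INGRESS handling, which has the same shape, and all five subs continue outside the hunks shown.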


@ -269,6 +269,7 @@ sub generate_script_2() {
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
emit( 'if chain_exists DOCKER-ISOLATION; then',
' g_dockernetwork=One',
'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',


@ -667,15 +667,16 @@ sub create_docker_rules() {
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
add_commands( $chainref ,
'',
'case "$g_dockernetwork" in',
' One)',
' echo "-A FORWARD -j DOCKER-ISOLATION"',
' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
' ;;',
' Two)',
' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"',
' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
' ;;',
'esac' );
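Review bot: The jump to DOCKER-USER is added after the jump to DOCKER-INGRESS, so any packet that DOCKER-INGRESS accepts never reaches the administrator's rules in DOCKER-USER. If DOCKER-USER is meant to filter all forwarded container traffic, the `[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3` command belongs ahead of the DOCKER-INGRESS one. If the order is deliberate, a comment on that line such as `# DOCKER-USER intentionally follows DOCKER-INGRESS: <reason>` would record why. The contents of DOCKER-INGRESS are not visible here, so the practical impact depends on whether it holds terminating ACCEPT rules. create_docker_rules continues outside the hunk.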