forked from extern/shorewall_code
Save/restore docker0 rules when it isn't defined to Shorewall
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
71d64ab380
commit
5b163e9bc2
@ -8071,9 +8071,16 @@ sub save_docker_rules($) {
|
||||
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
|
||||
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
|
||||
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
|
||||
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION),
|
||||
qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD),
|
||||
qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
|
||||
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION)
|
||||
);
|
||||
|
||||
if ( known_interface( 'docker0' ) ) {
|
||||
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD) );
|
||||
} else {
|
||||
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \$VARDIR/.filter_FORWARD) );
|
||||
}
|
||||
|
||||
emit( qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
|
||||
qq(else),
|
||||
qq( rm -f \$VARDIR/.nat_DOCKER),
|
||||
qq( rm -f \$VARDIR/.nat_POSTROUTING),
|
||||
|
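Review bot: The two new branches emit the same FORWARD-chain filter in two different grep dialects — the `known_interface('docker0')` branch keeps the BRE form `grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}'` while the `else` branch switches to `egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})'`; `egrep` is not POSIX and newer GNU grep warns that it is obsolescent, so the generated script is less portable than it needs to be. Use one ERE via `grep -E` in both branches, i.e. change the if-line to `grep -E '^-A FORWARD.*[io] br-[a-z0-9]{12}'` and the else-line to `grep -E '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})'`. The branch also deserves a why-comment, since the documentation hunk in this commit is the only place that explains it: `# docker0 defined to Shorewall: its FORWARD rules are generated from the interfaces/policy files, so save only Docker's per-network br-* rules; otherwise Docker's own docker0 rules must be preserved too`. save_docker_rules starts before this hunk and continues past it (the trailing `else` belongs to an outer `if` that is not shown).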
@ -637,22 +637,7 @@ sub create_docker_rules() {
|
||||
|
||||
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
|
||||
|
||||
unless ( known_interface('docker0') ) {
|
||||
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
|
||||
incr_cmd_level( $chainref );
|
||||
#
|
||||
# Emulate the Docker-generated rules
|
||||
#
|
||||
add_ijump_extended( $chainref, j => 'DOCKER', $origin{DOCKER}, o => 'docker0' );
|
||||
add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, o => 'docker0', conntrack => '--ctstate ESTABLISHED,RELATED' );
|
||||
#
|
||||
# Docker creates two ACCEPT rules for traffic forwarded from docker0 -- one for routeback and one for the rest
|
||||
# We combine them into a single rule
|
||||
#
|
||||
add_ijump_extended( $chainref, j => 'ACCEPT', $origin{DOCKER}, i => 'docker0' );
|
||||
decr_cmd_level( $chainref );
|
||||
add_commands( $chainref, 'fi' );
|
||||
} else {
|
||||
if ( known_interface('docker0') ) {
|
||||
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
|
||||
}
|
||||
|
||||
|
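Review bot: With the emulation block removed, the case where docker0 is not defined to Shorewall no longer emits any FORWARD rule for docker0 in this function; it now depends entirely on the rules captured by save_docker_rules being restored, and nothing in this hunk covers a start where no `.filter_FORWARD` snapshot exists yet (first start, or Docker installed after the last save), so containers would presumably lose forwarding until Docker re-adds its rules — worth confirming against the restore path, which is outside this hunk. If that gap is real, either keep the previous `-o docker0 ... ESTABLISHED,RELATED` and `-i docker0` ACCEPT rules as a fallback when the snapshot is absent, or state the requirement in the documentation. The surviving branch also lost its explanatory comment; suggest `# docker0 is a Shorewall interface: only the jump to DOCKER is emitted here, the ACCEPT rules come from the interfaces/policy files` above the `add_commands` call. create_docker_rules starts before this hunk and continues after it.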
@ -63,9 +63,8 @@
|
||||
url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
|
||||
As shown below, you can control inter-container communication using the
|
||||
<option>bridge</option> and <option>routeback</option> options. If docker0
|
||||
is not defined to Shorewall, then Shorewall will generate rules similar to
|
||||
those that Docker creates when --icc=true (Inter-container Communication)
|
||||
is specified on the Docker daemon runline.</para>
|
||||
is not defined to Shorewall, then Shorewall will save and restore the
|
||||
FORWARD chain rules involving that interface.</para>
|
||||
|
||||
<para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
|
||||
|
||||
|