Add Docker article

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-02-26 15:30:39 -08:00 · 2016-02-26 15:30:39 -08:00 · 64de3d0e83
commit 64de3d0e83
parent 36d8518562
3 changed files with 141 additions and 42 deletions
--- a/docs/Docker.xml
+++ b/docs/Docker.xml
@ -0,0 +1,94 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Docker Support</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2016</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Shorewall 5.0.5 and Earlier</title>
+
+    <para>Both Docker and Shorewall assume that they 'own' the iptables
+    configuration. This leads to problems when Shorewall is restarted or
+    reloaded, because it drops all of the rules added by Docker. Fortunately,
+    the extensibility features in Shorewall allow users to <ulink
+    url="https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/#">create
+    their own solution</ulink> for saving the Docker-generated rules before
+    these operations and restoring them afterwards.</para>
+  </section>
+
+  <section>
+    <title>Shorewall 5.0.6 and Later</title>
+
+    <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
+    Docker. This support is enabled by setting DOCKER=Yes in shorewall.conf.
+    With this setting, the generated script saves the Docker-created ruleset
+    before executing a <command>stop</command>, <command>start</command>,
+    <command>restart</command> or <command>reload</command> operation and
+    restores those rules along with the Shorewall-generated ruleset.</para>
+
+    <para>This support assumes that the default Docker bridge (docker0) is
+    being used. It is recommended that this bridge be defined to Shorewall in
+    <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces(8)</ulink>.
+    As shown below, you can control inter-container communication using the
+    <option>bridge</option> and <option>routeback</option> options. If docker0
+    is not defined to Shorewall, then Shorewall will generate rules similar to
+    those that Docker creates when --icc=true (Inter-container Communication)
+    is specified on the Docker daemon runline.</para>
+
+    <para><filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+    <programlisting>DOCKER=Yes</programlisting>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>#ZONE         TYPE        OPTIONS
+dock          ipv4        #'dock' is just an example -- call it anything you like</programlisting>
+
+    <para><filename>/etc/shorewall/policy</filename>:</para>
+
+    <programlisting>#SOURCE        DEST        POLICY         LEVEL
+dock           $FW         REJECT
+dock           all         ACCEPT</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge   #Allow ICC (bridge implies routeback=1)</programlisting>
+
+    <para>or</para>
+
+    <programlisting>#ZONE          INTERFACE        OPTIONS
+dock           docker0          bridge,routeback=0   #Disallow ICC</programlisting>
+  </section>
+</article>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@ -265,7 +265,7 @@
          </row>

          <row>
-            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>
+            <entry><ulink url="Docker.html">Docker</ulink></entry>

            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>
@ -275,8 +275,7 @@
          </row>

          <row>
-            <entry><ulink url="ECN.html">ECN Disabling by host or
-            subnet</ulink></entry>
+            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>

            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>
@ -285,7 +284,8 @@
          </row>

          <row>
-            <entry><ulink url="Events.html">Events</ulink></entry>
+            <entry><ulink url="ECN.html">ECN Disabling by host or
+            subnet</ulink></entry>

            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>
@ -294,8 +294,7 @@
          </row>

          <row>
-            <entry><ulink url="shorewall_extension_scripts.htm">Extension
-            Scripts (User Exits)</ulink></entry>
+            <entry><ulink url="Events.html">Events</ulink></entry>

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

@ -304,8 +303,8 @@
          </row>

          <row>
-            <entry><ulink
-            url="fallback.htm">Fallback/Uninstall</ulink></entry>
+            <entry><ulink url="shorewall_extension_scripts.htm">Extension
+            Scripts (User Exits)</ulink></entry>

            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>
@ -315,7 +314,8 @@
          </row>

          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+            <entry><ulink
+            url="fallback.htm">Fallback/Uninstall</ulink></entry>

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

@ -324,8 +324,7 @@
          </row>

          <row>
-            <entry><ulink
-            url="shorewall_features.htm">Features</ulink></entry>
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>

            <entry><ulink url="PortKnocking.html">Port Knocking
            (deprecated)</ulink></entry>
@ -334,8 +333,8 @@
          </row>

          <row>
-            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
-            Same Interface</ulink></entry>
+            <entry><ulink
+            url="shorewall_features.htm">Features</ulink></entry>

            <entry><ulink url="Events.html">Port Knocking, Auto Blacklisting
            and Other Uses of the 'Recent Match'</ulink></entry>
@ -344,18 +343,28 @@
          </row>

          <row>
-            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
+            Same Interface</ulink></entry>

            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>
+
+            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>

-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            Guides</ulink></entry>

            <entry/>
          </row>
@ -364,8 +373,7 @@
            <entry><ulink url="Helpers.html">Helpers/Helper
            Modules</ulink></entry>

-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
-            Guides</ulink></entry>
+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>

            <entry/>
          </row>
@ -374,14 +382,6 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>

-            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
-
-            <entry/>
-          </row>
-
-          <row>
-            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>
-
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

@ -389,7 +389,7 @@
          </row>

          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>

            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@ -398,7 +398,7 @@
          </row>

          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@ -407,18 +407,27 @@
          </row>

          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>

            <entry><ulink url="samba.htm">Samba</ulink></entry>

            <entry/>
          </row>

+          <row>
+            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
+
+            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+
+            <entry/>
+          </row>
+
          <row>
            <entry><ulink url="ISO-3661.html">ISO 3661 Country
            Codes</ulink></entry>

-            <entry><ulink url="Events.html">Shorewall Events</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>

            <entry/>
          </row>
@ -427,8 +436,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            Lite</ulink></entry>

            <entry/>
          </row>
@ -437,8 +446,7 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>

-            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Lite</ulink></entry>
+            <entry/>

            <entry/>
          </row>
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Shorewall 4.4/4.5/4.6 Features</title>
+    <title>Shorewall 5.0 Features</title>

    <author>
      <firstname>Tom</firstname>
@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2014</year>
+      <year>2001-2016</year>

      <holder>Thomas M Eastep</holder>
    </copyright>
@ -32,13 +32,6 @@
    </legalnotice>
  </articleinfo>

-  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
-    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation for that
-    release.</emphasis></para>
-  </caution>
-
  <section id="Features">
    <title>Features</title>

@ -278,6 +271,10 @@
          <listitem>
            <para><ulink url="LXC.html">LXC</ulink></para>
          </listitem>
+
+          <listitem>
+            <para>Docker (Shorewall 5.0.6 and later)</para>
+          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>