holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Accomodate both DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-*

Browse Source 
Previously, the code assumed that either DOCKER-ISOLATION or
DOCKER-ISOLATION-STAGE-* would exist but not both. That has been corrected
This commit is contained in:
Tom Eastep 2020-02-22 11:31:19 -08:00
parent 3f5e1b5b60
commit 6798c2f2b0
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
4 changed files with 31 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -3369,13 +3369,13 @@ sub initialize_chain_table($) {
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-INGRESS' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
$chainref = new_standard_chain( 'DOCKER-USER' );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
$chainref = new_standard_chain( 'DOCKER-USER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@ -8703,20 +8703,15 @@ sub save_docker_rules($) {
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
qq( rm -f \${VARDIR}/.filter_DOCKER-*),
qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
qq(),
qq( case "\$g_dockernetwork" in),
qq( One\)),
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
qq( ;;),
qq( Two\)),
qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
qq( ;;),
qq( esac),
qq( if [ -n "\$g_dockerisostage" ]; then),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
qq( fi),
qq(),
);
@ -9237,10 +9232,10 @@ sub create_netfilter_load( $ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode;
emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@ -9352,11 +9347,11 @@ sub preview_netfilter_load() {
print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode1;
print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n";
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode1;
print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
print "\n";
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode1;
@ -9453,10 +9448,10 @@ sub create_stop_load( $ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
} elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
ensure_cmd_mode;
emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
} elsif ( $name eq 'DOCKER-INGRESS' ) {
ensure_cmd_mode;
emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );

11
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -268,13 +268,10 @@ sub generate_script_2() {
emit( '',
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
);
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
emit( 'if chain_exists DOCKER-ISOLATION; then',
' g_dockernetwork=One',
'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
' g_dockernetwork=Two',
'fi' );
emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' );
emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' );
}
pop_indent;

16
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -679,18 +679,10 @@ sub create_docker_rules() {
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
add_commands( $chainref ,
'',
'case "$g_dockernetwork" in',
' One)',
' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
' ;;',
' Two)',
' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
' ;;',
'esac' );
add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' );
add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
if ( my $dockerref = known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );

3
Shorewall/Perl/prog.footer
View File

@ -148,7 +148,8 @@ g_compiled=
g_file=
g_docker=
g_dockeringress=
g_dockernetwork=
g_dockeriso=
g_dockerisostage=
g_forcereload=
g_fallback=