diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 4c65f0f8f..404554b45 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3369,13 +3369,13 @@ sub initialize_chain_table($) {
 add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 $chainref = new_standard_chain( 'DOCKER-INGRESS' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
- $chainref = new_standard_chain( 'DOCKER-USER' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+ $chainref = new_standard_chain( 'DOCKER-USER' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -8703,20 +8703,15 @@ sub save_docker_rules($) {
 qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
 qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
- qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
- qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( rm -f \${VARDIR}/.filter_DOCKER-*),
+ qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+ qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+ qq( [ -n "\$g_dockeriso" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 qq(),
- qq( case "\$g_dockernetwork" in),
- qq( One\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
- qq( ;;),
- qq( Two\)),
- qq( rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
- qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
- qq( ;;),
- qq( esac),
+ qq( if [ -n "\$g_dockerisostage" ]; then),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+ qq( $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+ qq( fi),
 qq(),
 );
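Review bot: The STAGE-2 save inside the new `if [ -n "$g_dockerisostage" ]` block is issued without checking that DOCKER-ISOLATION-STAGE-2 actually exists, since only STAGE-1 sets that flag. When the chain is absent the `$tool -S` error goes to stderr but the redirect still creates an empty `.filter_DOCKER-ISOLATION-STAGE-2`, which the `[ -f … ] && cat … >&3` restore commands (the STAGE-1 counterpart is visible in the first hunk) later replay; the content is harmless, but the failure is masked on every save. If the generated script has `chain_exists` in scope at this point, as the generate_script_2 output elsewhere in this diff suggests, guard the line: `qq( chain_exists DOCKER-ISOLATION-STAGE-2 && $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),`. Note also that the new `rm -f \${VARDIR}/.filter_DOCKER-*` sweeps the INGRESS and USER files too, so a flag that is unexpectedly empty at save time now silently drops those chains from the next restore instead of replaying a stale copy. save_docker_rules begins before this hunk.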
@@ -9237,10 +9232,10 @@ sub create_netfilter_load( $ ) {
 emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode;
- emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode;
- emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ emit( qq([ "\$g_dockerisostage" = Two ] && echo ":$name - [0:0]" >&3) );
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9352,11 +9347,11 @@ sub preview_netfilter_load() {
 print "\n";
 } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 ensure_cmd_mode1;
- print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+ print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 print "\n";
- } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+ } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 ensure_cmd_mode1;
- print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+ print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 print "\n";
 } elsif ( $name eq 'DOCKER-INGRESS' ) {
 ensure_cmd_mode1;
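Review bot: The STAGE chain declaration in create_netfilter_load tests `[ "$g_dockerisostage" = Two ]`, but nothing in this diff ever assigns `Two` to that flag — the intended assignment in the Compiler.pm hunk is `…=Yes`, and the sibling create_stop_load hunk tests it with `-n` — so the `:DOCKER-ISOLATION-STAGE-1 - [0:0]` / STAGE-2 lines would never reach the restore input while the saved `-A DOCKER-ISOLATION-STAGE-*` rules are still fed in by the chain commands from the first hunk, which iptables-restore would reject once the flag is actually set. The preview counterpart has a typo, `$g_dockeisostage`, and omits `-n`, so the preview decides differently from the real load. Make both match create_stop_load: `emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );` and `print( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );`. The widened `/^DOCKER-ISOLATION/` pattern only stays correct because the `eq 'DOCKER-ISOLATION'` branch is tested first; a one-line comment on that branch saying the order matters would protect it. Both subs extend beyond the hunks shown.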
@@ -9453,10 +9448,10 @@ sub create_stop_load( $ ) { emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); } elsif ( $name eq 'DOCKER-ISOLATION' ) { ensure_cmd_mode; - emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); - } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) { + emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); + } elsif ( $name =~ /^DOCKER-ISOLATION/ ) { ensure_cmd_mode; - emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) ); + emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) ); } elsif ( $name eq 'DOCKER-INGRESS' ) { ensure_cmd_mode; emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' ); diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index a666af0b0..c8977bd4b 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -268,13 +268,10 @@ sub generate_script_2() { emit( '', 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes', ); - emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' ); - emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' ); - emit( 'if chain_exists DOCKER-ISOLATION; then', - ' g_dockernetwork=One', - 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then', - ' g_dockernetwork=Two', - 'fi' ); + emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' ); + emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' ); + emit( 'chain_exists DOCKER-ISOLATION && dockeriso=Yes' ); + emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && dockerisostage=Yes' ); } pop_indent; diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index 0ff7fea09..55ed6ba53 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm +++ b/Shorewall/Perl/Shorewall/Misc.pm 
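Review bot: In the Compiler.pm hunk the two new detection lines assign `dockeriso=Yes` and `dockerisostage=Yes` without the `g_` prefix, while prog.footer declares `g_dockeriso=` / `g_dockerisostage=` and every consumer in this diff (save_docker_rules, create_netfilter_load, create_stop_load, create_docker_rules) tests the prefixed names. As written the flags stay empty, so Docker's isolation chains are never declared, never jumped to from FORWARD and never saved, and a Shorewall restart appears to leave container networks without the isolation rules Docker had installed until Docker recreates them. Change the lines to `emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );` and `emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );`. The create_stop_load hunk above tests both flags with `-n`, which is the form the other load paths should also use. generate_script_2 continues outside the hunk.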
@@ -679,18 +679,10 @@ sub create_docker_rules() { my $chainref = $filter_table->{FORWARD}; - add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', ); - add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', ); - add_commands( $chainref , - '', - 'case "$g_dockernetwork" in', - ' One)', - ' echo "-A FORWARD -j DOCKER-ISOLATION" >&3', - ' ;;', - ' Two)', - ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3', - ' ;;', - 'esac' ); + add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3' ); + add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3' ); + add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' ); + add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' ); if ( my $dockerref = known_interface('docker0') ) { add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index f72f648c9..5b5ccba01 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -148,7 +148,8 @@ g_compiled= g_file= g_docker= g_dockeringress= -g_dockernetwork= +g_dockeriso= +g_dockerisostage= g_forcereload= g_fallback=
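Review bot: The four FORWARD jumps in create_docker_rules are now emitted independently, so if both DOCKER-ISOLATION and DOCKER-ISOLATION-STAGE-1 exist (for example a legacy chain that was saved and then re-declared from its `.filter_DOCKER-ISOLATION` file by the first hunk) both `-j` rules are appended, whereas the removed `case` guaranteed at most one. I can't tell from here whether that combination occurs in practice; if the exclusivity mattered, keep it with `[ -n "$g_dockerisostage" ] && [ -z "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3`. A short comment recording why the jumps are emitted in this order (presumably the order Docker itself installs them) would help the next maintainer. create_docker_rules continues past the hunk.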