Add DOCKER network support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-02-27 13:36:47 -08:00
parent 64de3d0e83
commit 71d64ab380
7 changed files with 74 additions and 28 deletions


@ -3004,7 +3004,7 @@ sub initialize_chain_table($) {
} }
} }
if ( $config{DOCKER} ) { if ( my $docker = $config{DOCKER} ) {
add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' ); add_commands( $nat_table->{POSTROUTING}, '[ -f ${VARDIR}/.nat_POSTROUTING ] && cat ${VARDIR}/.nat_POSTROUTING >&3' );
$chainref = new_standard_chain( 'DOCKER' ); $chainref = new_standard_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
@ -3012,6 +3012,9 @@ sub initialize_chain_table($) {
$chainref = new_nat_chain( 'DOCKER' ); $chainref = new_nat_chain( 'DOCKER' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE ); set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' ); add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
} }
my $ruleref = transform_rule( $globals{LOGLIMIT} ); my $ruleref = transform_rule( $globals{LOGLIMIT} );
@ -8068,10 +8071,15 @@ sub save_docker_rules($) {
qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER), qq( $tool -t nat -S DOCKER | tail -n +2 > \$VARDIR/.nat_DOCKER),
qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING), qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \$VARDIR/.nat_POSTROUTING),
qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER), qq( $tool -t filter -S DOCKER | tail -n +2 > \$VARDIR/.filter_DOCKER),
qq( [ -n "\$g_dockernetwork" ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \$VARDIR/.filter_DOCKER-ISOLATION),
qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \$VARDIR/.filter_FORWARD),
qq( [ -s \$VARDIR/.filter_FORWARD ] || rm -f \$VARDIR/.filter_FORWARD),
qq(else), qq(else),
qq( rm -f \$VARDIR/.nat_DOCKER), qq( rm -f \$VARDIR/.nat_DOCKER),
qq( rm -f \$VARDIR/.nat_POSTROUTING), qq( rm -f \$VARDIR/.nat_POSTROUTING),
qq( rm -f \$VARDIR/.filter_DOCKER), qq( rm -f \$VARDIR/.filter_DOCKER),
qq( rm -f \$VARDIR/.filter_DOCKER-ISOLATION),
qq( rm -f \$VARDIR/.filter_FORWARD),
qq(fi) qq(fi)
) )
} }
@ -8452,7 +8460,7 @@ sub create_netfilter_load( $ ) {
my @chains; my @chains;
# #
# iptables-restore seems to be quite picky about the order of the builtin chains # Iptables-restore seems to be quite picky about the order of the builtin chains
# #
for my $chain ( @builtins ) { for my $chain ( @builtins ) {
my $chainref = $chain_table{$table}{$chain}; my $chainref = $chain_table{$table}{$chain};
@ -8470,10 +8478,19 @@ sub create_netfilter_load( $ ) {
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
my $name = $chainref->{name}; my $name = $chainref->{name};
assert( $chainref->{cmdlevel} == 0 , $name ); assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name eq 'DOCKER' ) {
enter_cmd_mode; if ( $name =~ /^DOCKER/ ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); if ( $name eq 'DOCKER' ) {
enter_cat_mode; enter_cmd_mode;
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else { } else {
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
@ -8565,10 +8582,18 @@ sub preview_netfilter_load() {
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
my $name = $chainref->{name}; my $name = $chainref->{name};
assert( $chainref->{cmdlevel} == 0 , $name ); assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name eq 'DOCKER' ) { if ( $name =~ /^DOCKER/ ) {
enter_cmd_mode; if ( $name eq 'DOCKER' ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); enter_cmd_mode;
enter_cat_mode; emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else { } else {
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
@ -8793,10 +8818,18 @@ sub create_stop_load( $ ) {
unless ( $chainref->{builtin} ) { unless ( $chainref->{builtin} ) {
my $name = $chainref->{name}; my $name = $chainref->{name};
assert( $chainref->{cmdlevel} == 0 , $name ); assert( $chainref->{cmdlevel} == 0 , $name );
if ( $name eq 'DOCKER' ) { if ( $name =~ /^DOCKER/ ) {
enter_cmd_mode; if ( $name eq 'DOCKER' ) {
emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); enter_cmd_mode;
enter_cat_mode; emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
enter_cat_mode;
} elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode;
emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
enter_cat_mode;
} else {
emit_unindented ":$name - [0:0]";
}
} else { } else {
emit_unindented ":$name - [0:0]"; emit_unindented ":$name - [0:0]";
} }
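Review bot: In the save_docker_rules hunk the DOCKER-ISOLATION dump is guarded by `[ -n "$g_dockernetwork" ]`, but nothing removes a pre-existing `.filter_DOCKER-ISOLATION` when that variable is empty, unlike `.filter_FORWARD` which gets `[ -s ... ] || rm -f` on the next line. The initialize_chain_table hunk cats that file on the bare condition that it exists, while the `:DOCKER-ISOLATION - [0:0]` declaration in create_netfilter_load is emitted only when `$g_dockernetwork` is set, so a stale file from an earlier run would appear to feed `-A DOCKER-ISOLATION` rules to iptables-restore for a chain that was never declared and fail the load. Adding `qq( [ -n "\$g_dockernetwork" ] || rm -f \$VARDIR/.filter_DOCKER-ISOLATION),` after the dump line would close that, if the save does run before the restore as the else-branch rm lines suggest. As a point of style, the same if/elsif/else ladder is now copied verbatim into create_netfilter_load, preview_netfilter_load and create_stop_load and would read better as one small helper, and `my $docker = $config{DOCKER}` in the first hunk is not used on any visible line (the rest of initialize_chain_table is outside the hunk).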


@ -263,10 +263,13 @@ sub generate_script_2() {
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
); );
emit( '', if ( $config{DOCKER} ) {
'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes', emit( '',
'' 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
) if $config{DOCKER}; );
emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes]' );
emit( '' );
}
pop_indent; pop_indent;
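Review bot: The new emit for the network check has a stray closing bracket, `g_dockernetwork=Yes]`, so the generated shell assigns the literal string `Yes]` rather than `Yes`. The `-n` tests elsewhere in this commit still pass with that value, which is why it would go unnoticed, but any later `= Yes` comparison or a reader of the script would be misled; the line should read `emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );`. generate_script_2 begins outside the hunk.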


@ -5859,7 +5859,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'INLINE_MATCHES' , ''; default_yes_no 'INLINE_MATCHES' , '';
default_yes_no 'BASIC_FILTERS' , ''; default_yes_no 'BASIC_FILTERS' , '';
default_yes_no 'WORKAROUNDS' , 'Yes'; default_yes_no 'WORKAROUNDS' , 'Yes';
default_yes_no 'DOCKER' , ''; default_yes_no 'DOCKER' , '';
if ( $config{DOCKER} ) { if ( $config{DOCKER} ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6; fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;


@ -633,9 +633,11 @@ sub create_docker_rules() {
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' ); add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' ); add_commands( $nat_table->{OUTPUT} , '[ -n "$g_docker" ] && echo "-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
unless ( known_interface('docker0') ) { my $chainref = $filter_table->{FORWARD};
my $chainref = $filter_table->{FORWARD};
add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
unless ( known_interface('docker0') ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' ); add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref ); incr_cmd_level( $chainref );
# #
@ -653,6 +655,8 @@ sub create_docker_rules() {
} else { } else {
add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' ); add_commands( $filter_table->{FORWARD}, '[ -n "$g_docker" ] && echo "-A FORWARD -o docker0 -j DOCKER" >&3' );
} }
add_commands( $chainref, '[ -f $VARDIR/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
} }
sub setup_mss(); sub setup_mss();
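Review bot: Now that `$chainref` is hoisted to hold `$filter_table->{FORWARD}` for the whole block, the else branch still spells out `$filter_table->{FORWARD}` while the new lines before and after it use `$chainref`; using one name throughout would make it obvious that all four add_commands calls target the same chain. The two added add_commands calls also carry a trailing comma before the closing paren (`... >&3', );`), which Perl accepts but none of the surrounding calls use. create_docker_rules begins outside the hunk.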


@ -126,6 +126,7 @@ g_counters=
g_compiled= g_compiled=
g_file= g_file=
g_docker= g_docker=
g_dockernetwork=
initialize initialize


@ -738,11 +738,15 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem> <listitem>
<para>Added in Shorewall 5.0.6. When set to Yes, the generated <para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
script will save Docker-generated rules before and restore them the generated script will save Docker-generated rules before and
after executing the start, reload and restart commands. If set to No restore them after executing the <command>start</command>,
<command>stop</command>, <command>reload</command> and
<command>restart</command> commands. If set to <option>No</option>
(the default), the generated script will delete any Docker-generated (the default), the generated script will delete any Docker-generated
rules when executing those commands.</para> rules when executing those commands. See<ulink url="/Docker.html">
http://www.shorewall.net/Docker.html</ulink> for additional
information.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -50,9 +50,10 @@
<title>Shorewall 5.0.6 and Later</title> <title>Shorewall 5.0.6 and Later</title>
<para>Beginning with Shorewall 5.0.6, Shorewall has native support for <para>Beginning with Shorewall 5.0.6, Shorewall has native support for
Docker. This support is enabled by setting DOCKER=Yes in shorewall.conf. simple Docker configurations. This support is enabled by setting
With this setting, the generated script saves the Docker-created ruleset DOCKER=Yes in shorewall.conf. With this setting, the generated script
before executing a <command>stop</command>, <command>start</command>, saves the Docker-created ruleset before executing a
<command>stop</command>, <command>start</command>,
<command>restart</command> or <command>reload</command> operation and <command>restart</command> or <command>reload</command> operation and
restores those rules along with the Shorewall-generated ruleset.</para> restores those rules along with the Shorewall-generated ruleset.</para>