From ca59556d4496f04228769d039475249672d71f31 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 7 Mar 2020 11:03:35 -0800
Subject: [PATCH] Add DOCKER_BRIDGE option

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 6 +++--
 Shorewall/Perl/Shorewall/Config.pm | 4 +++
 Shorewall/Perl/Shorewall/Misc.pm | 12 +++++----
 Shorewall/Samples/Universal/shorewall.conf | 2 ++
 .../Samples/one-interface/shorewall.conf | 2 ++
 .../Samples/three-interfaces/shorewall.conf | 2 ++
 .../Samples/two-interfaces/shorewall.conf | 2 ++
 Shorewall/configfiles/shorewall.conf | 2 ++
 Shorewall/manpages/shorewall.conf.xml | 26 ++++++++++++++-----
 9 files changed, 44 insertions(+), 14 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a9fa504ed..863441928 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8712,6 +8712,8 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
 my $tool = $_[0];
+ my $bridge = $config{DOCKER_BRIDGE};
+
 emit( qq(if [ -n "\$g_docker" ]; then),
 qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
 qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
@@ -8729,10 +8731,10 @@ sub save_docker_rules($) {
 qq(),
 );
- if ( known_interface( 'docker0' ) ) {
+ if ( known_interface( $bridge ) ) {
 emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
 } else {
- emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+ emit( qq( $tool -t filter -S FORWARD | egrep "^-A FORWARD.\*\[io\] ($bridge|br-\[a-z0-9\]\{12\})" > \${VARDIR}/.filter_FORWARD) );
 }
 emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 80c8a2fcf..e9b4b62ea 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
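Review bot: In the second Chains.pm hunk, `$bridge` is interpolated verbatim into the `egrep` extended-regex pattern that the generated script runs, so a bridge name containing an ERE metacharacter (a `.` is legal in a Linux interface name) is no longer matched literally, and because the pattern now sits in shell double quotes where the replaced line used single quotes, a `$`, backquote or `"` in the name would also break the generated script's quoting. The value comes from shorewall.conf, so this is a robustness rather than an injection concern, but the name should be checked once where it is defaulted, next to `default( 'DOCKER_BRIDGE' , 'docker0' );` in the Config.pm `get_configuration` hunk, for example `fatal_error "Invalid DOCKER_BRIDGE ($val)" unless $val =~ /\A[-\w]+\z/;` (constructed; tighten or loosen the class to what Shorewall accepts for interface names elsewhere). Both hunks are excerpts of `save_docker_rules`, whose body continues outside them.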
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1010,6 +1010,7 @@ sub initialize($;$$$) {
 PERL_HASH_SEED => undef ,
 USE_NFLOG_SIZE => undef ,
 RENAME_COMBINED => undef ,
+ DOCKER_BRIDGE => undef ,
 #
 # Packet Disposition
 #
@@ -6569,6 +6570,9 @@ sub get_configuration( $$$ ) {
 fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
 require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
 require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
+ default( 'DOCKER_BRIDGE' , 'docker0' );
+ } elsif ( $family == F_IPV6 ) {
+ warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
 }
 if ( supplied( $val = $config{RESTART} ) ) {
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 7c995cf2e..8437e40db 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -675,6 +675,8 @@ sub process_stoppedrules() {
 # Generate the rules required when DOCKER=Yes
 #
 sub create_docker_rules() {
+ my $bridge = $config{DOCKER_BRIDGE};
+
 add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 my $chainref = $filter_table->{FORWARD};
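Review bot: The new `elsif ( $family == F_IPV6 )` branch in the second Config.pm hunk warns about a supplied DOCKER_BRIDGE only under shorewall6; on IPv4 with Docker support disabled a supplied value is silently ignored, which is the inconsistent case a user is more likely to hit. The enclosing `if` starts outside the hunk, but given the `DOCKER=Yes` capability checks it presumably tests `$config{DOCKER}`, and IPv6 can only reach the `elsif` with DOCKER off because DOCKER=Yes is fatal there, so a single unconditional branch covers both: `} elsif ( supplied( $val = $config{DOCKER_BRIDGE} ) ) {` followed by `warning_message( "DOCKER_BRIDGE=$val ignored because DOCKER=No" );`. Note also that `default( 'DOCKER_BRIDGE' , 'docker0' )` runs only in that first branch, so `$config{DOCKER_BRIDGE}` stays undef otherwise; that is harmless as long as `save_docker_rules` and `create_docker_rules`, which now pass it to `known_interface`, are only invoked when Docker support is enabled — worth confirming.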
@@ -684,13 +686,13 @@ sub create_docker_rules() {
 add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
 add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
- if ( my $dockerref = known_interface('docker0') ) {
+ if ( my $dockerref = known_interface( $bridge ) ) {
 add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 incr_cmd_level( $chainref );
- add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
- add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
- add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
- add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+ add_ijump( $chainref, j => 'DOCKER', o => $bridge );
+ add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
+ add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
+ add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
 decr_cmd_level( $chainref );
 add_commands( $chainref, 'fi' );
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index 90e72042e..21533aa93 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -163,6 +163,8 @@ DISABLE_IPV6=No
 DOCKER=No
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index d1b95dae7..29795e56a 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -174,6 +174,8 @@ DISABLE_IPV6=No
 DOCKER=No
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
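Review bot: The rewritten `add_ijump` lines in the Misc.pm hunk put a space before the comma after the interface argument (`o => $bridge ,`, `i => $bridge ,`), which neither the lines they replace nor the neighbouring `j => 'ACCEPT',` arguments do; `o => $bridge,` keeps the file's spacing. The `if ( my $dockerref = known_interface( $bridge ) )` block is shown only in part — whatever follows `add_commands( $chainref, 'fi' )`, including any `else` branch, is outside the hunk.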
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 54af15f58..07d36b5e3 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -171,6 +171,8 @@ DISABLE_IPV6=No
 DOCKER=No
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index 93da85f97..b4d875af0 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -174,6 +174,8 @@ DISABLE_IPV6=No
 DOCKER=No
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index dcfe7e96d..6ba2ac8a6 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -167,6 +167,8 @@ DISABLE_IPV6=No
 DOCKER=No
+DOCKER_BRIDGE=docker0
+
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index 2d6953782..e4d705cd2 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -834,18 +834,30 @@ role="bold">Yes|No] - Added in Shorewall 5.0.6. When set to , - the generated script will save Docker-generated rules before and - restore them after executing the start, - stop, reload and - restart commands. If set to - (the default), the generated script will delete any Docker-generated - rules when executing those commands. See + Added in Shorewall 5.0.6; IPv4 only. When set to + , the generated script will save + Docker-generated rules before and restore them after executing the + start, stop, + reload and restart commands. + If set to (the default), the generated script + will delete any Docker-generated rules when executing those + commands. See http://www.shorewall.net/Docker.html for additional information. + + DOCKER_BRIDGE=[bridgename] + + + Added in Shorewall 5.2.4; IPv4 only. Specifies the name of the + default Docker bridge. If not specified, the value 'docker0' is + assumed. + + + DONT_LOAD=[module[,module]...]