holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add DOCKER_BRIDGE option

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2020-03-07 11:03:35 -08:00
parent 639dc86e1b
commit d3de75dd12
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
9 changed files with 44 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -8727,6 +8727,8 @@ sub emitr1( $$ ) {
sub save_docker_rules($) {
my $tool = $_[0];
my $bridge = $config{DOCKER_BRIDGE};
emit( qq(if [ -n "\$g_docker" ]; then),
qq( $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
qq( $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
@ -8744,10 +8746,10 @@ sub save_docker_rules($) {
qq(),
);
if ( known_interface( 'docker0' ) ) {
if ( known_interface( $bridge ) ) {
emit( qq( $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
} else {
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
emit( qq( $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
}
emit( q( [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),

4
Shorewall/Perl/Shorewall/Config.pm
View File

@ -1010,6 +1010,7 @@ sub initialize($;$$$) {
PERL_HASH_SEED => undef ,
USE_NFLOG_SIZE => undef ,
RENAME_COMBINED => undef ,
DOCKER_BRIDGE => undef ,
#
# Packet Disposition
#
@ -6569,6 +6570,9 @@ sub get_configuration( $$$ ) {
fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
require_capability( 'ADDRTYPE', ' DOCKER=Yes', 's' );
default( 'DOCKER_BRIDGE' , 'docker0' );
} elsif ( $family == F_IPV6 ) {
warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
}
if ( supplied( $val = $config{RESTART} ) ) {

12
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -675,6 +675,8 @@ sub process_stoppedrules() {
# Generate the rules required when DOCKER=Yes
#
sub create_docker_rules() {
my $bridge = $config{DOCKER_BRIDGE};
add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
my $chainref = $filter_table->{FORWARD};
@ -684,13 +686,13 @@ sub create_docker_rules() {
add_commands( $chainref, '[ -n "$g_dockeriso" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
if ( my $dockerref = known_interface('docker0') ) {
if ( my $dockerref = known_interface( $bridge ) ) {
add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
incr_cmd_level( $chainref );
add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
add_ijump( $chainref, j => 'DOCKER', o => $bridge );
add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' );

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -163,6 +163,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -174,6 +174,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -171,6 +171,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -174,6 +174,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No

2
Shorewall/configfiles/shorewall.conf
View File

@ -167,6 +167,8 @@ DISABLE_IPV6=No
DOCKER=No
DOCKER_BRIDGE=docker0
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes

26
Shorewall/manpages/shorewall.conf.xml
View File

@ -834,18 +834,30 @@
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.6. When set to <option>Yes</option>,
the generated script will save Docker-generated rules before and
restore them after executing the <command>start</command>,
<command>stop</command>, <command>reload</command> and
<command>restart</command> commands. If set to <option>No</option>
(the default), the generated script will delete any Docker-generated
rules when executing those commands. See<ulink url="/Docker.html">
<para>Added in Shorewall 5.0.6; IPv4 only. When set to
<option>Yes</option>, the generated script will save
Docker-generated rules before and restore them after executing the
<command>start</command>, <command>stop</command>,
<command>reload</command> and <command>restart</command> commands.
If set to <option>No</option> (the default), the generated script
will delete any Docker-generated rules when executing those
commands. See<ulink url="/Docker.html">
http://www.shorewall.org/Docker.html</ulink> for additional
information.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DOCKER_BRIDGE=</emphasis>[<emphasis>bridgename</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.2.4; IPv4 only. Specifies the name of the
default Docker bridge. If not specified, the value 'docker0' is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">DONT_LOAD=</emphasis>[<emphasis>module</emphasis>[,<emphasis>module</emphasis>]...]</term>