authorJacob Wen <jian.w.wen@oracle.com>2017-07-20 15:51:32 +0800
committerJacob Wen <jian.w.wen@oracle.com>2017-07-20 16:38:14 +0800
commit5c01dcd401e8d26b1c137ff0222776e3343094fa (patch)
tree118f2d11956a9425003af7090e4746683697b943 /libnetwork/service_linux.go
parent5f1caa9a4f61592583e8c179ac863edae666503a (diff)
downloaddocker-5c01dcd401e8d26b1c137ff0222776e3343094fa.tar.gz
iptables: jump to DOCKER-USER first
Fixes #1827 Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
Diffstat (limited to 'libnetwork/service_linux.go')
-rw-r--r--libnetwork/service_linux.go5
1 files changed, 4 insertions, 1 deletions
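--- a/libnetwork/service_linux.go
+++ b/libnetwork/service_linux.go
@@ -372,6 +372,7 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
 return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err)
 }
+ arrangeUserFilterRule()
 }
 oifName, err := findOIFName(gwIP)
@@ -438,7 +439,9 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 return nil
 }
-// In the filter table FORWARD chain first rule should be to jump to INGRESS-CHAIN
+// In the filter table FORWARD chain the first rule should be to jump to
+// DOCKER-USER so the user is able to filter packet first.
+// The second rule should be jump to INGRESS-CHAIN.
 // This chain has the rules to allow access to the published ports for swarm tasks
 // from local bridge networks and docker_gwbridge (ie:taks on other swarm netwroks)
 func arrangeIngressFilterRule() {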
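Review bot: The new `arrangeUserFilterRule()` call in the first hunk discards any outcome, so if placing the DOCKER-USER jump fails, the ingress jump that was just inserted with `-I` stays at the head of FORWARD and user-defined filtering is silently bypassed; the helper's signature is not visible here, but if it returns an error it should be checked, e.g. `if err := arrangeUserFilterRule(); err != nil { return fmt.Errorf("failed to arrange DOCKER-USER jump rule in filter table forward chain: %v", err) }`, and if it only logs, that should be stated next to the call. The call also relies on ordering — it must run after the `-I FORWARD -j ingressChain` line so the user chain ends up ahead of it — which deserves a comment such as `// Must follow the ingress jump insert so DOCKER-USER is evaluated first in FORWARD.` programIngress begins before and ends after this hunk. In the second hunk, `// The second rule should be jump to INGRESS-CHAIN.` reads better as `// The second rule should be to jump to INGRESS-CHAIN.`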