1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
package libnetwork
import (
"github.com/docker/docker/libnetwork/iptables"
"github.com/sirupsen/logrus"
)
const userChain = "DOCKER-USER"
var ctrl *Controller
func setupArrangeUserFilterRule(c *Controller) {
ctrl = c
iptables.OnReloaded(arrangeUserFilterRule)
}
// This chain allow users to configure firewall policies in a way that persists
// docker operations/restarts. Docker will not delete or modify any pre-existing
// rules from the DOCKER-USER filter chain.
// Note once DOCKER-USER chain is created, docker engine does not remove it when
// IPTableForwarding is disabled, because it contains rules configured by user that
// are beyond docker engine's control.
func arrangeUserFilterRule() {
if ctrl == nil {
return
}
conds := []struct {
ipVer iptables.IPVersion
cond bool
}{
{ipVer: iptables.IPv4, cond: ctrl.iptablesEnabled()},
{ipVer: iptables.IPv6, cond: ctrl.ip6tablesEnabled()},
}
for _, ipVerCond := range conds {
cond := ipVerCond.cond
if !cond {
continue
}
ipVer := ipVerCond.ipVer
iptable := iptables.GetIptable(ipVer)
_, err := iptable.NewChain(userChain, iptables.Filter, false)
if err != nil {
logrus.WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
return
}
if err = iptable.AddReturnRule(userChain); err != nil {
logrus.WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
return
}
err = iptable.EnsureJumpRule("FORWARD", userChain)
if err != nil {
logrus.WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
}
}
}
|
