Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a filter chain to allow persistent rules #1675

Merged
merged 1 commit into from
May 17, 2017
+82 −42
Merged

Add a filter chain to allow persistent rules #1675

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions controller.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -844,6 +844,10 @@ addToStore:
c.Unlock()
}

c.Lock()
arrangeUserFilterRule()
c.Unlock()

return network, nil
}

Expand Down
44 changes: 2 additions & 42 deletions drivers/bridge/setup_ip_tables.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ func setupIPChains(config *configuration) (*iptables.ChainInfo, *iptables.ChainI
return nil, nil, nil, fmt.Errorf("failed to create FILTER isolation chain: %v", err)
}

if err := addReturnRule(IsolationChain); err != nil {
if err := iptables.AddReturnRule(IsolationChain); err != nil {
return nil, nil, nil, err
}

Expand Down Expand Up @@ -117,7 +117,7 @@ func (n *bridgeNetwork) setupIPTables(config *networkConfiguration, i *bridgeInt
}

d.Lock()
err = ensureJumpRule("FORWARD", IsolationChain)
err = iptables.EnsureJumpRule("FORWARD", IsolationChain)
d.Unlock()
if err != nil {
return err
Expand Down Expand Up @@ -280,46 +280,6 @@ func setINC(iface1, iface2 string, enable bool) error {
return nil
}

func addReturnRule(chain string) error {
var (
table = iptables.Filter
args = []string{"-j", "RETURN"}
)

if iptables.Exists(table, chain, args...) {
return nil
}

err := iptables.RawCombinedOutput(append([]string{"-I", chain}, args...)...)
if err != nil {
return fmt.Errorf("unable to add return rule in %s chain: %s", chain, err.Error())
}

return nil
}

// Ensure the jump rule is on top
func ensureJumpRule(fromChain, toChain string) error {
var (
table = iptables.Filter
args = []string{"-j", toChain}
)

if iptables.Exists(table, fromChain, args...) {
err := iptables.RawCombinedOutput(append([]string{"-D", fromChain}, args...)...)
if err != nil {
return fmt.Errorf("unable to remove jump to %s rule in %s chain: %s", toChain, fromChain, err.Error())
}
}

err := iptables.RawCombinedOutput(append([]string{"-I", fromChain}, args...)...)
if err != nil {
return fmt.Errorf("unable to insert jump to %s rule in %s chain: %s", toChain, fromChain, err.Error())
}

return nil
}

func removeIPChains() {
for _, chainInfo := range []iptables.ChainInfo{
{Name: DockerChain, Table: iptables.Nat},
Expand Down
29 changes: 29 additions & 0 deletions firewall_linux.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
package libnetwork

import (
"github.com/Sirupsen/logrus"
"github.com/docker/libnetwork/iptables"
)

const userChain = "DOCKER-USER"

// This chain allow users to configure firewall policies in a way that persists
// docker operations/restarts. Docker will not delete or modify any pre-existing
// rules from the DOCKER-USER filter chain.
func arrangeUserFilterRule() {
_, err := iptables.NewChain(userChain, iptables.Filter, false)
if err != nil {
logrus.Warnf("Failed to create %s chain: %v", userChain, err)
return
}

if err = iptables.AddReturnRule(userChain); err != nil {
logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
return
}

err = iptables.EnsureJumpRule("FORWARD", userChain)
if err != nil {
logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
}
}
6 changes: 6 additions & 0 deletions firewall_others.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
// +build !linux

package libnetwork

func arrangeUserFilterRule() {
}
41 changes: 41 additions & 0 deletions iptables/iptables.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -498,3 +498,44 @@ func parseVersionNumbers(input string) (major, minor, micro int) {
func supportsCOption(mj, mn, mc int) bool {
return mj > 1 || (mj == 1 && (mn > 4 || (mn == 4 && mc >= 11)))
}

// AddReturnRule adds a return rule for the chain in the filter table
func AddReturnRule(chain string) error {
var (
table = Filter
args = []string{"-j", "RETURN"}
)

if Exists(table, chain, args...) {
return nil
}

err := RawCombinedOutput(append([]string{"-A", chain}, args...)...)
if err != nil {
return fmt.Errorf("unable to add return rule in %s chain: %s", chain, err.Error())
}

return nil
}

// EnsureJumpRule ensures the jump rule is on top
func EnsureJumpRule(fromChain, toChain string) error {
var (
table = Filter
args = []string{"-j", toChain}
)

if Exists(table, fromChain, args...) {
err := RawCombinedOutput(append([]string{"-D", fromChain}, args...)...)
if err != nil {
return fmt.Errorf("unable to remove jump to %s rule in %s chain: %s", toChain, fromChain, err.Error())
}
}

err := RawCombinedOutput(append([]string{"-I", fromChain}, args...)...)
if err != nil {
return fmt.Errorf("unable to insert jump to %s rule in %s chain: %s", toChain, fromChain, err.Error())
}

return nil
}