
     1  package libnetwork
     2  
     3  import (
     4  	"github.com/docker/docker/libnetwork/iptables"
     5  	"github.com/sirupsen/logrus"
     6  )
     7  
// userChain is the name of the filter-table chain reserved for operator
// rules. Docker creates it and jumps to it from FORWARD but never edits
// its contents (see arrangeUserFilterRule).
const userChain = "DOCKER-USER"

// ctrl is the controller recorded by setupArrangeUserFilterRule; the reload
// callback consults it to decide whether iptables management is enabled.
// Package-level state: nil until setup has run, and no synchronisation is
// visible in this file — presumably written once before any reload fires.
var ctrl *controller
    11  
// setupArrangeUserFilterRule records c as the controller consulted by
// arrangeUserFilterRule and registers that function to run whenever the
// iptables package reports a reload, so the DOCKER-USER wiring is put back
// after the firewall has been flushed.
//
// NOTE(review): ctrl is a package-level variable written here and read from
// the reload callback without any synchronisation visible in this file; this
// is presumably called once during controller setup, before a reload can be
// reported — confirm at the call site.
func setupArrangeUserFilterRule(c *controller) {
	// The controller has to be in place before the callback can ever run.
	ctrl = c
	iptables.OnReloaded(arrangeUserFilterRule)
}
    16  
// arrangeUserFilterRule makes sure the DOCKER-USER chain exists in the IPv4
// filter table, ends with a RETURN rule, and is reached by a jump from the
// FORWARD chain. The chain is where operators place their own firewall
// policies: docker only creates the chain, appends the RETURN and wires the
// jump — it never deletes or rewrites rules already present, so those rules
// survive docker operations and restarts.
//
// Once created, the chain is deliberately left in place even when
// IPTableForwarding is later disabled, because its contents belong to the
// operator and are beyond the engine's control.
//
// Registered via setupArrangeUserFilterRule so it re-runs whenever the
// iptables package reports a reload; it is a no-op when no controller has
// been registered or iptables management is disabled.
//
// NOTE(review): only the IPv4 table is handled (see the TODO below), so rules
// an operator adds to DOCKER-USER do not govern IPv6 forwarded traffic on
// hosts where ip6tables is in use. Every failure here is only logged at Warn
// level: if the FORWARD jump is missing, operator policies in DOCKER-USER are
// silently not enforced, so these warnings are worth monitoring.
func arrangeUserFilterRule() {
	if ctrl == nil || !ctrl.iptablesEnabled() {
		return
	}
	// TODO IPv6 support
	ipt := iptables.GetIptable(iptables.IPv4)

	// Create the chain if it is not there yet. The third argument is false
	// here; its meaning (presumably hairpin mode) is defined by the iptables
	// package — check there before changing it.
	if _, err := ipt.NewChain(userChain, iptables.Filter, false); err != nil {
		logrus.Warnf("Failed to create %s chain: %v", userChain, err)
		return
	}

	// Terminate the chain with an explicit RETURN so traffic that matches no
	// operator rule continues through the rest of FORWARD. Whether this is
	// idempotent across reloads depends on AddReturnRule — confirm there.
	if err := ipt.AddReturnRule(userChain); err != nil {
		logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
		return
	}

	// Wire FORWARD -> DOCKER-USER. Where EnsureJumpRule places the jump is
	// decided in the iptables package; it is assumed to sit ahead of docker's
	// own chains, otherwise operator rules would run after docker's accepts.
	if err := ipt.EnsureJumpRule("FORWARD", userChain); err != nil {
		logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
	}
}