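package libnetwork

import (
	"github.com/docker/docker/libnetwork/iptables"
	"github.com/sirupsen/logrus"
)

// userChain is the name of the filter-table chain reserved for rules the
// user manages themselves.
const userChain = "DOCKER-USER"

// ctrl is the controller that arrangeUserFilterRule consults to learn which
// IP versions have iptables management enabled. It is assigned once in
// setupArrangeUserFilterRule and then read from the iptables reload callback;
// no synchronization is visible in this file, so the assignment is assumed to
// happen before the first reload callback can fire — confirm against callers.
var ctrl *controller

// setupArrangeUserFilterRule records the controller and registers
// arrangeUserFilterRule with the iptables package so the user chain is
// re-arranged every time the firewall rules are reloaded.
func setupArrangeUserFilterRule(c *controller) {
	ctrl = c
	iptables.OnReloaded(arrangeUserFilterRule)
}

// arrangeUserFilterRule ensures that, for every IP version the controller has
// enabled, the DOCKER-USER chain exists in the filter table, carries a RETURN
// rule, and is reached by a jump from FORWARD. It is a no-op until
// setupArrangeUserFilterRule has supplied a controller.
//
// This chain allows users to configure firewall policies in a way that persists
// across docker operations/restarts. Docker will not delete or modify any
// pre-existing rules in the DOCKER-USER filter chain.
// Note once the DOCKER-USER chain is created, the docker engine does not remove
// it when IPTableForwarding is disabled, because it contains rules configured
// by the user that are beyond the docker engine's control.
//
// Each IP version is handled independently: a failure for one version is
// logged and the loop moves on to the next, so an IPv4 error cannot leave the
// IPv6 user chain (and its FORWARD jump) unconfigured. All failures are
// warnings only; nothing is reported back to the caller.
func arrangeUserFilterRule() {
	if ctrl == nil {
		return
	}

	versions := []struct {
		ipVer   iptables.IPVersion
		enabled bool
	}{
		{ipVer: iptables.IPv4, enabled: ctrl.iptablesEnabled()},
		{ipVer: iptables.IPv6, enabled: ctrl.ip6tablesEnabled()},
	}

	for _, v := range versions {
		if !v.enabled {
			continue
		}

		ipVer := v.ipVer
		iptable := iptables.GetIptable(ipVer)

		// The chain must exist before a rule can be appended to it; the
		// returned chain handle is not needed because the rules below are
		// addressed by chain name.
		if _, err := iptable.NewChain(userChain, iptables.Filter, false); err != nil {
			logrus.WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
			continue
		}

		// Terminate the user chain with a RETURN so traffic that matches no
		// user rule goes back to FORWARD.
		if err := iptable.AddReturnRule(userChain); err != nil {
			logrus.WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
			continue
		}

		// The FORWARD jump is what routes forwarded traffic through the user's
		// rules; re-ensuring it is the part most likely to be undone by a
		// firewall reload.
		if err := iptable.EnsureJumpRule("FORWARD", userChain); err != nil {
			logrus.WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
		}
	}
}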