
     1  package libnetwork
     2  
     3  import (
     4  	"github.com/docker/libnetwork/iptables"
     5  	"github.com/sirupsen/logrus"
     6  )
     7  
// userChain names the filter-table chain reserved for user-supplied rules.
// arrangeUserFilterRule creates it and hooks it from FORWARD; what the chain
// contains is left to the user (see the comment on arrangeUserFilterRule).
const userChain = "DOCKER-USER"
     9  
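// ctrl is the controller whose iptablesEnabled() result gates
// arrangeUserFilterRule. It stays nil until setupArrangeUserFilterRule runs;
// the zero value is the intended initial state, so no explicit nil is needed.
var ctrl *controller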
    13  
// setupArrangeUserFilterRule records c as the controller consulted by
// arrangeUserFilterRule and registers that function with iptables.OnReloaded,
// so the DOCKER-USER arrangement is redone whenever the iptables package
// invokes its reload callbacks.
func setupArrangeUserFilterRule(c *controller) {
	// The controller must be in place before any callback can fire.
	ctrl = c
	iptables.OnReloaded(func() { arrangeUserFilterRule() })
}
    18  
// arrangeUserFilterRule makes sure the DOCKER-USER chain exists in the IPv4
// filter table, carries a RETURN rule, and is reached through a jump from
// FORWARD. The chain belongs to the user: rules placed in it are meant to
// persist across docker operations and restarts, and the engine neither
// deletes nor modifies them. For the same reason the chain is not removed
// when IPTableForwarding is disabled, since it may hold rules that are
// beyond the engine's control.
//
// Every step is best-effort: a failure is reported via logrus.Warnf, after
// which the remaining steps are skipped (chain creation, RETURN rule) or the
// failure is merely logged (jump rule). Only IPv4 is handled today.
func arrangeUserFilterRule() {
	// Nothing to do until a controller has been registered.
	// NOTE(review): ctrl is read here without synchronization; confirm that
	// OnReloaded callbacks cannot run concurrently with setupArrangeUserFilterRule.
	if ctrl == nil {
		return
	}
	// Never touch the host firewall when iptables management is disabled.
	if !ctrl.iptablesEnabled() {
		return
	}

	// TODO IPv6 support
	table := iptables.GetIptable(iptables.IPv4)

	if _, err := table.NewChain(userChain, iptables.Filter, false); err != nil {
		logrus.Warnf("Failed to create %s chain: %v", userChain, err)
		return
	}

	// The RETURN rule hands control back to FORWARD; its position within
	// the chain is decided by AddReturnRule.
	// NOTE(review): rules a user appends after that RETURN would never be
	// evaluated — confirm where AddReturnRule places it before relying on
	// appended rules.
	if err := table.AddReturnRule(userChain); err != nil {
		logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
		return
	}

	// A missing jump is logged but not treated as fatal; the chain and its
	// RETURN rule are already in place at this point.
	if err := table.EnsureJumpRule("FORWARD", userChain); err != nil {
		logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
	}
}