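package libnetwork

import (
	"context"
	"fmt"

	"github.com/containerd/log"
	"github.com/docker/docker/libnetwork/iptables"
)

// userChain is the name of the filter-table chain reserved for rules written
// by the administrator rather than by the daemon.
const userChain = "DOCKER-USER"

// ctrl is the controller whose enabled iptables versions are consulted when
// the user chain is (re)arranged. It is set once by setupArrangeUserFilterRule.
//
// NOTE(review): ctrl is read from the reload callback without synchronization;
// this assumes setupArrangeUserFilterRule has completed before any reload
// callback can fire — confirm against the iptables.OnReloaded implementation.
var ctrl *Controller

// setupArrangeUserFilterRule records c as the controller used by
// arrangeUserFilterRule and registers that function to run whenever iptables
// reports a reload, so the DOCKER-USER chain and its jump rule are restored
// after the firewall state is flushed.
func setupArrangeUserFilterRule(c *Controller) {
	ctrl = c
	iptables.OnReloaded(arrangeUserFilterRule)
}

// arrangeUserFilterRule sets up the DOCKER-USER chain for each iptables version
// (IPv4, IPv6) that's enabled in the controller's configuration.
//
// It is a no-op until setupArrangeUserFilterRule has provided a controller.
// A failure for one IP version is logged and does not stop the other versions
// from being processed.
func arrangeUserFilterRule() {
	if ctrl == nil {
		return
	}
	for _, ipVersion := range ctrl.enabledIptablesVersions() {
		if err := setupUserChain(ipVersion); err != nil {
			log.G(context.TODO()).WithError(err).Warn("arrangeUserFilterRule")
		}
	}
}

// setupUserChain sets up the DOCKER-USER chain for the given [iptables.IPVersion].
//
// This chain allows users to configure firewall policies in a way that
// persist daemon operations/restarts. The daemon does not delete or modify
// any pre-existing rules from the DOCKER-USER filter chain.
//
// Once the DOCKER-USER chain is created, the daemon does not remove it when
// IPTableForwarding is disabled, because it contains rules configured by user
// that are beyond the daemon's control.
//
// Three steps are performed, each idempotent as far as the iptables helpers
// allow: the chain is created in the filter table (without deleting it first,
// so existing user rules survive), a RETURN rule is added so traffic not
// matched by the user's rules falls through to the remaining FORWARD
// processing, and a jump from FORWARD into DOCKER-USER is ensured so the
// user's rules are consulted on forwarded traffic.
//
// Every returned error wraps the underlying iptables error with %w so callers
// can inspect it with errors.Is / errors.As.
func setupUserChain(ipVersion iptables.IPVersion) error {
	ipt := iptables.GetIptable(ipVersion)
	// hairpinMode=false: the chain is created as-is; no NAT/hairpin handling.
	if _, err := ipt.NewChain(userChain, iptables.Filter, false); err != nil {
		// %w (not %v) so this error is unwrappable like the two below.
		return fmt.Errorf("failed to create %s %v chain: %w", userChain, ipVersion, err)
	}
	if err := ipt.AddReturnRule(userChain); err != nil {
		return fmt.Errorf("failed to add the RETURN rule for %s %v: %w", userChain, ipVersion, err)
	}
	if err := ipt.EnsureJumpRule("FORWARD", userChain); err != nil {
		return fmt.Errorf("failed to ensure the jump rule for %s %v: %w", userChain, ipVersion, err)
	}
	return nil
}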