diff --git a/controller.go b/controller.go
index 5a499aa428..1ca8fb96f4 100644
--- a/controller.go
+++ b/controller.go
@@ -910,8 +910,6 @@ addToStore:
 c.Unlock()
 }
 
- c.arrangeUserFilterRule()
-
 return network, nil
 }
 
diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go
index b617ea7bc4..e438f9c3d6 100644
--- a/drivers/bridge/bridge.go
+++ b/drivers/bridge/bridge.go
@@ -33,6 +33,7 @@ const (
 vethLen = 7
 defaultContainerVethPrefix = "eth"
 maxAllocatePortAttempts = 10
+ userChain = "DOCKER-USER"
 )
 
 const (
@@ -357,6 +358,13 @@ func (d *driver) configure(option map[string]interface{}) error {
 }
 // Make sure on firewall reload, first thing being re-played is chains creation
 iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) })
+
+ // Add DOCKER-USER chain
+ arrangeUserFilterRule()
+ iptables.OnReloaded(func() {
+ logrus.Debugf("Recreating DOCKER-USER iptables chain on firewall reload")
+ arrangeUserFilterRule()
+ })
 }
 
 if config.EnableIPForwarding {
@@ -1504,3 +1512,24 @@ func electMacAddress(epConfig *endpointConfiguration, ip net.IP) net.HardwareAdd
 }
 return netutils.GenerateMACFromIP(ip)
 }
+
+// This chain allow users to configure firewall policies in a way that persists
+// docker operations/restarts. Docker will not delete or modify any pre-existing
+// rules from the DOCKER-USER filter chain.
+func arrangeUserFilterRule() {
+ _, err := iptables.NewChain(userChain, iptables.Filter, false)
+ if err != nil {
+ logrus.Warnf("Failed to create %s chain: %v", userChain, err)
+ return
+ }
+
+ if err = iptables.AddReturnRule(userChain); err != nil {
+ logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
+ return
+ }
+
+ err = iptables.EnsureJumpRule("FORWARD", userChain)
+ if err != nil {
+ logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
+ }
+}
diff --git a/firewall_linux.go b/firewall_linux.go
deleted file mode 100644
index d27f60ca0c..0000000000
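Review bot: The FORWARD jump to DOCKER-USER is now (re)asserted only here in configure() and in the reload callback, while the call that re-asserted it right after programIngress runs `-I FORWARD -j ingressChain` is removed from service_linux.go in this same diff; if EnsureJumpRule only inserts when the rule is absent, an ingress jump inserted after configure() lands at position 1 ahead of DOCKER-USER, and that traffic (presumably swarm-published ports) would no longer pass through user-defined rules. Either re-run `arrangeUserFilterRule()` after any later insert at the top of FORWARD, or have EnsureJumpRule move the jump back to position 1 when it exists lower down. The two separate OnReloaded registrations also appear to rely on callbacks replaying in registration order so that the DOCKER-USER jump is re-inserted after the driver chains and ends up first; a comment such as `// Registered after the chains callback: on reload the DOCKER-USER jump is re-inserted last so it stays first in FORWARD` would record that dependency. The enclosing if block begins above this hunk.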
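Review bot: The doc comment on the new arrangeUserFilterRule omits the one property users of this chain most need: if AddReturnRule appends the RETURN at the end of DOCKER-USER, rules added later with -A sit after it and are never evaluated, so add `// Rules must be inserted (-I) ahead of the trailing RETURN; anything appended after it is never reached.` and fix the opening to `// This chain allows users to configure firewall policies that persist across docker operations/restarts.` All three failures are only logged at Warn and the function returns nothing, so configure() cannot tell that the user chain or its FORWARD jump is missing and user firewall policy silently stops applying; consider returning the error so the caller can decide. The final check also reads more consistently as `if err := iptables.EnsureJumpRule("FORWARD", userChain); err != nil {`, matching the AddReturnRule check above it.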
--- a/firewall_linux.go
+++ /dev/null
@@ -1,70 +0,0 @@
-package libnetwork
-
-import (
- "github.com/docker/libnetwork/iptables"
- "github.com/docker/libnetwork/netlabel"
- "github.com/sirupsen/logrus"
-)
-
-const userChain = "DOCKER-USER"
-
-func (c *controller) arrangeUserFilterRule() {
- c.Lock()
-
- if c.hasIPTablesEnabled() {
- arrangeUserFilterRule()
- }
-
- c.Unlock()
-
- iptables.OnReloaded(func() {
- c.Lock()
-
- if c.hasIPTablesEnabled() {
- arrangeUserFilterRule()
- }
-
- c.Unlock()
- })
-}
-
-func (c *controller) hasIPTablesEnabled() bool {
- // Locking c should be handled in the calling method.
- if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
- return false
- }
-
- genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
- if !ok {
- return false
- }
-
- optMap := genericData.(map[string]interface{})
- enabled, ok := optMap["EnableIPTables"].(bool)
- if !ok {
- return false
- }
-
- return enabled
-}
-
-// This chain allow users to configure firewall policies in a way that persists
-// docker operations/restarts. Docker will not delete or modify any pre-existing
-// rules from the DOCKER-USER filter chain.
-func arrangeUserFilterRule() {
- _, err := iptables.NewChain(userChain, iptables.Filter, false)
- if err != nil {
- logrus.Warnf("Failed to create %s chain: %v", userChain, err)
- return
- }
-
- if err = iptables.AddReturnRule(userChain); err != nil {
- logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
- return
- }
-
- err = iptables.EnsureJumpRule("FORWARD", userChain)
- if err != nil {
- logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
- }
-}
diff --git a/firewall_others.go b/firewall_others.go
deleted file mode 100644
index 901f568fed..0000000000
--- a/firewall_others.go
+++ /dev/null
@@ -1,6 +0,0 @@
-// +build !linux
-
-package libnetwork
-
-func (c *controller) arrangeUserFilterRule() {
-}
diff --git a/service_linux.go b/service_linux.go
index 451f760b61..322fa49f5a 100644
--- a/service_linux.go
+++ b/service_linux.go
@@ -366,7 +366,6 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
 return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err)
 }
- arrangeUserFilterRule()
 }
 
 oifName, err := findOIFName(gwIP)