mirror of
https://github.com/moby/moby.git
synced 2026-07-13 02:52:20 +00:00
full diffs: -fc5a7d91d5...62a13ae87c-b2de5d10e3...v1.0.0 -604eaf189e...13995c7128ccc8e51e9a6bd2b551020a27180abd notable changes in libnetwork: - docker/libnetwork#2366 Bump vishvananda/netlink to 1.0.0 - docker/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule - addresses docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER - addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules - addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway - docker/libnetwork#2394 Make DNS records and queries case-insensitive - addresses moby/moby#28689 Embedded DNS is case-sensitive - addresses moby/moby#21169 hostnames with new networking are case-sensitive Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
71 lines
1.5 KiB
Go
71 lines
1.5 KiB
Go
package libnetwork
|
|
|
|
import (
|
|
"github.com/docker/libnetwork/iptables"
|
|
"github.com/docker/libnetwork/netlabel"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
const userChain = "DOCKER-USER"
|
|
|
|
func (c *controller) arrangeUserFilterRule() {
|
|
c.Lock()
|
|
|
|
if c.hasIPTablesEnabled() {
|
|
arrangeUserFilterRule()
|
|
}
|
|
|
|
c.Unlock()
|
|
|
|
iptables.OnReloaded(func() {
|
|
c.Lock()
|
|
|
|
if c.hasIPTablesEnabled() {
|
|
arrangeUserFilterRule()
|
|
}
|
|
|
|
c.Unlock()
|
|
})
|
|
}
|
|
|
|
func (c *controller) hasIPTablesEnabled() bool {
|
|
// Locking c should be handled in the calling method.
|
|
if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
|
|
return false
|
|
}
|
|
|
|
genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
|
|
if !ok {
|
|
return false
|
|
}
|
|
|
|
optMap := genericData.(map[string]interface{})
|
|
enabled, ok := optMap["EnableIPTables"].(bool)
|
|
if !ok {
|
|
return false
|
|
}
|
|
|
|
return enabled
|
|
}
|
|
|
|
// This chain allow users to configure firewall policies in a way that persists
|
|
// docker operations/restarts. Docker will not delete or modify any pre-existing
|
|
// rules from the DOCKER-USER filter chain.
|
|
func arrangeUserFilterRule() {
|
|
_, err := iptables.NewChain(userChain, iptables.Filter, false)
|
|
if err != nil {
|
|
logrus.Warnf("Failed to create %s chain: %v", userChain, err)
|
|
return
|
|
}
|
|
|
|
if err = iptables.AddReturnRule(userChain); err != nil {
|
|
logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
|
|
return
|
|
}
|
|
|
|
err = iptables.EnsureJumpRule("FORWARD", userChain)
|
|
if err != nil {
|
|
logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
|
|
}
|
|
}
|