On 10/27/18 10:44 AM, Anthony Rogers wrote: > Hi Tom, > > I have attached the iptables -L after a 'docker restart' and then after > running the shorewall script. > > The diff of those two log files is: > > 14,16d13 > < DOCKER-USER all -- anywhere anywhere > < DOCKER-ISOLATION-STAGE-1 all -- anywhere > anywhere > < ACCEPT all -- anywhere anywhere ctstate > RELATED,ESTABLISHED > 17a15 >> ACCEPT all -- anywhere anywhere ctstate > RELATED,ESTABLISHED > 45c43 > < Chain DOCKER-ISOLATION-STAGE-1 (1 references) > --- >> Chain DOCKER-ISOLATION-STAGE-1 (0 references) > 57,60d54 > < Chain DOCKER-USER (1 references) > < target prot opt source destination > < RETURN all -- anywhere anywhere > < > 124c118 > < Chain sha-lh-e5cf36ce25c75630550b (0 references) > --- >> Chain sha-lh-a054db08bd2f8e099a19 (0 references) > 127c121 > < Chain sha-rh-f96c7a0b6585893a1b9f (0 references) > --- >> Chain sha-rh-3dc25e45009adb1cfa85 (0 references) > > Regards, > > Tony. >
Okay - please apply the attached patch on top of the previous one. Thanks Tony, -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 8e203dd70..2b0bd9239 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3341,7 +3341,10 @@ sub initialize_chain_table($) {
 add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 $chainref = new_standard_chain( 'DOCKER-INGRESS' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
- add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+ $chainref = new_standard_chain( 'DOCKER-USER' );
+ set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
+ add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 $chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
@@ -8627,6 +8630,7 @@ sub save_docker_rules($) {
 qq( $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
 qq( $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
 qq( [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+ qq( [ -n "\$g_dockeruser" ] && $tool -t filter -S DOCKER-USER | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
 qq(),
 qq( case "\$g_dockernetwork" in),
 qq( One\)),
@@ -8655,6 +8659,7 @@ sub save_docker_rules($) {
 q( rm -f ${VARDIR}/.nat_POSTROUTING),
 q( rm -f ${VARDIR}/.filter_DOCKER),
 q( rm -f ${VARDIR}/.filter_DOCKER-INGRESS),
+ q( rm -f ${VARDIR}/.filter_DOCKER-USER),
 q( rm -f ${VARDIR}/.filter_DOCKER-ISOLATION*),
 q( rm -f ${VARDIR}/.filter_FORWARD),
 q(fi)
@@ -9169,6 +9174,10 @@ sub create_netfilter_load( $ ) {
 enter_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 enter_cat_mode;
+ } elsif ( $name eq 'DOCKER-USER' ) {
+ enter_cmd_mode;
+ emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
+ enter_cat_mode;
 } else {
 emit_unindented ":$name - [0:0]";
 }
@@ -9282,6 +9291,11 @@ sub preview_netfilter_load() {
 print( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 print "\n";
 enter_cat_mode1;
+ } elsif ( $name eq 'DOCKER-USER' ) {
+ enter_cmd_mode1 unless $mode == CMD_MODE;
+ print( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
+ print "\n";
+ enter_cat_mode1;
 } else {
 enter_cmd_mode1 unless $mode == CMD_MODE;
 print( ":$name - [0:0]\n" );
@@ -9377,6 +9391,10 @@ sub create_stop_load( $ ) {
 enter_cmd_mode;
 emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
 enter_cat_mode;
+ } elsif ( $name eq 'DOCKER-USER' ) {
+ enter_cmd_mode;
+ emit( '[ -n "$g_dockeruser" ] && echo ":DOCKER-USER - [0:0]" >&3' );
+ enter_cat_mode;
 } else {
 emit_unindented ":$name - [0:0]";
 }
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 29af2374c..f609e7f05 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -269,6 +269,7 @@ sub generate_script_2() {
 'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 );
 emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+ emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
 emit( 'if chain_exists DOCKER-ISOLATION; then',
 ' g_dockernetwork=One',
 'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 37fb3c84b..43cbaa343 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
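Review bot: The new `elsif ( $name eq 'DOCKER-USER' )` arm in create_netfilter_load is a copy of the DOCKER-INGRESS arm above it with only the chain name and the shell variable changed, and the same copy is added again in preview_netfilter_load (@@ -9282) and create_stop_load (@@ -9377), so every future conditional Docker chain costs three more near-identical branches. A lookup table keyed by chain name would reduce each site to one branch if the existing DOCKER-INGRESS arm is folded in as well: `my %docker_var_of = ( 'DOCKER-INGRESS' => 'g_dockeringress', 'DOCKER-USER' => 'g_dockeruser' );` near the top of the module, then `} elsif ( my $var = $docker_var_of{$name} ) {` with `emit( qq([ -n "\$$var" ] && echo ":$name - [0:0]" >&3) );` in place of the per-chain emit (and the print equivalent in preview_netfilter_load). All three enclosing functions start and end outside their hunks, so the surrounding if/elsif chain is not visible here.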
@@ -667,15 +667,16 @@ sub create_docker_rules() {
 my $chainref = $filter_table->{FORWARD};
- add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
+ add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
+ add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );
 add_commands( $chainref ,
 '',
 'case "$g_dockernetwork" in',
 ' One)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION"',
+ ' echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
 ' ;;',
 ' Two)',
- ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1"',
+ ' echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
 ' ;;',
 'esac' );
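Review bot: The added `add_commands` line that restores the FORWARD jump to DOCKER-USER is guarded by `$g_dockeringress`, while every other part of this patch (Compiler.pm sets `g_dockeruser`, Chains.pm declares `:DOCKER-USER - [0:0]` and saves the chain only under `$g_dockeruser`) keys this chain on `$g_dockeruser`. With the guard as written, a host that has DOCKER-INGRESS but no DOCKER-USER would get `-A FORWARD -j DOCKER-USER` in the restore input for a chain that is never declared, so the load should fail; and a host with DOCKER-USER but no ingress chain (presumably the reporter's case, whose listing shows DOCKER-USER and DOCKER-ISOLATION-STAGE-1) never gets the jump back, so DOCKER-USER is restored with 0 references and any container filtering rules an administrator placed in it are silently no longer evaluated. The line should read `add_commands( $chainref, '[ -n "$g_dockeruser" ] && echo "-A FORWARD -j DOCKER-USER" >&3', );`. create_docker_rules continues outside this hunk.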