[WIP] Add DOCKER-USER chain when iptables=true is set ENGCORE-1114#2464
arkodg wants to merge 3 commits into moby:master from
Conversation
@arkodg, before this change, I noticed arrangeUserFilterRule is getting called while creating NewNetwork(). Now I see we invoke it only for the bridge driver. Any specific reason why this has been moved from the generic code base to inside the bridge driver?

@selansen because this piece of code correctly deciphers whether

@mavenugo, PTAL.
| iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) }) | ||
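Review bot: the OnReloaded callback re-runs only setupIPChains(config); if setupIPChains does not itself call arrangeUserFilterRule, a firewall reload that flushes the filter table will drop the DOCKER-USER jump that the separate arrangeUserFilterRule() call sets up and nothing will restore it. Suggest re-running arrangeUserFilterRule from the same callback (or folding it into setupIPChains) so the chain ordering this PR establishes survives a reload.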
| // Add DOCKER-USER chain | ||
| arrangeUserFilterRule() |
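Review bot: the arrangeUserFilterRule() call here is unconditional, while the PR's stated goal is to insert DOCKER-USER only when iptables=true; if that check is not inside arrangeUserFilterRule itself, gate the call on the EnableIPTables setting the reviewers cite as bridge-specific, and make sure the iptables=false path skips or removes the chain as the description promises. The "// Add DOCKER-USER chain" comment could also say why the call now lives in the bridge driver rather than the controller, since two reviewers asked exactly that.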
now arrangeUserFilterRule is called on all systems, linux/windows/bsd etc, is this by intention?

AFAIK bridge is for linux only

I suppose for any *nix we expect to create a bridge. I see somewhere there are _bsd-specific implementations. So I am guessing at some point before, at least bsd was supported?
| vethLen = 7 | ||
| defaultContainerVethPrefix = "eth" | ||
| maxAllocatePortAttempts = 10 | ||
| userChain = "DOCKER-USER" |
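Review bot: userChain = "DOCKER-USER" is added among unrelated veth and port constants; if the same literal still exists in the controller code the logic was moved from, keep a single definition so the two cannot drift, and a one-line comment stating that this is the user-editable chain inserted ahead of Docker's own FORWARD rules would help the next reader understand why it is ordered first.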
I have similar questions as Elango: why move to bridge.go? Maybe the real problem is that controller.hasIPTableEnabled() isn't the correct value?

By moving arrangeUserFilterRule to the bridge-only network, it means unless a bridge network is created, there won't be a DOCKER-USER chain. It will work as dockerd always creates the docker0 bridge, but for me the original approach is cleaner.

AFAIK from https://github.com/moby/moby/blob/ad1b781e44fa1e44b9e654e5078929aec56aed66/daemon/config/config_unix.go#L50 and 9c6ab12, EnableIPTables is specific to bridge

Is it possible to add an e2e test somewhere that checks that after the dockerd startup sequence the output of
euanh left a comment

I'm uncomfortable merging anything else in this area until we have some sort of regression test. It doesn't need to be fancy - just something that checks that the iptables setup looks sane, as @guillaumerose suggested.

yah, I wanted to decide where to put the code before I added a TC, added one now
This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config
Addresses : docker/for-linux#810
Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>

force-pushed from 6df0cfd to 57c0854
force-pushed from 57c0854 to 1434743
This PR fixes the regression introduced by #2339 to
- correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config
- DOCKER-USER is the first chain and DOCKER-INGRESS is the second chain in forwarding
- DOCKER-INGRESS and DOCKER-USER if iptables=false
All the logic has been moved to the bridge driver since EnableIPTables is a bridge specific configuration
Addresses : docker/for-linux#810 ENGCORE-1114
Signed-off-by: Arko Dasgupta arko.dasgupta@docker.com
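The regression test that @guillaumerose and euanh asked for, and the ordering the commit message above claims (DOCKER-USER first in FORWARD, DOCKER-INGRESS second, neither chain when iptables=false), can be checked directly against `iptables -S` output. The script below is an added example, not libnetwork's own test case: the function names and the sample rule sets are constructed here, and it assumes that DOCKER-INGRESS only exists on a swarm (ingress-enabled) host, so its absence is tolerated while its position is not.

```shell
#!/bin/sh
# Added example, not libnetwork code: sanity-check the iptables layout that
# this PR restores. Sample rule sets below are constructed for illustration.

# forward_jump_targets: read `iptables -S FORWARD` output on stdin and print
# the jump targets of the FORWARD chain, one per line, in rule order.
# Policy lines (-P) carry no jump and are skipped.
forward_jump_targets() {
  awk '$1 == "-A" && $2 == "FORWARD" {
         for (i = 3; i <= NF; i++) if ($i == "-j") print $(i + 1)
       }'
}

# check_forward_order: DOCKER-USER must be the first FORWARD jump so that user
# rules run before any Docker rule. DOCKER-INGRESS is assumed to exist only on
# a swarm host; when it is present it must be the second jump.
check_forward_order() {
  targets=$(forward_jump_targets)
  first=$(printf '%s\n' "$targets" | sed -n '1p')
  second=$(printf '%s\n' "$targets" | sed -n '2p')
  if [ "$first" != "DOCKER-USER" ]; then
    printf 'FAIL: first FORWARD jump is "%s", expected DOCKER-USER\n' "${first:-<none>}" >&2
    return 1
  fi
  if printf '%s\n' "$targets" | grep -qxF 'DOCKER-INGRESS' && [ "$second" != "DOCKER-INGRESS" ]; then
    printf 'FAIL: DOCKER-INGRESS present but second jump is "%s"\n' "$second" >&2
    return 1
  fi
  return 0
}

# check_no_docker_chains: read `iptables -S` (whole filter table) on stdin;
# with iptables=false neither DOCKER-USER nor DOCKER-INGRESS may be declared.
check_no_docker_chains() {
  ! awk '$1 == "-N" { print $2 }' | grep -qxE 'DOCKER-USER|DOCKER-INGRESS'
}

# Constructed `iptables -S FORWARD` output for a healthy swarm host after the fix.
SAMPLE_GOOD='-P FORWARD DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Constructed output reproducing the regression: the DOCKER-USER jump is missing.
SAMPLE_REGRESSED='-P FORWARD DROP
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -j DOCKER'

# Constructed `iptables -S` output for a daemon started with iptables=false.
SAMPLE_NOIPT='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'

printf '%s\n' "$SAMPLE_GOOD" | check_forward_order && echo "good sample: PASS"
printf '%s\n' "$SAMPLE_REGRESSED" | check_forward_order || echo "regressed sample: FAIL (expected)"
printf '%s\n' "$SAMPLE_NOIPT" | check_no_docker_chains && echo "iptables=false sample: PASS"
```

On a live host, source the file and pipe the real tables in: `sudo iptables -S FORWARD | check_forward_order` after dockerd has started, and `sudo iptables -S | check_no_docker_chains` for a daemon configured with iptables=false. Parsing `-S` output rather than `-L` keeps the rule order explicit and avoids the name resolution and column alignment that make `-L` output fragile to match.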