Docker handling #5
With this PR, minifirewall can now handle Docker networking properly without breaking it.
There is a new setting, 'DOCKER', in the config file that can be either on or off (and should be defined):
off : minifirewall behaviour stays the same. Docker shall not be used.
on : minifirewall will:
Not purge the nat table on stop, as it breaks outgoing network traffic from living containers.
(Side note: it's better not to have squid, or to change the rules so as not to insert squid firewall rules at each restart, since the nat table isn't flushed)
Create the DOCKER-USER chain (if absent), and send "NEW" (according to iptables state) packets into the following chains:
1/ MINIFW-DOCKER-PUB (Public, unfiltered services allowed in SERVICESTCP1 SERVICESUDP1)
2/ MINIFW-DOCKER-PRIVILEGED (Privileged, filtered services to privileged and trusted IPs, defined by SERVICESTCP2 SERVICESUDP2)
3/ MINIFW-DOCKER-TRUSTED (Trusted, filtered services to trusted IPs, defined by SERVICESTCP3 SERVICESUDP3)
Allowed traffic will be matched and returned to the DOCKER-USER chain.
If a packet reaches the end of MINIFW-DOCKER-TRUSTED, it will be dropped.
Notes:
0ec2cb2f4b should be taken as is, as 05104b312c dropped the idea of SERVICESTCP4 & SERVICESUDP4.
Unless someone raises an issue, or vetoes it, this PR will be merged on Wednesday, July 22nd.
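An illustration of the DOCKER=on rule layout described above, added here as example code rather than the PR's own diff. The PRIVILEGEDIPS/TRUSTEDIPS variable names, the sample ports and addresses, and the wiring where PUB falls through to PRIVILEGED, then to TRUSTED, then to DROP are assumptions; set IPTABLES=echo for a dry run.

```shell
# Review example, not minifirewall's implementation. Chain wiring (PUB -> PRIVILEGED
# -> TRUSTED -> DROP) and the PRIVILEGEDIPS/TRUSTEDIPS names are assumptions.
IPTABLES="${IPTABLES:-iptables}"   # IPTABLES=echo gives a dry run

# Constructed sample config values.
DOCKER="${DOCKER:-on}"
SERVICESTCP1="${SERVICESTCP1:-80 443}"; SERVICESUDP1="${SERVICESUDP1:-}"
SERVICESTCP2="${SERVICESTCP2:-8080}";   SERVICESUDP2="${SERVICESUDP2:-}"
SERVICESTCP3="${SERVICESTCP3:-9000}";   SERVICESUDP3="${SERVICESUDP3:-}"
PRIVILEGEDIPS="${PRIVILEGEDIPS:-192.0.2.10}"
TRUSTEDIPS="${TRUSTEDIPS:-198.51.100.0/24}"

# Create a chain if absent, then flush it so it holds only minifirewall rules.
ensure_chain() {
    $IPTABLES -N "$1" 2>/dev/null || true
    $IPTABLES -F "$1"
}

# allow_ports CHAIN PROTO "PORTS" ["SOURCES"]: matched traffic RETURNs, so it goes
# back up to DOCKER-USER and on to Docker's own FORWARD rules. Published ports are
# DNATed before FORWARD, so match the port the client originally asked for
# (--ctorigdstport) rather than the container-side port.
allow_ports() {
    chain=$1; proto=$2; ports=$3; srcs=${4:-0.0.0.0/0}
    for src in $srcs; do
        for port in $ports; do
            $IPTABLES -A "$chain" -s "$src" -p "$proto" -m conntrack \
                --ctproto "$proto" --ctorigdstport "$port" -j RETURN
        done
    done
}

minifw_docker_rules() {
    [ "$DOCKER" = "on" ] || return 0   # DOCKER=off: leave Docker's chains alone
    for c in DOCKER-USER MINIFW-DOCKER-PUB MINIFW-DOCKER-PRIVILEGED MINIFW-DOCKER-TRUSTED; do
        ensure_chain "$c"
    done
    # Only NEW connections are inspected; replies are already accepted upstream.
    $IPTABLES -A DOCKER-USER -m conntrack --ctstate NEW -j MINIFW-DOCKER-PUB
    allow_ports MINIFW-DOCKER-PUB tcp "$SERVICESTCP1"
    allow_ports MINIFW-DOCKER-PUB udp "$SERVICESUDP1"
    $IPTABLES -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED
    allow_ports MINIFW-DOCKER-PRIVILEGED tcp "$SERVICESTCP2" "$PRIVILEGEDIPS $TRUSTEDIPS"
    allow_ports MINIFW-DOCKER-PRIVILEGED udp "$SERVICESUDP2" "$PRIVILEGEDIPS $TRUSTEDIPS"
    $IPTABLES -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED
    allow_ports MINIFW-DOCKER-TRUSTED tcp "$SERVICESTCP3" "$TRUSTEDIPS"
    allow_ports MINIFW-DOCKER-TRUSTED udp "$SERVICESUDP3" "$TRUSTEDIPS"
    $IPTABLES -A MINIFW-DOCKER-TRUSTED -j DROP   # nothing matched: drop
}
if [ "${1:-}" = "apply" ]; then minifw_docker_rules; fi
```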
yallah!
(we should have an evocheck test to verify SQUID and DOCKER are not both enabled)
(why do we need to flush the DOCKER-USER chain? maybe only
iptables -I -j MINIFW-DOCKER-PUB
?)
Technically, it's not needed.
But I chose to flush it to ensure it only contains minifirewall rules on start.