With this PR, minifirewall can now properly handle Docker networking without breaking it.
There is a new setting, 'DOCKER', in the config file that can be either on or off (and should be defined):
off: Minifirewall behaviour stays the same. Docker shall not be used.
on: Minifirewall will:
Not purge the nat table on stop, as that breaks outgoing network traffic from running containers.
(Side note: it's better not to have squid, or to change the rules so that squid firewall rules aren't inserted at each restart, since the nat table isn't flushed.)
Create the DOCKER-USER chain (if absent), and send "NEW" (according to iptables state) packets into the following chains:
1/ MINIFW-DOCKER-PUB (public, unfiltered services allowed in SERVICESTCP1 / SERVICESUDP1)
2/ MINIFW-DOCKER-PRIVILEGED (privileged, filtered services to privileged and trusted IPs, defined by SERVICESTCP2 / SERVICESUDP2)
3/ MINIFW-DOCKER-TRUSTED (trusted, filtered services to trusted IPs, defined by SERVICESTCP3 / SERVICESUDP3)
Allowed traffic will be matched and returned to the DOCKER-USER chain.
If a packet reaches the end of MINIFW-DOCKER-TRUSTED, it will be dropped.
SERVICESTCP1p & SERVICESUDP1p are not used!
Dropped packets from MINIFW-DOCKER-TRUSTED aren't logged
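As an added example (not minifirewall's own code), the POSIX shell script below prints, rather than applies, the iptables rules that realise the DOCKER=on flow described above. The config variable names (SERVICESTCP1/2/3, SERVICESUDP1/2/3, PRIVILEGEDIPS, TRUSTEDIPS), the sample IPs and the chain-to-chain jumps used to get "matched: RETURN to DOCKER-USER, end of TRUSTED: DROP" are assumptions, not minifirewall's actual config format.

```shell
#!/bin/sh
# Added example, not minifirewall's code: emit the iptables rules for the
# DOCKER=on mode. Variable names and the chain-to-chain jumps are assumptions.
# Constructed sample values (documentation address ranges):
SERVICESTCP1="80 443"; SERVICESUDP1=""
SERVICESTCP2="22";     SERVICESUDP2=""
PRIVILEGEDIPS="192.0.2.10"
SERVICESTCP3="5432";   SERVICESUDP3="514"
TRUSTEDIPS="198.51.100.0/24 203.0.113.7"

# emit_allow CHAIN PROTO PORTS [SOURCES]: one RETURN rule per port (and per source)
emit_allow() {
    chain=$1; proto=$2; ports=$3; srcs=${4:-}
    for port in $ports; do
        if [ -z "$srcs" ]; then
            echo "iptables -A $chain -p $proto --dport $port -j RETURN"
        else
            for src in $srcs; do
                echo "iptables -A $chain -s $src -p $proto --dport $port -j RETURN"
            done
        fi
    done
}

minifw_docker_rules() {
    # DOCKER-USER is created only if absent; the MINIFW chains are (re)built.
    echo "iptables -N DOCKER-USER 2>/dev/null || true"
    for c in MINIFW-DOCKER-PUB MINIFW-DOCKER-PRIVILEGED MINIFW-DOCKER-TRUSTED; do
        echo "iptables -N $c 2>/dev/null || true"
        echo "iptables -F $c"
    done
    # Only NEW connections enter the MINIFW chains; replies and established flows
    # keep following Docker's own rules. -C guards against duplicates on restart.
    jump="DOCKER-USER -m conntrack --ctstate NEW -j MINIFW-DOCKER-PUB"
    echo "iptables -C $jump 2>/dev/null || iptables -I $jump"
    # 1/ public services, reachable from anywhere
    emit_allow MINIFW-DOCKER-PUB tcp "$SERVICESTCP1"
    emit_allow MINIFW-DOCKER-PUB udp "$SERVICESUDP1"
    echo "iptables -A MINIFW-DOCKER-PUB -j MINIFW-DOCKER-PRIVILEGED"
    # 2/ privileged services, restricted to privileged and trusted IPs
    emit_allow MINIFW-DOCKER-PRIVILEGED tcp "$SERVICESTCP2" "$PRIVILEGEDIPS $TRUSTEDIPS"
    emit_allow MINIFW-DOCKER-PRIVILEGED udp "$SERVICESUDP2" "$PRIVILEGEDIPS $TRUSTEDIPS"
    echo "iptables -A MINIFW-DOCKER-PRIVILEGED -j MINIFW-DOCKER-TRUSTED"
    # 3/ trusted services, restricted to trusted IPs; the rest is dropped, unlogged
    emit_allow MINIFW-DOCKER-TRUSTED tcp "$SERVICESTCP3" "$TRUSTEDIPS"
    emit_allow MINIFW-DOCKER-TRUSTED udp "$SERVICESUDP3" "$TRUSTEDIPS"
    echo "iptables -A MINIFW-DOCKER-TRUSTED -j DROP"
}
minifw_docker_rules
```

Review the printed rules before piping them to sh on a host; a RETURN from any MINIFW chain unwinds the jumps back to DOCKER-USER, so an allowed packet continues to Docker's own FORWARD rules.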
The commit message of 0ec2cb2f4b should be taken as is, as 05104b312c dropped the idea of SERVICESTCP4 & SERVICESUDP4.
Maybe a preliminary check should ensure that the DOCKER variable exists (and is either on or off)?
Outgoing HTTP (80/tcp) from a container isn't filtered by squid.
Unless someone raises an issue or vetoes it, this PR will be merged on Wednesday, July 22nd.