Docker handling #5

Manually merged
lpoujol merged 2 commits from docker into master 10 months ago
Owner

With this PR, minifirewall, can now handle properly docker networking without breaking it.

There is a new setting 'DOCKER', in the config file that can be either on or off (and should be defined)

off : Minifirewall behaviour stays the same. Docker shall not be used.

on : Minifirewall will :

  • Not purge the nat table on stop as it breaks outgoint network trafic from living containers.
    (Side note: It's better to not have squid, or changes the rules, to not insert squid firewall rules at each restart since the nat table isn't flushed)

  • Create DOCKER-USER chain (if absent), and send "NEW" (according to iptable state) packets into the following chains :

1/ MINIFW-DOCKER-PUB (Public, unfiltered services allowed in SERVICESTCP1 SERVICESUDP1 )
2/ MINIFW-DOCKER-PRIVILEGED (Privileged, filtered services to privileged and trusted IPs, defined by SERVICESTCP2 SERVICESUDP2 )
3/ MINIFW-DOCKER-TRUSTED (Trusted, filtered services to trusted IPs, defined by SERVICESTCP3 SERVICESUDP3 )

Allowed trafic will be matched, and returned to DOCKER-USER chain
if a packet reach the end of MINIFW-DOCKER-TRUSTED, it will be dropped

Notes :

  • SERVICESTCP1p & SERVICESUDP1p are not used !
  • Dropped packets from MINIFW-DOCKER-TRUSTED aren't logged
  • Commit message of 0ec2cb2f4b should be taken as is, as 05104b312c dropped the idea of SERVICESTCP4 & SERVICESUDP4
  • Maybe a preliminary check should ensure that DOCKER variable exists (and is either on or off) ?
  • Outgoing HTTP (80/tcp) from a container isn't filtered by squid

Unless someone raises an issue, or veto it, this PR will be merged on Wednesday, July 22nd

With this PR, minifirewall, can now handle properly docker networking without breaking it. There is a new setting 'DOCKER', in the config file that can be either **on** or **off** (and should be defined) **off** : Minifirewall behaviour stays the same. Docker **shall not** be used. **on** : Minifirewall will : - Not purge the nat table on stop as it breaks outgoint network trafic from living containers. (Side note: It's better to not have squid, or changes the rules, to not insert squid firewall rules at each restart since the nat table isn't flushed) - Create DOCKER-USER chain (if absent), and send "NEW" (according to iptable state) packets into the following chains : 1/ MINIFW-DOCKER-PUB (Public, unfiltered services allowed in SERVICESTCP1 SERVICESUDP1 ) 2/ MINIFW-DOCKER-PRIVILEGED (Privileged, filtered services to privileged and trusted IPs, defined by SERVICESTCP2 SERVICESUDP2 ) 3/ MINIFW-DOCKER-TRUSTED (Trusted, filtered services to trusted IPs, defined by SERVICESTCP3 SERVICESUDP3 ) Allowed trafic will be matched, and returned to DOCKER-USER chain if a packet reach the end of MINIFW-DOCKER-TRUSTED, it will be dropped **Notes** : * SERVICESTCP1p & SERVICESUDP1p are not used ! * Dropped packets from MINIFW-DOCKER-TRUSTED aren't logged * Commit message of 0ec2cb2f4b should be taken as is, as 05104b312c dropped the idea of SERVICESTCP4 & SERVICESUDP4 * Maybe a preliminary check should ensure that DOCKER variable exists (and is either on or off) ? * Outgoing HTTP (80/tcp) from a container isn't filtered by squid Unless someone raises an issue, or veto it, this PR will be merged on **Wednesday, July 22nd**
lpoujol added the
enhancement
label 10 months ago
lpoujol self-assigned this 10 months ago
Owner

yallah!
(we should have evocheck test to verify SQUID and DOCKER are not both enabled)
(why we need to flush DOCKER-USER chain? maybe only iptables -I -j MINIFW-DOCKER-PUB ?)

yallah! (we should have evocheck test to verify SQUID and DOCKER are not both enabled) (why we need to flush DOCKER-USER chain? maybe only `iptables -I -j MINIFW-DOCKER-PUB` ?)
Poster
Owner

Technically, it's not needed.
But I chose to flush it to ensure it only contains minifirewall rules on start.

Technically, it's not needed. But I chose to flush it to ensure it only contains minifirewall rules on start.
lpoujol merged commit 3bcaee5b58 into master 10 months ago manually
The pull request has been manually merged as 3bcaee5b58.
Sign in to join this conversation.
No reviewers
No Milestone
No Assignees
2 Participants
Notifications
Due Date

No due date set.

Dependencies

This pull request currently doesn't have any dependencies.

Loading…
There is no content yet.