[WIP] Add DOCKER-USER chain when iptables=true is set ENGCORE-1114 #2464
Conversation
|
@arkodg , before this change, I noticed arrangeUserFilterRule is getting called white creating NewNetwork(). Now I see we invoke only for bridge driver. Any specific reason why this has been moved from generic code base to inside bridge driver ? |
|
@selansen because this piece of code correctly deciphers whether |
|
@mavenugo , PTAL . |
| @@ -357,6 +358,13 @@ func (d *driver) configure(option map[string]interface{}) error { | |||
| } | |||
| // Make sure on firewall reload, first thing being re-played is chains creation | |||
| iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) }) | |||
|
|
|||
| // Add DOCKER-USER chain | |||
| arrangeUserFilterRule() | |||
There was a problem hiding this comment.
now arrangeUserFIlterRule is called on all systems, linux/windows/bsd etc, is this by intention?
There was a problem hiding this comment.
AFAIK bridge is for linux only
There was a problem hiding this comment.
I suppose for any *nix, we expect to create bridge. I see somewhere there are _bsd specific imple. So I am guessing at some point before at least bsd is supported?
| @@ -33,6 +33,7 @@ const ( | |||
| vethLen = 7 | |||
| defaultContainerVethPrefix = "eth" | |||
| maxAllocatePortAttempts = 10 | |||
| userChain = "DOCKER-USER" | |||
There was a problem hiding this comment.
I have similar questions as Elango, why move to bridge.go, may be the real problem is that controller.hasIPTableEnabled() isn't the correct value?
There was a problem hiding this comment.
by moving arrangeUserFilterRule to bridge only network, it means unless a bridge network is created, there won't be DOCKER_USER chain. It will work as dockerd always creates docker9 bridge, but for me the original approach is cleaner.
There was a problem hiding this comment.
AFAIK from https://github.com/moby/moby/blob/ad1b781e44fa1e44b9e654e5078929aec56aed66/daemon/config/config_unix.go#L50 and 9c6ab12
EnableIPTables is specific to bridge
|
Is it possible to add an e2e test somewhere that checks that after dockerd startup sequence the output of |
There was a problem hiding this comment.
I'm uncomfortable merging anything else in this area until we have some sort of regression test. It doesn't need to be fancy - just something that checks that the iptables setup looks sane, as @guillaumerose suggested.
|
yah, I wanted to decide where to put the code before I added a TC, added one now |
arkodg
changed the title
arkodg
changed the title
This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config Addresses : docker/for-linux#810 Signed-off-by: Arko Dasgupta <[email protected]>
Signed-off-by: Arko Dasgupta <[email protected]>
arkodg
force-pushed
the
fix-user-chain
branch
from
6df0cfd to
57c0854
Compare
Signed-off-by: Arko Dasgupta <[email protected]>
arkodg
force-pushed
the
fix-user-chain
branch
from
57c0854 to
1434743
Compare
andrewhsu
changed the title
This PR fixes the regression introduced by
#2339 to
DOCKER-USERchain if iptables=true is set in the Daemon configDOCKER-USERis the first chain andDOCKER-INGRESSis the second chain in forwardingDOCKER-INGRESSandDOCKER-USERifiptables=falseAll the logic has been moved to the
bridgedriver sinceEnableIPTablesis a bridge specific configurationAddresses : docker/for-linux#810 ENGCORE-1114
Signed-off-by: Arko Dasgupta [email protected]