
docker-ce: add device option to expand interface blocking

If docker-ce handles the firewall and fw3 is not involved because the
rules are not processed, then not only docker0 should be handled but also
other interfaces and therefore other docker networks.

This commit extends the handling and introduces a new uci option
`device` in the docker config firewall section. This can be used to specify
which device is allowed to access the container. Up to now only docker0
is covered.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
lilik-openwrt-22.03
Florian Eckert 4 years ago
parent
commit
19fc933330
2 changed files with 34 additions and 10 deletions
  1. +33
    -10
      utils/docker-ce/files/dockerd.init
  2. +1
    -0
      utils/docker-ce/files/etc/config/dockerd

+ 33
- 10
utils/docker-ce/files/dockerd.init View File

@ -181,16 +181,39 @@ service_triggers() {
procd_add_reload_trigger 'dockerd'
}
add_docker_firewall_rules() {
. /lib/functions/network.sh
local device interface="${1}"
# Ignore errors as it might already be present
iptables --table filter --new DOCKER-USER 2>/dev/null
network_get_physdev device "${interface}"
if ! iptables --table filter --check DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP 2>/dev/null; then
iptables --table filter --insert DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP
fi
iptables_add_blocking_rule() {
local cfg="$1"
local device=""
handle_iptables_rule() {
local interface="$1"
local outbound="$2"
local inbound=""
. /lib/functions/network.sh
network_get_physdev inbound "${interface}"
[ -z "$inbound" ] && {
logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
return
}
if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP
fi
}
config_get device "$cfg" device
[ -z "$device" ] && {
logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
return
}
config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
}
ip4tables_remove_nat() {
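Review bot: `config_get device "$cfg" device` in `iptables_add_blocking_rule` has no fallback, so an existing config that predates `option device` logs "No device configured" and returns without inserting any DROP rule — the blocking that the old hard-coded `docker0` provided is lost on upgrade unless a migration adds the option elsewhere; passing a default, `config_get device "$cfg" device "docker0"`, keeps the previous behaviour. The removed `iptables --table filter --new DOCKER-USER 2>/dev/null` has no counterpart in the new code, so if the chain is not created elsewhere in the script (or by dockerd before this runs), `--check` fails and `--insert` errors out for every entry. The `--in-interface` match uses `network_get_physdev`, which for interfaces whose layer-3 device differs from the physical one (PPPoE is the usual case) would presumably not match the forwarded packets' ingress device and leave that traffic unblocked; `network_get_device` may be the intended lookup, worth confirming against the setups this targets. Sourcing `/lib/functions/network.sh` and (re)defining `handle_iptables_rule` inside the per-entry callback works but repeats for every list entry; moving both to the top of `iptables_add_blocking_rule` would read more clearly. `ip4tables_remove_nat` starts on the hunk's last line and continues outside it.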


+ 1
- 0
utils/docker-ce/files/etc/config/dockerd View File

@ -16,4 +16,5 @@ config globals 'globals'
# Docker ignores fw3 rules and by default all external source IPs are allowed
# to connect to the Docker host. See https://docs.docker.com/network/iptables/
config firewall 'firewall'
option device 'docker0'
list blocked_interfaces 'wan'
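Review bot: The new `option device 'docker0'` is not explained by the comment above the section, which only says why the rules exist; a one-line comment such as `# 'device' is the Docker bridge to protect: traffic arriving on each 'blocked_interfaces' entry and forwarded to it is dropped` would tell users what to set for additional Docker networks. Since the init script returns without adding any rule when the option is absent, the comment should also state that the option is required.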
