LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

docker-ce: add device option to expand interface blocking 

If docker-ce handles the firewall and fw3 is not envolved because the
rules get not proceed, then not only docker0 should be handled but also
other interfaces and therefore other docker networks.

This commit extends the handling and introduces a new uci option
`device` in the docker config firewall section. This can be used to specify
which device is allowed to access the container. Up to now only docker0
is covert.

Signed-off-by: Florian Eckert <fe@dev.tdt.de>
lilik-openwrt-22.03
Florian Eckert 4 years ago
parent
7c9ed12fa1
commit
19fc933330
2 changed files with 34 additions and 10 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +33
    -10
      utils/docker-ce/files/dockerd.init
  2. +1
    -0
      utils/docker-ce/files/etc/config/dockerd

+ 33
- 10
utils/docker-ce/files/dockerd.init View File

@ -181,16 +181,39 @@ service_triggers() {
procd_add_reload_trigger 'dockerd'
}
add_docker_firewall_rules() {
. /lib/functions/network.sh
local device interface="${1}"
# Ignore errors as it might already be present
iptables --table filter --new DOCKER-USER 2>/dev/null
network_get_physdev device "${interface}"
if ! iptables --table filter --check DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP 2>/dev/null; then
iptables --table filter --insert DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP
fi
iptables_add_blocking_rule() {
local cfg="$1"
local device=""
handle_iptables_rule() {
local interface="$1"
local outbound="$2"
local inbound=""
. /lib/functions/network.sh
network_get_physdev inbound "${interface}"
[ -z "$inbound" ] && {
logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
return
}
if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP
fi
}
config_get device "$cfg" device
[ -z "$device" ] && {
logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
return
}
config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
}
ip4tables_remove_nat() {


+ 1
- 0
utils/docker-ce/files/etc/config/dockerd View File

@ -16,4 +16,5 @@ config globals 'globals'
# Docker ignores fw3 rules and by default all external source IPs are allowed
# to connect to the Docker host. See https://docs.docker.com/network/iptables/
config firewall 'firewall'
option device 'docker0'
list blocked_interfaces 'wan'

Write Preview
Loading…
Cancel
Save