Add internal n/w bridge to firewalld docker zone

robmry · robmry · commit 2cc627932ace · 2024-02-01T11:49:53.000Z
Containers attached to an 'internal' bridge network are unable to
communicate when the host is running firewalld.

Non-internal bridges are added to a trusted 'docker' firewalld zone, but
internal bridges were not.

DOCKER-ISOLATION iptables rules are still configured for an internal
network, they block traffic to/from addresses outside the network's subnet.

Signed-off-by: Rob Murray &lt;rob.murray@docker.com&gt;
diff --git a/libnetwork/drivers/bridge/setup_ip_tables_linux.go b/libnetwork/drivers/bridge/setup_ip_tables_linux.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/containerd/log"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/libnetwork/iptables"
 	"github.com/docker/docker/libnetwork/types"
 	"github.com/vishvananda/netlink"
@@ -408,6 +409,17 @@ func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert
 	var version iptables.IPVersion
 	var inDropRule, outDropRule iptRule
 
+	// Either add or remove the interface from the firewalld zone, if firewalld is running.
+	if insert {
+		if err := iptables.AddInterfaceFirewalld(bridgeIface); err != nil {
+			return err
+		}
+	} else {
+		if err := iptables.DelInterfaceFirewalld(bridgeIface); err != nil && !errdefs.IsNotFound(err) {
+			return err
+		}
+	}
+
 	if addr.IP.To4() != nil {
 		version = iptables.IPv4
 		inDropRule = iptRule{
