
Commit 2449e0a

committed
Better approach to fix firewalld zone
* Better approach to fix firewalld+nftables docker zone
1 parent 076bbe7 commit 2449e0a

2 files changed

Lines changed: 19 additions & 21 deletions


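--- a/libnetwork/drivers/bridge/setup_ip_tables.go
+++ b/libnetwork/drivers/bridge/setup_ip_tables.go
@@ -291,6 +291,22 @@ func programChainRule(version iptables.IPVersion, rule iptRule, ruleDescr string
 	return nil
 }
 
+// SetupInternalICC is used to add or remove the internal interface to/from the firewalld docker zone ( ICC )
+// https://github.com/moby/libnetwork/issues/2647
+func SetupInternalICC(bridgeIface string, include bool) error {
+	// Either add or remove the interface from the firewalld docker zone
+	if include {
+		if err := iptables.AddInterfaceFirewalld(bridgeIface); err != nil {
+			return fmt.Errorf("Failed to add interface %s to firewalld docker zone: %s", bridgeIface, err.Error())
+		}
+	} else {
+		if err := iptables.DelInterfaceFirewalld(bridgeIface); err != nil {
+			return fmt.Errorf("Failed to remove interface %s from firewalld docker zone: %s", bridgeIface, err.Error())
+		}
+	}
+	return nil
+}
+
 func setIcc(version iptables.IPVersion, bridgeIface string, iccEnable, insert bool) error {
 	iptable := iptables.GetIptable(version)
 	var (
@@ -413,10 +429,10 @@ func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert
 	if err := programChainRule(version, outDropRule, "DROP OUTGOING", insert); err != nil {
 		return err
 	}
-	//Add internal interface to docker zone if ICC is enabled
 	if icc {
-		iiptable := iptables.GetIptable(version)
-		iiptable.SetupInternalICC(bridgeIface, insert)
+		if err := SetupInternalICC(bridgeIface, insert); err != nil {
+			return err
+		}
 	}
 	// Set Inter Container Communication.
 	return setIcc(version, bridgeIface, icc, insert)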
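Review bot: The new SetupInternalICC (new lines 294–308) no longer checks whether firewalld is running before calling iptables.AddInterfaceFirewalld / DelInterfaceFirewalld, a guard the deleted IPTable.SetupInternalICC in iptables.go had; unless those two functions are themselves no-ops when firewalld is absent, a host without firewalld (or with its D-Bus service down) would now fail every internal-network create and delete that has ICC enabled. Because `firewalldRunning` is unexported from the bridge package, that guard belongs inside AddInterfaceFirewalld/DelInterfaceFirewalld or behind an exported helper rather than in this file. A related ordering point in the second hunk (setupInternalNetworkRules starts outside the hunk): on removal (insert == false) an error from DelInterfaceFirewalld now returns before setIcc runs, so the ICC iptables rules stay installed after the zone update failed; on the removal path it may be preferable to log the firewalld error and still call setIcc. Minor style: wrap the cause with `%w` instead of `%s` and err.Error() so callers can use errors.Is/As, e.g. `return fmt.Errorf("add interface %s to firewalld docker zone: %w", bridgeIface, err)` (Go 1.13+).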

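--- a/libnetwork/iptables/iptables.go
+++ b/libnetwork/iptables/iptables.go
@@ -173,24 +173,6 @@ func (iptable IPTable) LoopbackByVersion() string {
 	return "127.0.0.0/8"
 }
 
-// SetupInternalICC is used to add or remove the internal interface from the firewalld zone ( ICC )
-// https://github.com/moby/libnetwork/issues/2647
-func (iptable IPTable) SetupInternalICC(bridgeIface string, include bool) error {
-	// Either add or remove the interface from the firewalld zone
-	if firewalldRunning {
-		if include {
-			if err := AddInterfaceFirewalld(bridgeIface); err != nil {
-				return fmt.Errorf("Failed to add interface %s to firewalld zone: %s", bridgeIface, err.Error())
-			}
-		} else {
-			if err := DelInterfaceFirewalld(bridgeIface); err != nil {
-				return fmt.Errorf("Failed to remove interface %s from firewalld zone: %s", bridgeIface, err.Error())
-			}
-		}
-	}
-	return nil
-}
-
 // ProgramChain is used to add rules to a chain
 func (iptable IPTable) ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) error {
 	if c.Name == "" {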
