React to firewalld's reload/restart

jpopelka · jpopelka · commit b052827e0252 · 2015-04-20T13:02:09.000+02:00
When firewalld (or iptables service) restarts/reloads, all previously added docker firewall rules are flushed. With firewalld we can react to its Reloaded() [1] D-Bus signal and recreate the firewall rules. Also when firewalld gets restarted (stopped & started) we can catch the NameOwnerChanged signal [2]. To specify which signals we want to react to we use AddMatch [3]. Libvirt has been doing this for quite a long time now. Docker changes firewall rules on basically 3 places. 1) daemon/networkdriver/portmapper/mapper.go - port mappings Portmapper fortunatelly keeps list of mapped ports, so we can easily recreate firewall rules on firewalld restart/reload New ReMapAll() function does that 2) daemon/networkdriver/bridge/driver.go When setting a bridge, basic firewall rules are created. This is done at once during start, it's parametrized and nowhere tracked so how can one know what and how to set it again when there's been firewalld restart/reload ? The only solution that came to my mind is using of closures [4], i.e. I keep list of references to closures (anonymous functions together with a referencing environment) and when there's firewalld restart/reload I re-call them in the same order. 3) links/links.go - linking containers Link is added in Enable() and removed in Disable(). In Enable() we add a callback function, which creates the link, that's OK so far. It'd be ideal if we could remove the same function from the list in Disable(). Unfortunatelly that's not possible AFAICT, because we don't know the reference to that function at that moment, so we can only add a reference to function, which removes the link. That means that after creating and removing a link there are 2 functions in the list, one adding and one removing the link and after firewalld restart/reload both are called. It works, but it's far from ideal. [1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded [2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed [3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules [4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29 Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
diff --git a/daemon/networkdriver/bridge/driver.go b/daemon/networkdriver/bridge/driver.go
@@ -232,7 +232,8 @@ func InitDriver(config *Config) error {
 			logrus.Errorf("Error configuing iptables: %s", err)
 			return err
 		}
-
+		// call this on Firewalld reload
+		iptables.OnReloaded(func() { setupIPTables(addrv4, config.InterContainerCommunication, config.EnableIpMasq) })
 	}
 
 	if config.EnableIpForward {
@@ -262,10 +263,16 @@ func InitDriver(config *Config) error {
 		if err != nil {
 			return err
 		}
+		// call this on Firewalld reload
+		iptables.OnReloaded(func() { iptables.NewChain("DOCKER", bridgeIface, iptables.Nat) })
+
 		chain, err := iptables.NewChain("DOCKER", bridgeIface, iptables.Filter)
 		if err != nil {
 			return err
 		}
+		// call this on Firewalld reload
+		iptables.OnReloaded(func() { iptables.NewChain("DOCKER", bridgeIface, iptables.Filter) })
+
 		portMapper.SetIptablesChain(chain)
 	}
 
@@ -298,6 +305,10 @@ func InitDriver(config *Config) error {
 	// Block BridgeIP in IP allocator
 	ipAllocator.RequestIP(bridgeIPv4Network, bridgeIPv4Network.IP)
 
+	if config.EnableIptables {
+		iptables.OnReloaded(portMapper.ReMapAll) // call this on Firewalld reload
+	}
+
 	return nil
 }
 
diff --git a/daemon/networkdriver/portmapper/mapper.go b/daemon/networkdriver/portmapper/mapper.go
@@ -132,6 +132,18 @@ func (pm *PortMapper) Map(container net.Addr, hostIP net.IP, hostPort int) (host
 	return m.host, nil
 }
 
+// re-apply all port mappings
+func (pm *PortMapper) ReMapAll() {
+	logrus.Debugln("Re-applying all port mappings.")
+	for _, data := range pm.currentMappings {
+		containerIP, containerPort := getIPAndPort(data.container)
+		hostIP, hostPort := getIPAndPort(data.host)
+		if err := pm.forward(iptables.Append, data.proto, hostIP, hostPort, containerIP.String(), containerPort); err != nil {
+			logrus.Errorf("Error on iptables add: %s", err)
+		}
+	}
+}
+
 func (pm *PortMapper) Unmap(host net.Addr) error {
 	pm.lock.Lock()
 	defer pm.lock.Unlock()
diff --git a/links/links.go b/links/links.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/docker/docker/daemon/networkdriver/bridge"
 	"github.com/docker/docker/nat"
+	"github.com/docker/docker/pkg/iptables"
 )
 
 type Link struct {
@@ -143,6 +144,8 @@ func (l *Link) Enable() error {
 	if err := l.toggle("-A", false); err != nil {
 		return err
 	}
+	// call this on Firewalld reload
+	iptables.OnReloaded(func() { l.toggle("-I", false) })
 	l.IsEnabled = true
 	return nil
 }
@@ -152,7 +155,8 @@ func (l *Link) Disable() {
 	// exist in iptables
 	// -D == iptables delete flag
 	l.toggle("-D", true)
-
+	// call this on Firewalld reload
+	iptables.OnReloaded(func() { l.toggle("-D", true) })
 	l.IsEnabled = false
 }
 
diff --git a/pkg/iptables/firewalld.go b/pkg/iptables/firewalld.go
@@ -1,8 +1,10 @@
 package iptables
 
 import (
+	"fmt"
 	"github.com/Sirupsen/logrus"
 	"github.com/godbus/dbus"
+	"strings"
 )
 
 type IPV string
@@ -26,7 +28,8 @@ type Conn struct {
 
 var (
 	connection       *Conn
-	firewalldRunning bool // is Firewalld service running
+	firewalldRunning bool      // is Firewalld service running
+	onReloaded       []*func() // callbacks when Firewalld has been reloaded
 )
 
 func FirewalldInit() {
@@ -63,9 +66,75 @@ func (c *Conn) initConnection() error {
 	// This never fails, even if the service is not running atm.
 	c.sysobj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath))
 
+	rule := fmt.Sprintf("type='signal',path='%s',interface='%s',sender='%s',member='Reloaded'",
+		dbusPath, dbusInterface, dbusInterface)
+	c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule)
+
+	rule = fmt.Sprintf("type='signal',interface='org.freedesktop.DBus',member='NameOwnerChanged',path='/org/freedesktop/DBus',sender='org.freedesktop.DBus',arg0='%s'",
+		dbusInterface)
+	c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule)
+
+	c.signal = make(chan *dbus.Signal, 10)
+	c.sysconn.Signal(c.signal)
+	go signalHandler()
+
 	return nil
 }
 
+func signalHandler() {
+	if connection != nil {
+		for signal := range connection.signal {
+			if strings.Contains(signal.Name, "NameOwnerChanged") {
+				firewalldRunning = checkRunning()
+				dbusConnectionChanged(signal.Body)
+			} else if strings.Contains(signal.Name, "Reloaded") {
+				reloaded()
+			}
+		}
+	}
+}
+
+func dbusConnectionChanged(args []interface{}) {
+	name := args[0].(string)
+	old_owner := args[1].(string)
+	new_owner := args[2].(string)
+
+	if name != dbusInterface {
+		return
+	}
+
+	if len(new_owner) > 0 {
+		connectionEstablished()
+	} else if len(old_owner) > 0 {
+		connectionLost()
+	}
+}
+
+func connectionEstablished() {
+	reloaded()
+}
+
+func connectionLost() {
+	// Doesn't do anything for now. Libvirt also doesn't react to this.
+}
+
+// call all callbacks
+func reloaded() {
+	for _, pf := range onReloaded {
+		(*pf)()
+	}
+}
+
+// add callback
+func OnReloaded(callback func()) {
+	for _, pf := range onReloaded {
+		if pf == &callback {
+			return
+		}
+	}
+	onReloaded = append(onReloaded, &callback)
+}
+
 // Call some remote method to see whether the service is actually running.
 func checkRunning() bool {
 	var zone string

Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,8 @@ func InitDriver(config *Config) error {`
`232`	`232`	`logrus.Errorf("Error configuing iptables: %s", err)`
`233`	`233`	`return err`
`234`	`234`	`}`
`235`		`-`
	`235`	`+ // call this on Firewalld reload`
	`236`	`+ iptables.OnReloaded(func() { setupIPTables(addrv4, config.InterContainerCommunication, config.EnableIpMasq) })`
`236`	`237`	`}`
`237`	`238`
`238`	`239`	`if config.EnableIpForward {`
`@@ -262,10 +263,16 @@ func InitDriver(config *Config) error {`
`262`	`263`	`if err != nil {`
`263`	`264`	`return err`
`264`	`265`	`}`
	`266`	`+ // call this on Firewalld reload`
	`267`	`+ iptables.OnReloaded(func() { iptables.NewChain("DOCKER", bridgeIface, iptables.Nat) })`
	`268`	`+`
`265`	`269`	`chain, err := iptables.NewChain("DOCKER", bridgeIface, iptables.Filter)`
`266`	`270`	`if err != nil {`
`267`	`271`	`return err`
`268`	`272`	`}`
	`273`	`+ // call this on Firewalld reload`
	`274`	`+ iptables.OnReloaded(func() { iptables.NewChain("DOCKER", bridgeIface, iptables.Filter) })`
	`275`	`+`
`269`	`276`	`portMapper.SetIptablesChain(chain)`
`270`	`277`	`}`
`271`	`278`
`@@ -298,6 +305,10 @@ func InitDriver(config *Config) error {`
`298`	`305`	`// Block BridgeIP in IP allocator`
`299`	`306`	`ipAllocator.RequestIP(bridgeIPv4Network, bridgeIPv4Network.IP)`
`300`	`307`
	`308`	`+ if config.EnableIptables {`
	`309`	`+ iptables.OnReloaded(portMapper.ReMapAll) // call this on Firewalld reload`
	`310`	`+ }`
	`311`	`+`
`301`	`312`	`return nil`
`302`	`313`	`}`
`303`	`314`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`
`8`	`8`	`"github.com/docker/docker/daemon/networkdriver/bridge"`
`9`	`9`	`"github.com/docker/docker/nat"`
	`10`	`+ "github.com/docker/docker/pkg/iptables"`
`10`	`11`	`)`
`11`	`12`
`12`	`13`	`type Link struct {`
`@@ -143,6 +144,8 @@ func (l *Link) Enable() error {`
`143`	`144`	`if err := l.toggle("-A", false); err != nil {`
`144`	`145`	`return err`
`145`	`146`	`}`
	`147`	`+ // call this on Firewalld reload`
	`148`	`+ iptables.OnReloaded(func() { l.toggle("-I", false) })`
`146`	`149`	`l.IsEnabled = true`
`147`	`150`	`return nil`
`148`	`151`	`}`
`@@ -152,7 +155,8 @@ func (l *Link) Disable() {`
`152`	`155`	`// exist in iptables`
`153`	`156`	`// -D == iptables delete flag`
`154`	`157`	`l.toggle("-D", true)`
`155`		`-`
	`158`	`+ // call this on Firewalld reload`
	`159`	`+ iptables.OnReloaded(func() { l.toggle("-D", true) })`
`156`	`160`	`l.IsEnabled = false`
`157`	`161`	`}`
`158`	`162`