Merge pull request moby#49538 from robmry/docker_ingress
Jump to DOCKER-INGRESS from DOCKER-FORWARD
thaJeztah authored Feb 26, 2025
2 parents 8ae4858 + 558da63 commit bbd0a17
Showing 3 changed files with 26 additions and 17 deletions.
20 changes: 10 additions & 10 deletions integration/network/bridge/iptablesdoc/generated/swarm-portmap.md
Expand Up @@ -12,8 +12,7 @@ The filter table is:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER-INGRESS 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
Expand All @@ -35,12 +34,13 @@ The filter table is:

Chain DOCKER-FORWARD (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
5 0 0 DROP 0 -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0
6 0 0 ACCEPT 0 -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
1 0 0 DOCKER-INGRESS 0 -- * * 0.0.0.0/0 0.0.0.0/0
2 0 0 DOCKER-CT 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
4 0 0 DOCKER-BRIDGE 0 -- * * 0.0.0.0/0 0.0.0.0/0
5 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
6 0 0 DROP 0 -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0
7 0 0 ACCEPT 0 -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0

Chain DOCKER-INGRESS (1 references)
num pkts bytes target prot opt in out source destination
Expand Down Expand Up @@ -78,14 +78,14 @@ The filter table is:
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-INGRESS
-A FORWARD -j DOCKER-FORWARD
-A DOCKER ! -i docker0 -o docker0 -j DROP
-A DOCKER ! -i docker_gwbridge -o docker_gwbridge -j DROP
-A DOCKER-BRIDGE -o docker0 -j DOCKER
-A DOCKER-BRIDGE -o docker_gwbridge -j DOCKER
-A DOCKER-CT -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-CT -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-FORWARD -j DOCKER-INGRESS
-A DOCKER-FORWARD -j DOCKER-CT
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
-A DOCKER-FORWARD -j DOCKER-BRIDGE
Expand All @@ -109,7 +109,7 @@ Note that:
- There's a bridge network called `docker_gwbridge` for swarm ingress.
- Its rules follow the usual pattern for a network with inter-container communication disabled.
- There's an additional chain `DOCKER-INGRESS`.
- The jump to `DOCKER-INGRESS` is in the `FORWARD` chain.
- The jump to `DOCKER-INGRESS` is first in the `DOCKER-FORWARD` chain.

And the corresponding nat table:

Expand Up @@ -20,7 +20,7 @@ Note that:
- There's a bridge network called `docker_gwbridge` for swarm ingress.
- Its rules follow the usual pattern for a network with inter-container communication disabled.
- There's an additional chain `DOCKER-INGRESS`.
- The jump to `DOCKER-INGRESS` is in the `FORWARD` chain.
- The jump to `DOCKER-INGRESS` is first in the `DOCKER-FORWARD` chain.

And the corresponding nat table:

21 changes: 15 additions & 6 deletions libnetwork/service_linux.go
Expand Up @@ -13,6 +13,7 @@ import (
"syscall"

"github.com/containerd/log"
"github.com/docker/docker/libnetwork/drivers/bridge"
"github.com/docker/docker/libnetwork/iptables"
"github.com/docker/docker/libnetwork/ns"
"github.com/ishidawataru/sctp"
Expand Down Expand Up @@ -359,13 +360,21 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
}
}

if !iptable.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) {
if err := iptable.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err)
// The DOCKER-FORWARD chain is created by the bridge driver on startup. It's a stable place to
// put the jump to DOCKER-INGRESS (nothing else will ever be inserted before it, and the jump
// will precede the bridge driver's other rules).
if !iptable.Exists(iptables.Filter, bridge.DockerForwardChain, "-j", ingressChain) {
if err := iptable.RawCombinedOutput("-I", bridge.DockerForwardChain, "-j", ingressChain); err != nil {
return fmt.Errorf("failed to add jump rule to %s in filter table %s chain: %v",
ingressChain, bridge.DockerForwardChain, err)
}
// The jump to DOCKER-USER needs to be before the jump to DOCKER-INGRESS.
if err := setupUserChain(iptables.IPv4); err != nil {
log.G(context.TODO()).Warnf("Failed to restore "+userChain+" after creating "+ingressChain+": %v", err)
}
// Remove the jump from FORWARD to DOCKER-INGRESS, if it was created there by a version of
// the daemon older than 28.0.1.
// FIXME(robmry) - should only do this once, on startup.
if iptable.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) {
if err := iptable.RawCombinedOutput("-D", "FORWARD", "-j", ingressChain); err != nil {
log.G(context.TODO()).WithError(err).Debug("Failed to delete jump from FORWARD to " + ingressChain)
}
}

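Review bot: The failure to delete the legacy `FORWARD -j DOCKER-INGRESS` jump at the end of the hunk is logged only at Debug level, yet a jump left in FORWARD still runs ahead of the jump to DOCKER-FORWARD (the old layout shown in the swarm-portmap.md hunk), so the ordering promised by the new comment on the `bridge.DockerForwardChain` block is silently not achieved. Given that the code visible at the old setupUserChain call used Warnf for a comparable "rules not in the expected state" failure, I would raise this to `log.G(context.TODO()).WithError(err).Warn("Failed to delete jump from FORWARD to " + ingressChain)`. The `iptable.Exists` check on the new jump also only confirms the rule is present somewhere in DOCKER-FORWARD, not that it is still first, so the "nothing else will ever be inserted before it" claim rests on the bridge driver's behaviour rather than on anything verified here; the comment could say so explicitly, e.g. `// Relies on the bridge driver never using -I on DOCKER-FORWARD; a rule inserted ahead of this jump would run before ingress filtering.` programIngress begins and ends outside the hunk, so whether the legacy cleanup also runs on the isDelete path is not visible here.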
