Add DOCKER-USER chain when iptables=true is set

This PR fixes the regression introduced by moby#2339 to correctly insert the DOCKER-USER chain if iptables=true is set in the Daemon config Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
arkodg · Oct 9, 2019 · 38ceb4e · 38ceb4e
1 parent 3e10ae9
commit 38ceb4e
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 79 deletions.
diff --git a/controller.go b/controller.go
@@ -910,8 +910,6 @@ addToStore:
 		c.Unlock()
 	}
 
-	c.arrangeUserFilterRule()
-
 	return network, nil
 }
 

diff --git a/drivers/bridge/bridge.go b/drivers/bridge/bridge.go
@@ -33,6 +33,7 @@ const (
 	vethLen                    = 7
 	defaultContainerVethPrefix = "eth"
 	maxAllocatePortAttempts    = 10
+	userChain                  = "DOCKER-USER"
 )
 
 const (
@@ -357,6 +358,13 @@ func (d *driver) configure(option map[string]interface{}) error {
 		}
 		// Make sure on firewall reload, first thing being re-played is chains creation
 		iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) })
+
+		// Add DOCKER-USER chain
+		arrangeUserFilterRule()
+		iptables.OnReloaded(func() {
+			logrus.Debugf("Recreating DOCKER-USER iptables chain on firewall reload")
+			arrangeUserFilterRule()
+		})
 	}
 
 	if config.EnableIPForwarding {
@@ -1504,3 +1512,24 @@ func electMacAddress(epConfig *endpointConfiguration, ip net.IP) net.HardwareAdd
 	}
 	return netutils.GenerateMACFromIP(ip)
 }
+
+// This chain allow users to configure firewall policies in a way that persists
+// docker operations/restarts. Docker will not delete or modify any pre-existing
+// rules from the DOCKER-USER filter chain.
+func arrangeUserFilterRule() {
+	_, err := iptables.NewChain(userChain, iptables.Filter, false)
+	if err != nil {
+		logrus.Warnf("Failed to create %s chain: %v", userChain, err)
+		return
+	}
+
+	if err = iptables.AddReturnRule(userChain); err != nil {
+		logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
+		return
+	}
+
+	err = iptables.EnsureJumpRule("FORWARD", userChain)
+	if err != nil {
+		logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
+	}
+}
diff --git a/firewall_linux.go b/firewall_linux.go
diff --git a/firewall_others.go b/firewall_others.go
diff --git a/service_linux.go b/service_linux.go
@@ -366,7 +366,6 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 			if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
 				return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err)
 			}
-			arrangeUserFilterRule()
 		}
 
 		oifName, err := findOIFName(gwIP)