Add docker interfaces to firewalld trusted zone

If firewalld is running, add the docker interface to the trusted zone to allow container networking for distros with Firewalld enabled Fixes: #2496 Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
moby · May 4, 2020 · 7378ec4 · 7378ec4
1 parent 1ea375d
commit 7378ec4
Show file tree

Hide file tree

Showing 2 changed files with 66 additions and 0 deletions.
diff --git a/iptables/firewalld.go b/iptables/firewalld.go
@@ -165,3 +165,56 @@ func Passthrough(ipv IPV, args ...string) ([]byte, error) {
 	}
 	return []byte(output), nil
 }
+
+// AddInterfaceFirewalld adds the interface to the trusted zone
+func AddInterfaceFirewalld(intf string) error {
+	zone := "trusted"
+	var intfs []string
+	// Check if interface is already added of the zone
+	if err := connection.sysobj.Call(dbusInterface+".zone.getInterfaces", 0, zone).Store(&intfs); err != nil {
+		return err
+	}
+	// Return if interface is already part of the zone
+	if contains(intfs, intf) {
+		logrus.Infof("Firewalld: interface %s already part of %s zone, returning", intf, zone)
+		return nil
+	}
+
+	logrus.Debugf("Firewalld: adding %s interface to %s zone", intf, zone)
+	var output string
+	if err := connection.sysobj.Call(dbusInterface+".zone.addInterface", 0, zone, intf).Store(&output); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// DelInterfaceFirewalld removes the interface from the trusted zone
+func DelInterfaceFirewalld(intf string) error {
+	zone := "trusted"
+	var intfs []string
+	// Check if interface is already added of the zone
+	if err := connection.sysobj.Call(dbusInterface+".zone.getInterfaces", 0, zone).Store(&intfs); err != nil {
+		return err
+	}
+	// Remove interface if it exists
+	if !contains(intfs, intf) {
+		return fmt.Errorf("Firewalld: unable to find interface %s in %s zone", intf, zone)
+	}
+
+	logrus.Debugf("Firewalld: removing %s interface from %s zone", intf, zone)
+	var output string
+	if err := connection.sysobj.Call(dbusInterface+".zone.removeInterface", 0, zone, intf).Store(&output); err != nil {
+		return err
+	}
+	return nil
+}
+
+func contains(list []string, val string) bool {
+	for _, v := range list {
+		if v == val {
+			return true
+		}
+	}
+	return false
+}
diff --git a/iptables/iptables.go b/iptables/iptables.go
@@ -146,6 +146,19 @@ func ProgramChain(c *ChainInfo, bridgeName string, hairpinMode, enable bool) err
 		return errors.New("Could not program chain, missing chain name")
 	}
 
+	// Either add or remove the interface from the firewalld zone
+	if firewalldRunning {
+		if enable {
+			if err := AddInterfaceFirewalld(bridgeName); err != nil {
+				return err
+			}
+		} else {
+			if err := DelInterfaceFirewalld(bridgeName); err != nil {
+				return err
+			}
+		}
+	}
+
 	switch c.Table {
 	case Nat:
 		preroute := []string{