WIP: support default network verdict within the same network

pitkley · Sep 13, 2023 · 8962329 · 8962329
1 parent 663a4e1
commit 8962329
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/src/nftables/process.rs b/src/nftables/process.rs
@@ -326,6 +326,30 @@ impl Process<Nftables> for ContainerToContainer {
             self.default_policy,
         )];
 
+        if let Some(same_network_verdict) = self.same_network_verdict {
+            for network in ctx.network_map.values() {
+                let network_id = network.id.as_ref().expect("Docker network ID missing");
+                let bridge_name = get_bridge_name(network_id)?;
+                trace!(ctx.logger, "Got bridge name";
+                       o!("network_name" => &network.name,
+                          "bridge_name" => &bridge_name));
+
+                let rule = RuleBuilder::default()
+                    .in_interface(&bridge_name)
+                    .out_interface(&bridge_name)
+                    .verdict(same_network_verdict)
+                    .build()?;
+
+                debug!(ctx.logger, "Add forward rule for same network verdict for bridge";
+                       o!("part" => "container_to_container",
+                          "bridge_name" => bridge_name,
+                          "same_network_verdict" => &self.same_network_verdict,
+                          "rule" => &rule));
+
+                rules.push(add_rule(Family::Inet, "dfw", "forward", &rule));
+            }
+        }
+
         if let Some(mut ctc_rules) = self.rules.process(ctx)? {
             rules.append(&mut ctc_rules);
         }

diff --git a/src/types.rs b/src/types.rs
@@ -192,6 +192,8 @@ pub struct ContainerToContainer {
     ///
     /// To permanently set this configuration, take a look at `man sysctl.d` and `man sysctl.conf`.
     pub default_policy: ChainPolicy,
+    #[allow(missing_docs)]
+    pub same_network_verdict: Option<RuleVerdict>,
     /// An optional list of rules, see
     /// [`ContainerToContainerRule`](struct.ContainerToContainerRule.html).
     ///

diff --git a/tests/types.rs b/tests/types.rs
@@ -58,6 +58,7 @@ fn parse_conf_file() {
     };
     let container_to_container = ContainerToContainer {
         default_policy: ChainPolicy::Drop,
+        same_network_verdict: None,
         rules: Some(vec![ContainerToContainerRule {
             network: "network".to_owned(),
             src_container: Some("src_container".to_owned()),
@@ -161,6 +162,7 @@ fn parse_conf_path() {
     };
     let container_to_container = ContainerToContainer {
         default_policy: ChainPolicy::Drop,
+        same_network_verdict: None,
         rules: Some(vec![ContainerToContainerRule {
             network: "network".to_owned(),
             src_container: Some("src_container".to_owned()),