From 8962329d561caf40bf5286ff8500c4a82d7bac0a Mon Sep 17 00:00:00 2001
From: Pit Kleyersburg
Date: Wed, 13 Sep 2023 18:45:26 +0200
Subject: [PATCH] WIP: support default network verdict within the same network
---
 src/nftables/process.rs | 24 ++++++++++++++++++++++++
 src/types.rs | 2 ++
 tests/types.rs | 2 ++
 3 files changed, 28 insertions(+)
diff --git a/src/nftables/process.rs b/src/nftables/process.rs
index f9a5564e..e0e36374 100644
--- a/src/nftables/process.rs
+++ b/src/nftables/process.rs
@@ -326,6 +326,30 @@ impl Process for ContainerToContainer {
 self.default_policy,
 )];
 
+ if let Some(same_network_verdict) = self.same_network_verdict {
+ for network in ctx.network_map.values() {
+ let network_id = network.id.as_ref().expect("Docker network ID missing");
+ let bridge_name = get_bridge_name(network_id)?;
+ trace!(ctx.logger, "Got bridge name";
+ o!("network_name" => &network.name,
+ "bridge_name" => &bridge_name));
+
+ let rule = RuleBuilder::default()
+ .in_interface(&bridge_name)
+ .out_interface(&bridge_name)
+ .verdict(same_network_verdict)
+ .build()?;
+
+ debug!(ctx.logger, "Add forward rule for same network verdict for bridge";
+ o!("part" => "container_to_container",
+ "bridge_name" => bridge_name,
+ "same_network_verdict" => &self.same_network_verdict,
+ "rule" => &rule));
+
+ rules.push(add_rule(Family::Inet, "dfw", "forward", &rule));
+ }
+ }
+
 if let Some(mut ctc_rules) = self.rules.process(ctx)? {
 rules.append(&mut ctc_rules);
 }
diff --git a/src/types.rs b/src/types.rs
index fdf2fb86..c2709d71 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -192,6 +192,8 @@ pub struct ContainerToContainer {
 ///
 /// To permanently set this configuration, take a look at `man sysctl.d` and `man sysctl.conf`.
 pub default_policy: ChainPolicy,
+ #[allow(missing_docs)]
+ pub same_network_verdict: Option,
 /// An optional list of rules, see
 /// [`ContainerToContainerRule`](struct.ContainerToContainerRule.html).
 ///
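Review bot: The same-network rule is pushed onto `rules` before `self.rules.process(ctx)?` appends the explicit container-to-container rules, so if `add_rule` emits rules in push order the per-bridge verdict is matched first in the `forward` chain and an explicit rule for traffic on that bridge is never reached; a default verdict should be evaluated after the explicit rules, i.e. move the whole `if let Some(same_network_verdict)` block below the `rules.append(&mut ctc_rules)` branch. `network.id.as_ref().expect("Docker network ID missing")` turns a missing ID in Docker's response into a panic that aborts all rule generation, although the function already returns `Result` through `?`, so it should either be propagated as an error or skipped with a log entry (`let Some(network_id) = network.id.as_ref() else { continue };` plus a warning). The loop also calls `get_bridge_name` for every entry of `ctx.network_map`, and if that fails for networks without a bridge the `?` aborts the whole pass instead of skipping them — worth confirming against what `get_bridge_name` does for non-bridge drivers. In the `debug!` call, `"same_network_verdict" => &self.same_network_verdict` logs the `Option` while the unwrapped `same_network_verdict` is already in scope; `"same_network_verdict" => &same_network_verdict` matches what the rule actually uses. The enclosing `process` method starts and ends outside the hunk.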
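Review bot: `pub same_network_verdict: Option,` as shown carries no type parameter and will not compile unless the angle-bracketed type was lost in rendering; whatever the type is, it has to be what `RuleBuilder::verdict` accepts in src/nftables/process.rs. The field is added with `#[allow(missing_docs)]` while every neighbouring field of `ContainerToContainer` is documented; replace the attribute with a doc comment along the lines of `/// Optional verdict applied to traffic between containers on the same network, added to the forward chain once per network bridge.` Since this verdict is applied to all same-bridge traffic, the comment should also state how it relates to `default_policy` and to the explicit `rules` list, because that ordering decides which one wins for a given packet.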
diff --git a/tests/types.rs b/tests/types.rs
index 8d646f52..476e3513 100644
--- a/tests/types.rs
+++ b/tests/types.rs
@@ -58,6 +58,7 @@ fn parse_conf_file() {
 };
 let container_to_container = ContainerToContainer {
 default_policy: ChainPolicy::Drop,
+ same_network_verdict: None,
 rules: Some(vec![ContainerToContainerRule {
 network: "network".to_owned(),
 src_container: Some("src_container".to_owned()),
@@ -161,6 +162,7 @@ fn parse_conf_path() {
 };
 let container_to_container = ContainerToContainer {
 default_policy: ChainPolicy::Drop,
+ same_network_verdict: None,
 rules: Some(vec![ContainerToContainerRule {
 network: "network".to_owned(),
 src_container: Some("src_container".to_owned()),
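Review bot: Both fixtures only pin `same_network_verdict: None`, so these tests confirm that the struct still deserializes when the key is absent but not that a configured verdict is parsed into `Some(...)`; the configuration files read by `parse_conf_file` and `parse_conf_path` are outside this diff, so I cannot tell whether either sets the key. One case with the key present in the fixture and the matching `Some(...)` in the expected struct would cover the new path, and the same applies to the second hunk in `parse_conf_path`. Both test functions start and end outside the hunks.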