From 5e34060735b93be498375093269615cbf606ecf5 Mon Sep 17 00:00:00 2001
From: David O'Rourke
Date: Wed, 20 Feb 2019 14:41:56 +0000
Subject: [PATCH 1/2] controller: Check if IPTables is enabled for arrangeUserFilterRule

This allows the `--iptables=false` argument to the `dockerd` to actually work.

Signed-off-by: David O'Rourke
---
 controller.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/controller.go b/controller.go
index 2896011dbf..b3985719aa 100644
--- a/controller.go
+++ b/controller.go
@@ -679,6 +679,29 @@ func (c *controller) isAgent() bool {
 	return c.cfg.Daemon.ClusterProvider.IsAgent()
 }
 
+func (c *controller) hasIPTablesEnabled() bool {
+	c.Lock()
+	defer c.Unlock()
+
+	if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
+		return false
+	}
+
+	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
+	if !ok {
+		return false
+	}
+
+	optMap := genericData.(map[string]interface{})
+
+	enabled, ok := optMap["EnableIPTables"].(bool)
+	if !ok {
+		return false
+	}
+
+	return enabled
+}
+
 func (c *controller) isDistributedControl() bool {
 	return !c.isManager() && !c.isAgent()
 }
@@ -902,7 +925,9 @@ addToStore:
 		c.Unlock()
 	}
 
-	c.arrangeUserFilterRule()
+	if c.hasIPTablesEnabled() {
+		c.arrangeUserFilterRule()
+	}
 
 	return network, nil
 }

From a232658db31d1736a38721ed8d6508977f0a0e3e Mon Sep 17 00:00:00 2001
From: David O'Rourke
Date: Mon, 29 Apr 2019 13:50:21 +0100
Subject: [PATCH 2/2] Move hasIPTablesEnabled check into firewall_linux.go

Signed-off-by: David O'Rourke
---
 controller.go     | 27 +--------------------------
 firewall_linux.go | 34 ++++++++++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 28 deletions(-)

diff --git a/controller.go b/controller.go
index b3985719aa..2896011dbf 100644
--- a/controller.go
+++ b/controller.go
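Review bot: The assertion `optMap := genericData.(map[string]interface{})` in the new hasIPTablesEnabled is unchecked, so a GenericData value of any other type panics the caller instead of being treated as iptables-disabled; use the two-value form, `optMap, ok := genericData.(map[string]interface{})` followed by `if !ok { return false }`. The second lookup `genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]` and its `if !ok` can never fail once the nil test on the preceding line has passed (a missing key yields nil, which that test already rejects), so the two lookups can be folded into one checked assertion. The same pattern is carried over unchanged into the firewall_linux.go hunk of PATCH 2/2, where the fix should land since that is the surviving copy.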
@@ -679,29 +679,6 @@ func (c *controller) isAgent() bool {
 	return c.cfg.Daemon.ClusterProvider.IsAgent()
 }
 
-func (c *controller) hasIPTablesEnabled() bool {
-	c.Lock()
-	defer c.Unlock()
-
-	if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
-		return false
-	}
-
-	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
-	if !ok {
-		return false
-	}
-
-	optMap := genericData.(map[string]interface{})
-
-	enabled, ok := optMap["EnableIPTables"].(bool)
-	if !ok {
-		return false
-	}
-
-	return enabled
-}
-
 func (c *controller) isDistributedControl() bool {
 	return !c.isManager() && !c.isAgent()
 }
@@ -925,9 +902,7 @@ addToStore:
 		c.Unlock()
 	}
 
-	if c.hasIPTablesEnabled() {
-		c.arrangeUserFilterRule()
-	}
+	c.arrangeUserFilterRule()
 
 	return network, nil
 }
diff --git a/firewall_linux.go b/firewall_linux.go
index 54f9621f81..d27f60ca0c 100644
--- a/firewall_linux.go
+++ b/firewall_linux.go
@@ -2,6 +2,7 @@ package libnetwork
 
 import (
 	"github.com/docker/libnetwork/iptables"
+	"github.com/docker/libnetwork/netlabel"
 	"github.com/sirupsen/logrus"
 )
 
@@ -9,15 +10,44 @@ const userChain = "DOCKER-USER"
 
 func (c *controller) arrangeUserFilterRule() {
 	c.Lock()
-	arrangeUserFilterRule()
+
+	if c.hasIPTablesEnabled() {
+		arrangeUserFilterRule()
+	}
+
 	c.Unlock()
+
 	iptables.OnReloaded(func() {
 		c.Lock()
-		arrangeUserFilterRule()
+
+		if c.hasIPTablesEnabled() {
+			arrangeUserFilterRule()
+		}
+
 		c.Unlock()
 	})
 }
 
+func (c *controller) hasIPTablesEnabled() bool {
+	// Locking c should be handled in the calling method.
+	if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
+		return false
+	}
+
+	genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData]
+	if !ok {
+		return false
+	}
+
+	optMap := genericData.(map[string]interface{})
+	enabled, ok := optMap["EnableIPTables"].(bool)
+	if !ok {
+		return false
+	}
+
+	return enabled
+}
+
 // This chain allow users to configure firewall policies in a way that persists
 // docker operations/restarts. Docker will not delete or modify any pre-existing
 // rules from the DOCKER-USER filter chain.
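Review bot: hasIPTablesEnabled has no doc comment stating its contract, and its fail-closed default deserves spelling out: a nil cfg, a missing GenericData entry, a missing "EnableIPTables" key or a non-bool value all yield false, which means arrangeUserFilterRule silently skips managing the DOCKER-USER chain for any embedder that does not populate that key. Suggest replacing the lone locking remark with a doc comment along the lines of `// hasIPTablesEnabled reports whether the driver config's GenericData map has EnableIPTables set to true; a missing or differently typed value counts as disabled. The caller must hold c's lock.` so both the default and the locking requirement are visible at the call sites in arrangeUserFilterRule and its OnReloaded callback.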