root / manifests / rules / docker_ce.pp @ c94658e1
Historique | Voir | Annoter | Télécharger (3,93 ko)
| 1 |
# @summary Default firewall configuration for Docker-CE |
|---|---|
| 2 |
# |
| 3 |
# The configuration distributed in this class represents the default firewall |
| 4 |
# configuration done by docker-ce when the iptables integration is enabled. |
| 5 |
# |
| 6 |
# This class is needed as the default docker-ce rules added to ip-filter conflict |
| 7 |
# with the inet-filter forward rules set by default in this module. |
| 8 |
# |
| 9 |
# When using this class 'docker::iptables: false' should be set. |
| 10 |
# |
| 11 |
# @param docker_interface |
| 12 |
# Interface name used by docker. |
| 13 |
# @param docker_prefix |
| 14 |
# The address space used by docker. |
| 15 |
# @param manage_docker_chains |
| 16 |
# Flag to control whether the class should create the docker related chains. |
| 17 |
# @param manage_base_chains |
| 18 |
# Flag to control whether the class should create the base common chains. |
| 19 |
class nftables::rules::docker_ce ( |
| 20 |
String[1] $docker_interface = 'docker0', |
| 21 |
Stdlib::IP::Address::V4::CIDR $docker_prefix = '172.17.0.0/16', |
| 22 |
Boolean $manage_docker_chains = true, |
| 23 |
Boolean $manage_base_chains = true, |
| 24 |
) {
|
| 25 |
# |
| 26 |
# inet-filter |
| 27 |
# |
| 28 |
if $manage_docker_chains {
|
| 29 |
nftables::chain {
|
| 30 |
'DOCKER': ; |
| 31 |
'DOCKER_ISOLATION_STAGE_1': ; |
| 32 |
'DOCKER_ISOLATION_STAGE_2': ; |
| 33 |
'DOCKER_USER': ; |
| 34 |
} |
| 35 |
} |
| 36 |
|
| 37 |
nftables::rule {
|
| 38 |
'DOCKER_ISOLATION_STAGE_1-iifname': |
| 39 |
order => '01', |
| 40 |
content => "iifname \"${docker_interface}\" oifname != \"${docker_interface}\" counter jump DOCKER_ISOLATION_STAGE_2";
|
| 41 |
'DOCKER_ISOLATION_STAGE_1-counter': |
| 42 |
order => '02', |
| 43 |
content => 'counter return'; |
| 44 |
'DOCKER_ISOLATION_STAGE_2-drop': |
| 45 |
order => '01', |
| 46 |
content => "oifname \"${docker_interface}\" counter drop";
|
| 47 |
'DOCKER_ISOLATION_STAGE_2-counter': |
| 48 |
order => '02', |
| 49 |
content => 'counter return'; |
| 50 |
'DOCKER_USER-counter': |
| 51 |
order => '01', |
| 52 |
content => 'counter return', |
| 53 |
} |
| 54 |
|
| 55 |
nftables::rule {
|
| 56 |
'default_fwd-jump_docker_user': |
| 57 |
order => '40', |
| 58 |
content => 'counter jump DOCKER_USER'; |
| 59 |
'default_fwd-jump_docker_isolation_stage_1': |
| 60 |
order => '41', |
| 61 |
content => 'counter jump DOCKER_ISOLATION_STAGE_1'; |
| 62 |
'default_fwd-out_docker_accept': |
| 63 |
order => '42', |
| 64 |
content => "oifname \"${docker_interface}\" ct state established,related counter accept";
|
| 65 |
'default_fwd-jump_docker': |
| 66 |
order => '43', |
| 67 |
content => "oifname \"${docker_interface}\" counter jump DOCKER";
|
| 68 |
'default_fwd-idocker_onot_accept': |
| 69 |
order => '44', |
| 70 |
content => "iifname \"${docker_interface}\" oifname != \"${docker_interface}\" counter accept";
|
| 71 |
'default_fwd-idocker_odocker_accept': |
| 72 |
order => '45', |
| 73 |
content => "iifname \"${docker_interface}\" oifname \"${docker_interface}\" counter accept";
|
| 74 |
} |
| 75 |
|
| 76 |
# |
| 77 |
# ip-nat |
| 78 |
# |
| 79 |
|
| 80 |
if $manage_docker_chains {
|
| 81 |
nftables::chain {
|
| 82 |
'DOCKER-nat': |
| 83 |
table => 'ip-nat', |
| 84 |
chain => 'DOCKER'; |
| 85 |
} |
| 86 |
} |
| 87 |
|
| 88 |
if $manage_base_chains {
|
| 89 |
nftables::chain {
|
| 90 |
'OUTPUT-nat': |
| 91 |
table => 'ip-nat', |
| 92 |
chain => 'OUTPUT'; |
| 93 |
'INPUT-nat': |
| 94 |
table => 'ip-nat', |
| 95 |
chain => 'INPUT'; |
| 96 |
} |
| 97 |
} |
| 98 |
|
| 99 |
nftables::rule {
|
| 100 |
'POSTROUTING-docker': |
| 101 |
table => 'ip-nat', |
| 102 |
content => "oifname != \"${docker_interface}\" ip saddr ${docker_prefix} counter masquerade";
|
| 103 |
'PREROUTING-docker': |
| 104 |
table => 'ip-nat', |
| 105 |
content => 'fib daddr type local counter jump DOCKER'; |
| 106 |
'OUTPUT-jump_docker@ip-nat': |
| 107 |
rulename => 'OUTPUT-jump_docker', |
| 108 |
table => 'ip-nat', |
| 109 |
content => 'ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER'; |
| 110 |
'DOCKER-counter': |
| 111 |
table => 'ip-nat', |
| 112 |
content => "iifname \"${docker_interface}\" counter return";
|
| 113 |
'INPUT-type@ip-nat': |
| 114 |
rulename => 'INPUT-type', |
| 115 |
table => 'ip-nat', |
| 116 |
order => '01', |
| 117 |
content => 'type nat hook input priority 100'; |
| 118 |
'INPUT-policy@ip-nat': |
| 119 |
rulename => 'INPUT-policy', |
| 120 |
table => 'ip-nat', |
| 121 |
order => '02', |
| 122 |
content => 'policy accept'; |
| 123 |
} |
| 124 |
} |