root / manifests / rules / docker_ce.pp @ de3e7bb0
Historique | Voir | Annoter | Télécharger (3,93 ko)
| 1 | 6be2adf7 | Luis Fernández Álvarez | # @summary Default firewall configuration for Docker-CE |
|---|---|---|---|
| 2 | # |
||
| 3 | # The configuration distributed in this class represents the default firewall |
||
| 4 | # configuration done by docker-ce when the iptables integration is enabled. |
||
| 5 | # |
||
| 6 | # This class is needed as the default docker-ce rules added to ip-filter conflict |
||
| 7 | # with the inet-filter forward rules set by default in this module. |
||
| 8 | # |
||
| 9 | # When using this class 'docker::iptables: false' should be set. |
||
| 10 | # |
||
| 11 | # @param docker_interface |
||
| 12 | 9dca9bc3 | Luis Fernández Álvarez | # Interface name used by docker. |
| 13 | 6be2adf7 | Luis Fernández Álvarez | # @param docker_prefix |
| 14 | 9dca9bc3 | Luis Fernández Álvarez | # The address space used by docker. |
| 15 | 1bf717d9 | Luis Fernández Álvarez | # @param manage_docker_chains |
| 16 | # Flag to control whether the class should create the docker related chains. |
||
| 17 | # @param manage_base_chains |
||
| 18 | # Flag to control whether the class should create the base common chains. |
||
| 19 | 6be2adf7 | Luis Fernández Álvarez | class nftables::rules::docker_ce ( |
| 20 | 1bf717d9 | Luis Fernández Álvarez | String[1] $docker_interface = 'docker0', |
| 21 | Stdlib::IP::Address::V4::CIDR $docker_prefix = '172.17.0.0/16', |
||
| 22 | Boolean $manage_docker_chains = true, |
||
| 23 | Boolean $manage_base_chains = true, |
||
| 24 | 6be2adf7 | Luis Fernández Álvarez | ) {
|
| 25 | # |
||
| 26 | # inet-filter |
||
| 27 | # |
||
| 28 | 1bf717d9 | Luis Fernández Álvarez | if $manage_docker_chains {
|
| 29 | nftables::chain {
|
||
| 30 | 'DOCKER': ; |
||
| 31 | 'DOCKER_ISOLATION_STAGE_1': ; |
||
| 32 | 'DOCKER_ISOLATION_STAGE_2': ; |
||
| 33 | 'DOCKER_USER': ; |
||
| 34 | } |
||
| 35 | 6be2adf7 | Luis Fernández Álvarez | } |
| 36 | |||
| 37 | nftables::rule {
|
||
| 38 | 'DOCKER_ISOLATION_STAGE_1-iifname': |
||
| 39 | order => '01', |
||
| 40 | content => "iifname \"${docker_interface}\" oifname != \"${docker_interface}\" counter jump DOCKER_ISOLATION_STAGE_2";
|
||
| 41 | 'DOCKER_ISOLATION_STAGE_1-counter': |
||
| 42 | order => '02', |
||
| 43 | content => 'counter return'; |
||
| 44 | 'DOCKER_ISOLATION_STAGE_2-drop': |
||
| 45 | order => '01', |
||
| 46 | content => "oifname \"${docker_interface}\" counter drop";
|
||
| 47 | 'DOCKER_ISOLATION_STAGE_2-counter': |
||
| 48 | order => '02', |
||
| 49 | content => 'counter return'; |
||
| 50 | 'DOCKER_USER-counter': |
||
| 51 | order => '01', |
||
| 52 | content => 'counter return', |
||
| 53 | } |
||
| 54 | |||
| 55 | nftables::rule {
|
||
| 56 | 'default_fwd-jump_docker_user': |
||
| 57 | order => '40', |
||
| 58 | content => 'counter jump DOCKER_USER'; |
||
| 59 | 'default_fwd-jump_docker_isolation_stage_1': |
||
| 60 | order => '41', |
||
| 61 | content => 'counter jump DOCKER_ISOLATION_STAGE_1'; |
||
| 62 | 'default_fwd-out_docker_accept': |
||
| 63 | order => '42', |
||
| 64 | content => "oifname \"${docker_interface}\" ct state established,related counter accept";
|
||
| 65 | 'default_fwd-jump_docker': |
||
| 66 | order => '43', |
||
| 67 | content => "oifname \"${docker_interface}\" counter jump DOCKER";
|
||
| 68 | 'default_fwd-idocker_onot_accept': |
||
| 69 | order => '44', |
||
| 70 | content => "iifname \"${docker_interface}\" oifname != \"${docker_interface}\" counter accept";
|
||
| 71 | 'default_fwd-idocker_odocker_accept': |
||
| 72 | order => '45', |
||
| 73 | content => "iifname \"${docker_interface}\" oifname \"${docker_interface}\" counter accept";
|
||
| 74 | } |
||
| 75 | |||
| 76 | # |
||
| 77 | # ip-nat |
||
| 78 | # |
||
| 79 | |||
| 80 | 1bf717d9 | Luis Fernández Álvarez | if $manage_docker_chains {
|
| 81 | nftables::chain {
|
||
| 82 | 'DOCKER-nat': |
||
| 83 | table => 'ip-nat', |
||
| 84 | chain => 'DOCKER'; |
||
| 85 | } |
||
| 86 | } |
||
| 87 | |||
| 88 | if $manage_base_chains {
|
||
| 89 | nftables::chain {
|
||
| 90 | 'OUTPUT-nat': |
||
| 91 | table => 'ip-nat', |
||
| 92 | chain => 'OUTPUT'; |
||
| 93 | 'INPUT-nat': |
||
| 94 | table => 'ip-nat', |
||
| 95 | chain => 'INPUT'; |
||
| 96 | } |
||
| 97 | 6be2adf7 | Luis Fernández Álvarez | } |
| 98 | |||
| 99 | nftables::rule {
|
||
| 100 | 'POSTROUTING-docker': |
||
| 101 | table => 'ip-nat', |
||
| 102 | content => "oifname != \"${docker_interface}\" ip saddr ${docker_prefix} counter masquerade";
|
||
| 103 | 'PREROUTING-docker': |
||
| 104 | table => 'ip-nat', |
||
| 105 | content => 'fib daddr type local counter jump DOCKER'; |
||
| 106 | 'OUTPUT-jump_docker@ip-nat': |
||
| 107 | c3515492 | Luis Fernández Álvarez | rulename => 'OUTPUT-jump_docker', |
| 108 | table => 'ip-nat', |
||
| 109 | content => 'ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER'; |
||
| 110 | 6be2adf7 | Luis Fernández Álvarez | 'DOCKER-counter': |
| 111 | table => 'ip-nat', |
||
| 112 | content => "iifname \"${docker_interface}\" counter return";
|
||
| 113 | 'INPUT-type@ip-nat': |
||
| 114 | rulename => 'INPUT-type', |
||
| 115 | table => 'ip-nat', |
||
| 116 | order => '01', |
||
| 117 | content => 'type nat hook input priority 100'; |
||
| 118 | 'INPUT-policy@ip-nat': |
||
| 119 | rulename => 'INPUT-policy', |
||
| 120 | table => 'ip-nat', |
||
| 121 | order => '02', |
||
| 122 | content => 'policy accept'; |
||
| 123 | } |
||
| 124 | } |