# File 'manifests/firewall/docker.pp', line 2
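# Firewall rules that reproduce the iptables entries the Docker daemon
# installs for its default bridge (docker0): accept forwarded bridge
# traffic in FORWARD, hand LOCAL-destined packets to the DOCKER nat chain,
# and masquerade container traffic that leaves through other interfaces.
#
# Every resource shares the '00100' ordering prefix, so their relative
# order is decided by the remainder of the title. Rules that must come
# before or after this set (for example a default FORWARD drop) need a
# different numeric prefix.
#
# Relies on the fact `network_docker0` (docker0 network address) and on a
# DOCKER chain already existing in the nat table; both are provided
# outside this class.
class weave::firewall::docker {
  # -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  firewall { '00100 accept related, established traffic returning to docker0 bridge in FORWARD chain':
    action   => 'accept',
    proto    => 'all',
    chain    => 'FORWARD',
    outiface => 'docker0',
    ctstate  => ['RELATED', 'ESTABLISHED'],
  }

  # -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
  # Accepts every protocol from containers towards any non-bridge interface.
  # Any egress restriction for containers must be ordered ahead of this rule.
  firewall { '00100 accept docker0 traffic to other interfaces on FORWARD chain':
    action   => 'accept',
    proto    => 'all',
    chain    => 'FORWARD',
    iniface  => 'docker0',
    outiface => '! docker0',
  }

  # -A FORWARD -i docker0 -o docker0 -j ACCEPT
  # Container-to-container traffic on the same bridge.
  firewall { '00100 accept docker0 to docker0 FORWARD traffic':
    action   => 'accept',
    proto    => 'all',
    chain    => 'FORWARD',
    iniface  => 'docker0',
    outiface => 'docker0',
  }

  # -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
  firewall { '00100 DOCKER table PREROUTING LOCAL traffic':
    dst_type => 'LOCAL',
    table    => 'nat',
    proto    => 'all',
    chain    => 'PREROUTING',
    jump     => 'DOCKER',
  }

  # -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
  # The loopback exclusion uses the network address (127.0.0.0/8), which is
  # the form the documented rule and iptables itself use; the previous
  # host form (127.0.0.1/8) described the same range but did not match the
  # rule as written and risked a never-converging resource.
  firewall { '00100 DOCKER chain, route LOCAL non-loopback traffic to DOCKER':
    table       => 'nat',
    dst_type    => 'LOCAL',
    chain       => 'OUTPUT',
    proto       => 'all',
    destination => '! 127.0.0.0/8',
    jump        => 'DOCKER',
  }

  # -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
  # NOTE(review): the network address comes from the fact but the /16
  # prefix length is hard-coded; confirm it matches the configured docker0
  # subnet (a custom bridge IP may use a different prefix) before relying
  # on this rule.
  firewall { '00100 DOCKER chain, MASQUERADE docker bridge traffic not bound to docker bridge':
    table    => 'nat',
    chain    => 'POSTROUTING',
    proto    => 'all',
    source   => "${::network_docker0}/16",
    outiface => '! docker0',
    jump     => 'MASQUERADE',
  }
}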