Puppet Class: nftables::rules::docker_ce
- Defined in:
- manifests/rules/docker_ce.pp
Summary
Default firewall configuration for Docker-CE
Overview
The configuration distributed in this class represents the default firewall configuration done by docker-ce when the iptables integration is enabled.
This class is needed because the rules docker-ce installs on its own (in the ip family filter table, via iptables) conflict with the forward rules this module sets by default in its inet filter table.
When using this class, set `docker::iptables: false` so that docker-ce does not also install its own iptables rules alongside the ones declared here.
# File 'manifests/rules/docker_ce.pp', line 19
# @summary Default firewall configuration for Docker-CE
#
# Declares, as puppet-nftables resources, the ruleset docker-ce installs on
# its own when its iptables integration is enabled: the DOCKER* chains and the
# jumps into them from the default forward chain (inet filter table), plus the
# masquerade / published-port plumbing in the ip nat table. Use it together
# with `docker::iptables: false` so docker-ce does not manage a competing
# iptables ruleset.
#
# Operator notes (review):
#  * The DOCKER chain of the inet filter table is declared empty: this class
#    adds no rules to it, so the per-port accept rules docker would normally
#    generate for published ports have to come from elsewhere.
#  * DOCKER_USER holds only `counter return` at order '01'. A filtering rule
#    placed in that chain has to sort before it (presumably a lower order
#    value such as '00'), otherwise it is never evaluated.
#  * The OUTPUT chain created in the nat table receives a jump rule but no
#    `type nat hook output` / policy rule from this class; unless that base
#    chain definition is provided elsewhere the jump is never hooked —
#    verify against the rest of the module.
#
# @param docker_interface
#   Bridge interface docker-ce uses. The value is interpolated verbatim into
#   nft rule text (double-quoted), so it must be a plain interface name.
# @param docker_prefix
#   IPv4 prefix of the docker bridge network; source match of the masquerade
#   rule.
# @param manage_docker_chains
#   Declare the DOCKER, DOCKER_ISOLATION_STAGE_1/2 and DOCKER_USER chains
#   (inet filter) and the DOCKER chain (ip nat) from this class.
# @param manage_base_chains
#   Declare the OUTPUT and INPUT chains of the ip nat table from this class.
class nftables::rules::docker_ce (
  String[1]                     $docker_interface     = 'docker0',
  Stdlib::IP::Address::V4::CIDR $docker_prefix        = '172.17.0.0/16',
  Boolean                       $manage_docker_chains = true,
  Boolean                       $manage_base_chains   = true,
) {
  # Table the nat resources go into, and the interface name as it appears in
  # nft rule text (double-quoted).
  $nat_table = "ip-${nftables::nat_table_name}"
  $bridge    = "\"${docker_interface}\""

  # ---------------------------------------------------------------------
  # inet filter: docker's chains and the jumps from the default forward chain
  # ---------------------------------------------------------------------
  if $manage_docker_chains {
    ['DOCKER', 'DOCKER_ISOLATION_STAGE_1', 'DOCKER_ISOLATION_STAGE_2', 'DOCKER_USER'].each |String $chain| {
      nftables::chain { $chain: }
    }
  }

  # Isolation stage 1: traffic leaving the bridge for another interface is
  # handed to stage 2; everything else returns.
  nftables::rule { 'DOCKER_ISOLATION_STAGE_1-iifname':
    order   => '01',
    content => "iifname ${bridge} oifname != ${bridge} counter jump DOCKER_ISOLATION_STAGE_2",
  }
  nftables::rule { 'DOCKER_ISOLATION_STAGE_1-counter':
    order   => '02',
    content => 'counter return',
  }

  # Isolation stage 2: drop what is headed back into the bridge, return
  # otherwise.
  nftables::rule { 'DOCKER_ISOLATION_STAGE_2-drop':
    order   => '01',
    content => "oifname ${bridge} counter drop",
  }
  nftables::rule { 'DOCKER_ISOLATION_STAGE_2-counter':
    order   => '02',
    content => 'counter return',
  }

  # DOCKER_USER: the chain meant for operator rules; by itself it only returns.
  nftables::rule { 'DOCKER_USER-counter':
    order   => '01',
    content => 'counter return',
  }

  # Default forward chain, orders 40-45, in the sequence docker-ce uses:
  # user chain, isolation, established/related back into the bridge, the
  # DOCKER chain for published ports, then container-originated traffic.
  nftables::rule { 'default_fwd-jump_docker_user':
    order   => '40',
    content => 'counter jump DOCKER_USER',
  }
  nftables::rule { 'default_fwd-jump_docker_isolation_stage_1':
    order   => '41',
    content => 'counter jump DOCKER_ISOLATION_STAGE_1',
  }
  nftables::rule { 'default_fwd-out_docker_accept':
    order   => '42',
    content => "oifname ${bridge} ct state established,related counter accept",
  }
  nftables::rule { 'default_fwd-jump_docker':
    order   => '43',
    content => "oifname ${bridge} counter jump DOCKER",
  }
  # Containers may forward to any other interface and to each other; the
  # DOCKER_USER chain above is the place to narrow this.
  nftables::rule { 'default_fwd-idocker_onot_accept':
    order   => '44',
    content => "iifname ${bridge} oifname != ${bridge} counter accept",
  }
  nftables::rule { 'default_fwd-idocker_odocker_accept':
    order   => '45',
    content => "iifname ${bridge} oifname ${bridge} counter accept",
  }

  # ---------------------------------------------------------------------
  # ip nat: masquerade for the bridge prefix and the DOCKER DNAT chain
  # ---------------------------------------------------------------------
  if $manage_docker_chains {
    nftables::chain { "DOCKER-${nftables::nat_table_name}":
      table => $nat_table,
      chain => 'DOCKER',
    }
  }

  if $manage_base_chains {
    nftables::chain { "OUTPUT-${nftables::nat_table_name}":
      table => $nat_table,
      chain => 'OUTPUT',
    }
    nftables::chain { "INPUT-${nftables::nat_table_name}":
      table => $nat_table,
      chain => 'INPUT',
    }
  }

  # Source NAT for everything leaving the bridge prefix via another interface.
  nftables::rule { 'POSTROUTING-docker':
    table   => $nat_table,
    content => "oifname != ${bridge} ip saddr ${docker_prefix} counter masquerade",
  }
  # Incoming traffic for a local address is offered to the DOCKER chain
  # (where port-publishing DNAT rules would live).
  nftables::rule { 'PREROUTING-docker':
    table   => $nat_table,
    content => 'fib daddr type local counter jump DOCKER',
  }
  # Same for locally originated traffic, excluding loopback destinations.
  nftables::rule { "OUTPUT-jump_docker@${nat_table}":
    rulename => 'OUTPUT-jump_docker',
    table    => $nat_table,
    content  => 'ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER',
  }
  # Traffic that already came in over the bridge is not DNATed again.
  nftables::rule { 'DOCKER-counter':
    table   => $nat_table,
    content => "iifname ${bridge} counter return",
  }

  # INPUT base chain of the nat table, accept by default.
  nftables::rule { "INPUT-type@${nat_table}":
    rulename => 'INPUT-type',
    table    => $nat_table,
    order    => '01',
    content  => 'type nat hook input priority 100',
  }
  nftables::rule { "INPUT-policy@${nat_table}":
    rulename => 'INPUT-policy',
    table    => $nat_table,
    order    => '02',
    content  => 'policy accept',
  }
}