procd_add_reload_trigger 'dockerd'
}
-add_docker_firewall_rules() {
- . /lib/functions/network.sh
- local device interface="${1}"
-
- # Ignore errors as it might already be present
- iptables --table filter --new DOCKER-USER 2>/dev/null
- network_get_physdev device "${interface}"
- if ! iptables --table filter --check DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP 2>/dev/null; then
- iptables --table filter --insert DOCKER-USER --in-interface "${device}" --out-interface docker0 --jump DROP
- fi
+iptables_add_blocking_rule() {
+ local cfg="$1"
+
+ local device=""
+
+ handle_iptables_rule() {
+ local interface="$1"
+ local outbound="$2"
+
+ local inbound=""
+
+ . /lib/functions/network.sh
+ network_get_physdev inbound "${interface}"
+
+ [ -z "$inbound" ] && {
+ logger -t "dockerd-init" -p notice "Unable to get physical device for interface ${interface}"
+ return
+ }
+
+ if ! iptables --table filter --check DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP 2>/dev/null; then
+ logger -t "dockerd-init" -p notice "Drop traffic from ${inbound} to ${outbound}"
+ iptables --table filter --insert DOCKER-USER --in-interface "${inbound}" --out-interface "${outbound}" --jump DROP
+ fi
+ }
+
+ config_get device "$cfg" device
+
+ [ -z "$device" ] && {
+ logger -t "dockerd-init" -p notice "No device configured for ${cfg}"
+ return
+ }
+
+ config_list_foreach "$cfg" blocked_interfaces handle_iptables_rule "$device"
}
ip4tables_remove_nat() {
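Review bot: The rewritten function no longer creates the DOCKER-USER chain before the `--check`/`--insert` pair in handle_iptables_rule, so if the chain does not exist yet when this runs, both calls fail and the DROP rule is never installed. The removed code guarded against that with `iptables --table filter --new DOCKER-USER 2>/dev/null`; keep that line ahead of the check unless the chain is created in a part of the commit not shown here. The exit status of the `--insert` is also ignored, so a failed insert leaves the container network reachable from the blocked interface with nothing in the log; appending `|| logger -t "dockerd-init" -p err "Failed to block ${inbound} -> ${outbound}"` would surface it. The two early returns (empty `inbound`, empty `device`) also skip the rule and log only at notice priority. Because the old code hard-coded docker0, `config_get device "$cfg" device docker0` would keep existing configurations that lack the new option protected after an upgrade.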
# Docker ignores fw3 rules and by default all external source IPs are allowed
# to connect to the Docker host. See https://docs.docker.com/network/iptables/
config firewall 'firewall'
+ option device 'docker0'
list blocked_interfaces 'wan'