Repository: moby

Commit 0274c63

Merge pull request #49518 from robmry/docker_forward_chain
Add chain DOCKER-FORWARD

Parents: f344ab1 + 341cafa

36 files changed: +424 -176 lines

integration-cli/docker_cli_daemon_test.go

Lines changed: 3 additions & 2 deletions
@@ -30,6 +30,7 @@ import (
3030
"github.com/docker/docker/integration-cli/cli"
3131
"github.com/docker/docker/integration-cli/cli/build"
3232
"github.com/docker/docker/integration-cli/daemon"
33+
"github.com/docker/docker/libnetwork/drivers/bridge"
3334
"github.com/docker/docker/libnetwork/iptables"
3435
"github.com/docker/docker/opts"
3536
"github.com/docker/docker/testutil"
@@ -718,7 +719,7 @@ func (s *DockerDaemonSuite) TestDaemonICCPing(c *testing.T) {
718719
d.StartWithBusybox(testutil.GetContext(c),c,"--bridge",bridgeName,"--icc=false")
719720
deferd.Restart(c)
720721

721-
result:=icmd.RunCommand("sh","-c","iptables -vLFORWARD | grep DROP")
722+
result:=icmd.RunCommand("sh","-c","iptables -vL"+bridge.DockerForwardChain+" | grep DROP")
722723
result.Assert(c,icmd.Success)
723724

724725
// strip whitespace and newlines to verify we only found a single DROP
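Review bot: `iptables -vL` without `-n` resolves addresses to names, which can stall this test on a host without working DNS; since the assertion only counts DROP targets, `iptables -nvL ` + bridge.DockerForwardChain is the safer form. The identical command string is repeated in TestDaemonICCLinkExpose in the next hunk, so a small helper that lists the chain and returns the DROP count would keep the chain name and flags in one place.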
@@ -769,7 +770,7 @@ func (s *DockerDaemonSuite) TestDaemonICCLinkExpose(c *testing.T) {
769770
d.StartWithBusybox(testutil.GetContext(c),c,"--bridge",bridgeName,"--icc=false")
770771
deferd.Restart(c)
771772

772-
result:=icmd.RunCommand("sh","-c","iptables -vLFORWARD | grep DROP")
773+
result:=icmd.RunCommand("sh","-c","iptables -vL"+bridge.DockerForwardChain+" | grep DROP")
773774
result.Assert(c,icmd.Success)
774775

775776
// strip whitespace and newlines to verify we only found a single DROP

integration/network/bridge/iptablesdoc/generated/new-daemon.md

Lines changed: 29 additions & 12 deletions
@@ -11,10 +11,7 @@ Table `filter`:
1111
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
1212
num pkts bytes target prot opt in out source destination
1313
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
14-
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
15-
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
16-
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
17-
5 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
14+
2 0 0 DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
1815

1916
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
2017
num pkts bytes target prot opt in out source destination
@@ -23,6 +20,13 @@ Table `filter`:
2320
num pkts bytes target prot opt in out source destination
2421
1 0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
2522

23+
Chain DOCKER-FORWARD (1 references)
24+
num pkts bytes target prot opt in out source destination
25+
1 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
26+
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
27+
3 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
28+
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
29+
2630
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
2731
num pkts bytes target prot opt in out source destination
2832
1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
@@ -43,15 +47,17 @@ Table `filter`:
4347
-P FORWARD ACCEPT
4448
-P OUTPUT ACCEPT
4549
-N DOCKER
50+
-N DOCKER-FORWARD
4651
-N DOCKER-ISOLATION-STAGE-1
4752
-N DOCKER-ISOLATION-STAGE-2
4853
-N DOCKER-USER
4954
-A FORWARD -j DOCKER-USER
50-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
51-
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
52-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
53-
-A FORWARD -i docker0 -j ACCEPT
55+
-A FORWARD -j DOCKER-FORWARD
5456
-A DOCKER ! -i docker0 -o docker0 -j DROP
57+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
58+
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
59+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
60+
-A DOCKER-FORWARD -i docker0 -j ACCEPT
5561
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
5662
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
5763
-A DOCKER-USER -j RETURN
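Review bot: `-P FORWARD ACCEPT` is unchanged and DOCKER-FORWARD has no terminal rule, so anything that falls through DOCKER-FORWARD (including packets that reach user rules appended after `-A FORWARD -j DOCKER-FORWARD` and match none of them) is still forwarded by policy; the doc should say that moving the rules into their own chain does not change that default. The listing also keeps a dependency worth stating: the jump to DOCKER, which holds the bridge's default-deny `-A DOCKER ! -i docker0 -o docker0 -j DROP`, is only taken when the destination matches `docker-ext-bridges-v4`, so a bridge subnet missing from that set would skip the DROP and be accepted by policy. Not introduced by this change, but anyone auditing these rules needs to know the ipset is what gates the DOCKER chain.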
@@ -76,18 +82,29 @@ The FORWARD chain rules are numbered in the output above, they are:
7682
Docker won't add rules to the DOCKER-USER chain, it's only for user-defined rules.
7783
It's (mostly) kept at the top of the by deleting it and re-creating after each
7884
new network is created, while traffic may be running for other networks.
79-
2. Early ACCEPT for any RELATED,ESTABLISHED traffic to a docker bridge. This rule
85+
2. Unconditional jump to DOCKER-FORWARD.
86+
This is set up by libnetwork, in[setupUserChain][10].
87+
88+
Once the daemon has initialised, it doesn't touch these rules. Users are free to
89+
append rules to the FORWARD chain, and they'll run after DOCKER's rules (or to
90+
the DOCKER-USER chain, for rules that run before DOCKER's).
91+
92+
The DOCKER-FORWARD chain contains the first stage of Docker's filter rules. Initial
93+
rules are inserted at the top of the table, then not touched. Per-network rules
94+
are appended.
95+
96+
1. Early ACCEPT for any RELATED,ESTABLISHED traffic to a docker bridge. This rule
8097
matches against an`ipset` called`docker-ext-bridges-v4` (`v6` for IPv6). The
8198
set contains the CIDR address of each docker network, and it is updated as networks
8299
are created and deleted. This rule is created during driver initialisation, in
83100
`setupIPChains`.
84-
3. Unconditional jump to DOCKER-ISOLATION-STAGE-1.
101+
2. Unconditional jump to DOCKER-ISOLATION-STAGE-1.
85102
Also created during driver initialisation, in`setupIPChains`.
86-
4. Jump to DOCKER, for any packet destined for any bridge network, identified by
103+
3. Jump to DOCKER, for any packet destined for any bridge network, identified by
87104
matching against the`docker-ext-bridge-v[46]` set.
88105
Also created during driver initialisation, in`setupIPChains`.
89106
The DOCKER chain implements per-port/protocol filtering for each container.
90-
5. ACCEPT any packet leaving a network, set up when the network is created, in
107+
4. ACCEPT any packet leaving a network, set up when the network is created, in
91108
`setupIPTablesInternal`. Note that this accepts any packet leaving the
92109
network that's made it through the DOCKER and isolation chains, whether the
93110
destination is external or another network.
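Review bot: "Once the daemon has initialised, it doesn't touch these rules" conflicts with the unchanged context a few lines above, which says the DOCKER-USER jump is deleted and re-created after each new network is created; qualify one of the two (for example, that only the DOCKER-USER jump is re-created and the DOCKER-FORWARD jump is left alone). "Users are free to append rules to the FORWARD chain, and they'll run after DOCKER's rules" also needs a caveat: DOCKER-FORWARD rules 1 and 4 (`ACCEPT ... ctstate RELATED,ESTABLISHED` to a bridge subnet, and `-A DOCKER-FORWARD -i docker0 -j ACCEPT`) are terminating, so appended FORWARD rules only see packets that fell through DOCKER-FORWARD, never traffic Docker has already accepted; a rule that must see all bridge traffic still belongs in DOCKER-USER. Minor wording in the same hunk: "kept at the top of the by deleting it" is missing "chain", and "inserted at the top of the table" should read "chain".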

integration/network/bridge/iptablesdoc/generated/swarm-portmap.md

Lines changed: 19 additions & 13 deletions
@@ -13,12 +13,7 @@ The filter table is:
1313
num pkts bytes target prot opt in out source destination
1414
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
1515
2 0 0 DOCKER-INGRESS 0 -- * * 0.0.0.0/0 0.0.0.0/0
16-
3 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
17-
4 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
18-
5 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
19-
6 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
20-
7 0 0 DROP 0 -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0
21-
8 0 0 ACCEPT 0 -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
16+
3 0 0 DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
2217

2318
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
2419
num pkts bytes target prot opt in out source destination
@@ -28,6 +23,15 @@ The filter table is:
2823
1 0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
2924
2 0 0 DROP 0 -- !docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0
3025

26+
Chain DOCKER-FORWARD (1 references)
27+
num pkts bytes target prot opt in out source destination
28+
1 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
29+
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
30+
3 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
31+
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
32+
5 0 0 DROP 0 -- docker_gwbridge docker_gwbridge 0.0.0.0/0 0.0.0.0/0
33+
6 0 0 ACCEPT 0 -- docker_gwbridge !docker_gwbridge 0.0.0.0/0 0.0.0.0/0
34+
3135
Chain DOCKER-INGRESS (1 references)
3236
num pkts bytes target prot opt in out source destination
3337
1 0 0 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
@@ -56,20 +60,22 @@ The filter table is:
5660
-P FORWARD ACCEPT
5761
-P OUTPUT ACCEPT
5862
-N DOCKER
63+
-N DOCKER-FORWARD
5964
-N DOCKER-INGRESS
6065
-N DOCKER-ISOLATION-STAGE-1
6166
-N DOCKER-ISOLATION-STAGE-2
6267
-N DOCKER-USER
6368
-A FORWARD -j DOCKER-USER
6469
-A FORWARD -j DOCKER-INGRESS
65-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
66-
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
67-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
68-
-A FORWARD -i docker0 -j ACCEPT
69-
-A FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
70-
-A FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
70+
-A FORWARD -j DOCKER-FORWARD
7171
-A DOCKER ! -i docker0 -o docker0 -j DROP
7272
-A DOCKER ! -i docker_gwbridge -o docker_gwbridge -j DROP
73+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
74+
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
75+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
76+
-A DOCKER-FORWARD -i docker0 -j ACCEPT
77+
-A DOCKER-FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP
78+
-A DOCKER-FORWARD -i docker_gwbridge ! -o docker_gwbridge -j ACCEPT
7379
-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT
7480
-A DOCKER-INGRESS -p tcp -m tcp --sport 8080 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
7581
-A DOCKER-INGRESS -j RETURN
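Review bot: the two docker_gwbridge rules (`-A DOCKER-FORWARD -i docker_gwbridge -o docker_gwbridge -j DROP` and the `! -o docker_gwbridge -j ACCEPT` after it) keep their relative order, but the notes in the next hunk should spell out that DOCKER-INGRESS is still reached from FORWARD before DOCKER-FORWARD: `-A DOCKER-INGRESS -p tcp -m tcp --dport 8080 -j ACCEPT` therefore accepts published swarm ports before any per-bridge isolation or ICC rule runs, and a user who wants to filter ingress traffic has to do it from DOCKER-USER, not by appending to FORWARD.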
@@ -87,7 +93,7 @@ Note that:
8793
- There's a bridge network called`docker_gwbridge` for swarm ingress.
8894
- Its rules follow the usual pattern for a network with inter-container communication disabled.
8995
- There's an additional chain`DOCKER-INGRESS`.
90-
- The jump to`DOCKER-INGRESS` is in the`FORWARD` chain, after the jump to`DOCKER-USER`.
96+
- The jump to`DOCKER-INGRESS` is in the`FORWARD` chain.
9197

9298
And the corresponding nat table:
9399
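Review bot: the removed clause "after the jump to DOCKER-USER" is still correct per the listing above (DOCKER-USER is FORWARD rule 1, DOCKER-INGRESS rule 2, DOCKER-FORWARD rule 3), and it is the ordering a user relies on when blocking ingress traffic from DOCKER-USER. If it was dropped because the ordering is no longer guaranteed (the DOCKER-USER jump is re-created as networks are added), say so explicitly; otherwise keep the clause, since silently removing it reads as if the guarantee went away.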

integration/network/bridge/iptablesdoc/generated/usernet-internal.md

Lines changed: 20 additions & 14 deletions
@@ -26,12 +26,7 @@ The filter table is updated as follows:
2626
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
2727
num pkts bytes target prot opt in out source destination
2828
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
29-
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
30-
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
31-
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
32-
5 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
33-
6 0 0 ACCEPT 0 -- bridgeICC bridgeICC 0.0.0.0/0 0.0.0.0/0
34-
7 0 0 DROP 0 -- bridgeNoICC bridgeNoICC 0.0.0.0/0 0.0.0.0/0
29+
2 0 0 DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
3530

3631
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
3732
num pkts bytes target prot opt in out source destination
@@ -40,6 +35,15 @@ The filter table is updated as follows:
4035
num pkts bytes target prot opt in out source destination
4136
1 0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
4237

38+
Chain DOCKER-FORWARD (1 references)
39+
num pkts bytes target prot opt in out source destination
40+
1 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
41+
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
42+
3 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
43+
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
44+
5 0 0 ACCEPT 0 -- bridgeICC bridgeICC 0.0.0.0/0 0.0.0.0/0
45+
6 0 0 DROP 0 -- bridgeNoICC bridgeNoICC 0.0.0.0/0 0.0.0.0/0
46+
4347
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
4448
num pkts bytes target prot opt in out source destination
4549
1 0 0 DROP 0 -- * bridgeNoICC !198.51.100.0/24 0.0.0.0/0
@@ -64,17 +68,19 @@ The filter table is updated as follows:
6468
-P FORWARD ACCEPT
6569
-P OUTPUT ACCEPT
6670
-N DOCKER
71+
-N DOCKER-FORWARD
6772
-N DOCKER-ISOLATION-STAGE-1
6873
-N DOCKER-ISOLATION-STAGE-2
6974
-N DOCKER-USER
7075
-A FORWARD -j DOCKER-USER
71-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
72-
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
73-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
74-
-A FORWARD -i docker0 -j ACCEPT
75-
-A FORWARD -i bridgeICC -o bridgeICC -j ACCEPT
76-
-A FORWARD -i bridgeNoICC -o bridgeNoICC -j DROP
76+
-A FORWARD -j DOCKER-FORWARD
7777
-A DOCKER ! -i docker0 -o docker0 -j DROP
78+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
79+
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
80+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
81+
-A DOCKER-FORWARD -i docker0 -j ACCEPT
82+
-A DOCKER-FORWARD -i bridgeICC -o bridgeICC -j ACCEPT
83+
-A DOCKER-FORWARD -i bridgeNoICC -o bridgeNoICC -j DROP
7884
-A DOCKER-ISOLATION-STAGE-1 ! -s 198.51.100.0/24 -o bridgeNoICC -j DROP
7985
-A DOCKER-ISOLATION-STAGE-1 ! -d 198.51.100.0/24 -i bridgeNoICC -j DROP
8086
-A DOCKER-ISOLATION-STAGE-1 ! -s 192.0.2.0/24 -o bridgeICC -j DROP
@@ -88,15 +94,15 @@ The filter table is updated as follows:
8894

8995
By comparison with the[network with external access][1]:
9096

91-
- In the FORWARD chain, there is no ACCEPT rule for outgoing packets (`-i bridgeINC`).
97+
- In theDOCKER-FORWARD chain, there is no ACCEPT rule for outgoing packets (`-i bridgeINC`).
9298
- There are no rules for this network in the DOCKER chain.
9399
- In DOCKER-ISOLATION-STAGE-1:
94100
- Rule 1 drops any packet routed to the network that does not have a source address in the network's subnet.
95101
- Rule 2 drops any packet routed out of the network that does not have a dest address in the network's subnet.
96102
- There is no jump to DOCKER-ISOLATION-STAGE-2.
97103
- DOCKER-ISOLATION-STAGE-2 is unused.
98104

99-
The only difference between`bridgeICC` and`bridgeNoICC` is the rule in the FORWARD
105+
The only difference between`bridgeICC` and`bridgeNoICC` is the rule in theDOCKER-FORWARD
100106
chain. To enable ICC, the rule for packets looping through the bridge is ACCEPT. For
101107
no-ICC it's DROP.
102108
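Review bot: the rewritten line still refers to `-i bridgeINC`, but the networks in this document are `bridgeICC` and `bridgeNoICC`, and the rule being contrasted is the per-network `-A DOCKER-FORWARD -i <bridge> -j ACCEPT` (compare `-A DOCKER-FORWARD -i docker0 -j ACCEPT` in the listing above); since the line is touched anyway, name the bridge correctly so the comparison with the external-access network is unambiguous.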

integration/network/bridge/iptablesdoc/generated/usernet-portmap-lo.md

Lines changed: 16 additions & 10 deletions
@@ -18,11 +18,7 @@ The filter and nat tables are identical to [nat mode][0]:
1818
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
1919
num pkts bytes target prot opt in out source destination
2020
1 0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
21-
2 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
22-
3 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
23-
4 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
24-
5 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
25-
6 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
21+
2 0 0 DOCKER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0
2622

2723
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
2824
num pkts bytes target prot opt in out source destination
@@ -33,6 +29,14 @@ The filter and nat tables are identical to [nat mode][0]:
3329
2 0 0 DROP 0 -- !docker0 docker0 0.0.0.0/0 0.0.0.0/0
3430
3 0 0 DROP 0 -- !bridge1 bridge1 0.0.0.0/0 0.0.0.0/0
3531

32+
Chain DOCKER-FORWARD (1 references)
33+
num pkts bytes target prot opt in out source destination
34+
1 0 0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst ctstate RELATED,ESTABLISHED
35+
2 0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
36+
3 0 0 DOCKER 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set docker-ext-bridges-v4 dst
37+
4 0 0 ACCEPT 0 -- docker0 * 0.0.0.0/0 0.0.0.0/0
38+
5 0 0 ACCEPT 0 -- bridge1 * 0.0.0.0/0 0.0.0.0/0
39+
3640
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
3741
num pkts bytes target prot opt in out source destination
3842
1 0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
@@ -52,18 +56,20 @@ The filter and nat tables are identical to [nat mode][0]:
5256
-P FORWARD ACCEPT
5357
-P OUTPUT ACCEPT
5458
-N DOCKER
59+
-N DOCKER-FORWARD
5560
-N DOCKER-ISOLATION-STAGE-1
5661
-N DOCKER-ISOLATION-STAGE-2
5762
-N DOCKER-USER
5863
-A FORWARD -j DOCKER-USER
59-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
60-
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
61-
-A FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
62-
-A FORWARD -i docker0 -j ACCEPT
63-
-A FORWARD -i bridge1 -j ACCEPT
64+
-A FORWARD -j DOCKER-FORWARD
6465
-A DOCKER -d 192.0.2.2/32 ! -i bridge1 -o bridge1 -p tcp -m tcp --dport 80 -j ACCEPT
6566
-A DOCKER ! -i docker0 -o docker0 -j DROP
6667
-A DOCKER ! -i bridge1 -o bridge1 -j DROP
68+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
69+
-A DOCKER-FORWARD -j DOCKER-ISOLATION-STAGE-1
70+
-A DOCKER-FORWARD -m set --match-set docker-ext-bridges-v4 dst -j DOCKER
71+
-A DOCKER-FORWARD -i docker0 -j ACCEPT
72+
-A DOCKER-FORWARD -i bridge1 -j ACCEPT
6773
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
6874
-A DOCKER-ISOLATION-STAGE-1 -i bridge1 ! -o bridge1 -j DOCKER-ISOLATION-STAGE-2
6975
-A DOCKER-ISOLATION-STAGE-2 -o bridge1 -j DROP

0 commit comments
