libnetwork/firewall_linux.go - third_party/github.com/moby/moby - Git at Google

 package libnetwork

 import (
 	"github.com/docker/docker/libnetwork/iptables"
 	"github.com/sirupsen/logrus"
 )

 const userChain = "DOCKER-USER"

 var ctrl *Controller

 func setupArrangeUserFilterRule(c *Controller) {
 	ctrl = c
 	iptables.OnReloaded(arrangeUserFilterRule)
 }

 // This chain allow users to configure firewall policies in a way that persists
 // docker operations/restarts. Docker will not delete or modify any pre-existing
 // rules from the DOCKER-USER filter chain.
 // Note once DOCKER-USER chain is created, docker engine does not remove it when
 // IPTableForwarding is disabled, because it contains rules configured by user that
 // are beyond docker engine's control.
 func arrangeUserFilterRule() {
 	if ctrl == nil {
 		return
 	}

 	conds := []struct {
 		ipVer iptables.IPVersion
 		cond  bool
 	}{
 		{ipVer: iptables.IPv4, cond: ctrl.iptablesEnabled()},
 		{ipVer: iptables.IPv6, cond: ctrl.ip6tablesEnabled()},
 	}

 	for _, ipVerCond := range conds {
 		cond := ipVerCond.cond
 		if !cond {
 			continue
 		}

 		ipVer := ipVerCond.ipVer
 		iptable := iptables.GetIptable(ipVer)
 		_, err := iptable.NewChain(userChain, iptables.Filter, false)
 		if err != nil {
 			logrus.WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
 			return
 		}

 		if err = iptable.AddReturnRule(userChain); err != nil {
 			logrus.WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
 			return
 		}

 		err = iptable.EnsureJumpRule("FORWARD", userChain)
 		if err != nil {
 			logrus.WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
 		}
 	}
 }
	package libnetwork

	import (
	"github.com/docker/docker/libnetwork/iptables"
	"github.com/sirupsen/logrus"
	)

	const userChain = "DOCKER-USER"

	var ctrl *Controller

	func setupArrangeUserFilterRule(c *Controller) {
	ctrl = c
	iptables.OnReloaded(arrangeUserFilterRule)
	}

	// This chain allow users to configure firewall policies in a way that persists
	// docker operations/restarts. Docker will not delete or modify any pre-existing
	// rules from the DOCKER-USER filter chain.
	// Note once DOCKER-USER chain is created, docker engine does not remove it when
	// IPTableForwarding is disabled, because it contains rules configured by user that
	// are beyond docker engine's control.
	func arrangeUserFilterRule() {
	if ctrl == nil {
	return
	}

	conds := []struct {
	ipVer iptables.IPVersion
	cond bool
	}{
	{ipVer: iptables.IPv4, cond: ctrl.iptablesEnabled()},
	{ipVer: iptables.IPv6, cond: ctrl.ip6tablesEnabled()},
	}

	for _, ipVerCond := range conds {
	cond := ipVerCond.cond
	if !cond {
	continue
	}

	ipVer := ipVerCond.ipVer
	iptable := iptables.GetIptable(ipVer)
	_, err := iptable.NewChain(userChain, iptables.Filter, false)
	if err != nil {
	logrus.WithError(err).Warnf("Failed to create %s %v chain", userChain, ipVer)
	return
	}

	if err = iptable.AddReturnRule(userChain); err != nil {
	logrus.WithError(err).Warnf("Failed to add the RETURN rule for %s %v", userChain, ipVer)
	return
	}

	err = iptable.EnsureJumpRule("FORWARD", userChain)
	if err != nil {
	logrus.WithError(err).Warnf("Failed to ensure the jump rule for %s %v", userChain, ipVer)
	}
	}
	}