Hello community,
here is the log from the commit of package golang-github-docker-libnetwork for
openSUSE:Factory checked in at 2020-11-26 23:11:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/golang-github-docker-libnetwork (Old)
and /work/SRC/openSUSE:Factory/.golang-github-docker-libnetwork.new.5913
(New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "golang-github-docker-libnetwork"
Thu Nov 26 23:11:42 2020 rev:23 rq:850093 version:0.7.0.1+gitr2906_026aabaa6598
Changes:
--------
---
/work/SRC/openSUSE:Factory/golang-github-docker-libnetwork/golang-github-docker-libnetwork.changes
2020-06-29 21:15:47.093304932 +0200
+++
/work/SRC/openSUSE:Factory/.golang-github-docker-libnetwork.new.5913/golang-github-docker-libnetwork.changes
2020-11-26 23:12:42.212944824 +0100
@@ -1,0 +2,8 @@
+Thu Nov 12 18:34:03 UTC 2020 - MichaĆ Rostecki <[email protected]>
+
+- Add patch which makes libnetwork compatible with firewalld with
+ nftables backend. Backport of https://github.com/moby/libnetwork/pull/2548
+ (boo#1178801, SLE-16460)
+ * boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
+
+-------------------------------------------------------------------
New:
----
boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ golang-github-docker-libnetwork.spec ++++++
--- /var/tmp/diff_new_pack.001TVT/_old 2020-11-26 23:12:43.248945038 +0100
+++ /var/tmp/diff_new_pack.001TVT/_new 2020-11-26 23:12:43.248945038 +0100
@@ -56,6 +56,8 @@
URL: http://github.com/docker/libnetwork
Source0: %{repo}-git.%{git_short}.tar.xz
Source1: %{realname}-rpmlintrc
+# SUSE-BACKPORT: Backport of https://github.com/moby/libnetwork/pull/2548.
boo#1178801, SLE-16460
+Patch0:
boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
BuildRequires: fdupes
BuildRequires: golang-packaging
BuildRequires: xz
@@ -110,6 +112,7 @@
%prep
%setup -q -n %{repo}-git.%{git_short}
+%patch0 -p1
%build
%goprep %{import_path}
++++++ boo1178801-0001-Add-docker-interfaces-to-firewalld-docker-zone.patch
++++++
From e8b0fa950bd564639af37f8869f926136abea87a Mon Sep 17 00:00:00 2001
From: Arko Dasgupta <[email protected]>
Date: Mon, 4 May 2020 13:51:42 -0700
Subject: [PATCH] Add docker interfaces to firewalld docker zone
If firewalld is running, create a new docker zone and
add the docker interfaces to the docker zone to allow
container networking for distros with firewalld enabled
Fixes: https://github.com/moby/libnetwork/issues/2496
Signed-off-by: Arko Dasgupta <[email protected]>
(cherry picked from commit 7a7209221542dc99b316748c97608dfc276c40f6)
Signed-off-by: Sebastiaan van Stijn <[email protected]>
---
iptables/firewalld.go | 136 ++++++++++++++++++++++++++++++++++++++----
iptables/iptables.go | 13 ++++
2 files changed, 139 insertions(+), 10 deletions(-)
diff --git a/iptables/firewalld.go b/iptables/firewalld.go
index 8f13c864..33eb749a 100644
--- a/iptables/firewalld.go
+++ b/iptables/firewalld.go
@@ -19,20 +19,46 @@ const (
// Ebtables point to bridge table
Ebtables IPV = "eb"
)
+
const (
- dbusInterface = "org.fedoraproject.FirewallD1"
- dbusPath = "/org/fedoraproject/FirewallD1"
+ dbusInterface = "org.fedoraproject.FirewallD1"
+ dbusPath = "/org/fedoraproject/FirewallD1"
+ dbusConfigPath = "/org/fedoraproject/FirewallD1/config"
+ dockerZone = "docker"
)
// Conn is a connection to firewalld dbus endpoint.
type Conn struct {
- sysconn *dbus.Conn
- sysobj dbus.BusObject
- signal chan *dbus.Signal
+ sysconn *dbus.Conn
+ sysObj dbus.BusObject
+ sysConfObj dbus.BusObject
+ signal chan *dbus.Signal
+}
+
+// ZoneSettings holds the firewalld zone settings, documented in
+// https://firewalld.org/documentation/man-pages/firewalld.dbus.html
+type ZoneSettings struct {
+ version string
+ name string
+ description string
+ unused bool
+ target string
+ services []string
+ ports [][]interface{}
+ icmpBlocks []string
+ masquerade bool
+ forwardPorts [][]interface{}
+ interfaces []string
+ sourceAddresses []string
+ richRules []string
+ protocols []string
+ sourcePorts [][]interface{}
+ icmpBlockInversion bool
}
var (
- connection *Conn
+ connection *Conn
+
firewalldRunning bool // is Firewalld service running
onReloaded []*func() // callbacks when Firewalld has been reloaded
)
@@ -51,6 +77,9 @@ func FirewalldInit() error {
}
if connection != nil {
go signalHandler()
+ if err := setupDockerZone(); err != nil {
+ return err
+ }
}
return nil
@@ -76,8 +105,8 @@ func (c *Conn) initConnection() error {
}
// This never fails, even if the service is not running atm.
- c.sysobj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath))
-
+ c.sysObj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath))
+ c.sysConfObj = c.sysconn.Object(dbusInterface,
dbus.ObjectPath(dbusConfigPath))
rule :=
fmt.Sprintf("type='signal',path='%s',interface='%s',sender='%s',member='Reloaded'",
dbusPath, dbusInterface, dbusInterface)
c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule)
@@ -150,7 +179,7 @@ func checkRunning() bool {
var err error
if connection != nil {
- err = connection.sysobj.Call(dbusInterface+".getDefaultZone",
0).Store(&zone)
+ err = connection.sysObj.Call(dbusInterface+".getDefaultZone",
0).Store(&zone)
return err == nil
}
return false
@@ -160,8 +189,95 @@ func checkRunning() bool {
func Passthrough(ipv IPV, args ...string) ([]byte, error) {
var output string
logrus.Debugf("Firewalld passthrough: %s, %s", ipv, args)
- if err := connection.sysobj.Call(dbusInterface+".direct.passthrough",
0, ipv, args).Store(&output); err != nil {
+ if err := connection.sysObj.Call(dbusInterface+".direct.passthrough",
0, ipv, args).Store(&output); err != nil {
return nil, err
}
return []byte(output), nil
}
+
+// getDockerZoneSettings converts the ZoneSettings struct into a interface
slice
+func getDockerZoneSettings() map[string]string {
+ return map[string]string{
+ "version": "1.0",
+ "name": dockerZone,
+ "description": "zone for docker bridge network interfaces",
+ "target": "ACCEPT",
+ }
+}
+
+// setupDockerZone creates a zone called docker in firewalld which includes
docker interfaces to allow
+// container networking
+func setupDockerZone() error {
+ var zones []string
+ // Check if zone exists
+ if err := connection.sysObj.Call(dbusInterface+".zone.getZones",
0).Store(&zones); err != nil {
+ return err
+ }
+ if contains(zones, dockerZone) {
+ logrus.Infof("Firewalld: %s zone already exists, returning",
dockerZone)
+ return nil
+ }
+ logrus.Debugf("Firewalld: creating %s zone", dockerZone)
+
+ settings := getDockerZoneSettings()
+ // Permanent
+ if err := connection.sysConfObj.Call(dbusInterface+".config.addZone",
0, dockerZone, settings).Err; err != nil {
+ return err
+ }
+ // Reload for change to take effect
+ if err := connection.sysObj.Call(dbusInterface+".reload", 0).Err; err
!= nil {
+ return err
+ }
+
+ return nil
+}
+
+// AddInterfaceFirewalld adds the interface to the trusted zone
+func AddInterfaceFirewalld(intf string) error {
+ var intfs []string
+ // Check if interface is already added to the zone
+ if err := connection.sysObj.Call(dbusInterface+".zone.getInterfaces",
0, dockerZone).Store(&intfs); err != nil {
+ return err
+ }
+ // Return if interface is already part of the zone
+ if contains(intfs, intf) {
+ logrus.Infof("Firewalld: interface %s already part of %s zone,
returning", intf, dockerZone)
+ return nil
+ }
+
+ logrus.Debugf("Firewalld: adding %s interface to %s zone", intf,
dockerZone)
+ // Runtime
+ if err := connection.sysObj.Call(dbusInterface+".zone.addInterface", 0,
dockerZone, intf).Err; err != nil {
+ return err
+ }
+ return nil
+}
+
+// DelInterfaceFirewalld removes the interface from the trusted zone
+func DelInterfaceFirewalld(intf string) error {
+ var intfs []string
+ // Check if interface is part of the zone
+ if err := connection.sysObj.Call(dbusInterface+".zone.getInterfaces",
0, dockerZone).Store(&intfs); err != nil {
+ return err
+ }
+ // Remove interface if it exists
+ if !contains(intfs, intf) {
+ return fmt.Errorf("Firewalld: unable to find interface %s in %s
zone", intf, dockerZone)
+ }
+
+ logrus.Debugf("Firewalld: removing %s interface from %s zone", intf,
dockerZone)
+ // Runtime
+ if err := connection.sysObj.Call(dbusInterface+".zone.removeInterface",
0, dockerZone, intf).Err; err != nil {
+ return err
+ }
+ return nil
+}
+
+func contains(list []string, val string) bool {
+ for _, v := range list {
+ if v == val {
+ return true
+ }
+ }
+ return false
+}
diff --git a/iptables/iptables.go b/iptables/iptables.go
index 5523c485..bd262eb8 100644
--- a/iptables/iptables.go
+++ b/iptables/iptables.go
@@ -146,6 +146,19 @@ func ProgramChain(c *ChainInfo, bridgeName string,
hairpinMode, enable bool) err
return errors.New("Could not program chain, missing chain name")
}
+ // Either add or remove the interface from the firewalld zone
+ if firewalldRunning {
+ if enable {
+ if err := AddInterfaceFirewalld(bridgeName); err != nil
{
+ return err
+ }
+ } else {
+ if err := DelInterfaceFirewalld(bridgeName); err != nil
{
+ return err
+ }
+ }
+ }
+
switch c.Table {
case Nat:
preroute := []string{
--
2.29.2
_______________________________________________
openSUSE Commits mailing list -- [email protected]
To unsubscribe, email [email protected]
List Netiquette: https://en.opensuse.org/openSUSE:Mailing_list_netiquette
List Archives:
https://lists.opensuse.org/archives/list/[email protected]
