Part of the Docker iptables configuration is static and can be configured in ferm itself. This allows wrapping the Docker-related firewall rules in other rules. The part of the output I'm talking about is:
table nat {
    chain DOCKER;
    chain PREROUTING {
        policy ACCEPT;
        mod addrtype dst-type LOCAL jump DOCKER;
    }
    chain OUTPUT {
        policy ACCEPT;
        daddr ! 127.0.0.0/8 mod addrtype dst-type LOCAL jump DOCKER;
    }
    chain POSTROUTING {
        policy ACCEPT;
        saddr 172.18.0.0/16 outerface ! docker0 MASQUERADE;
    }
}
table filter {
    chain DOCKER;
    chain FORWARD {
        outerface docker0 {
            jump DOCKER;
            mod conntrack ctstate (RELATED ESTABLISHED) ACCEPT;
        }
        interface docker0 {
            outerface ! docker0 ACCEPT;
            outerface docker0 ACCEPT;
        }
    }
}
It would be great if ferment had an option to only output the dynamic, container-related rules. That way I can configure the static rules in the ferm directory and add the Docker rules afterwards.
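The split requested above, as an added example that is neither ferment's code nor the issue author's: a small generator that emits only the container-specific part of Docker's rules (the per-port DNAT, hairpin MASQUERADE and FORWARD accept rules) in ferm syntax, leaving the static scaffolding quoted in the issue to ferm.conf. It assumes the default `docker0` bridge, takes its container list as a constructed in-memory sample rather than reading `docker inspect`, and relies on ferm appending rules when the same chain block appears more than once (so the fragment can be pulled in with `@include` after the static `chain DOCKER;` declarations). Because the output is a firewall config, the container name and addresses are validated before they are interpolated, so a hostile container name cannot smuggle extra ferm statements into the file.

```python
# Added example, not code from ferment or the issue author: emit only the
# container-specific ("dynamic") Docker rules in ferm syntax. The static part
# shown in the issue (chain declarations, PREROUTING/OUTPUT/FORWARD hooks,
# the bridge MASQUERADE) is assumed to live in ferm.conf, which pulls this
# fragment in with ferm's @include.
import ipaddress
import re

BRIDGE = "docker0"  # assumption: the default Docker bridge
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


def _check(name, ip, proto, host_port, container_port):
    """Refuse anything that could smuggle ferm syntax into the generated file:
    the name goes into a comment, the rest into rule arguments."""
    if not _NAME_RE.match(name):
        raise ValueError(f"bad container name: {name!r}")
    ipaddress.IPv4Address(ip)  # raises ValueError on garbage
    if proto not in ("tcp", "udp"):
        raise ValueError(f"bad proto: {proto!r}")
    for port in (host_port, container_port):
        if not (isinstance(port, int) and 1 <= port <= 65535):
            raise ValueError(f"bad port: {port!r}")


def published_ports(containers):
    """Yield validated (name, ip, proto, host_port, container_port) tuples.
    Each container is a dict:
    {"name": str, "ip": str, "ports": [(proto, host_port, container_port), ...]}."""
    for c in containers:
        for proto, hport, cport in c["ports"]:
            _check(c["name"], c["ip"], proto, hport, cport)
            yield c["name"], c["ip"], proto, hport, cport


def nat_docker_rules(containers):
    """DNAT for each published port; lands in the nat DOCKER chain."""
    return [f"interface ! {BRIDGE} proto {proto} dport {hport} "
            f"DNAT to {ip}:{cport};  # {name}"
            for name, ip, proto, hport, cport in published_ports(containers)]


def nat_postrouting_rules(containers):
    """Hairpin MASQUERADE so a container can reach its own published port."""
    return [f"saddr {ip} daddr {ip} proto {proto} dport {cport} MASQUERADE;"
            for _name, ip, proto, _hport, cport in published_ports(containers)]


def filter_docker_rules(containers):
    """Accept forwarded traffic only to the published container port."""
    return [f"daddr {ip} interface ! {BRIDGE} outerface {BRIDGE} "
            f"proto {proto} dport {cport} ACCEPT;"
            for _name, ip, proto, _hport, cport in published_ports(containers)]


def render_dynamic(containers):
    """Render the fragment. Only chain bodies are emitted; chain declarations
    and hook rules stay in the static config. ferm merges a chain block that
    appears more than once, so these rules append to the static ones."""
    def block(table, chain, rules):
        body = "".join(f"        {r}\n" for r in rules)
        return f"table {table} {{\n    chain {chain} {{\n{body}    }}\n}}\n"
    return (block("nat", "DOCKER", nat_docker_rules(containers))
            + block("nat", "POSTROUTING", nat_postrouting_rules(containers))
            + block("filter", "DOCKER", filter_docker_rules(containers)))


# Constructed sample input standing in for `docker inspect` output.
SAMPLE_CONTAINERS = [
    {"name": "web", "ip": "172.18.0.2", "ports": [("tcp", 8080, 80)]},
    {"name": "dns", "ip": "172.18.0.3",
     "ports": [("udp", 5353, 53), ("tcp", 5353, 53)]},
]

if __name__ == "__main__":
    print(render_dynamic(SAMPLE_CONTAINERS), end="")
```

Writing the output to a file such as `/etc/ferm/docker.conf` and adding `@include '/etc/ferm/docker.conf';` at the end of ferm.conf keeps the static rules from the issue under ferm's control while the container rules are regenerated on every container change; because the fragment never declares chains or hook rules itself, reloading ferm with an empty fragment leaves a working but closed DOCKER chain rather than a broken ruleset.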