dotcloud/docker

package libnetwork

import (
    "context"
    "fmt"

    "github.com/containerd/log"
    "github.com/docker/docker/libnetwork/iptables"
)

const userChain = "DOCKER-USER"

var ctrl *Controller

func setupArrangeUserFilterRule(c *Controller) {
    ctrl = c
    iptables.OnReloaded(arrangeUserFilterRule)
}

// arrangeUserFilterRule sets up the DOCKER-USER chain for each iptables version
// (IPv4, IPv6) that's enabled in the controller's configuration.
func arrangeUserFilterRule() {
    if ctrl == nil {
        return
    }
    for _, ipVersion := range ctrl.enabledIptablesVersions() {
        if err := setupUserChain(ipVersion); err != nil {
            log.G(context.TODO()).WithError(err).Warn("arrangeUserFilterRule")
        }
    }
}

// setupUserChain sets up the DOCKER-USER chain for the given [iptables.IPVersion].
//
// This chain allows users to configure firewall policies in a way that
// persist daemon operations/restarts. The daemon does not delete or modify
// any pre-existing rules from the DOCKER-USER filter chain.
//
// Once the DOCKER-USER chain is created, the daemon does not remove it when
// IPTableForwarding is disabled, because it contains rules configured by user
// that are beyond the daemon's control.
func setupUserChain(ipVersion iptables.IPVersion) error {
    ipt := iptables.GetIptable(ipVersion)
    if _, err := ipt.NewChain(userChain, iptables.Filter); err != nil {
        return fmt.Errorf("failed to create %s %v chain: %v", userChain, ipVersion, err)
    }
    if err := ipt.AddReturnRule(userChain); err != nil {
        return fmt.Errorf("failed to add the RETURN rule for %s %v: %w", userChain, ipVersion, err)
    }
    if err := ipt.EnsureJumpRule("FORWARD", userChain); err != nil {
        return fmt.Errorf("failed to ensure the jump rule for %s %v: %w", userChain, ipVersion, err)
    }
    return nil
}