[WIP] Add DOCKER-USER chain when iptables=true is set ENGCORE-1114

controller.go

@@ -904,14 +904,6 @@ addToStore:
 		}
 	}
 
-	if !c.isDistributedControl() {
-		c.Lock()
-		arrangeIngressFilterRule()
-		c.Unlock()
-	}
-
-	c.arrangeUserFilterRule()
-
 	return network, nil
 }
 

drivers/bridge/bridge.go

@@ -33,6 +33,8 @@ const (
 	vethLen                    = 7
 	defaultContainerVethPrefix = "eth"
 	maxAllocatePortAttempts    = 10
+	userChain                  = "DOCKER-USER"
+	ingressChain               = "DOCKER-INGRESS"
 )
 
 const (
@@ -357,6 +359,16 @@ func (d *driver) configure(option map[string]interface{}) error {
 		}
 		// Make sure on firewall reload, first thing being re-played is chains creation
 		iptables.OnReloaded(func() { logrus.Debugf("Recreating iptables chains on firewall reload"); setupIPChains(config) })
+
+		// Add DOCKER-INGRESS chain
+		arrangeIngressFilterRule()
+		// Add DOCKER-USER chain
+		arrangeUserFilterRule()
+		iptables.OnReloaded(func() {
+			logrus.Debugf("Recreating DOCKER-INGRESS and DOCKER-USER iptables chain on firewall reload")
+			arrangeIngressFilterRule()
+			arrangeUserFilterRule()
+		})
 	}
 
 	if config.EnableIPForwarding {
@@ -1504,3 +1516,42 @@ func electMacAddress(epConfig *endpointConfiguration, ip net.IP) net.HardwareAdd
 	}
 	return netutils.GenerateMACFromIP(ip)
 }
+
+// This chain allow users to configure firewall policies in a way that persists
+// docker operations/restarts. Docker will not delete or modify any pre-existing
+// rules from the DOCKER-USER filter chain.
+func arrangeUserFilterRule() {
+	_, err := iptables.NewChain(userChain, iptables.Filter, false)
+	if err != nil {
+		logrus.Warnf("Failed to create %s chain: %v", userChain, err)
+		return
+	}
+
+	if err = iptables.AddReturnRule(userChain); err != nil {
+		logrus.Warnf("Failed to add the RETURN rule for %s: %v", userChain, err)
+		return
+	}
+
+	err = iptables.EnsureJumpRule("FORWARD", userChain)
+	if err != nil {
+		logrus.Warnf("Failed to ensure the jump rule for %s: %v", userChain, err)
+	}
+}
+
+// In the filter table FORWARD chain the first rule should be to jump to
+// DOCKER-USER so the user is able to filter packet first.
+// The second rule should be jump to INGRESS-CHAIN.
+// This chain has the rules to allow access to the published ports for swarm tasks
+// from local bridge networks and docker_gwbridge (ie:taks on other swarm networks)
+func arrangeIngressFilterRule() {
+	if iptables.ExistChain(ingressChain, iptables.Filter) {
+		if iptables.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) {
+			if err := iptables.RawCombinedOutput("-D", "FORWARD", "-j", ingressChain); err != nil {
+				logrus.Warnf("failed to delete jump rule to ingressChain in filter table: %v", err)
+			}
+		}
+		if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
+			logrus.Warnf("failed to add jump rule to ingressChain in filter table: %v", err)
+		}
+	}
+}

drivers/bridge/bridge_test.go

@@ -19,6 +19,41 @@ import (
 	"github.com/vishvananda/netlink"
 )
 
+// TestEnableIPTables enables EnableIPTables and checks if
+// the DOCKER-USER chain is created or not
+func TestEnableIPTables(t *testing.T) {
+	if !testutils.IsRunningInContainer() {
+		defer testutils.SetupTestOSContext(t)()
+	}
+
+	d := newDriver()
+
+	config := &configuration{
+		EnableIPTables: true,
+	}
+	genericOption := make(map[string]interface{})
+	genericOption[netlabel.GenericData] = config
+
+	if err := d.configure(genericOption); err != nil {
+		t.Fatalf("Failed to setup driver config: %v", err)
+	}
+
+	userRule1 := []string{
+		"-j", "DOCKER-USER"}
+
+	if !iptables.Exists(iptables.Filter, "FORWARD", userRule1...) {
+		t.Fatal("rule does not exist")
+	}
+
+	userRule2 := []string{
+		"-j", "RETURN"}
+
+	if !iptables.Exists(iptables.Filter, "DOCKER-USER", userRule2...) {
+		t.Fatal("rule does not exist")
+	}
+
+}
+
 func TestEndpointMarshalling(t *testing.T) {
 	ip1, _ := types.ParseCIDR("172.22.0.9/16")
 	ip2, _ := types.ParseCIDR("2001:db8::9")

service_linux.go

@@ -366,7 +366,6 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 			if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
 				return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err)
 			}
-			arrangeUserFilterRule()
 		}
 
 		oifName, err := findOIFName(gwIP)
@@ -455,24 +454,6 @@ func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) erro
 	return nil
 }
 
-// In the filter table FORWARD chain the first rule should be to jump to
-// DOCKER-USER so the user is able to filter packet first.
-// The second rule should be jump to INGRESS-CHAIN.
-// This chain has the rules to allow access to the published ports for swarm tasks
-// from local bridge networks and docker_gwbridge (ie:taks on other swarm networks)
-func arrangeIngressFilterRule() {
-	if iptables.ExistChain(ingressChain, iptables.Filter) {
-		if iptables.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) {
-			if err := iptables.RawCombinedOutput("-D", "FORWARD", "-j", ingressChain); err != nil {
-				logrus.Warnf("failed to delete jump rule to ingressChain in filter table: %v", err)
-			}
-		}
-		if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil {
-			logrus.Warnf("failed to add jump rule to ingressChain in filter table: %v", err)
-		}
-	}
-}
-
 func findOIFName(ip net.IP) (string, error) {
 	nlh := ns.NlHandle()
 

service_unsupported.go

@@ -20,6 +20,3 @@ func (c *controller) rmServiceBinding(name, sid, nid, eid string, vip net.IP, in
 
 func (sb *sandbox) populateLoadBalancers(ep *endpoint) {
 }
-
-func arrangeIngressFilterRule() {
-}

service_windows.go

@@ -168,6 +168,3 @@ func numEnabledBackends(lb *loadBalancer) int {
 
 func (sb *sandbox) populateLoadBalancers(ep *endpoint) {
 }
-
-func arrangeIngressFilterRule() {
-}