GitList

Browse code

Return concrete types from NewNftabler/NewIptabler

Signed-off-by: Rob Murray <rob.murray@docker.com>

Rob Murray authored on 2025/08/05 18:28:37
Showing 7 changed files

daemon/libnetwork/drivers/bridge/bridge_linux.go index 84e66a7..1ac1aff 100644
daemon/libnetwork/drivers/bridge/internal/iptabler/cleaner.go index 98f3f5f..b58675a 100644
daemon/libnetwork/drivers/bridge/internal/iptabler/iptabler.go index 74df0ba..340dae6 100644
daemon/libnetwork/drivers/bridge/internal/iptabler/network.go index f80802f..5eef4d6 100644
daemon/libnetwork/drivers/bridge/internal/nftabler/cleaner.go index 7efbfe7..c57c36d 100644
daemon/libnetwork/drivers/bridge/internal/nftabler/network.go index 996cc86..b5dd54b 100644
daemon/libnetwork/drivers/bridge/internal/nftabler/nftabler.go index 9d6f15c..670c351 100644

daemon/libnetwork/drivers/bridge/bridge_linux.go

@@ -556,7 +556,7 @@ var newFirewaller = func(ctx context.Context, config firewaller.Config) (firewal
                      		// cleaner can't clean up network or port-specific rules that may have been added
                      		// to iptables built-in chains. So, if cleanup is needed, give the cleaner to
                      		// the nftabler. Then, it'll use it to delete old rules as networks are restored.
                     -		fw.(firewaller.FirewallCleanerSetter).SetFirewallCleaner(iptabler.NewCleaner(ctx, config))
                     +		fw.SetFirewallCleaner(iptabler.NewCleaner(ctx, config))
                      		return fw, nil
+                     	}

daemon/libnetwork/drivers/bridge/internal/iptabler/cleaner.go

History View file @ 200a75b

@@ -17,7 +17,7 @@ type iptablesCleaner struct {
+                     }
                      // NewCleaner checks for iptables rules left behind by an old daemon that was using
                     -// the iptabler.
                     +// the Iptabler.
                      //
                      // If there are old rules present, it deletes as much as possible straight away
                      // (user-defined chains and jumps from the built-in chains).
@@ -62,7 +62,7 @@ func (ic iptablesCleaner) DelNetwork(ctx context.Context, nc firewaller.NetworkC
+                     	}
                      	n := network{
                      		config: nc,
                     -		ipt:    &iptabler{config: ic.config},
                     +		ipt:    &Iptabler{config: ic.config},
+                     	}
                      	if ic.config.IPv4 && nc.Config4.Prefix.IsValid() {
                      		_ = deleteLegacyFilterRules(iptables.IPv4, nc.IfName)
@@ -77,7 +77,7 @@ func (ic iptablesCleaner) DelNetwork(ctx context.Context, nc firewaller.NetworkC
                      func (ic iptablesCleaner) DelEndpoint(ctx context.Context, nc firewaller.NetworkConfig, epIPv4, epIPv6 netip.Addr) {
                      	n := network{
                      		config: nc,
                     -		ipt:    &iptabler{config: ic.config},
                     +		ipt:    &Iptabler{config: ic.config},
+                     	}
                      	if n.ipt.config.IPv4 && epIPv4.IsValid() {
                      		_ = n.filterDirectAccess(ctx, iptables.IPv4, n.config.Config4, epIPv4, false)
@@ -90,7 +90,7 @@ func (ic iptablesCleaner) DelEndpoint(ctx context.Context, nc firewaller.Network
                      func (ic iptablesCleaner) DelPorts(ctx context.Context, nc firewaller.NetworkConfig, pbs []types.PortBinding) {
                      	n := network{
                      		config: nc,
                     -		ipt:    &iptabler{config: ic.config},
                     +		ipt:    &Iptabler{config: ic.config},
+                     	}
                      	_ = n.DelPorts(ctx, pbs)
+                     }

daemon/libnetwork/drivers/bridge/internal/iptabler/iptabler.go

History View file @ 200a75b

@@ -35,12 +35,12 @@ const (
                      	isolationChain2 = "DOCKER-ISOLATION-STAGE-2"
+                     )
                     -type iptabler struct {
                     +type Iptabler struct {
                      	config firewaller.Config
+                     }
                     -func NewIptabler(ctx context.Context, config firewaller.Config) (firewaller.Firewaller, error) {
                     -	ipt := &iptabler{config: config}
                     +func NewIptabler(ctx context.Context, config firewaller.Config) (*Iptabler, error) {
                     +	ipt := &Iptabler{config: config}
                      	if ipt.config.IPv4 {
                      		removeIPChains(ctx, iptables.IPv4)
@@ -91,7 +91,7 @@ func NewIptabler(ctx context.Context, config firewaller.Config) (firewaller.Fire
                      	return ipt, nil
+                     }
                     -func (ipt *iptabler) FilterForwardDrop(ctx context.Context, ipv firewaller.IPVersion) error {
                     +func (ipt *Iptabler) FilterForwardDrop(ctx context.Context, ipv firewaller.IPVersion) error {
                      	var iptv iptables.IPVersion
                      	switch ipv {
                      	case firewaller.IPv4:

daemon/libnetwork/drivers/bridge/internal/iptabler/network.go

History View file @ 200a75b

@@ -22,11 +22,11 @@ type (
                      type network struct {
                      	config     firewaller.NetworkConfig
                     -	ipt        *iptabler
                     +	ipt        *Iptabler
                      	cleanFuncs iptablesCleanFuncs
+                     }
                     -func (ipt *iptabler) NewNetwork(ctx context.Context, nc firewaller.NetworkConfig) (_ firewaller.Network, retErr error) {
                     +func (ipt *Iptabler) NewNetwork(ctx context.Context, nc firewaller.NetworkConfig) (_ firewaller.Network, retErr error) {
                      	n := &network{
                      		ipt:    ipt,
                      		config: nc,

daemon/libnetwork/drivers/bridge/internal/nftabler/cleaner.go

History View file @ 200a75b

@@ -11,7 +11,7 @@ import (
 	"github.com/moby/moby/v2/daemon/libnetwork/internal/nftables"
 )
 
-// Cleanup deletes all rules created by nftabler; it's intended to be used
+// Cleanup deletes all rules created by Nftabler; it's intended to be used
 // during startup, to clean up rules created by an old incarnation of the daemon
 // after switching to a different Firewaller implementation.
 func Cleanup(ctx context.Context, config firewaller.Config) {
@@ -31,6 +31,6 @@ func Cleanup(ctx context.Context, config firewaller.Config) {
 	}
 }
 
-func (nft *nftabler) SetFirewallCleaner(fc firewaller.FirewallCleaner) {
+func (nft *Nftabler) SetFirewallCleaner(fc firewaller.FirewallCleaner) {
 	nft.cleaner = fc
 }

daemon/libnetwork/drivers/bridge/internal/nftabler/network.go

History View file @ 200a75b

@@ -18,10 +18,10 @@ import (
                      type network struct {
                      	config  firewaller.NetworkConfig
                      	cleaner func(ctx context.Context) error
                     -	fw      *nftabler
                     +	fw      *Nftabler
+                     }
                     -func (nft *nftabler) NewNetwork(ctx context.Context, nc firewaller.NetworkConfig) (_ firewaller.Network, retErr error) {
                     +func (nft *Nftabler) NewNetwork(ctx context.Context, nc firewaller.NetworkConfig) (_ firewaller.Network, retErr error) {
                      	n := &network{
                      		fw:     nft,
                      		config: nc,

daemon/libnetwork/drivers/bridge/internal/nftabler/nftabler.go

History View file @ 200a75b

@@ -45,15 +45,15 @@ const (
                      	rawPreroutingPortsRuleGroup = iota + initialRuleGroup + 1
+                     )
                     -type nftabler struct {
                     +type Nftabler struct {
                      	config  firewaller.Config
                      	cleaner firewaller.FirewallCleaner
                      	table4  nftables.TableRef
                      	table6  nftables.TableRef
+                     }
                     -func NewNftabler(ctx context.Context, config firewaller.Config) (firewaller.Firewaller, error) {
                     -	nft := &nftabler{config: config}
                     +func NewNftabler(ctx context.Context, config firewaller.Config) (*Nftabler, error) {
                     +	nft := &Nftabler{config: config}
                      	if nft.config.IPv4 {
                      		var err error
@@ -85,14 +85,14 @@ func NewNftabler(ctx context.Context, config firewaller.Config) (firewaller.Fire
                      	return nft, nil
+                     }
                     -func (nft *nftabler) getTable(ipv firewaller.IPVersion) nftables.TableRef {
                     +func (nft *Nftabler) getTable(ipv firewaller.IPVersion) nftables.TableRef {
                      	if ipv == firewaller.IPv4 {
                      		return nft.table4
+                     	}
                      	return nft.table6
+                     }
                     -func (nft *nftabler) FilterForwardDrop(ctx context.Context, ipv firewaller.IPVersion) error {
                     +func (nft *Nftabler) FilterForwardDrop(ctx context.Context, ipv firewaller.IPVersion) error {
                      	table := nft.getTable(ipv)
                      	if err := table.Chain(ctx, forwardChain).SetPolicy("drop"); err != nil {
                      		return err
@@ -101,7 +101,7 @@ func (nft *nftabler) FilterForwardDrop(ctx context.Context, ipv firewaller.IPVer
+                     }
                      // init creates the bridge driver's nftables table for IPv4 or IPv6.
                     -func (nft *nftabler) init(ctx context.Context, family nftables.Family) (nftables.TableRef, error) {
                     +func (nft *Nftabler) init(ctx context.Context, family nftables.Family) (nftables.TableRef, error) {
                      	// Instantiate the table.
                      	table, err := nftables.NewTable(family, dockerTable)
                      	if err != nil {

...	...	@@ -11,7 +11,7 @@ import (
11	11	"github.com/moby/moby/v2/daemon/libnetwork/internal/nftables"
12	12	)
13	13
14		-// Cleanup deletes all rules created by nftabler; it's intended to be used
	14	+// Cleanup deletes all rules created by Nftabler; it's intended to be used
15	15	// during startup, to clean up rules created by an old incarnation of the daemon
16	16	// after switching to a different Firewaller implementation.
17	17	func Cleanup(ctx context.Context, config firewaller.Config) {
...	...	@@ -31,6 +31,6 @@ func Cleanup(ctx context.Context, config firewaller.Config) {
31	31	}
32	32	}
33	33
34		-func (nft *nftabler) SetFirewallCleaner(fc firewaller.FirewallCleaner) {
	34	+func (nft *Nftabler) SetFirewallCleaner(fc firewaller.FirewallCleaner) {
35	35	nft.cleaner = fc
36	36	}