Browse code
Move hasIPTablesEnabled check into firewall_linux.go
Signed-off-by: David O'Rourke <david@scalefactory.com>
David O'Rourke authored on 2019/04/29 21:50:21Showing 2 changed files
| ... | ... |
@@ -679,29 +679,6 @@ func (c *controller) isAgent() bool {
|
| 679 | 679 |
return c.cfg.Daemon.ClusterProvider.IsAgent() |
| 680 | 680 |
} |
| 681 | 681 |
|
| 682 |
-func (c *controller) hasIPTablesEnabled() bool {
|
|
| 683 |
- c.Lock() |
|
| 684 |
- defer c.Unlock() |
|
| 685 |
- |
|
| 686 |
- if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
|
|
| 687 |
- return false |
|
| 688 |
- } |
|
| 689 |
- |
|
| 690 |
- genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData] |
|
| 691 |
- if !ok {
|
|
| 692 |
- return false |
|
| 693 |
- } |
|
| 694 |
- |
|
| 695 |
- optMap := genericData.(map[string]interface{})
|
|
| 696 |
- |
|
| 697 |
- enabled, ok := optMap["EnableIPTables"].(bool) |
|
| 698 |
- if !ok {
|
|
| 699 |
- return false |
|
| 700 |
- } |
|
| 701 |
- |
|
| 702 |
- return enabled |
|
| 703 |
-} |
|
| 704 |
- |
|
| 705 | 682 |
func (c *controller) isDistributedControl() bool {
|
| 706 | 683 |
return !c.isManager() && !c.isAgent() |
| 707 | 684 |
} |
| ... | ... |
@@ -925,9 +902,7 @@ addToStore: |
| 925 | 925 |
c.Unlock() |
| 926 | 926 |
} |
| 927 | 927 |
|
| 928 |
- if c.hasIPTablesEnabled() {
|
|
| 929 |
- c.arrangeUserFilterRule() |
|
| 930 |
- } |
|
| 928 |
+ c.arrangeUserFilterRule() |
|
| 931 | 929 |
|
| 932 | 930 |
return network, nil |
| 933 | 931 |
} |
| ... | ... |
@@ -2,6 +2,7 @@ package libnetwork |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"github.com/docker/libnetwork/iptables" |
| 5 |
+ "github.com/docker/libnetwork/netlabel" |
|
| 5 | 6 |
"github.com/sirupsen/logrus" |
| 6 | 7 |
) |
| 7 | 8 |
|
| ... | ... |
@@ -9,15 +10,44 @@ const userChain = "DOCKER-USER" |
| 9 | 9 |
|
| 10 | 10 |
func (c *controller) arrangeUserFilterRule() {
|
| 11 | 11 |
c.Lock() |
| 12 |
- arrangeUserFilterRule() |
|
| 12 |
+ |
|
| 13 |
+ if c.hasIPTablesEnabled() {
|
|
| 14 |
+ arrangeUserFilterRule() |
|
| 15 |
+ } |
|
| 16 |
+ |
|
| 13 | 17 |
c.Unlock() |
| 18 |
+ |
|
| 14 | 19 |
iptables.OnReloaded(func() {
|
| 15 | 20 |
c.Lock() |
| 16 |
- arrangeUserFilterRule() |
|
| 21 |
+ |
|
| 22 |
+ if c.hasIPTablesEnabled() {
|
|
| 23 |
+ arrangeUserFilterRule() |
|
| 24 |
+ } |
|
| 25 |
+ |
|
| 17 | 26 |
c.Unlock() |
| 18 | 27 |
}) |
| 19 | 28 |
} |
| 20 | 29 |
|
| 30 |
+func (c *controller) hasIPTablesEnabled() bool {
|
|
| 31 |
+ // Locking c should be handled in the calling method. |
|
| 32 |
+ if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
|
|
| 33 |
+ return false |
|
| 34 |
+ } |
|
| 35 |
+ |
|
| 36 |
+ genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData] |
|
| 37 |
+ if !ok {
|
|
| 38 |
+ return false |
|
| 39 |
+ } |
|
| 40 |
+ |
|
| 41 |
+ optMap := genericData.(map[string]interface{})
|
|
| 42 |
+ enabled, ok := optMap["EnableIPTables"].(bool) |
|
| 43 |
+ if !ok {
|
|
| 44 |
+ return false |
|
| 45 |
+ } |
|
| 46 |
+ |
|
| 47 |
+ return enabled |
|
| 48 |
+} |
|
| 49 |
+ |
|
| 21 | 50 |
// This chain allow users to configure firewall policies in a way that persists |
| 22 | 51 |
// docker operations/restarts. Docker will not delete or modify any pre-existing |
| 23 | 52 |
// rules from the DOCKER-USER filter chain. |