Browse code
[19.03 backport] revert controller: Check if IPTables is enabled for arrangeUserFilterRule
This change caused a regression, causing the DOCKER-USER chain
to not be created, despite iptables being enabled on the daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2019/10/12 04:10:48Showing 3 changed files
- hack/dockerfile/install/proxy.installer
- vendor.conf
- vendor/github.com/docker/libnetwork/firewall_linux.go
| ... | ... |
@@ -3,7 +3,7 @@ |
| 3 | 3 |
# LIBNETWORK_COMMIT is used to build the docker-userland-proxy binary. When |
| 4 | 4 |
# updating the binary version, consider updating github.com/docker/libnetwork |
| 5 | 5 |
# in vendor.conf accordingly |
| 6 |
-LIBNETWORK_COMMIT=45c710223c5fbf04dc3028b9a90b51892e36ca7f |
|
| 6 |
+LIBNETWORK_COMMIT=3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch |
|
| 7 | 7 |
|
| 8 | 8 |
install_proxy() {
|
| 9 | 9 |
case "$1" in |
| ... | ... |
@@ -38,7 +38,7 @@ github.com/gofrs/flock 7f43ea2e6a643ad441fc12d0ecc0 |
| 38 | 38 |
# libnetwork |
| 39 | 39 |
|
| 40 | 40 |
# When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly |
| 41 |
-github.com/docker/libnetwork 45c710223c5fbf04dc3028b9a90b51892e36ca7f |
|
| 41 |
+github.com/docker/libnetwork 3eb39382bfa6a3c42f83674ab080ae13b0e34e5d # bump_19.03 branch |
|
| 42 | 42 |
github.com/docker/go-events 9461782956ad83b30282bf90e31fa6a70c255ba9 |
| 43 | 43 |
github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 |
| 44 | 44 |
github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec |
| ... | ... |
@@ -2,7 +2,6 @@ package libnetwork |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 | 4 |
"github.com/docker/libnetwork/iptables" |
| 5 |
- "github.com/docker/libnetwork/netlabel" |
|
| 6 | 5 |
"github.com/sirupsen/logrus" |
| 7 | 6 |
) |
| 8 | 7 |
|
| ... | ... |
@@ -10,44 +9,15 @@ const userChain = "DOCKER-USER" |
| 10 | 10 |
|
| 11 | 11 |
func (c *controller) arrangeUserFilterRule() {
|
| 12 | 12 |
c.Lock() |
| 13 |
- |
|
| 14 |
- if c.hasIPTablesEnabled() {
|
|
| 15 |
- arrangeUserFilterRule() |
|
| 16 |
- } |
|
| 17 |
- |
|
| 13 |
+ arrangeUserFilterRule() |
|
| 18 | 14 |
c.Unlock() |
| 19 |
- |
|
| 20 | 15 |
iptables.OnReloaded(func() {
|
| 21 | 16 |
c.Lock() |
| 22 |
- |
|
| 23 |
- if c.hasIPTablesEnabled() {
|
|
| 24 |
- arrangeUserFilterRule() |
|
| 25 |
- } |
|
| 26 |
- |
|
| 17 |
+ arrangeUserFilterRule() |
|
| 27 | 18 |
c.Unlock() |
| 28 | 19 |
}) |
| 29 | 20 |
} |
| 30 | 21 |
|
| 31 |
-func (c *controller) hasIPTablesEnabled() bool {
|
|
| 32 |
- // Locking c should be handled in the calling method. |
|
| 33 |
- if c.cfg == nil || c.cfg.Daemon.DriverCfg[netlabel.GenericData] == nil {
|
|
| 34 |
- return false |
|
| 35 |
- } |
|
| 36 |
- |
|
| 37 |
- genericData, ok := c.cfg.Daemon.DriverCfg[netlabel.GenericData] |
|
| 38 |
- if !ok {
|
|
| 39 |
- return false |
|
| 40 |
- } |
|
| 41 |
- |
|
| 42 |
- optMap := genericData.(map[string]interface{})
|
|
| 43 |
- enabled, ok := optMap["EnableIPTables"].(bool) |
|
| 44 |
- if !ok {
|
|
| 45 |
- return false |
|
| 46 |
- } |
|
| 47 |
- |
|
| 48 |
- return enabled |
|
| 49 |
-} |
|
| 50 |
- |
|
| 51 | 22 |
// This chain allow users to configure firewall policies in a way that persists |
| 52 | 23 |
// docker operations/restarts. Docker will not delete or modify any pre-existing |
| 53 | 24 |
// rules from the DOCKER-USER filter chain. |