dfwfw
Problem with matching rule "dst_container": "Name =~ .*"
I'm trying to create a rule that matches any container. It looks like: { "dst_container": "Name =~ .*", "network": "cadnet" }, but it fires only after at least two containers in network cadnet have been created. I.e. it does not work if there is only one container in the target network.
Which category are you targeting? What are you trying to accomplish?
I'm trying to make some containers available from the outside world. Some containers could be added later, and I don't know their names. So I'm trying to filter some known containers and open connections to any others.
So is your bug report about the wider_world_to_container category?
Yes, wider_world_to_container. So when I create one container, iptables rules don't appear, but when I create a second container, rules appear for both containers.
I still can't reproduce the issue. I created a network (wwtc) with one container (it got the name serene_turing); it seems to work well:
# cat /etc/dfwfw/dfwfw.conf
{
"wider_world_to_container": {
"rules": [
{
"network": "wwtc",
"dst_container": "Name =~ .*",
"expose_port": 23123
}
]
}
}
# /opt/dfwfw/dfwfw.pl
...
################ wider_world_to_container:
# #1: host:23123 -> serene_turing:23123 / tcp
-A DFWFW_FORWARD -i eth0 -o br-51cdf713e72c -d 172.18.0.2 -p tcp --dport 23123 -j ACCEPT
iptables before starting the first container:
# Generated by iptables-save v1.4.21 on Sun Mar 12 17:28:29 2017
*nat
:PREROUTING ACCEPT [122:6876]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [1:328]
:POSTROUTING ACCEPT [0:0]
:DFWFW_POSTROUTING - [0:0]
:DFWFW_PREROUTING - [0:0]
-A PREROUTING -j DFWFW_PREROUTING
-A POSTROUTING -j DFWFW_POSTROUTING
-A DFWFW_POSTROUTING -o eth0 -j MASQUERADE
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 464 -j DNAT --to-destination 172.17.0.2:464
-A DFWFW_PREROUTING -i eth0 -p udp -m udp --dport 464 -j DNAT --to-destination 172.17.0.2:464
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 9444 -j DNAT --to-destination 172.17.0.2:9444
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 389 -j DNAT --to-destination 172.17.0.2:389
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 88 -j DNAT --to-destination 172.17.0.2:88
-A DFWFW_PREROUTING -i eth0 -p udp -m udp --dport 88 -j DNAT --to-destination 172.17.0.2:88
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 9445 -j DNAT --to-destination 172.17.0.2:9445
-A DFWFW_PREROUTING -i eth0 -p udp -m udp --dport 123 -j DNAT --to-destination 172.17.0.2:123
-A DFWFW_PREROUTING -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.2:53
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 7389 -j DNAT --to-destination 172.17.0.2:7389
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 9443 -j DNAT --to-destination 172.17.0.2:9443
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.17.0.2:53
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 636 -j DNAT --to-destination 172.17.0.2:636
COMMIT
# Completed on Sun Mar 12 17:28:29 2017
# Generated by iptables-save v1.4.21 on Sun Mar 12 17:28:29 2017
*filter
:INPUT DROP [22:2476]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:328]
:DFWFW_FORWARD - [0:0]
:DFWFW_INPUT - [0:0]
:HOST_INCOMING - [0:0]
:HOST_OUTBOUND - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DFWFW_INPUT
-A INPUT -m state --state NEW -j HOST_INCOMING
-A FORWARD -j DFWFW_FORWARD
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW -j HOST_OUTBOUND
-A DFWFW_FORWARD -m state --state INVALID -j DROP
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DFWFW_FORWARD -i br-1e5794677d8a -o br-1e5794677d8a -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o docker0 -j ACCEPT
-A DFWFW_FORWARD -i br-1e5794677d8a -o eth0 -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o eth0 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 464 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p udp -m udp --dport 464 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 9444 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 389 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 88 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p udp -m udp --dport 88 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 9445 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p udp -m udp --dport 123 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p udp -m udp --dport 53 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 7389 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 9443 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 53 -j ACCEPT
-A DFWFW_FORWARD -d 172.17.0.2/32 -i eth0 -o docker0 -p tcp -m tcp --dport 636 -j ACCEPT
-A DFWFW_FORWARD -j DROP
-A DFWFW_INPUT -i br-1e5794677d8a -j ACCEPT
-A DFWFW_INPUT -i docker0 -j ACCEPT
-A HOST_INCOMING -p tcp -m tcp --dport 22 -j ACCEPT
-A HOST_INCOMING -p icmp -j ACCEPT
-A HOST_OUTBOUND -p udp -m udp --dport 53 -j ACCEPT
-A HOST_OUTBOUND -p tcp -m tcp --dport 80 -j ACCEPT
-A HOST_OUTBOUND -p tcp -m tcp --dport 443 -j ACCEPT
-A HOST_OUTBOUND -p icmp -j ACCEPT
COMMIT
# Completed on Sun Mar 12 17:28:29 2017
docker start cadvisor1
output from dfwfw:
[root@ipa ~]# docker attach 611d26449983
[Sun Mar 12 14:30:14 2017] Docker event: container:attach: {"ID":"611d26449983c27266789b0c0f00f66b699abf303b78ff046f62166043b5b34f","Attributes":{"name":"dfwfw","image":"irsl/dfwfw"}}
[Sun Mar 12 14:30:22 2017] Docker event: network:connect: {"ID":"1e5794677d8a494cae65d34d2f7fcf833b2ef59dbd82c9bb1ab85fe4c39bf360","Attributes":{"type":"bridge","name":"cadnet","container":"87a5b1d60f1c9a73064f6322fdfba83b0597f64adc268142a22f2beb45aa0a21"}}
[Sun Mar 12 14:30:22 2017] Docker event: container:start: {"ID":"87a5b1d60f1c9a73064f6322fdfba83b0597f64adc268142a22f2beb45aa0a21","Attributes":{"name":"cadvisor1","image":"google/cadvisor:latest"}}
[Sun Mar 12 14:30:22 2017] Docker events stream ended :(
Use of uninitialized value in pattern match (m//) at /opt/dfwfw/dfwfw.pl line 91.
[Sun Mar 12 14:30:23 2017] Rebuilding firewall ruleset...
[Sun Mar 12 14:30:23 2017] DFWFW::Rule::ContainerToContainer: number of matching networks for rule #1: 2
[Sun Mar 12 14:30:23 2017] DFWFW::Rule::ContainerToWiderWorld: number of matching networks for rule #1: 2
[Sun Mar 12 14:30:23 2017] DFWFW::Rule::ContainerToHost: number of matching networks for rule #1: 2
[Sun Mar 12 14:30:23 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #1: 1
[Sun Mar 12 14:30:23 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #2: 1
[Sun Mar 12 14:30:23 2017] Wider world to container: dst_container of rule #2 does not match any containers, skipping rule
[Sun Mar 12 14:30:23 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #3: 1
[Sun Mar 12 14:30:23 2017] Wider world to container: dst_container of rule #3 does not match any containers, skipping rule
[Sun Mar 12 14:30:23 2017] commiting to filter table:
*filter
################ DFWFW_FORWARD head:
-F DFWFW_FORWARD
-A DFWFW_FORWARD -m state --state INVALID -j DROP
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
################ DFWFW_INPUT head:
-F DFWFW_INPUT
################ container_to_container:
-A DFWFW_FORWARD -i br-1e5794677d8a -o br-1e5794677d8a -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o docker0 -j ACCEPT
################ container_to_wider_world:
-A DFWFW_FORWARD -i br-1e5794677d8a -o eth0 -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o eth0 -j ACCEPT
################ container_to_host:
-A DFWFW_INPUT -i br-1e5794677d8a -j ACCEPT
-A DFWFW_INPUT -i docker0 -j ACCEPT
################ wider_world_to_container:
# #1: host:443 -> freeipa-server-container:443 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 443 -j ACCEPT
# #1: host:464 -> freeipa-server-container:464 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 464 -j ACCEPT
# #1: host:464 -> freeipa-server-container:464 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 464 -j ACCEPT
# #1: host:9444 -> freeipa-server-container:9444 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 9444 -j ACCEPT
# #1: host:389 -> freeipa-server-container:389 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 389 -j ACCEPT
# #1: host:80 -> freeipa-server-container:80 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 80 -j ACCEPT
# #1: host:88 -> freeipa-server-container:88 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 88 -j ACCEPT
# #1: host:88 -> freeipa-server-container:88 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 88 -j ACCEPT
# #1: host:9445 -> freeipa-server-container:9445 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 9445 -j ACCEPT
# #1: host:123 -> freeipa-server-container:123 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 123 -j ACCEPT
# #1: host:53 -> freeipa-server-container:53 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 53 -j ACCEPT
# #1: host:7389 -> freeipa-server-container:7389 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 7389 -j ACCEPT
# #1: host:9443 -> freeipa-server-container:9443 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 9443 -j ACCEPT
# #1: host:53 -> freeipa-server-container:53 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 53 -j ACCEPT
# #1: host:636 -> freeipa-server-container:636 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 636 -j ACCEPT
################ DFWFW_FORWARD tail:
-A DFWFW_FORWARD -j DROP
COMMIT
[Sun Mar 12 14:30:23 2017] commiting to nat table:
*nat
################ DFWFW_PREROUTING head:
-F DFWFW_PREROUTING
################ wider_world_to_container:
# #1: host:443 -> freeipa-server-container:443 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
# #1: host:464 -> freeipa-server-container:464 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 464 -j DNAT --to-destination 172.17.0.2:464
# #1: host:464 -> freeipa-server-container:464 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 464 -j DNAT --to-destination 172.17.0.2:464
# #1: host:9444 -> freeipa-server-container:9444 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9444 -j DNAT --to-destination 172.17.0.2:9444
# #1: host:389 -> freeipa-server-container:389 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 389 -j DNAT --to-destination 172.17.0.2:389
# #1: host:80 -> freeipa-server-container:80 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
# #1: host:88 -> freeipa-server-container:88 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 88 -j DNAT --to-destination 172.17.0.2:88
# #1: host:88 -> freeipa-server-container:88 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 88 -j DNAT --to-destination 172.17.0.2:88
# #1: host:9445 -> freeipa-server-container:9445 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9445 -j DNAT --to-destination 172.17.0.2:9445
# #1: host:123 -> freeipa-server-container:123 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 172.17.0.2:123
# #1: host:53 -> freeipa-server-container:53 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 172.17.0.2:53
# #1: host:7389 -> freeipa-server-container:7389 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 7389 -j DNAT --to-destination 172.17.0.2:7389
# #1: host:9443 -> freeipa-server-container:9443 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9443 -j DNAT --to-destination 172.17.0.2:9443
# #1: host:53 -> freeipa-server-container:53 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 172.17.0.2:53
# #1: host:636 -> freeipa-server-container:636 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 636 -j DNAT --to-destination 172.17.0.2:636
COMMIT
docker start cadvisor2
both rules are present:
-A DFWFW_FORWARD -d 172.18.0.2/32 -i eth0 -o br-1e5794677d8a -p tcp -m tcp --dport 8080 -j ACCEPT
-A DFWFW_FORWARD -d 172.18.0.3/32 -i eth0 -o br-1e5794677d8a -p tcp -m tcp --dport 8080 -j ACCEPT
output from console:
[Sun Mar 12 14:30:23 2017] commiting to nat table:
*nat
################ DFWFW_PREROUTING head:
-F DFWFW_PREROUTING
################ wider_world_to_container:
# #1: host:443 -> freeipa-server-container:443 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
# #1: host:464 -> freeipa-server-container:464 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 464 -j DNAT --to-destination 172.17.0.2:464
# #1: host:464 -> freeipa-server-container:464 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 464 -j DNAT --to-destination 172.17.0.2:464
# #1: host:9444 -> freeipa-server-container:9444 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9444 -j DNAT --to-destination 172.17.0.2:9444
# #1: host:389 -> freeipa-server-container:389 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 389 -j DNAT --to-destination 172.17.0.2:389
# #1: host:80 -> freeipa-server-container:80 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
# #1: host:88 -> freeipa-server-container:88 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 88 -j DNAT --to-destination 172.17.0.2:88
# #1: host:88 -> freeipa-server-container:88 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 88 -j DNAT --to-destination 172.17.0.2:88
# #1: host:9445 -> freeipa-server-container:9445 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9445 -j DNAT --to-destination 172.17.0.2:9445
# #1: host:123 -> freeipa-server-container:123 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 172.17.0.2:123
# #1: host:53 -> freeipa-server-container:53 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 172.17.0.2:53
# #1: host:7389 -> freeipa-server-container:7389 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 7389 -j DNAT --to-destination 172.17.0.2:7389
# #1: host:9443 -> freeipa-server-container:9443 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9443 -j DNAT --to-destination 172.17.0.2:9443
# #1: host:53 -> freeipa-server-container:53 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 172.17.0.2:53
# #1: host:636 -> freeipa-server-container:636 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 636 -j DNAT --to-destination 172.17.0.2:636
COMMIT
Use of uninitialized value in pattern match (m//) at /opt/dfwfw/dfwfw.pl line 91.
[Sun Mar 12 14:31:42 2017] Docker event: network:connect: {"Attributes":{"container":"a55c0d5ebda18a79121f7b6ba0e7d60279fb5ee74638eb360b4d185051c01d08","name":"cadnet","type":"bridge"},"ID":"1e5794677d8a494cae65d34d2f7fcf833b2ef59dbd82c9bb1ab85fe4c39bf360"}
[Sun Mar 12 14:31:42 2017] Docker event: container:start: {"Attributes":{"name":"cadvisor2","image":"google/cadvisor:latest"},"ID":"a55c0d5ebda18a79121f7b6ba0e7d60279fb5ee74638eb360b4d185051c01d08"}
[Sun Mar 12 14:31:42 2017] Rebuilding DFWFW due to Docker event: start - google/cadvisor:latest
[Sun Mar 12 14:31:42 2017] Talking to Docker daemon to learn current network and container configuration
[Sun Mar 12 14:31:42 2017] Rebuilding firewall ruleset...
[Sun Mar 12 14:31:42 2017] DFWFW::Rule::ContainerToContainer: number of matching networks for rule #1: 2
[Sun Mar 12 14:31:42 2017] DFWFW::Rule::ContainerToWiderWorld: number of matching networks for rule #1: 2
[Sun Mar 12 14:31:42 2017] DFWFW::Rule::ContainerToHost: number of matching networks for rule #1: 2
[Sun Mar 12 14:31:42 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #1: 1
[Sun Mar 12 14:31:42 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #2: 1
[Sun Mar 12 14:31:42 2017] Wider world to container: dst_container of rule #2 does not match any containers, skipping rule
[Sun Mar 12 14:31:42 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #3: 1
[Sun Mar 12 14:31:42 2017] commiting to filter table:
*filter
################ DFWFW_FORWARD head:
-F DFWFW_FORWARD
-A DFWFW_FORWARD -m state --state INVALID -j DROP
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
################ DFWFW_INPUT head:
-F DFWFW_INPUT
################ container_to_container:
-A DFWFW_FORWARD -i br-1e5794677d8a -o br-1e5794677d8a -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o docker0 -j ACCEPT
################ container_to_wider_world:
-A DFWFW_FORWARD -i br-1e5794677d8a -o eth0 -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o eth0 -j ACCEPT
################ container_to_host:
-A DFWFW_INPUT -i br-1e5794677d8a -j ACCEPT
-A DFWFW_INPUT -i docker0 -j ACCEPT
################ wider_world_to_container:
# #1: host:443 -> freeipa-server-container:443 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 443 -j ACCEPT
# #1: host:464 -> freeipa-server-container:464 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 464 -j ACCEPT
# #1: host:464 -> freeipa-server-container:464 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 464 -j ACCEPT
# #1: host:9444 -> freeipa-server-container:9444 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 9444 -j ACCEPT
# #1: host:389 -> freeipa-server-container:389 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 389 -j ACCEPT
# #1: host:80 -> freeipa-server-container:80 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 80 -j ACCEPT
# #1: host:88 -> freeipa-server-container:88 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 88 -j ACCEPT
# #1: host:88 -> freeipa-server-container:88 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 88 -j ACCEPT
# #1: host:9445 -> freeipa-server-container:9445 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 9445 -j ACCEPT
# #1: host:123 -> freeipa-server-container:123 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 123 -j ACCEPT
# #1: host:53 -> freeipa-server-container:53 / udp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p udp --dport 53 -j ACCEPT
# #1: host:7389 -> freeipa-server-container:7389 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 7389 -j ACCEPT
# #1: host:9443 -> freeipa-server-container:9443 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 9443 -j ACCEPT
# #1: host:53 -> freeipa-server-container:53 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 53 -j ACCEPT
# #1: host:636 -> freeipa-server-container:636 / tcp
-A DFWFW_FORWARD -i eth0 -o docker0 -d 172.17.0.2 -p tcp --dport 636 -j ACCEPT
# #3: host:8081 -> cadvisor1:8080 / tcp
-A DFWFW_FORWARD -i eth0 -o br-1e5794677d8a -d 172.18.0.2 -p tcp --dport 8080 -j ACCEPT
# #3: host:8082 -> cadvisor2:8080 / tcp
-A DFWFW_FORWARD -i eth0 -o br-1e5794677d8a -d 172.18.0.3 -p tcp --dport 8080 -j ACCEPT
################ DFWFW_FORWARD tail:
-A DFWFW_FORWARD -j DROP
COMMIT
[Sun Mar 12 14:31:42 2017] commiting to nat table:
*nat
################ DFWFW_PREROUTING head:
-F DFWFW_PREROUTING
################ wider_world_to_container:
# #1: host:443 -> freeipa-server-container:443 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 172.17.0.2:443
# #1: host:464 -> freeipa-server-container:464 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 464 -j DNAT --to-destination 172.17.0.2:464
# #1: host:464 -> freeipa-server-container:464 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 464 -j DNAT --to-destination 172.17.0.2:464
# #1: host:9444 -> freeipa-server-container:9444 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9444 -j DNAT --to-destination 172.17.0.2:9444
# #1: host:389 -> freeipa-server-container:389 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 389 -j DNAT --to-destination 172.17.0.2:389
# #1: host:80 -> freeipa-server-container:80 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.17.0.2:80
# #1: host:88 -> freeipa-server-container:88 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 88 -j DNAT --to-destination 172.17.0.2:88
# #1: host:88 -> freeipa-server-container:88 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 88 -j DNAT --to-destination 172.17.0.2:88
# #1: host:9445 -> freeipa-server-container:9445 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9445 -j DNAT --to-destination 172.17.0.2:9445
# #1: host:123 -> freeipa-server-container:123 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 123 -j DNAT --to-destination 172.17.0.2:123
# #1: host:53 -> freeipa-server-container:53 / udp
-A DFWFW_PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 172.17.0.2:53
# #1: host:7389 -> freeipa-server-container:7389 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 7389 -j DNAT --to-destination 172.17.0.2:7389
# #1: host:9443 -> freeipa-server-container:9443 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 9443 -j DNAT --to-destination 172.17.0.2:9443
# #1: host:53 -> freeipa-server-container:53 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 53 -j DNAT --to-destination 172.17.0.2:53
# #1: host:636 -> freeipa-server-container:636 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 636 -j DNAT --to-destination 172.17.0.2:636
# #3: host:8081 -> cadvisor1:8080 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 8081 -j DNAT --to-destination 172.18.0.2:8080
# #3: host:8082 -> cadvisor2:8080 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 8082 -j DNAT --to-destination 172.18.0.3:8080
COMMIT
[root@ipa ~]# cat /usr/lib/dfwfw/dfwfw.conf
{
"initialization": {
"filter": [
":DFWFW_INPUT - [0:0]",
":HOST_OUTBOUND - [0:0]",
":HOST_INCOMING - [0:0]",
"-P INPUT DROP",
"-F INPUT",
"-A INPUT -m state --state INVALID -j DROP",
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A INPUT -j DFWFW_INPUT",
"-A INPUT -m state --state NEW -j HOST_INCOMING",
"-F HOST_INCOMING",
"-A HOST_INCOMING -p tcp --dport 22 -j ACCEPT",
"-A HOST_INCOMING -p icmp -j ACCEPT",
"-P OUTPUT DROP",
"-F OUTPUT",
"-A OUTPUT -m state --state INVALID -j DROP",
"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A OUTPUT -m state --state NEW -j HOST_OUTBOUND",
"-F HOST_OUTBOUND",
"-A HOST_OUTBOUND -p udp --dport 53 -j ACCEPT",
"-A HOST_OUTBOUND -p tcp --dport 80 -j ACCEPT",
"-A HOST_OUTBOUND -p tcp --dport 443 -j ACCEPT",
"-A HOST_OUTBOUND -p icmp -j ACCEPT",
"-P FORWARD DROP"
]
},
"container_to_container": {
"default_policy": "ACCEPT"
},
"container_to_wider_world": {
"default_policy": "ACCEPT"
},
"container_to_host": {
"default_policy": "ACCEPT"
},
"wider_world_to_container": {
"rules": [
{
"dst_container": "Name =~ .*",
"network": "bridge"
},
{
"dst_container": "cadvisor1",
"network": "bridge"
},
{
"network": "cadnet",
"dst_container": "Name =~ .*"
}
]
}
}
I am still not able to reproduce your issue, it is working fine for me for a single container as well, even the feature querying the exposed ports of the containers. Please provide a reproducible way with a minimal configuration and describe your expectations as well.
Ok, what I'm trying to do: I need to filter only one container with a known name. Any other containers should be available from the wider world.
So my config file is:
{
"initialization": { "filter": [ ":DFWFW_INPUT - [0:0]", ":HOST_OUTBOUND - [0:0]", ":HOST_INCOMING - [0:0]",
"-P INPUT DROP",
"-F INPUT",
"-A INPUT -m state --state INVALID -j DROP",
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A INPUT -j DFWFW_INPUT",
"-A INPUT -m state --state NEW -j HOST_INCOMING",
"-F HOST_INCOMING",
"-A HOST_INCOMING -p tcp --dport 22 -j ACCEPT",
"-A HOST_INCOMING -p icmp -j ACCEPT",
"-P OUTPUT DROP",
"-F OUTPUT",
"-A OUTPUT -m state --state INVALID -j DROP",
"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
"-A OUTPUT -m state --state NEW -j HOST_OUTBOUND",
"-F HOST_OUTBOUND",
"-A HOST_OUTBOUND -p udp --dport 53 -j ACCEPT",
"-A HOST_OUTBOUND -p tcp --dport 80 -j ACCEPT",
"-A HOST_OUTBOUND -p tcp --dport 443 -j ACCEPT",
"-A HOST_OUTBOUND -p icmp -j ACCEPT",
"-P FORWARD DROP"
]
},
"container_to_container": { "default_policy": "ACCEPT" }, "container_to_wider_world": { "default_policy": "ACCEPT" },
"container_to_host": { "default_policy": "ACCEPT" },
"wider_world_to_container": { "rules": [ { "dst_container": "Name =~ .*", "network": "cadnet" }
]
}
}
I have two containers connected to network cadnet, cadvisor1 and cadvisor2. Monitoring output when starting the first container:
[Mon Mar 13 07:59:38 2017] Docker event: container:attach: {"ID":"611d26449983c27266789b0c0f00f66b699abf303b78ff046f62166043b5b34f","Attributes":{"image":"irsl/dfwfw","name":"dfwfw"}}
Use of uninitialized value in pattern match (m//) at /opt/dfwfw/dfwfw.pl line 91.
[Mon Mar 13 07:59:45 2017] Docker event: network:connect: {"ID":"1e5794677d8a494cae65d34d2f7fcf833b2ef59dbd82c9bb1ab85fe4c39bf360","Attributes":{"container":"87a5b1d60f1c9a73064f6322fdfba83b0597f64adc268142a22f2beb45aa0a21","type":"bridge","name":"cadnet"}}
[Mon Mar 13 07:59:45 2017] Docker event: container:start: {"ID":"87a5b1d60f1c9a73064f6322fdfba83b0597f64adc268142a22f2beb45aa0a21","Attributes":{"image":"google/cadvisor:latest","name":"cadvisor1"}}
[Mon Mar 13 07:59:45 2017] Docker events stream ended :(
[Mon Mar 13 07:59:46 2017] Rebuilding firewall ruleset...
[Mon Mar 13 07:59:46 2017] DFWFW::Rule::ContainerToContainer: number of matching networks for rule #1: 2
[Mon Mar 13 07:59:46 2017] DFWFW::Rule::ContainerToWiderWorld: number of matching networks for rule #1: 2
[Mon Mar 13 07:59:46 2017] DFWFW::Rule::ContainerToHost: number of matching networks for rule #1: 2
[Mon Mar 13 07:59:46 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #1: 1
[Mon Mar 13 07:59:46 2017] Wider world to container: dst_container of rule #1 does not match any containers, skipping rule
[Mon Mar 13 07:59:46 2017] commiting to filter table:
*filter
################ DFWFW_FORWARD head:
-F DFWFW_FORWARD
-A DFWFW_FORWARD -m state --state INVALID -j DROP
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
################ DFWFW_INPUT head:
-F DFWFW_INPUT
################ container_to_container:
-A DFWFW_FORWARD -i br-1e5794677d8a -o br-1e5794677d8a -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o docker0 -j ACCEPT
################ container_to_wider_world:
-A DFWFW_FORWARD -i br-1e5794677d8a -o eth0 -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o eth0 -j ACCEPT
################ container_to_host:
-A DFWFW_INPUT -i br-1e5794677d8a -j ACCEPT
-A DFWFW_INPUT -i docker0 -j ACCEPT
################ DFWFW_FORWARD tail:
-A DFWFW_FORWARD -j DROP
COMMIT
[Mon Mar 13 07:59:46 2017] commiting to nat table:
*nat
################ DFWFW_PREROUTING head:
-F DFWFW_PREROUTING
COMMIT
Message from the log: "Wider world to container: dst_container of rule #1 does not match any containers, skipping rule". Nothing new in iptables.
Then starting the second container:
*nat
################ DFWFW_PREROUTING head:
-F DFWFW_PREROUTING
COMMIT
[Mon Mar 13 08:00:47 2017] Docker event: network:connect: {"Attributes":{"name":"cadnet","type":"bridge","container":"a55c0d5ebda18a79121f7b6ba0e7d60279fb5ee74638eb360b4d185051c01d08"},"ID":"1e5794677d8a494cae65d34d2f7fcf833b2ef59dbd82c9bb1ab85fe4c39bf360"}
Use of uninitialized value in pattern match (m//) at /opt/dfwfw/dfwfw.pl line 91.
[Mon Mar 13 08:00:47 2017] Docker event: container:start: {"Attributes":{"name":"cadvisor2","image":"google/cadvisor:latest"},"ID":"a55c0d5ebda18a79121f7b6ba0e7d60279fb5ee74638eb360b4d185051c01d08"}
[Mon Mar 13 08:00:47 2017] Rebuilding DFWFW due to Docker event: start - google/cadvisor:latest
[Mon Mar 13 08:00:47 2017] Talking to Docker daemon to learn current network and container configuration
[Mon Mar 13 08:00:47 2017] Rebuilding firewall ruleset...
[Mon Mar 13 08:00:47 2017] DFWFW::Rule::ContainerToContainer: number of matching networks for rule #1: 2
[Mon Mar 13 08:00:47 2017] DFWFW::Rule::ContainerToWiderWorld: number of matching networks for rule #1: 2
[Mon Mar 13 08:00:47 2017] DFWFW::Rule::ContainerToHost: number of matching networks for rule #1: 2
[Mon Mar 13 08:00:47 2017] DFWFW::Rule::WiderWorldToContainer: number of matching networks for rule #1: 1
[Mon Mar 13 08:00:47 2017] commiting to filter table:
*filter
################ DFWFW_FORWARD head:
-F DFWFW_FORWARD
-A DFWFW_FORWARD -m state --state INVALID -j DROP
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
################ DFWFW_INPUT head:
-F DFWFW_INPUT
################ container_to_container:
-A DFWFW_FORWARD -i br-1e5794677d8a -o br-1e5794677d8a -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o docker0 -j ACCEPT
################ container_to_wider_world:
-A DFWFW_FORWARD -i br-1e5794677d8a -o eth0 -j ACCEPT
-A DFWFW_FORWARD -i docker0 -o eth0 -j ACCEPT
################ container_to_host:
-A DFWFW_INPUT -i br-1e5794677d8a -j ACCEPT
-A DFWFW_INPUT -i docker0 -j ACCEPT
################ wider_world_to_container:
# #1: host:8081 -> cadvisor1:8080 / tcp
-A DFWFW_FORWARD -i eth0 -o br-1e5794677d8a -d 172.18.0.2 -p tcp --dport 8080 -j ACCEPT
# #1: host:8082 -> cadvisor2:8080 / tcp
-A DFWFW_FORWARD -i eth0 -o br-1e5794677d8a -d 172.18.0.3 -p tcp --dport 8080 -j ACCEPT
################ DFWFW_FORWARD tail:
-A DFWFW_FORWARD -j DROP
COMMIT
[Mon Mar 13 08:00:47 2017] commiting to nat table:
*nat
################ DFWFW_PREROUTING head:
-F DFWFW_PREROUTING
################ wider_world_to_container:
# #1: host:8081 -> cadvisor1:8080 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 8081 -j DNAT --to-destination 172.18.0.2:8080
# #1: host:8082 -> cadvisor2:8080 / tcp
-A DFWFW_PREROUTING -i eth0 -p tcp --dport 8082 -j DNAT --to-destination 172.18.0.3:8080
COMMIT
So two rules were created.
Just caught one more thing. I started one more container and rules didn't appear. But when I sent docker kill --signal=HUP dfwfw, all rules successfully appeared.
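Throughout this thread the reporter checks by hand whether the live ruleset has a wider_world_to_container entry for every container on cadnet, and at the end finds that a SIGHUP to dfwfw makes the missing rules appear. Below is an added example, not dfwfw's own code, that automates that check: it parses the JSON from `docker network inspect <network>` and a plain `iptables-save` dump, and reports every container on the network that has no inbound ACCEPT in DFWFW_FORWARD or no DNAT in DFWFW_PREROUTING. The two sample inputs are constructed from values seen in this thread (network id, bridge br-1e5794677d8a, container addresses 172.18.0.2 and 172.18.0.3); the bridge naming rule (`br-` plus the first 12 characters of the network id), the WAN interface name `eth0` and all function names are assumptions of this example.

```python
"""Drift check between Docker's view of a network and the DFWFW ruleset.

Added example (not part of dfwfw). The inputs are what a practitioner can
capture on the host: `docker network inspect cadnet` and `iptables-save`.
The samples below are constructed from values seen in the thread.
"""
import json

# Constructed sample: shape of `docker network inspect cadnet` with both
# cadvisor containers attached.
NETWORK_INSPECT = json.dumps([{
    "Name": "cadnet",
    "Id": "1e5794677d8a494cae65d34d2f7fcf833b2ef59dbd82c9bb1ab85fe4c39bf360",
    "Driver": "bridge",
    "Containers": {
        "87a5b1d60f1c9a73064f6322fdfba83b0597f64adc268142a22f2beb45aa0a21":
            {"Name": "cadvisor1", "IPv4Address": "172.18.0.2/16"},
        "a55c0d5ebda18a79121f7b6ba0e7d60279fb5ee74638eb360b4d185051c01d08":
            {"Name": "cadvisor2", "IPv4Address": "172.18.0.3/16"},
    },
}])

# Constructed sample: iptables-save fragment in which only cadvisor1 got its
# wider_world_to_container rules (the stale state the reporter describes).
IPTABLES_SAVE = """\
*nat
:DFWFW_PREROUTING - [0:0]
-A PREROUTING -j DFWFW_PREROUTING
-A DFWFW_PREROUTING -i eth0 -p tcp -m tcp --dport 8081 -j DNAT --to-destination 172.18.0.2:8080
COMMIT
*filter
:DFWFW_FORWARD - [0:0]
-A FORWARD -j DFWFW_FORWARD
-A DFWFW_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A DFWFW_FORWARD -i br-1e5794677d8a -o br-1e5794677d8a -j ACCEPT
-A DFWFW_FORWARD -i br-1e5794677d8a -o eth0 -j ACCEPT
-A DFWFW_FORWARD -d 172.18.0.2/32 -i eth0 -o br-1e5794677d8a -p tcp -m tcp --dport 8080 -j ACCEPT
-A DFWFW_FORWARD -j DROP
COMMIT
"""


def _opts(rule_line):
    """Map '-A CHAIN -d 1.2.3.4/32 -i eth0 ... -j ACCEPT' to {flag: value}."""
    toks = rule_line.split()
    opts, i = {}, 0
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[toks[i]] = toks[i + 1]   # flag followed by its argument
            i += 2
        else:
            opts[toks[i]] = True          # bare flag
            i += 1
    return opts


def parse_iptables_save(text):
    """Yield (table, options) for every '-A' rule in an iptables-save dump."""
    table = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, _opts(line)


def network_containers(inspect_json):
    """Container name -> IPv4 address, prefix length stripped."""
    net = json.loads(inspect_json)[0]
    return {c["Name"]: c["IPv4Address"].split("/")[0]
            for c in net["Containers"].values()}


def bridge_name(inspect_json):
    # Assumption: Docker's default bridge naming for user-defined networks,
    # 'br-' + first 12 hex chars of the network id (br-1e5794677d8a above).
    return "br-" + json.loads(inspect_json)[0]["Id"][:12]


def coverage(inspect_json, iptables_save, wan_if="eth0"):
    """Per container: is there an ACCEPT from wan_if to it in DFWFW_FORWARD,
    and a DNAT to it in DFWFW_PREROUTING?"""
    bridge = bridge_name(inspect_json)
    fwd_ok, dnat_ok = set(), set()
    for table, o in parse_iptables_save(iptables_save):
        if (table == "filter" and o.get("-A") == "DFWFW_FORWARD"
                and o.get("-j") == "ACCEPT" and o.get("-i") == wan_if
                and o.get("-o") == bridge and isinstance(o.get("-d"), str)):
            fwd_ok.add(o["-d"].split("/")[0])
        elif (table == "nat" and o.get("-A") == "DFWFW_PREROUTING"
                and o.get("-j") == "DNAT" and o.get("-i") == wan_if
                and isinstance(o.get("--to-destination"), str)):
            dnat_ok.add(o["--to-destination"].rsplit(":", 1)[0])
    return {name: {"forward": ip in fwd_ok, "dnat": ip in dnat_ok}
            for name, ip in network_containers(inspect_json).items()}


def uncovered(inspect_json, iptables_save, wan_if="eth0"):
    """Containers on the network that the DFWFW chains do not expose;
    a non-empty result after a container start means the ruleset is stale."""
    return sorted(n for n, c in coverage(inspect_json, iptables_save, wan_if).items()
                  if not (c["forward"] and c["dnat"]))


if __name__ == "__main__":
    for name, c in coverage(NETWORK_INSPECT, IPTABLES_SAVE).items():
        print(f"{name}: forward={c['forward']} dnat={c['dnat']}")
    print("stale for:", uncovered(NETWORK_INSPECT, IPTABLES_SAVE))
```

On a live host, replace the two constants with the real `docker network inspect cadnet` and `iptables-save` output. Any name the check returns right after a container start is a container dfwfw did not pick up; that is the moment to look for the "Docker events stream ended" line in its log and, as the reporter did, send `docker kill --signal=HUP dfwfw` to force a rebuild, then run the check again to confirm the ruleset and Docker's state agree.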