Fix issues with Docker bridge networks#9
Conversation
|
Good! I will look at it. Thanks |
| @@ -1,4 +1,4 @@ | |||
| #!/bin/sh | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
Oh, sorry, this is a thing I need locally because /bin/sh is dash - I didn't mean for it to end up in the PR. I'll revert this change and keep it in a local branch
| if [ $? -eq 0 ]; then | ||
| iptables -A DOCKER-ISOLATION -i ${int_in} -o ${int_out} -j DROP | ||
| fi | ||
| iptables -A DOCKER-ISOLATION -i ${int_in} -o ${int_out} -j DROP |
There was a problem hiding this comment.
So, first of all, writing it in two parts like that seems to cause csf to stop running the whole script. If you put it directly in the if it wouldn't do that:
if iptables -C -A DOCKER-ISOLATION -i ${int_in} -o ${int_out} -j DROP > /dev/null 2>&1; then
iptables -A DOCKER-ISOLATION -i ${int_in} -o ${int_out} -j DROP
fi
... however, it always fails for me and so the rule is never added - I'm not sure why. But removing the if altogether leads to the rules matching what Docker would do
There was a problem hiding this comment.
$ sudo iptables --version
iptables v1.4.21
There was a problem hiding this comment.
I confirm, if you are using docker-compose use version @dsnopek. But you need docker version ~1.12.
thanks!
2 participants
We have a bunch of services running on Docker bridged networks via docker-compose. The current script doesn't setup all the iptables rules exactly like the Docker daemon, which would cause everything to break everytime 'csf' got restarted. This PR contains the fixes that worked for me!
I used
iptables-saveto dump the rules that get setup by starting CSF then the Docker daemon without this script. Then I added the script, restarted CSF andiptables-saveto dump the rules generated by this script, and compared them viadiff- the only difference with my PR is the order that containers or networks are added, which is really just a difference in the order when looping - in everyway that matters the result is the same in our testing!