Update firewall README.md CNI-ADMIN
Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>
This commit is contained in:
Sameer Vohra
@ -133,12 +133,12 @@ of the container as shown:
|
|||||||
- `-s 10.88.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j CNI-FORWARD`
|
- `-s 10.88.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j CNI-FORWARD`
|
||||||
- `-d 10.88.0.2 -j CNI-FORWARD`
|
- `-d 10.88.0.2 -j CNI-FORWARD`
|
||||||
|
|
||||||
A new chain, CNI-ADMIN is added to the CNI-FORWARD chain. CNI-ADMIN is intended as a user-controlled chain that all traffic passes through prior to the rules managed by the `firewall` plugin.
|
The `CNI-FORWARD` chain first sends all traffic to `CNI-ADMIN` chain, which is intended as an user-controlled chain for custom rules that run prior to rules managed by the `firewall` plugin. The `firewall` plugin does not add, delete or modify rules in the `CNI-ADMIN` chain.
|
||||||
|
|
||||||
`CNI-FORWARD` chain:
|
`CNI-FORWARD` chain:
|
||||||
- `-j CNI-ADMIN`
|
- `-j CNI-ADMIN`
|
||||||
|
|
||||||
The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in
|
The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in the plugin configuration
|
||||||
|
|
||||||
```
|
```
|
||||||
{
|
{
|
||||||
|
|||||||
Reference in New Issue
Block a user