ITQC/containernetworking-plugins
24
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 34 Wiki Activity

Update firewall README.md

Browse Source 
Document `CNI-ADMIN` chain usage as well as `iptablesAdminChainName`

Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>
This commit is contained in:
Sameer Vohra
2020-06-24 11:18:50 -05:00
parent c90b165c6e
commit 051452cdcf
1 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
plugins/meta/firewall/README.md
View File

@ -133,3 +133,17 @@ of the container as shown:
- `-s 10.88.0.2 -m conntrack --ctstate RELATED,ESTABLISHED -j CNI-FORWARD`
- `-d 10.88.0.2 -j CNI-FORWARD`
A new chain, CNI-ADMIN is added to the CNI-FORWARD chain. CNI-ADMIN is intended as a user-controlled chain that all traffic passes through prior to the rules managed by the `firewall` plugin.
`CNI-FORWARD` chain:
- `-j CNI-ADMIN`
The chain name `CNI-ADMIN` can be overridden by specifying `iptablesAdminChainName` in
```
{
"type": "firewall",
"backend": "iptables",
"iptablesAdminChainName": "SOME-OTHER-CHAIN-NAME",
}
```