firewall: add firewalld functionality to firewall plugin

Example of usage, which uses flannel for allocating IP
addresses for containers and then registers them in the `trusted`
zone in firewalld:

{
  "cniVersion": "0.3.1",
  "name": "flannel-firewalld",
  "plugins": [
    {
      "name": "cbr0",
      "type": "flannel",
      "delegate": {
        "isDefaultGateway": true
      }
    },
    {
      "type": "firewall",
      "backend": "firewalld",
      "zone": "trusted"
    }
  ]
}

Fixes #114

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Michal Rostecki <mrostecki@suse.com>
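As an added example (not part of this commit or the plugin's own code), a small check for a chained configuration like the one above: the firewall plugin only opens traffic for addresses configured by earlier plugins, so it must not be first in the chain, and the checker also flags a `firewalld` entry with no explicit `zone` as something to confirm. The requirement that `zone` be set is an assumption about intended usage, not a rule stated in the commit.

```python
import json

# Constructed sample: the flannel + firewalld chain from the commit message.
CONFLIST = """
{
  "cniVersion": "0.3.1",
  "name": "flannel-firewalld",
  "plugins": [
    {"name": "cbr0", "type": "flannel", "delegate": {"isDefaultGateway": true}},
    {"type": "firewall", "backend": "firewalld", "zone": "trusted"}
  ]
}
"""


def check_firewall_chain(conflist_text):
    """Return a list of problems found in a CNI conflist using the firewall plugin.

    Checks performed (the zone check is an assumption about intended usage):
    - the text must parse as JSON (a stray trailing comma breaks the whole file);
    - the firewall plugin must not be the first plugin, because it only allows
      traffic for container IPs that an earlier plugin already configured;
    - a firewalld backend with no "zone" is reported so the operator confirms
      which zone the container addresses will end up in.
    """
    problems = []
    try:
        conf = json.loads(conflist_text)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: %s at line %d" % (exc.msg, exc.lineno)]
    plugins = conf.get("plugins")
    if not isinstance(plugins, list) or not plugins:
        return ["no 'plugins' list in conflist"]
    firewall_seen = False
    for idx, plugin in enumerate(plugins):
        if plugin.get("type") != "firewall":
            continue
        firewall_seen = True
        if idx == 0:
            problems.append("firewall plugin is first: no earlier plugin supplies container IPs")
        if plugin.get("backend") == "firewalld" and not plugin.get("zone"):
            problems.append("backend 'firewalld' without an explicit 'zone'")
    if not firewall_seen:
        problems.append("no firewall plugin in chain")
    return problems
```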
Michal Rostecki
2018-02-06 17:19:17 +01:00
committed by Michael Cambria
parent eb66fc201c
commit 9d6f1e9975
5 changed files with 386 additions and 21 deletions


@ -2,23 +2,41 @@
## Overview
This plugin creates firewall rules to allow traffic to/from the host network interface given by "ifName".
This plugin creates firewall rules to allow traffic to/from container IP address via the host network .
It does not create any network interfaces and therefore does not set up connectivity by itself.
It is only useful when used in addition to other plugins.
## Operation
The following network configuration file
```
```json
{
"name": "mynet",
"type": "firewall",
"ifName": "cni0"
"cniVersion": "0.3.1",
"name": "bridge-firewalld",
"plugins": [
{
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "10.88.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
},
{
"type": "firewall",
}
]
}
```
will allow the given interface to send/receive traffic via the host.
will allow any IP addresses configured by earlier plugins to send/receive traffic via the host.
A successful result would simply be an empty result, unless a previous plugin passed a previous result, in which case this plugin will return that verbatim.
A successful result would simply be an empty result, unless a previous plugin passed a previous result, in which case this plugin will return that previous result.
## Backends
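Review bot: the new JSON example in the Operation section does not parse: `"type": "firewall",` is followed directly by `}`, so the trailing comma makes the whole conflist invalid (the old example had the mirror problem, a missing comma after `"ifName": "cni0"`, so this is the moment to get it right). Drop the comma. The chain is named `bridge-firewalld` but the firewall entry sets no `backend`; either add `"backend": "firewalld"` to the example or say in the text which backend is used when none is given. Minor: "container IP address via the host network ." has a stray space before the period and should read "container IP addresses".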