firewall: add firewalld functionality to firewall plugin
Example of usage, which uses flannel for allocating IP
addresses for containers and then registers them in `trusted`
zone in firewalld:
{
"cniVersion": "0.3.1",
"name": "flannel-firewalld",
"plugins": [
{
"name": "cbr0",
"type": "flannel",
"delegate": {
"isDefaultGateway": true
}
},
{
"type": "firewall",
"backend": "firewalld",
"zone": "trusted"
}
]
}
Fixes #114
Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Michal Rostecki <mrostecki@suse.com>
This commit is contained in:
Michal Rostecki
committed by
Michael Cambria
Michael Cambria
parent
eb66fc201c
commit
9d6f1e9975
76
plugins/meta/firewall/firewalld.go
Normal file
76
plugins/meta/firewall/firewalld.go
Normal file
@ -0,0 +1,76 @@
|
||||
// Copyright 2018 CNI authors
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
//
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/containernetworking/plugins/pkg/firewalld"
|
||||
|
||||
"github.com/godbus/dbus"
|
||||
)
|
||||
|
||||
// Only used for testcases to override the D-Bus connection
|
||||
var testConn *dbus.Conn
|
||||
|
||||
type fwdBackend struct {
|
||||
conn *dbus.Conn
|
||||
}
|
||||
|
||||
// fwdBackend implements the FirewallBackend interface
|
||||
var _ FirewallBackend = &fwdBackend{}
|
||||
|
||||
func getConn() (*dbus.Conn, error) {
|
||||
if testConn != nil {
|
||||
return testConn, nil
|
||||
}
|
||||
return dbus.SystemBus()
|
||||
}
|
||||
|
||||
func isFirewalldRunning() bool {
|
||||
conn, err := getConn()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
return firewalld.IsRunning(conn)
|
||||
}
|
||||
|
||||
func newFirewalldBackend(conf *FirewallNetConf) (FirewallBackend, error) {
|
||||
conn, err := getConn()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
backend := &fwdBackend{
|
||||
conn: conn,
|
||||
}
|
||||
return backend, nil
|
||||
}
|
||||
|
||||
func (fb *fwdBackend) Add(conf *FirewallNetConf) error {
|
||||
for _, ip := range conf.PrevResult.IPs {
|
||||
if err := firewalld.AddSourceToZone(fb.conn, ip.Address.IP, conf.FirewalldZone); err != nil {
|
||||
return fmt.Errorf("failed to add the address %v to %v zone: %v", ip.Address.IP, conf.FirewalldZone, err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (fb *fwdBackend) Del(conf *FirewallNetConf) error {
|
||||
for _, ip := range conf.PrevResult.IPs {
|
||||
firewalld.RemoveSourceFromZone(fb.conn, ip.Address.IP, conf.FirewalldZone)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
Reference in New Issue
Block a user