
rules::docker_ce allow passing '*' as interface name #119

Open
nbarrientos opened this issue Feb 2, 2022 · 2 comments
Labels
enhancement New feature or request

Comments

@nbarrientos
Collaborator

nbarrientos commented Feb 2, 2022

From nftables' manpage:

Like with iptables, wildcard matching on interface name prefixes is available for iifname and oifname matches by appending an asterisk (*) character. Note however that unlike iptables, nftables does not accept interface names consisting of the wildcard character only - users are supposed to just skip those always matching expressions. In order to match on literal asterisk character, one may escape it using backslash (\*).

In some cases it's not possible to always fix the interface name used by Docker, like for instance when using docker-compose and build statements. When container images are built, docker-compose uses the default network, whose interface name is typically docker0, and this cannot be changed.

If the user uses a custom network with a custom interface name for the 'live' containers (for instance mycustominterface), then it becomes non-trivial to write static firewall rules, as they have to work for both the build and the run phase, which use different interface names as described above.

A workaround is to use what's described in the statement above (which comes from nft(8)), so pass a prefix like:

nftables::rules::docker_ce::docker_interface: 'docker*'

however that's a bit ugly as this forces users to use a pattern for their custom interfaces.

The task is to allow * as a value for docker_interface, which would simply remove the iifname and oifname statements from the rules as recommended above:

users are supposed to just skip those always matching expressions

Unfortunately, AFAIK, it's not possible to use regular expressions like: docker*|mycustomiface.

To discuss before implementing this change if it actually makes sense to remove the iifname and oifname statements. Perhaps we should turn $docker_interface into an array and duplicate rules so something like:

nftables::rules::docker_ce::docker_interface: ['docker*', 'mycustomiface']

would create separate rules for each interface (or pattern).

nbarrientos added the enhancement label Feb 2, 2022

@nbarrientos
Collaborator Author

It might be possible in "recent" versions of docker-compose to select the network at build time too so perhaps this change is not necessary anymore.

https://docs.docker.com/compose/compose-file/compose-file-v3/#network
https://docs.docker.com/compose/compose-file/compose-file-v2/#network

@traylenator
Collaborator

Perhaps we should turn $docker_interface into an array and duplicate rules so something like:

Not sure the rules need to be duplicated. iifname supports a list itself.

iifname { "docker*", "mycustominterface" }

assuming the glob is still respected in there.
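As an added example (not the module's own code), a hypothetical Puppet class sketching how docker_ce could accept the values discussed in this thread: a single name or prefix glob, an array rendered as one anonymous set rather than duplicated rules, or '*' meaning the iifname/oifname match is omitted. The class and rule titles are invented; it assumes the module's nftables::rule define with its content parameter and its default_in/default_fwd base chains.

```puppet
# Added example, not the module's own code. Maps the proposed
# docker_interface values to nftables match expressions:
#   'docker0' or 'docker*'           -> iifname "docker*"
#   ['docker*', 'mycustominterface'] -> iifname { "docker*", "mycustominterface" }
#   '*'                              -> no iifname/oifname match at all
class nftables::rules::docker_ce_iface_example (
  Variant[String[1], Array[String[1], 1]] $docker_interface = 'docker0',
) {
  # Normalise the scalar form to a one-element array.
  $interfaces = $docker_interface ? {
    Array   => $docker_interface,
    default => [$docker_interface],
  }

  if '*' in $interfaces {
    # nft(8) rejects a name consisting only of '*', and a '*' next to other
    # names would match everything anyway, so the expression is omitted.
    $iif_match = ''
    $oif_match = ''
  } elsif $interfaces.length == 1 {
    # Single name or prefix glob: the plain match used today.
    $iif_match = "iifname \"${interfaces[0]}\" "
    $oif_match = "oifname \"${interfaces[0]}\" "
  } else {
    # Several names: one anonymous set instead of one rule per interface,
    # assuming, as the thread does, that a prefix glob is honoured in a set.
    $quoted    = $interfaces.map |$i| { "\"${i}\"" }
    $set       = "{ ${quoted.join(', ')} }"
    $iif_match = "iifname ${set} "
    $oif_match = "oifname ${set} "
  }

  # Rule titles are hypothetical. Only positive matches can be dropped
  # this way: a negated match such as 'oifname != ...' cannot simply be
  # omitted for '*', since it would never match rather than always match.
  nftables::rule {
    'default_in-docker_example_accept':
      content => "${iif_match}accept";
    'default_fwd-docker_example_established':
      content => "${oif_match}ct state established,related accept";
  }
}
```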
