Vendor CNI plugins firewall code

The upstream CNI project has a PR open for adding iptables and firewalld support, but this has been stalled for the better part of a year upstream. On advice of several maintainers, we are vendoring this code into libpod, to perform the relevant firewall configuration ourselves. Signed-off-by: Matthew Heon <matthew.heon@gmail.com> Closes: #1431 Approved by: baude
2025-08-06 03:19:52 +08:00 · 2018-09-09 13:16:34 -04:00
parent 2afadeec66
commit 9405e3704f
12 changed files with 1288 additions and 13 deletions
--- a/libpod/runtime.go
+++ b/libpod/runtime.go
@ -13,6 +13,7 @@ import (
 	is "github.com/containers/image/storage"
 	"github.com/containers/image/types"
 	"github.com/containers/libpod/libpod/image"
+	"github.com/containers/libpod/pkg/firewall"
 	"github.com/containers/libpod/pkg/hooks"
 	sysreg "github.com/containers/libpod/pkg/registries"
 	"github.com/containers/libpod/pkg/rootless"
@ -70,19 +71,20 @@ type RuntimeOption func(*Runtime) error

 // Runtime is the core libpod runtime
 type Runtime struct {
-	config         *RuntimeConfig
-	state          State
-	store          storage.Store
-	storageService *storageService
-	imageContext   *types.SystemContext
-	ociRuntime     *OCIRuntime
-	lockDir        string
-	netPlugin      ocicni.CNIPlugin
-	ociRuntimePath string
-	conmonPath     string
-	valid          bool
-	lock           sync.RWMutex
-	imageRuntime   *image.Runtime
+	config          *RuntimeConfig
+	state           State
+	store           storage.Store
+	storageService  *storageService
+	imageContext    *types.SystemContext
+	ociRuntime      *OCIRuntime
+	lockDir         string
+	netPlugin       ocicni.CNIPlugin
+	ociRuntimePath  string
+	conmonPath      string
+	valid           bool
+	lock            sync.RWMutex
+	imageRuntime    *image.Runtime
+	firewallBackend firewall.FirewallBackend
 }

 // RuntimeConfig contains configuration options used to set up the runtime
@ -507,6 +509,17 @@ func makeRuntime(runtime *Runtime) (err error) {
 	}
 	runtime.netPlugin = netPlugin

+	// Set up a firewall backend
+	backendType := ""
+	if os.Geteuid() != 0 {
+		backendType = "none"
+	}
+	fwBackend, err := firewall.GetBackend(backendType)
+	if err != nil {
+		return err
+	}
+	runtime.firewallBackend = fwBackend
+
 	// Set up the state
 	switch runtime.config.StateType {
 	case InMemoryStateStore: