Added support for multiple networks
Now networks are added as well, so if a container has multiple networks (e.g. when using docker-compose) it still works
This commit is contained in:
parent
0150af87dc
commit
80a691f084
41
ufw-docker
41
ufw-docker
@ -21,12 +21,18 @@ function ufw-docker--list() {
|
|||||||
local INSTANCE_NAME="$1"
|
local INSTANCE_NAME="$1"
|
||||||
local INSTANCE_PORT="${2:-}"
|
local INSTANCE_PORT="${2:-}"
|
||||||
local PROTO="${3:-${DEFAULT_PROTO}}"
|
local PROTO="${3:-${DEFAULT_PROTO}}"
|
||||||
|
local NETWORK="${4:-}"
|
||||||
|
|
||||||
if [[ -z "$INSTANCE_PORT" ]]; then
|
if [[ -z "$INSTANCE_PORT" ]]; then
|
||||||
INSTANCE_PORT="[[:digit:]]\\+"
|
INSTANCE_PORT="[[:digit:]]\\+"
|
||||||
PROTO="\\(tcp\\|udp\\)"
|
PROTO="\\(tcp\\|udp\\)"
|
||||||
fi
|
fi
|
||||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\\?\$"
|
|
||||||
|
if [[ -z "$NETWORK" ]]; then
|
||||||
|
NETWORK="[[:graph:]]*"
|
||||||
|
fi
|
||||||
|
|
||||||
|
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\\?\\( ${NETWORK}\\)\\?\$"
|
||||||
}
|
}
|
||||||
|
|
||||||
function ufw-docker--list-number() {
|
function ufw-docker--list-number() {
|
||||||
@ -44,6 +50,7 @@ function ufw-docker--allow() {
|
|||||||
local INSTANCE_NAME="$1"
|
local INSTANCE_NAME="$1"
|
||||||
local INSTANCE_PORT="$2"
|
local INSTANCE_PORT="$2"
|
||||||
local PROTO="$3"
|
local PROTO="$3"
|
||||||
|
local NETWORK="${4:-}"
|
||||||
|
|
||||||
docker inspect "$INSTANCE_NAME" &>/dev/null ||
|
docker inspect "$INSTANCE_NAME" &>/dev/null ||
|
||||||
die "Docker instance \"$INSTANCE_NAME\" doesn't exist."
|
die "Docker instance \"$INSTANCE_NAME\" doesn't exist."
|
||||||
@ -52,6 +59,7 @@ function ufw-docker--allow() {
|
|||||||
|
|
||||||
[[ -z "${INSTANCE_IP_ADDRESSES:-}" ]] && die "Could not find a running instance \"$INSTANCE_NAME\"."
|
[[ -z "${INSTANCE_IP_ADDRESSES:-}" ]] && die "Could not find a running instance \"$INSTANCE_NAME\"."
|
||||||
|
|
||||||
|
mapfile -t INSTANCE_NETWORK_NAMES < <(docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s\n" $k}}{{end}}' "$INSTANCE_NAME" 2>/dev/null | remove_blank_lines)
|
||||||
mapfile -t PORT_PROTO_LIST < <(docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' "$INSTANCE_NAME" | remove_blank_lines)
|
mapfile -t PORT_PROTO_LIST < <(docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' "$INSTANCE_NAME" | remove_blank_lines)
|
||||||
|
|
||||||
if [[ -z "${PORT_PROTO_LIST:-}" ]]; then
|
if [[ -z "${PORT_PROTO_LIST:-}" ]]; then
|
||||||
@ -62,8 +70,15 @@ function ufw-docker--allow() {
|
|||||||
RETVAL=1
|
RETVAL=1
|
||||||
for PORT_PROTO in "${PORT_PROTO_LIST[@]}"; do
|
for PORT_PROTO in "${PORT_PROTO_LIST[@]}"; do
|
||||||
if [[ -z "$INSTANCE_PORT" || "$PORT_PROTO" = "${INSTANCE_PORT}/${PROTO}" ]]; then
|
if [[ -z "$INSTANCE_PORT" || "$PORT_PROTO" = "${INSTANCE_PORT}/${PROTO}" ]]; then
|
||||||
|
ITER=0
|
||||||
for IP in "${INSTANCE_IP_ADDRESSES[@]}"; do
|
for IP in "${INSTANCE_IP_ADDRESSES[@]}"; do
|
||||||
ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}"
|
INSTANCE_NETWORK="${INSTANCE_NETWORK_NAMES[$ITER]}"
|
||||||
|
ITER=$(expr $ITER + 1)
|
||||||
|
if [[ -n "$NETWORK" ]] && [[ "$NETWORK" != "$INSTANCE_NETWORK" ]]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}" "${INSTANCE_NETWORK}"
|
||||||
RETVAL="$?"
|
RETVAL="$?"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
@ -92,10 +107,11 @@ function ufw-docker--add-rule() {
|
|||||||
local INSTANCE_IP_ADDRESS="$2"
|
local INSTANCE_IP_ADDRESS="$2"
|
||||||
local PORT="$3"
|
local PORT="$3"
|
||||||
local PROTO="$4"
|
local PROTO="$4"
|
||||||
|
local NETWORK="$5"
|
||||||
|
|
||||||
declare comment
|
declare comment
|
||||||
|
|
||||||
echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO}"
|
echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO} ${NETWORK}"
|
||||||
typeset -a UFW_OPTS
|
typeset -a UFW_OPTS
|
||||||
UFW_OPTS=(route allow proto "${PROTO}"
|
UFW_OPTS=(route allow proto "${PROTO}"
|
||||||
from any to "$INSTANCE_IP_ADDRESS")
|
from any to "$INSTANCE_IP_ADDRESS")
|
||||||
@ -104,12 +120,15 @@ function ufw-docker--add-rule() {
|
|||||||
UFW_OPTS+=(port "${PORT}")
|
UFW_OPTS+=(port "${PORT}")
|
||||||
comment="$comment ${PORT}/${PROTO}"
|
comment="$comment ${PORT}/${PROTO}"
|
||||||
}
|
}
|
||||||
|
[[ -n "$NETWORK" ]] && {
|
||||||
|
comment="$comment ${NETWORK}"
|
||||||
|
}
|
||||||
UFW_OPTS+=(comment "$comment")
|
UFW_OPTS+=(comment "$comment")
|
||||||
|
|
||||||
if ufw-docker--list "$INSTANCE_NAME" "$PORT" "$PROTO" &>/dev/null; then
|
if ufw-docker--list "$INSTANCE_NAME" "$PORT" "$PROTO" "$NETWORK" &>/dev/null; then
|
||||||
ufw --dry-run "${UFW_OPTS[@]}" | grep "^Skipping" && return 0
|
ufw --dry-run "${UFW_OPTS[@]}" | grep "^Skipping" && return 0
|
||||||
err "Remove outdated rule."
|
err "Remove outdated rule."
|
||||||
ufw-docker--delete "$INSTANCE_NAME" "$PORT" "$PROTO"
|
ufw-docker--delete "$INSTANCE_NAME" "$PORT" "$PROTO" "$NETWORK"
|
||||||
fi
|
fi
|
||||||
echo ufw "${UFW_OPTS[@]}"
|
echo ufw "${UFW_OPTS[@]}"
|
||||||
ufw "${UFW_OPTS[@]}"
|
ufw "${UFW_OPTS[@]}"
|
||||||
@ -341,8 +360,8 @@ function ufw-docker--install() {
|
|||||||
function ufw-docker--help() {
|
function ufw-docker--help() {
|
||||||
cat <<-EOF >&2
|
cat <<-EOF >&2
|
||||||
Usage:
|
Usage:
|
||||||
ufw-docker <list|allow> [docker-instance-id-or-name [port[/tcp|/udp]]]
|
ufw-docker <list|allow> [docker-instance-id-or-name [port[/tcp|/udp]] [network]]
|
||||||
ufw-docker delete allow [docker-instance-id-or-name [port[/tcp|/udp]]]
|
ufw-docker delete allow [docker-instance-id-or-name [port[/tcp|/udp]] [network]]
|
||||||
|
|
||||||
ufw-docker service allow <swarm-service-id-or-name <port</tcp|/udp>>>
|
ufw-docker service allow <swarm-service-id-or-name <port</tcp|/udp>>>
|
||||||
ufw-docker service delete allow <swarm-service-id-or-name>
|
ufw-docker service delete allow <swarm-service-id-or-name>
|
||||||
@ -363,10 +382,11 @@ function ufw-docker--help() {
|
|||||||
ufw-docker allow httpd
|
ufw-docker allow httpd
|
||||||
ufw-docker allow httpd 80
|
ufw-docker allow httpd 80
|
||||||
ufw-docker allow httpd 80/tcp
|
ufw-docker allow httpd 80/tcp
|
||||||
|
ufw-docker allow httpd 80/tcp default
|
||||||
|
|
||||||
ufw-docker delete allow httpd
|
ufw-docker delete allow httpd
|
||||||
ufw-docker delete allow httpd 80/tcp
|
ufw-docker delete allow httpd 80/tcp
|
||||||
|
ufw-docker delete allow httpd 80/tcp default
|
||||||
|
|
||||||
ufw-docker service allow httpd 80/tcp
|
ufw-docker service allow httpd 80/tcp
|
||||||
|
|
||||||
@ -418,10 +438,13 @@ case "$ufw_action" in
|
|||||||
if [[ "$INSTANCE_PORT" = */udp ]]; then
|
if [[ "$INSTANCE_PORT" = */udp ]]; then
|
||||||
PROTO=udp
|
PROTO=udp
|
||||||
fi
|
fi
|
||||||
|
shift || true
|
||||||
|
|
||||||
|
NETWORK="${1:-}"
|
||||||
|
|
||||||
INSTANCE_PORT="${INSTANCE_PORT%/*}"
|
INSTANCE_PORT="${INSTANCE_PORT%/*}"
|
||||||
|
|
||||||
"ufw-docker--$ufw_action" "$INSTANCE_NAME" "$INSTANCE_PORT" "$PROTO"
|
"ufw-docker--$ufw_action" "$INSTANCE_NAME" "$INSTANCE_PORT" "$PROTO" "$NETWORK"
|
||||||
;;
|
;;
|
||||||
service|raw-command|add-service-rule)
|
service|raw-command|add-service-rule)
|
||||||
shift || true
|
shift || true
|
||||||
|
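Review bot: The network for each address is chosen by position, `INSTANCE_NETWORK="${INSTANCE_NETWORK_NAMES[$ITER]}"`, pairing INSTANCE_NETWORK_NAMES with INSTANCE_IP_ADDRESSES although the two arrays come from separate `docker inspect` runs and INSTANCE_IP_ADDRESSES is built outside this hunk; if that list drops a network that has no address (it appears to pass through remove_blank_lines as well) or the two templates do not iterate in the same order, the indices drift, a rule is opened for the wrong network, and the `${INSTANCE_NETWORK_NAMES[$ITER]}` read can run past the end of the array. Emitting name and address from one template in the same range and splitting each line removes the positional coupling; the fence below shows that shape, assuming the address the script wants is the network's IPAddress field, which should be confirmed against how INSTANCE_IP_ADDRESSES is filled. The counter would read better as `ITER=$((ITER + 1))` than `ITER=$(expr $ITER + 1)` and disappears entirely with that change. In ufw-docker--add-rule, `local NETWORK="$5"` should be `local NETWORK="${5:-}"` to match the `${4:-}` defaults used in ufw-docker--list and ufw-docker--allow, so a caller that still passes four arguments keeps working if the script runs under `set -u`.
```shell
mapfile -t INSTANCE_NETWORKS < <(docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s %s\n" $k $v.IPAddress}}{{end}}' "$INSTANCE_NAME" 2>/dev/null | remove_blank_lines)
# … unchanged: PORT_PROTO_LIST extraction and empty-list check …
        for NET_AND_IP in "${INSTANCE_NETWORKS[@]}"; do
            INSTANCE_NETWORK="${NET_AND_IP%% *}"
            IP="${NET_AND_IP#* }"
            # skip networks without an address, and non-matching networks when one was requested
            [[ -n "$IP" && "$IP" != "$INSTANCE_NETWORK" ]] || continue
            if [[ -n "$NETWORK" && "$NETWORK" != "$INSTANCE_NETWORK" ]]; then
                continue
            fi
            ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}" "${INSTANCE_NETWORK}"
            RETVAL="$?"
        done
```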