Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 4833b190ff | |||
| fc7840efef | |||
| 22f04125d6 | |||
| 4335d6fb82 | |||
| cd783f91d7 | |||
| 80a691f084 | |||
| 0150af87dc | |||
| cc58088bc5 | |||
| 2b4a44ff7a | |||
| fa5cec9dc5 | |||
| a444fb9457 |
@@ -0,0 +1,16 @@
|
||||
name: Unit Testing ufw-docker
|
||||
on: [push, pull_request]
|
||||
jobs:
|
||||
test:
|
||||
name: Unit Testing
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v2
|
||||
- name: Checkout submodules
|
||||
shell: bash
|
||||
run: |
|
||||
auth_header="$(git config --local --get http.https://github.com/.extraheader)"
|
||||
git submodule sync --recursive
|
||||
git -c "http.extraheader=$auth_header" -c protocol.version=2 submodule update --init --force --recursive --depth=1
|
||||
- name: Test ufw-docker
|
||||
run: ./test.sh
|
||||
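Review bot: The "Checkout submodules" step copies the checkout credential out of `http.https://github.com/.extraheader` and passes it on the `git -c "http.extraheader=$auth_header"` command line, where it is visible to every other process in the job (and to anything that traces commands), whereas `actions/checkout@v2` already does authenticated submodule checkout itself. The whole step can be replaced by `- uses: actions/checkout@v2` / `  with:` / `    submodules: recursive`, with the `--depth=1` behaviour lost only if that matters for the tests. Separately, `@v2` is a mutable tag; pinning the action to a full commit SHA (with the tag in a trailing comment) would keep the test job's supply chain reproducible.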
@@ -2,7 +2,7 @@ To Fix The Docker and UFW Security Flaw Without Disabling Iptables
|
||||
==================
|
||||
|
||||
[](https://travis-ci.org/chaifeng/ufw-docker)
|
||||

|
||||
[](https://hub.docker.com/r/chaifeng/ufw-docker-agent)
|
||||
|
||||
- [English](#tldr)
|
||||
- [中文](#太长不想读)
|
||||
@@ -210,7 +210,7 @@ Download `ufw-docker` script
|
||||
|
||||
sudo wget -O /usr/local/bin/ufw-docker \
|
||||
https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
|
||||
chmod +x /usr/local/bin/ufw-docker
|
||||
sudo chmod +x /usr/local/bin/ufw-docker
|
||||
|
||||
Then using the following command to modify the `after.rules` file of `ufw`
|
||||
|
||||
@@ -259,6 +259,10 @@ Expose the `443` port of the container `httpd` and the protocol is `tcp`
|
||||
|
||||
ufw-docker allow httpd 443/tcp
|
||||
|
||||
Expose the `443` port of the container `httpd` and the protocol is `tcp` and the network is `foobar-external-network` when the container `httpd` is attached to multiple networks
|
||||
|
||||
ufw-docker allow httpd 443/tcp foobar-external-network
|
||||
|
||||
Expose all published ports of the container `httpd`
|
||||
|
||||
ufw-docker allow httpd
|
||||
@@ -563,6 +567,10 @@ UFW 是 Ubuntu 上很流行的一个 iptables 前端,可以非常方便的管
|
||||
|
||||
ufw-docker allow httpd 443/tcp
|
||||
|
||||
如果容器 `httpd` 绑定到多个网络上,暴露其 `443` 端口,协议为 `tcp`,网络为 `foobar-external-network`
|
||||
|
||||
ufw-docker allow httpd 443/tcp foobar-external-network
|
||||
|
||||
把容器 `httpd` 的所有映射端口都暴露出来
|
||||
|
||||
ufw-docker allow httpd
|
||||
|
||||
Vendored
+27
-1
@@ -5,7 +5,7 @@
|
||||
|
||||
Vagrant.configure('2') do |config|
|
||||
|
||||
config.vm.box = "chaifeng/ubuntu-20.04-docker-19.03.11"
|
||||
config.vm.box = "chaifeng/ubuntu-20.04-docker-19.03.13"
|
||||
#config.vm.box = "chaifeng/ubuntu-16.04-docker-18.03"
|
||||
|
||||
config.vm.provider 'virtualbox' do |vb|
|
||||
@@ -125,6 +125,29 @@ DOCKERFILE
|
||||
ufw-docker allow public_webapp
|
||||
SHELL
|
||||
|
||||
master.vm.provision "multiple-network", type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
if ! docker network ls | grep -F foo-internal; then
|
||||
docker network create --internal foo-internal
|
||||
fi
|
||||
if ! docker network ls | grep -F bar-external; then
|
||||
docker network create bar-external
|
||||
fi
|
||||
|
||||
for app in internal-multinet-app:7000 public-multinet-app:17070; do
|
||||
if ! docker inspect "${app%:*}" &>/dev/null; then
|
||||
docker run -d --restart unless-stopped --name "${app%:*}" \
|
||||
-p "${app#*:}":80 --env name="${app}" \
|
||||
--network foo-internal \
|
||||
192.168.56.130:5000/chaifeng/hostname-webapp
|
||||
docker network connect bar-external "${app%:*}"
|
||||
fi
|
||||
done
|
||||
|
||||
ufw-docker allow public-multinet-app 80 bar-external
|
||||
ufw-docker allow internal-multinet-app 80 foo-internal
|
||||
SHELL
|
||||
|
||||
master.vm.provision "swarm-webapp", type: 'shell', inline: <<-SHELL
|
||||
set -euo pipefail
|
||||
for name in public:29090 local:9000; do
|
||||
@@ -166,6 +189,9 @@ DOCKERFILE
|
||||
test-webapp "$server:18080"
|
||||
! test-webapp "$server:8000"
|
||||
|
||||
test-webapp "$server:17070" # multiple networks app
|
||||
! test-webapp "$server:7000" # internal multiple networks app
|
||||
|
||||
test-webapp "$server:29090"
|
||||
! test-webapp "$server:9000"
|
||||
|
||||
|
||||
+1
-1
Submodule test/bach updated: ff948334df...447edb60db
+74
-29
@@ -143,7 +143,7 @@ test-ufw-docker-list-httpd() {
|
||||
ufw-docker list httpd
|
||||
}
|
||||
test-ufw-docker-list-httpd-assert() {
|
||||
ufw-docker--list httpd-container-name "" tcp
|
||||
ufw-docker--list httpd-container-name "" tcp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -152,7 +152,7 @@ test-ufw-docker-allow-httpd() {
|
||||
ufw-docker allow httpd
|
||||
}
|
||||
test-ufw-docker-allow-httpd-assert() {
|
||||
ufw-docker--allow httpd-container-name "" tcp
|
||||
ufw-docker--allow httpd-container-name "" tcp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -161,7 +161,7 @@ test-ufw-docker-allow-httpd-80() {
|
||||
ufw-docker allow httpd 80
|
||||
}
|
||||
test-ufw-docker-allow-httpd-80-assert() {
|
||||
ufw-docker--allow httpd-container-name 80 tcp
|
||||
ufw-docker--allow httpd-container-name 80 tcp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -170,7 +170,7 @@ test-ufw-docker-allow-httpd-80tcp() {
|
||||
ufw-docker allow httpd 80/tcp
|
||||
}
|
||||
test-ufw-docker-allow-httpd-80tcp-assert() {
|
||||
ufw-docker--allow httpd-container-name 80 tcp
|
||||
ufw-docker--allow httpd-container-name 80 tcp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -179,7 +179,7 @@ test-ufw-docker-allow-httpd-80udp() {
|
||||
ufw-docker allow httpd 80/udp
|
||||
}
|
||||
test-ufw-docker-allow-httpd-80udp-assert() {
|
||||
ufw-docker--allow httpd-container-name 80 udp
|
||||
ufw-docker--allow httpd-container-name 80 udp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -196,7 +196,7 @@ test-ufw-docker-list-httpd() {
|
||||
ufw-docker list httpd
|
||||
}
|
||||
test-ufw-docker-list-httpd-assert() {
|
||||
ufw-docker--list httpd-container-name "" tcp
|
||||
ufw-docker--list httpd-container-name "" tcp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -205,7 +205,7 @@ test-ufw-docker-delete-allow-httpd() {
|
||||
ufw-docker delete allow httpd
|
||||
}
|
||||
test-ufw-docker-delete-allow-httpd-assert() {
|
||||
ufw-docker--delete httpd-container-name "" tcp
|
||||
ufw-docker--delete httpd-container-name "" tcp ""
|
||||
}
|
||||
|
||||
|
||||
@@ -223,6 +223,16 @@ function setup-ufw-docker--allow() {
|
||||
|
||||
@mocktrue docker inspect instance-name
|
||||
@mock docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{"\n"}}{{end}}' instance-name === @stdout 172.18.0.3
|
||||
@mock docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s\n" $k}}{{end}}' instance-name === @stdout default
|
||||
@mock docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' instance-name === @stdout 5000/tcp 8080/tcp 5353/udp
|
||||
}
|
||||
|
||||
function setup-ufw-docker--allow--multinetwork() {
|
||||
load-ufw-docker-function ufw-docker--allow
|
||||
|
||||
@mocktrue docker inspect instance-name
|
||||
@mock docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{"\n"}}{{end}}' instance-name === @stdout 172.18.0.3 172.19.0.7
|
||||
@mock docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s\n" $k}}{{end}}' instance-name === @stdout default awesomenet
|
||||
@mock docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' instance-name === @stdout 5000/tcp 8080/tcp 5353/udp
|
||||
}
|
||||
|
||||
@@ -269,7 +279,7 @@ test-ufw-docker--allow-instance-and-match-the-port() {
|
||||
ufw-docker--allow instance-name 5000 tcp
|
||||
}
|
||||
test-ufw-docker--allow-instance-and-match-the-port-assert() {
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
||||
}
|
||||
|
||||
|
||||
@@ -279,9 +289,9 @@ test-ufw-docker--allow-instance-all-published-port() {
|
||||
ufw-docker--allow instance-name "" ""
|
||||
}
|
||||
test-ufw-docker--allow-instance-all-published-port-assert() {
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp default
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default
|
||||
}
|
||||
|
||||
|
||||
@@ -291,14 +301,39 @@ test-ufw-docker--allow-instance-all-published-tcp-port() {
|
||||
ufw-docker--allow instance-name "" tcp
|
||||
}
|
||||
test-ufw-docker--allow-instance-all-published-tcp-port-assert() {
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp # FIXME
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp default
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default # FIXME
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker--allow-instance-all-published-port-multinetwork() {
|
||||
setup-ufw-docker--allow--multinetwork
|
||||
|
||||
ufw-docker--allow instance-name "" ""
|
||||
}
|
||||
test-ufw-docker--allow-instance-all-published-port-multinetwork-assert() {
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5000 tcp default
|
||||
ufw-docker--add-rule instance-name 172.19.0.7 5000 tcp awesomenet
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 8080 tcp default
|
||||
ufw-docker--add-rule instance-name 172.19.0.7 8080 tcp awesomenet
|
||||
ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default
|
||||
ufw-docker--add-rule instance-name 172.19.0.7 5353 udp awesomenet
|
||||
}
|
||||
|
||||
test-ufw-docker--allow-instance-all-published-port-multinetwork-select-network() {
|
||||
setup-ufw-docker--allow--multinetwork
|
||||
|
||||
ufw-docker--allow instance-name "" "" awesomenet
|
||||
}
|
||||
test-ufw-docker--allow-instance-all-published-port-multinetwork-select-network-assert() {
|
||||
ufw-docker--add-rule instance-name 172.19.0.7 5000 tcp awesomenet
|
||||
ufw-docker--add-rule instance-name 172.19.0.7 8080 tcp awesomenet
|
||||
ufw-docker--add-rule instance-name 172.19.0.7 5353 udp awesomenet
|
||||
}
|
||||
|
||||
test-ufw-docker--add-rule-a-non-existing-rule() {
|
||||
@mockfalse ufw-docker--list webapp 5000 tcp
|
||||
@mockfalse ufw-docker--list webapp 5000 tcp ""
|
||||
|
||||
load-ufw-docker-function ufw-docker--add-rule
|
||||
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp
|
||||
@@ -307,29 +342,39 @@ test-ufw-docker--add-rule-a-non-existing-rule-assert() {
|
||||
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp"
|
||||
}
|
||||
|
||||
test-ufw-docker--add-rule-a-non-existing-rule-with-network() {
|
||||
@mockfalse ufw-docker--list webapp 5000 tcp default
|
||||
|
||||
load-ufw-docker-function ufw-docker--add-rule
|
||||
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp default
|
||||
}
|
||||
test-ufw-docker--add-rule-a-non-existing-rule-with-network-assert() {
|
||||
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp default"
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker--add-rule-modify-an-existing-rule() {
|
||||
@mocktrue ufw-docker--list webapp 5000 tcp
|
||||
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp"
|
||||
@mocktrue ufw-docker--list webapp 5000 tcp default
|
||||
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp default"
|
||||
@mockfalse grep "^Skipping"
|
||||
|
||||
load-ufw-docker-function ufw-docker--add-rule
|
||||
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp
|
||||
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp default
|
||||
}
|
||||
test-ufw-docker--add-rule-modify-an-existing-rule-assert() {
|
||||
ufw-docker--delete webapp 5000 tcp
|
||||
ufw-docker--delete webapp 5000 tcp default
|
||||
|
||||
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp"
|
||||
ufw route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp default"
|
||||
}
|
||||
|
||||
|
||||
test-ufw-docker--add-rule-skip-an-existing-rule() {
|
||||
@mocktrue ufw-docker--list webapp 5000 tcp
|
||||
@mocktrue ufw-docker--list webapp 5000 tcp ""
|
||||
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 port 5000 comment "allow webapp 5000/tcp"
|
||||
@mocktrue grep "^Skipping"
|
||||
|
||||
load-ufw-docker-function ufw-docker--add-rule
|
||||
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp
|
||||
ufw-docker--add-rule webapp 172.18.0.4 5000 tcp ""
|
||||
}
|
||||
test-ufw-docker--add-rule-skip-an-existing-rule-assert() {
|
||||
@do-nothing
|
||||
@@ -337,17 +382,17 @@ test-ufw-docker--add-rule-skip-an-existing-rule-assert() {
|
||||
|
||||
|
||||
test-ufw-docker--add-rule-modify-an-existing-rule-without-port() {
|
||||
@mocktrue ufw-docker--list webapp "" tcp
|
||||
@mocktrue ufw-docker--list webapp "" tcp ""
|
||||
|
||||
@mocktrue ufw --dry-run route allow proto tcp from any to 172.18.0.4 comment "allow webapp"
|
||||
@mockfalse grep "^Skipping"
|
||||
|
||||
load-ufw-docker-function ufw-docker--add-rule
|
||||
|
||||
ufw-docker--add-rule webapp 172.18.0.4 "" tcp
|
||||
ufw-docker--add-rule webapp 172.18.0.4 "" tcp ""
|
||||
}
|
||||
test-ufw-docker--add-rule-modify-an-existing-rule-without-port-assert() {
|
||||
ufw-docker--delete webapp "" tcp
|
||||
ufw-docker--delete webapp "" tcp ""
|
||||
|
||||
ufw route allow proto tcp from any to 172.18.0.4 comment "allow webapp"
|
||||
}
|
||||
@@ -388,7 +433,7 @@ test-ufw-docker--list-name() {
|
||||
ufw-docker--list foo
|
||||
}
|
||||
test-ufw-docker--list-name-assert() {
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\?\$"
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
test-ufw-docker--list-name-udp() {
|
||||
@@ -397,7 +442,7 @@ test-ufw-docker--list-name-udp() {
|
||||
ufw-docker--list foo "" udp
|
||||
}
|
||||
test-ufw-docker--list-name-udp-assert() {
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\?\$"
|
||||
grep "# allow foo\\( [[:digit:]]\\+\\/\\(tcp\\|udp\\)\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
|
||||
@@ -407,7 +452,7 @@ test-ufw-docker--list-name-80() {
|
||||
ufw-docker--list foo 80
|
||||
}
|
||||
test-ufw-docker--list-name-80-assert() {
|
||||
grep "# allow foo\\( 80\\/tcp\\)\\?\$"
|
||||
grep "# allow foo\\( 80\\/tcp\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
|
||||
@@ -417,7 +462,7 @@ test-ufw-docker--list-name-80-udp() {
|
||||
ufw-docker--list foo 80 udp
|
||||
}
|
||||
test-ufw-docker--list-name-80-udp-assert() {
|
||||
grep "# allow foo\\( 80\\/udp\\)\\?\$"
|
||||
grep "# allow foo\\( 80\\/udp\\)\\?\\( [[:graph:]]*\\)\\?\$"
|
||||
}
|
||||
|
||||
|
||||
|
||||
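Review bot: The new multinetwork tests only exercise a network the container is attached to; there is no case such as `ufw-docker--allow instance-name "" "" nosuchnet`, which in the new `ufw-docker--allow` loop in this compare skips every address and leaves `RETVAL` at 1 without adding a rule, so that behaviour is unpinned. A `test-ufw-docker--allow-instance-all-published-port-multinetwork-select-unknown-network` using `setup-ufw-docker--allow--multinetwork` with an assert of `@do-nothing` (plus whatever the caller is expected to print) would lock it in. The new assertion `ufw-docker--add-rule instance-name 172.18.0.3 5353 udp default # FIXME` also still encodes the known-wrong expectation that a udp rule is added when tcp was requested; the commit carries the FIXME forward rather than fixing the `[[ -z "$INSTANCE_PORT" || ... ]]` condition in `ufw-docker--allow`, which ignores `PROTO` whenever the port is empty.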
+33
-10
@@ -11,7 +11,7 @@ GREP_REGEXP_INSTANCE_NAME="[-_.[:alnum:]]\\+"
|
||||
DEFAULT_PROTO=tcp
|
||||
|
||||
ufw_docker_agent=ufw-docker-agent
|
||||
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:200812}"
|
||||
ufw_docker_agent_image="${UFW_DOCKER_AGENT_IMAGE:-chaifeng/${ufw_docker_agent}:210925}"
|
||||
|
||||
function ufw-docker--status() {
|
||||
ufw-docker--list "$GREP_REGEXP_INSTANCE_NAME"
|
||||
@@ -21,12 +21,18 @@ function ufw-docker--list() {
|
||||
local INSTANCE_NAME="$1"
|
||||
local INSTANCE_PORT="${2:-}"
|
||||
local PROTO="${3:-${DEFAULT_PROTO}}"
|
||||
local NETWORK="${4:-}"
|
||||
|
||||
if [[ -z "$INSTANCE_PORT" ]]; then
|
||||
INSTANCE_PORT="[[:digit:]]\\+"
|
||||
PROTO="\\(tcp\\|udp\\)"
|
||||
fi
|
||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\\?\$"
|
||||
|
||||
if [[ -z "$NETWORK" ]]; then
|
||||
NETWORK="[[:graph:]]*"
|
||||
fi
|
||||
|
||||
ufw status numbered | grep "# allow ${INSTANCE_NAME}\\( ${INSTANCE_PORT}\\/${PROTO}\\)\\?\\( ${NETWORK}\\)\\?\$"
|
||||
}
|
||||
|
||||
function ufw-docker--list-number() {
|
||||
@@ -44,6 +50,7 @@ function ufw-docker--allow() {
|
||||
local INSTANCE_NAME="$1"
|
||||
local INSTANCE_PORT="$2"
|
||||
local PROTO="$3"
|
||||
local NETWORK="${4:-}"
|
||||
|
||||
docker inspect "$INSTANCE_NAME" &>/dev/null ||
|
||||
die "Docker instance \"$INSTANCE_NAME\" doesn't exist."
|
||||
@@ -52,6 +59,7 @@ function ufw-docker--allow() {
|
||||
|
||||
[[ -z "${INSTANCE_IP_ADDRESSES:-}" ]] && die "Could not find a running instance \"$INSTANCE_NAME\"."
|
||||
|
||||
mapfile -t INSTANCE_NETWORK_NAMES < <(docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s\n" $k}}{{end}}' "$INSTANCE_NAME" 2>/dev/null | remove_blank_lines)
|
||||
mapfile -t PORT_PROTO_LIST < <(docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}}{{with $conf}}{{$p}}{{"\n"}}{{end}}{{end}}' "$INSTANCE_NAME" | remove_blank_lines)
|
||||
|
||||
if [[ -z "${PORT_PROTO_LIST:-}" ]]; then
|
||||
@@ -62,8 +70,15 @@ function ufw-docker--allow() {
|
||||
RETVAL=1
|
||||
for PORT_PROTO in "${PORT_PROTO_LIST[@]}"; do
|
||||
if [[ -z "$INSTANCE_PORT" || "$PORT_PROTO" = "${INSTANCE_PORT}/${PROTO}" ]]; then
|
||||
ITER=0
|
||||
for IP in "${INSTANCE_IP_ADDRESSES[@]}"; do
|
||||
ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}"
|
||||
INSTANCE_NETWORK="${INSTANCE_NETWORK_NAMES[$ITER]}"
|
||||
ITER=$((ITER+1))
|
||||
if [[ -n "$NETWORK" ]] && [[ "$NETWORK" != "$INSTANCE_NETWORK" ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}" "${INSTANCE_NETWORK}"
|
||||
RETVAL="$?"
|
||||
done
|
||||
fi
|
||||
@@ -92,10 +107,11 @@ function ufw-docker--add-rule() {
|
||||
local INSTANCE_IP_ADDRESS="$2"
|
||||
local PORT="$3"
|
||||
local PROTO="$4"
|
||||
local NETWORK="${5:-}"
|
||||
|
||||
declare comment
|
||||
|
||||
echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO}"
|
||||
echo "allow ${INSTANCE_NAME} ${PORT}/${PROTO} ${NETWORK}"
|
||||
typeset -a UFW_OPTS
|
||||
UFW_OPTS=(route allow proto "${PROTO}"
|
||||
from any to "$INSTANCE_IP_ADDRESS")
|
||||
@@ -104,12 +120,15 @@ function ufw-docker--add-rule() {
|
||||
UFW_OPTS+=(port "${PORT}")
|
||||
comment="$comment ${PORT}/${PROTO}"
|
||||
}
|
||||
[[ -n "$NETWORK" ]] && {
|
||||
comment="$comment ${NETWORK}"
|
||||
}
|
||||
UFW_OPTS+=(comment "$comment")
|
||||
|
||||
if ufw-docker--list "$INSTANCE_NAME" "$PORT" "$PROTO" &>/dev/null; then
|
||||
if ufw-docker--list "$INSTANCE_NAME" "$PORT" "$PROTO" "$NETWORK" &>/dev/null; then
|
||||
ufw --dry-run "${UFW_OPTS[@]}" | grep "^Skipping" && return 0
|
||||
err "Remove outdated rule."
|
||||
ufw-docker--delete "$INSTANCE_NAME" "$PORT" "$PROTO"
|
||||
ufw-docker--delete "$INSTANCE_NAME" "$PORT" "$PROTO" "$NETWORK"
|
||||
fi
|
||||
echo ufw "${UFW_OPTS[@]}"
|
||||
ufw "${UFW_OPTS[@]}"
|
||||
@@ -341,8 +360,8 @@ function ufw-docker--install() {
|
||||
function ufw-docker--help() {
|
||||
cat <<-EOF >&2
|
||||
Usage:
|
||||
ufw-docker <list|allow> [docker-instance-id-or-name [port[/tcp|/udp]]]
|
||||
ufw-docker delete allow [docker-instance-id-or-name [port[/tcp|/udp]]]
|
||||
ufw-docker <list|allow> [docker-instance-id-or-name [port[/tcp|/udp]] [network]]
|
||||
ufw-docker delete allow [docker-instance-id-or-name [port[/tcp|/udp]] [network]]
|
||||
|
||||
ufw-docker service allow <swarm-service-id-or-name <port</tcp|/udp>>>
|
||||
ufw-docker service delete allow <swarm-service-id-or-name>
|
||||
@@ -363,10 +382,11 @@ function ufw-docker--help() {
|
||||
ufw-docker allow httpd
|
||||
ufw-docker allow httpd 80
|
||||
ufw-docker allow httpd 80/tcp
|
||||
ufw-docker allow httpd 80/tcp default
|
||||
|
||||
ufw-docker delete allow httpd
|
||||
ufw-docker delete allow httpd 80/tcp
|
||||
|
||||
ufw-docker delete allow httpd 80/tcp default
|
||||
|
||||
ufw-docker service allow httpd 80/tcp
|
||||
|
||||
@@ -418,10 +438,13 @@ case "$ufw_action" in
|
||||
if [[ "$INSTANCE_PORT" = */udp ]]; then
|
||||
PROTO=udp
|
||||
fi
|
||||
shift || true
|
||||
|
||||
NETWORK="${1:-}"
|
||||
|
||||
INSTANCE_PORT="${INSTANCE_PORT%/*}"
|
||||
|
||||
"ufw-docker--$ufw_action" "$INSTANCE_NAME" "$INSTANCE_PORT" "$PROTO"
|
||||
"ufw-docker--$ufw_action" "$INSTANCE_NAME" "$INSTANCE_PORT" "$PROTO" "$NETWORK"
|
||||
;;
|
||||
service|raw-command|add-service-rule)
|
||||
shift || true
|
||||
|
||||
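Review bot: In the `ufw-docker--allow` hunk the new `INSTANCE_NETWORK="${INSTANCE_NETWORK_NAMES[$ITER]}"` pairs the i-th address of `INSTANCE_IP_ADDRESSES` with the i-th name from a separate `docker inspect`, which only holds if both lists have the same length; a network entry with an empty `IPAddress` (dropped by `remove_blank_lines` on the address side but not on the name side) shifts every later address onto the wrong network name, and under `set -u` an index past the end aborts the function. Emitting name and address together in one `--format` and splitting each line in the loop removes the coupling, as sketched below; the same hunk also sends only the name inspect's stderr to `/dev/null` while the port inspect on the next line does not, which hides one failure mode and not the other. The function starts and ends outside the hunk, so the `INSTANCE_IP_ADDRESSES` emptiness check above it would need to move to the combined list. Unrelated but worth a look: `ufw-docker--list` now interpolates `NETWORK` into a grep BRE unescaped, so a network name containing `.` matches more than the literal name.
```shell
# one inspect keeps each network name paired with its address, so an
# entry without an IPv4 address cannot shift the indexes of later ones
mapfile -t NETWORK_IP_LIST < <(docker inspect --format='{{range $k, $v := .NetworkSettings.Networks}}{{printf "%s %s\n" $k $v.IPAddress}}{{end}}' "$INSTANCE_NAME" | remove_blank_lines)
# … unchanged: PORT_PROTO_LIST, emptiness checks, RETVAL=1 …
for PORT_PROTO in "${PORT_PROTO_LIST[@]}"; do
    if [[ -z "$INSTANCE_PORT" || "$PORT_PROTO" = "${INSTANCE_PORT}/${PROTO}" ]]; then
        for NETWORK_IP in "${NETWORK_IP_LIST[@]}"; do
            INSTANCE_NETWORK="${NETWORK_IP%% *}"
            IP="${NETWORK_IP#* }"
            [[ -n "$IP" ]] || continue   # attached but no address on this network
            if [[ -n "$NETWORK" && "$NETWORK" != "$INSTANCE_NETWORK" ]]; then
                continue
            fi
            ufw-docker--add-rule "$INSTANCE_NAME" "$IP" "${PORT_PROTO%/*}" "${PORT_PROTO#*/}" "${INSTANCE_NETWORK}"
            RETVAL="$?"
        done
    fi
    # … unchanged: rest of loop body …
done
```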