From b70954e60a15d09756bd6b00a6fadedc64829477 Mon Sep 17 00:00:00 2001
From: Chun Chen
Date: Mon, 28 Dec 2015 10:15:50 +0800
Subject: [PATCH] Add network interal mode
Signed-off-by: Chun Chen
Signed-off-by: David Calavera
---
 api/client/network.go | 3 +++
 api/server/router/network/backend.go | 2 +-
 api/server/router/network/network_routes.go | 2 +-
 daemon/network.go | 5 ++++-
 docs/reference/api/docker_remote_api.md | 1 +
 docs/reference/api/docker_remote_api_v1.22.md | 4 +++-
 docs/reference/commandline/network_create.md | 6 ++++++
 man/docker-network-create.1.md | 9 +++++++++
 8 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/api/client/network.go b/api/client/network.go
index 4c49fad7d8..8ebd4b05d6 100644
--- a/api/client/network.go
+++ b/api/client/network.go
@@ -47,6 +47,8 @@ func (cli *DockerCli) CmdNetworkCreate(args ...string) error {
 cmd.Var(flIpamAux, []string{"-aux-address"}, "auxiliary ipv4 or ipv6 addresses used by Network driver")
 cmd.Var(flOpts, []string{"o", "-opt"}, "set driver specific options")
+ flInternal := cmd.Bool([]string{"-internal"}, false, "restricts external access to the network")
+
 cmd.Require(flag.Exact, 1)
 err := cmd.ParseFlags(args, true)
 if err != nil {
@@ -72,6 +74,7 @@ func (cli *DockerCli) CmdNetworkCreate(args ...string) error {
 IPAM: network.IPAM{Driver: *flIpamDriver, Config: ipamCfg},
 Options: flOpts.GetAll(),
 CheckDuplicate: true,
+ Internal: *flInternal,
 }
 resp, err := cli.client.NetworkCreate(nc)
diff --git a/api/server/router/network/backend.go b/api/server/router/network/backend.go
index 60461de2de..0826e79576 100644
--- a/api/server/router/network/backend.go
+++ b/api/server/router/network/backend.go
@@ -13,7 +13,7 @@ type Backend interface {
 GetNetworksByID(partialID string) []libnetwork.Network
 GetAllNetworks() []libnetwork.Network
 CreateNetwork(name, driver string, ipam network.IPAM,
- options map[string]string) (libnetwork.Network, error)
+ options map[string]string, internal bool) (libnetwork.Network, error)
 ConnectContainerToNetwork(containerName, networkName string, endpointConfig *network.EndpointSettings) error
 DisconnectContainerFromNetwork(containerName string, network libnetwork.Network) error
diff --git a/api/server/router/network/network_routes.go b/api/server/router/network/network_routes.go
index 1f91b72a14..864057bb81 100644
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -92,7 +92,7 @@ func (n *networkRouter) postNetworkCreate(ctx context.Context, w http.ResponseWr
 warning = fmt.Sprintf("Network with name %s (id : %s) already exists", nw.Name(), nw.ID())
 }
- nw, err = n.backend.CreateNetwork(create.Name, create.Driver, create.IPAM, create.Options)
+ nw, err = n.backend.CreateNetwork(create.Name, create.Driver, create.IPAM, create.Options, create.Internal)
 if err != nil {
 return err
 }
diff --git a/daemon/network.go b/daemon/network.go
index 9b5daa2db2..450a99e572 100644
--- a/daemon/network.go
+++ b/daemon/network.go
@@ -101,7 +101,7 @@ func (daemon *Daemon) GetAllNetworks() []libnetwork.Network {
 }
 // CreateNetwork creates a network with the given name, driver and other optional parameters
-func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, options map[string]string) (libnetwork.Network, error) {
+func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, options map[string]string, internal bool) (libnetwork.Network, error) {
 c := daemon.netController
 if driver == "" {
 driver = c.Config().Daemon.DefaultDriver
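Review bot: `CreateNetwork` in the `Backend` interface now takes a fifth positional argument, `internal bool`, and nothing in the hunk documents what it means; a lone bool at the end of a five-parameter signature is easy to pass in the wrong position once a second flag of the same type is added. Since the router already decodes a create request whose fields (`Name`, `Driver`, `IPAM`, `Options`, `Internal`) are then passed one by one, a style alternative is to hand that request struct to the backend so new network attributes stop widening the interface and every implementer. At minimum, add a comment above the method, e.g. `// CreateNetwork creates a network; internal restricts external access to it.`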
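Review bot: The doc comment above the changed signature in daemon/network.go, `// CreateNetwork creates a network with the given name, driver and other optional parameters`, is not updated for the new `internal` parameter, which is the one argument here that changes how exposed the resulting network is. Suggest `// CreateNetwork creates a network with the given name, driver and other optional parameters. If internal is true the network is created with libnetwork's internal option, which restricts external access to it.` The function body continues past the end of this hunk.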
@@ -116,6 +116,9 @@ func (daemon *Daemon) CreateNetwork(name, driver string, ipam network.IPAM, opti
 nwOptions = append(nwOptions, libnetwork.NetworkOptionIpam(ipam.Driver, "", v4Conf, v6Conf, nil))
 nwOptions = append(nwOptions, libnetwork.NetworkOptionDriverOpts(options))
+ if internal {
+ nwOptions = append(nwOptions, libnetwork.NetworkOptionInternalNetwork())
+ }
 n, err := c.NewNetwork(driver, name, nwOptions...)
 if err != nil {
 return nil, err
diff --git a/docs/reference/api/docker_remote_api.md b/docs/reference/api/docker_remote_api.md
index b2b91de43b..f61347e420 100644
--- a/docs/reference/api/docker_remote_api.md
+++ b/docs/reference/api/docker_remote_api.md
@@ -114,6 +114,7 @@ This section lists each version from latest to oldest. Each listing includes a
 * `POST /containers/create` now allows you to set the static IPv4 and/or IPv6 address for the container.
 * `POST /networks/(id)/connect` now allows you to set the static IPv4 and/or IPv6 address for the container.
 * `GET /info` now includes the number of containers running, stopped, and paused.
+* `POST /networks/create` now supports restricting external access to the network by setting the `internal` field.
 ### v1.21 API changes
diff --git a/docs/reference/api/docker_remote_api_v1.22.md b/docs/reference/api/docker_remote_api_v1.22.md
index 752c2f221f..1ac810e77a 100644
--- a/docs/reference/api/docker_remote_api_v1.22.md
+++ b/docs/reference/api/docker_remote_api_v1.22.md
@@ -2985,13 +2985,15 @@ Content-Type: application/json
 {
 "Name":"isolated_nw",
- "Driver":"bridge"
+ "Driver":"bridge",
 "IPAM":{
 "Config":[{
 "Subnet":"172.20.0.0/16",
 "IPRange":"172.20.10.0/24",
 "Gateway":"172.20.10.11"
 }]
+ },
+ "Internal":true
 }
 ```
diff --git a/docs/reference/commandline/network_create.md b/docs/reference/commandline/network_create.md
index 0a9ac6f19c..3a9705b65d 100644
--- a/docs/reference/commandline/network_create.md
+++ b/docs/reference/commandline/network_create.md
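Review bot: The new branch appends `libnetwork.NetworkOptionInternalNetwork()` for whatever `driver` is in effect, while the `--internal` documentation added in this same commit (docs/reference/commandline/network_create.md) describes the option only for `overlay` networks. If a driver that does not implement the option accepts it without error — I cannot tell from this hunk how libnetwork behaves — the caller gets a network it believes is isolated but is not, with no signal in the response. Worth confirming for the bridge driver and then either documenting the per-driver behaviour or rejecting `internal` for drivers that cannot honour it. A comment on the branch would help too, e.g. `// Isolation is enforced by the driver; confirm non-overlay drivers honour NetworkOptionInternalNetwork.` `CreateNetwork` begins before this hunk.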
@@ -18,6 +18,7 @@ parent = "smn_cli"
 -d --driver=DRIVER Driver to manage the Network bridge or overlay. The default is bridge.
 --gateway=[] ipv4 or ipv6 Gateway for the master subnet
 --help Print usage
+ --internal Restricts external access to the network
 --ip-range=[] Allocate container ip from a sub-range
 --ipam-driver=default IP Address Management Driver
 -o --opt=map[] Set custom network plugin options
@@ -120,6 +121,11 @@ docker network create -d overlay
 ```
 Be sure that your subnetworks do not overlap. If they do, the network create fails and Engine returns an error.
+### Network internal mode
+
+By default, when you connect a container to an `overlay` network, Docker also connects a bridge network to it to provide external connectivity.
+If you want to create an externally isolated `overlay` network, you can specify the `--internal` option.
+
 ## Related information
 * [network inspect](network_inspect.md)
diff --git a/man/docker-network-create.1.md b/man/docker-network-create.1.md
index 4d0782b697..1c876d6b24 100644
--- a/man/docker-network-create.1.md
+++ b/man/docker-network-create.1.md
@@ -10,6 +10,7 @@ docker-network-create - create a new network
 [**-d**|**--driver**=*DRIVER*]
 [**--gateway**=*[]*]
 [**--help**]
+[**--internal**]
 [**--ip-range**=*[]*]
 [**--ipam-driver**=*default*]
 [**-o**|**--opt**=*map[]*]
@@ -120,6 +121,11 @@ docker network create -d overlay
 ```
 Be sure that your subnetworks do not overlap. If they do, the network create fails and Engine returns an error.
+### Network internal mode
+
+By default, when you connect a container to an `overlay` network, Docker also connects a bridge network to it to provide external connectivity.
+If you want to create an externally isolated `overlay` network, you can specify the `--internal` option.
+
 # OPTIONS
 **--aux-address**=map[]
 Auxiliary ipv4 or ipv6 addresses used by network driver
@@ -133,6 +139,9 @@ Be sure that your subnetworks do not overlap. If they do, the network create fai
 **--help**
 Print usage
+**--internal**
+ Restricts external access to the network
+
 **--ip-range**=[]
 Allocate container ip from a sub-range