When plumbing overlay filter rules, serialize this to make sure that
multiple sandbox joins or leaves are not causing erroneous behavior while
moving the RETURN rule in the predefined chains.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>

- When creating and programming the global overlay chain,
gracefully handle the case where the chain already exists.
Today the driver logs an error and does not attempt to insert
the return rule if the chain is already present.
Signed-off-by: Alessandro Boch <aboch@docker.com>

ChainExists should not treat non-nil output as
an error because there is always going to be some
output while dumping iptables rules.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>

We check for the existence of all filter rules in the
overlay driver before creating them. We should
also do this for chain creation, because even though
we clean up network chains when the last container
stops, there is a possibility of a stale network
chain in case of an ungraceful restart.
Also cleaned up stale bridges, if any exist, due to
ungraceful shutdown of the daemon.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>

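The three commit messages above describe one defensive pattern: check whether a chain or rule already exists before programming it, decide existence by the iptables exit status rather than by whether the dump produced output, and tolerate "already exists" when a stale chain survived an ungraceful restart. The following is an added example written for this page, not libnetwork's own code; the chain name `DOCKER-OVERLAY`, the `Runner` abstraction and the `FakeIptables` stand-in (which mimics the exit status and messages of real iptables so the logic runs offline without root) are all assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Runner executes iptables with the given arguments and returns its combined
// output and exit error, if any. Abstracting it lets the logic run offline
// against the constructed FakeIptables below instead of needing root.
type Runner func(args ...string) ([]byte, error)

// ChainExists reports whether chain exists in table. Listing a chain always
// produces output on success (the rule dump), so output is never treated as
// an error signal: only the exit status decides, and the "No chain" message
// separates "missing" from real failures such as missing privileges.
func ChainExists(run Runner, table, chain string) (bool, error) {
	out, err := run("-t", table, "-L", chain, "-n")
	if err == nil {
		return true, nil
	}
	if strings.Contains(string(out), "No chain") {
		return false, nil
	}
	return false, fmt.Errorf("iptables -L %s: %v: %s", chain, err, out)
}

// EnsureChain creates chain if missing and tolerates "Chain already exists",
// so a stale chain left by an ungraceful restart (or a concurrent creation)
// is reused instead of aborting the join.
func EnsureChain(run Runner, table, chain string) error {
	exists, err := ChainExists(run, table, chain)
	if err != nil || exists {
		return err
	}
	out, err := run("-t", table, "-N", chain)
	if err != nil && !strings.Contains(string(out), "already exists") {
		return fmt.Errorf("iptables -N %s: %v: %s", chain, err, out)
	}
	return nil
}

// RuleExists uses -C, which exits 0 only when an identical rule is present.
func RuleExists(run Runner, table, chain string, rule ...string) (bool, error) {
	out, err := run(append([]string{"-t", table, "-C", chain}, rule...)...)
	if err == nil {
		return true, nil
	}
	if strings.Contains(string(out), "Bad rule") || strings.Contains(string(out), "No chain") {
		return false, nil
	}
	return false, fmt.Errorf("iptables -C %s: %v: %s", chain, err, out)
}

// EnsureRule programs rule exactly once and reports whether it was added.
// atTop inserts at position 1 (where a RETURN rule belongs); otherwise append.
func EnsureRule(run Runner, table, chain string, atTop bool, rule ...string) (bool, error) {
	exists, err := RuleExists(run, table, chain, rule...)
	if err != nil || exists {
		return false, err
	}
	args := []string{"-t", table, "-A", chain}
	if atTop {
		args = []string{"-t", table, "-I", chain, "1"}
	}
	if out, err := run(append(args, rule...)...); err != nil {
		return false, fmt.Errorf("iptables program %s: %v: %s", chain, err, out)
	}
	return true, nil
}

// FakeIptables is a constructed in-memory stand-in that mimics the exit
// status and messages of real iptables for -L, -N, -C, -A and -I.
type FakeIptables struct{ chains map[string][]string }

func NewFakeIptables() *FakeIptables { return &FakeIptables{chains: map[string][]string{}} }

// Rules returns the programmed rules of a chain, top to bottom.
func (f *FakeIptables) Rules(table, chain string) []string { return f.chains[table+"/"+chain] }

func (f *FakeIptables) Run(args ...string) ([]byte, error) {
	fail := func(msg string) ([]byte, error) { return []byte("iptables: " + msg + "\n"), errors.New("exit status 1") }
	key := args[1] + "/" + args[3] // "-t <table> <op> <chain> ..."
	rules, ok := f.chains[key]
	if args[2] != "-N" && !ok {
		return fail("No chain/target/match by that name.")
	}
	switch args[2] {
	case "-N":
		if ok {
			return fail("Chain already exists.")
		}
		f.chains[key] = []string{}
	case "-L": // a successful dump is output with a zero exit status
		return []byte("Chain " + args[3] + "\n" + strings.Join(rules, "\n")), nil
	case "-C":
		for _, r := range rules {
			if r == strings.Join(args[4:], " ") {
				return nil, nil
			}
		}
		return fail("Bad rule (does a matching rule exist in that chain?).")
	case "-A":
		f.chains[key] = append(rules, strings.Join(args[4:], " "))
	case "-I": // args[4] is the position "1"
		f.chains[key] = append([]string{strings.Join(args[5:], " ")}, rules...)
	}
	return nil, nil
}

func main() {
	f := NewFakeIptables()
	for pass := 0; pass < 2; pass++ { // the second pass simulates a restart and must be a no-op
		if err := EnsureChain(f.Run, "filter", "DOCKER-OVERLAY"); err != nil {
			panic(err)
		}
		added, err := EnsureRule(f.Run, "filter", "DOCKER-OVERLAY", true, "-j", "RETURN")
		fmt.Println("pass", pass, "added:", added, "err:", err, "rules:", f.Rules("filter", "DOCKER-OVERLAY"))
	}
}
```

Against a real host the `Runner` would be `exec.Command("iptables", args...).CombinedOutput()`; the rest of the logic is unchanged, and the matched message strings ("No chain", "already exists", "Bad rule") are the ones iptables prints for those conditions.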
Add support for overlay networking in older kernels.
The following were done to achieve this:
+ Create the vxlan network in the host namespace.
+ This may create conflicts with other private
networks, so check for conflicts and fail a
join if there is any conflict.
+ Add iptables-based filtering to only allow
subnet bridges in the same network to forward
traffic, while different network bridges will
not be able to forward between each other. Also
block traffic to the overlay network originating
from the host itself.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>