Make iptables-restore backend flushing

Before this change, the `iptables-restore` binary was called with the `--noflush` option. The idea was that DFW would not take over the entire tables, but rather only concern itself with its own rules. As it turns out, this had some disadvantages. It was extremely hard to control: * the rules in the default chains that jump to the DFW chains, * the contents of DFW's own chains. Both of these issues were solved by simply ommitting the `--noflush` flag and thus controlling the touched tables -- `nat` and `filter` -- in their entirety. This means that this is a breaking change: where before external rules would have stayed unchanged -- as long as the user didn't supply any such initialization rules -- any external rules are now simply overwritten without regard. If the user requires custom rules apart from the ones generated by DFW, they can still use the "initialization" section of the configuration. (Additionally, this refactors the internal fields of `IPTablesRestore`, which unveiled that rules passed through `IPTablesRestore::execute` were not applied before. This has been fixed.)
pitkley · Sep 2, 2018 · 033d27c · 033d27c
1 parent ee80e52
commit 033d27c
Show file tree

Hide file tree

Showing 13 changed files with 155 additions and 99 deletions.
diff --git a/resources/test/docker/01/expected-iptables-restore-v4.txt b/resources/test/docker/01/expected-iptables-restore-v4.txt
@@ -1,8 +1,11 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	:FORWARD - [0:0]
+-	:INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
+-	-P INPUT ACCEPT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A INPUT -j DFWRS_INPUT
@@ -13,9 +16,11 @@
 -	-A DFWRS_INPUT -i docker0 -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
+-	:POSTROUTING - [0:0]
+-	:PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	-A PREROUTING -j DFWRS_PREROUTING
 -	-A POSTROUTING -j DFWRS_POSTROUTING

diff --git a/resources/test/docker/01/expected-iptables-restore-v6.txt b/resources/test/docker/01/expected-iptables-restore-v6.txt
@@ -1,16 +1,17 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
+-	-P INPUT ACCEPT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A DFWRS_FORWARD -m state --state INVALID -j DROP
 -	-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	COMMIT
diff --git a/resources/test/docker/02/expected-iptables-restore-v4.txt b/resources/test/docker/02/expected-iptables-restore-v4.txt
@@ -1,7 +1,9 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	:FORWARD - [0:0]
+-	:INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -14,9 +16,11 @@
 -	-A DFWRS_FORWARD -j DROP
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
+-	:POSTROUTING - [0:0]
+-	:PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	-A PREROUTING -j DFWRS_PREROUTING
 -	-A POSTROUTING -j DFWRS_POSTROUTING

diff --git a/resources/test/docker/02/expected-iptables-restore-v6.txt b/resources/test/docker/02/expected-iptables-restore-v6.txt
@@ -1,16 +1,16 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A DFWRS_FORWARD -m state --state INVALID -j DROP
 -	-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	COMMIT
diff --git a/resources/test/docker/03/expected-iptables-restore-v4.txt b/resources/test/docker/03/expected-iptables-restore-v4.txt
@@ -1,7 +1,9 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	:FORWARD - [0:0]
+-	:INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -13,9 +15,11 @@
 -	-A DFWRS_FORWARD -s $src_ip=ip -i $input=bridge -o eni -m state --state RELATED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
+-	:POSTROUTING - [0:0]
+-	:PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	-A PREROUTING -j DFWRS_PREROUTING
 -	-A POSTROUTING -j DFWRS_POSTROUTING

diff --git a/resources/test/docker/03/expected-iptables-restore-v6.txt b/resources/test/docker/03/expected-iptables-restore-v6.txt
@@ -1,16 +1,16 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A DFWRS_FORWARD -m state --state INVALID -j DROP
 -	-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	COMMIT
diff --git a/resources/test/docker/04/expected-iptables-restore-v4.txt b/resources/test/docker/04/expected-iptables-restore-v4.txt
@@ -1,7 +1,9 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	:FORWARD - [0:0]
+-	:INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -17,9 +19,11 @@
 -	-A DFWRS_INPUT -i $input=bridge -j DROP
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
+-	:POSTROUTING - [0:0]
+-	:PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	-A PREROUTING -j DFWRS_PREROUTING
 -	-A POSTROUTING -j DFWRS_POSTROUTING

diff --git a/resources/test/docker/04/expected-iptables-restore-v6.txt b/resources/test/docker/04/expected-iptables-restore-v6.txt
@@ -1,16 +1,16 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A DFWRS_FORWARD -m state --state INVALID -j DROP
 -	-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	COMMIT
diff --git a/resources/test/docker/05/expected-iptables-restore-v4.txt b/resources/test/docker/05/expected-iptables-restore-v4.txt
@@ -1,7 +1,9 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	:FORWARD - [0:0]
+-	:INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -17,9 +19,11 @@
 -	-A DFWRS_INPUT -i docker0 -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
+-	:POSTROUTING - [0:0]
+-	:PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	-A PREROUTING -j DFWRS_PREROUTING
 -	-A POSTROUTING -j DFWRS_POSTROUTING

diff --git a/resources/test/docker/05/expected-iptables-restore-v6.txt b/resources/test/docker/05/expected-iptables-restore-v6.txt
@@ -1,16 +1,16 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A DFWRS_FORWARD -m state --state INVALID -j DROP
 -	-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	COMMIT
diff --git a/resources/test/docker/06/expected-iptables-restore-v4.txt b/resources/test/docker/06/expected-iptables-restore-v4.txt
@@ -1,7 +1,9 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	:FORWARD - [0:0]
+-	:INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -11,9 +13,11 @@
 -	-A FORWARD -j DFWRS_FORWARD
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
+-	:POSTROUTING - [0:0]
+-	:PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	-A PREROUTING -j DFWRS_PREROUTING
 -	-A POSTROUTING -j DFWRS_POSTROUTING

diff --git a/resources/test/docker/06/expected-iptables-restore-v6.txt b/resources/test/docker/06/expected-iptables-restore-v6.txt
@@ -1,16 +1,16 @@
 -	*filter
 -	:DFWRS_FORWARD - [0:0]
--	-F DFWRS_FORWARD
 -	:DFWRS_INPUT - [0:0]
+-	-F DFWRS_FORWARD
 -	-F DFWRS_INPUT
 -	-A DFWRS_INPUT -m state --state INVALID -j DROP
 -	-A DFWRS_INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	-A DFWRS_FORWARD -m state --state INVALID -j DROP
 -	-A DFWRS_FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
 -	COMMIT
 -	*nat
+-	:DFWRS_POSTROUTING - [0:0]
 -	:DFWRS_PREROUTING - [0:0]
 -	-F DFWRS_PREROUTING
--	:DFWRS_POSTROUTING - [0:0]
 -	-F DFWRS_POSTROUTING
 -	COMMIT