v0.5.0 - iptables-restore fixes
Summary
The iptables-restore backend was added in the last release, and as noted, it wasn't as thoroughly tested.
Some more time and testing has shown that there were some bugs with the implementation of the iptables-restore backend. Namely:
- Commands from the initialization section weren't applied.
- Using
iptables-restorewith the--noflushoption is not feasible for our use-case.
Both of these issues have been fixed, with the second one being the important one for the end-user, since the behaviour of the iptables-restore backend has changed from 0.4.0 to 0.5.0! Rather than trying to work around any chains or rules that might exist, DFW now takes over any iptables table it modifies -- i.e. the most important nat and filter.
If you have any externally managed rules in your iptables and are using the iptables-restore backend, these rules will be overwritten without regard. If you need to add rules, use the initialization section of the DFW configuration.
(The iptables backend is unaffected from this change.)
Changes
Changes to the dfw binary
- Added argument
--log-levelwhich allows you to specify the verbosity of DFW's logging.
Changes to the dfw library
- The
iptables-restorebackend now acts flushing (033d27c) - Removed the unnecessary
IPTablesProxystruct (4e62ff2)
Internal changes: updated GitLab CI config, updated dependencies, updated tested Docker versions.
Installation
While you can use Cargo to install dfw as a binary, using the Docker image is the preferred
way to go, especially if you don't want to install Rust and Cargo on your host:
$ docker pull pitkley/dfw:0.5.0
$ docker run -d \
--name=dfw \
--restart=unless-stopped \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-v /path/to/your/config:/config \
--net host --cap-add=NET_ADMIN \
pitkley/dfw:0.5.0 --config-path /configThis will download a lightweight image, coming in at under 6 MB, and subsequently run it using
your configuration.