Created
February 8, 2016 23:55
-
-
Save pmoranga/9c4f194a1ac4102d4f94 to your computer and use it in GitHub Desktop.
Make puppetlabs-firewall works with docker smoothly
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class my_fw::pre { | |
| # Disable due to selective purges of firewallchain | |
| # resources { "firewall": | |
| # purge => true | |
| # } | |
| # Avoid removing Docker rules: | |
| firewallchain { 'FORWARD:filter:IPv4': | |
| purge => true, | |
| ignore => [ 'docker' ], | |
| } | |
| firewallchain { 'DOCKER:filter:IPv4': | |
| purge => false, | |
| } | |
| firewallchain { 'DOCKER:nat:IPv4': | |
| purge => false, | |
| } | |
| firewallchain { 'POSTROUTING:nat:IPv4': | |
| purge => true, | |
| ignore => [ 'docker', '172.17' ], | |
| } | |
| firewallchain { 'PREROUTING:nat:IPv4': | |
| purge => true, | |
| ignore => [ 'DOCKER' ], | |
| } | |
| #ensure input rules are cleaned out | |
| firewallchain { 'INPUT:filter:IPv4': | |
| ensure => present, | |
| purge => true, | |
| } | |
| # Block what ever..... | |
| } |
Thanks for this. It did not quite work for me, DOCKER-USER, DOCKER-INGRESS and DOCKER-ISOLATION-STAGE-1 rules were being deleted from the FORWARD chain. I changed all ignore to a regexp that matches rules starting with docker, case insensitive:
ignore => [ '[^"]*(?i:docker)[^"]*' ],
Thanks for all your inspiration, this seems working in 2023:
# Avoid removing Docker rules:
firewallchain { 'FORWARD:filter:IPv4':
purge => true,
ignore => [ '[^"]*(?i:docker)[^"]*', 'br-' ],
}
firewallchain { 'OUTPUT:filter:IPv4':
purge => true,
ignore => [ '[^"]*(?i:docker)[^"]*' ],
}
firewallchain { 'DOCKER:filter:IPv4':
purge => false,
}
firewallchain { 'DOCKER:nat:IPv4':
purge => false,
}
firewallchain { 'POSTROUTING:nat:IPv4':
purge => true,
ignore => [ '[^"]*(?i:docker)[^"]*', '172.' ],
}
firewallchain { 'PREROUTING:nat:IPv4':
purge => true,
ignore => [ '[^"]*(?i:docker)[^"]*' ],
}
# Ensure input rules are cleaned out
firewallchain { 'INPUT:filter:IPv4':
ensure => present,
purge => true,
}
cool! thanks for sharing! I miss Puppet's power.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Really appreciate, i also needed to add OUTPUT:filter:IPv4 with the same ignore from FORWARD:filter:IPv4