add missed files

2025-02-23 17:42:47 +00:00 · 2021-08-30 17:26:46 +00:00 · 2021-08-30 17:26:46 +00:00 · 58a8e92757
commit 58a8e92757
parent cd2317a66e
2 changed files with 61 additions and 0 deletions
--- a/docker.sysusers
+++ b/docker.sysusers
@ -0,0 +1 @@
+g docker - -
--- a/nftables-docker.nft
+++ b/nftables-docker.nft
@ -0,0 +1,60 @@
+table ip filter {
+	chain INPUT {
+		type filter hook input priority 0; policy accept;
+	}
+
+	chain FORWARD {
+		type filter hook forward priority 0; policy accept;
+		counter jump DOCKER-USER
+		counter jump DOCKER-ISOLATION-STAGE-1
+		oifname "docker0" ct state established,related counter accept
+		oifname "docker0" counter jump DOCKER
+		iifname "docker0" oifname != "docker0" counter accept
+		iifname "docker0" oifname "docker0" counter accept
+	}
+
+	chain OUTPUT {
+		type filter hook output priority 0; policy accept;
+	}
+
+	chain DOCKER {
+	}
+
+	chain DOCKER-ISOLATION-STAGE-1 {
+		iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
+		counter return
+	}
+
+	chain DOCKER-ISOLATION-STAGE-2 {
+		oifname "docker0" counter drop
+		counter return
+	}
+
+	chain DOCKER-USER {
+		counter return
+	}
+}
+table ip nat {
+	chain PREROUTING {
+		type nat hook prerouting priority -100; policy accept;
+		fib daddr type local counter jump DOCKER
+	}
+
+	chain INPUT {
+		type nat hook input priority 100; policy accept;
+	}
+
+	chain POSTROUTING {
+		type nat hook postrouting priority 100; policy accept;
+		oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
+	}
+
+	chain OUTPUT {
+		type nat hook output priority -100; policy accept;
+		ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
+	}
+
+	chain DOCKER {
+		iifname "docker0" counter return
+	}
+}