diff --git a/src/nftables/process.rs b/src/nftables/process.rs
index 55774bec..39694fa7 100644
--- a/src/nftables/process.rs
+++ b/src/nftables/process.rs
@@ -326,6 +326,30 @@ impl Process for ContainerToContainer {
 self.default_policy,
 )];
 
+ if let Some(same_network_verdict) = self.same_network_verdict {
+ for network in ctx.network_map.values() {
+ let network_id = network.id.as_ref().expect("Docker network ID missing");
+ let bridge_name = get_bridge_name(network_id)?;
+ trace!(ctx.logger, "Got bridge name";
+ o!("network_name" => &network.name,
+ "bridge_name" => &bridge_name));
+
+ let rule = RuleBuilder::default()
+ .in_interface(&bridge_name)
+ .out_interface(&bridge_name)
+ .verdict(same_network_verdict)
+ .build()?;
+
+ debug!(ctx.logger, "Add forward rule for same network verdict for bridge";
+ o!("part" => "container_to_container",
+ "bridge_name" => bridge_name,
+ "same_network_verdict" => &self.same_network_verdict,
+ "rule" => &rule));
+
+ rules.push(add_rule(Family::Inet, "dfw", "forward", &rule));
+ }
+ }
+
 if let Some(mut ctc_rules) = self.rules.process(ctx)? {
 rules.append(&mut ctc_rules);
 }
diff --git a/src/types.rs b/src/types.rs
index 88183ce8..bd3e932d 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -192,6 +192,8 @@ pub struct ContainerToContainer {
 ///
 /// To permanently set this configuration, take a look at `man sysctl.d` and `man sysctl.conf`.
 pub default_policy: ChainPolicy,
+ #[allow(missing_docs)]
+ pub same_network_verdict: Option,
 /// An optional list of rules, see
 /// [`ContainerToContainerRule`](struct.ContainerToContainerRule.html).
 ///
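Review bot: `network.id.as_ref().expect("Docker network ID missing")` in the new `for network in ctx.network_map.values()` loop turns a network record without an ID into a panic, inside a method that already propagates failures with `?` (`get_bridge_name(network_id)?`, `.build()?`). Returning an error through the function's existing Result, or explicitly skipping that network with `continue`, keeps one odd entry in the Docker network map from aborting the whole firewall rule build. The loop also emits a same-network rule for every network in `ctx.network_map`, not only those referenced elsewhere in the configuration; if that is intended, a short comment above the `if let` saying so would help, since the verdict then applies to bridges the user never named. The debug! call logs `&self.same_network_verdict` (the Option) while the unwrapped `same_network_verdict` binding is already in scope; logging the binding, as the trace! call logs `&bridge_name`, is more consistent. The enclosing `process` method starts and ends outside the hunk.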
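Review bot: `#[allow(missing_docs)]` on `pub same_network_verdict` suppresses the lint instead of documenting a public configuration field that changes which forwarded traffic is accepted, while every neighbouring field of `ContainerToContainer` carries a doc comment. Based on the matching process.rs hunk, a doc comment along the lines of `/// Verdict applied to traffic forwarded between containers on the same Docker network, matched on the network's bridge as both input and output interface.` followed by `/// If unset, no per-network rule is added and the chain's default_policy applies.` would replace the allow. The rendered type reads `Option,` with no type parameter, which looks like a rendering artifact of this page rather than the committed source; worth confirming the field type is the one `.verdict(...)` accepts in process.rs. The `ContainerToContainer` struct continues outside the hunk.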