This repository has been archived by the owner on Jan 25, 2022. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Don't run traffic on the INPUT chain through warden-dispatch
Traffic between the host and its containers must not be limited in any form. Only traffic between containers, and between containers and the outside networks must be limited. To achieve this in the filter table, warden no longer intervenes on traffic on both the INPUT and FORWARD chains, but only on the FORWARD chain.

For easier introspection into what is going on, this change also removes the fast path for non-SYN TCP packets. If this proves to be a big performance hit, it can be put back in place.

The network filtering tests are changed to no longer rely on the internet being reachable when the suite is run. Filtering is now tested by running multiple containers and testing reachability between them.
Pieter Noordhuis and Tim Labeeuw committed Mar 19, 2013
1 parent 7ad023e, commit debef6d
Showing 3 changed files with 88 additions and 69 deletions.