Merge pull request #2940 from giuseppe/drop-firewall

networking: use firewall plugin

cni/87-podman-bridge.conflist

@@ -1,5 +1,5 @@
 {
-    "cniVersion": "0.3.0",
+    "cniVersion": "0.4.0",
     "name": "podman",
     "plugins": [
       {
@@ -20,6 +20,10 @@
         "capabilities": {
           "portMappings": true
         }
+      },
+      {
+        "type": "firewall",
+	"backend": "iptables"
       }
     ]
 }

go.mod

@@ -20,7 +20,6 @@ require (
 	github.com/containers/storage v1.13.2
 	github.com/coreos/bbolt v1.3.3 // indirect
 	github.com/coreos/etcd v3.3.13+incompatible // indirect
-	github.com/coreos/go-iptables v0.4.1
 	github.com/coreos/go-semver v0.3.0 // indirect
 	github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a
 	github.com/cri-o/ocicni v0.1.1-0.20190702175919-7762645d18ca

libpod/networking_linux.go

@@ -17,7 +17,6 @@ import (
 	cnitypes "github.com/containernetworking/cni/pkg/types/current"
 	"github.com/containernetworking/plugins/pkg/ns"
 	"github.com/containers/libpod/pkg/errorhandling"
-	"github.com/containers/libpod/pkg/firewall"
 	"github.com/containers/libpod/pkg/netns"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/cri-o/ocicni/pkg/ocicni"
@@ -86,18 +85,6 @@ func (r *Runtime) configureNetNS(ctr *Container, ctrNS ns.NetNS) ([]*cnitypes.Re
 		networkStatus = append(networkStatus, resultCurrent)
 	}
 
-	// Add firewall rules to ensure the container has network access.
-	// Will not be necessary once CNI firewall plugin merges upstream.
-	// https://github.com/containernetworking/plugins/pull/75
-	for _, netStatus := range networkStatus {
-		firewallConf := &firewall.FirewallNetConf{
-			PrevResult: netStatus,
-		}
-		if err := r.firewallBackend.Add(firewallConf); err != nil {
-			return nil, errors.Wrapf(err, "error adding firewall rules for container %s", ctr.ID())
-		}
-	}
-
 	return networkStatus, nil
 }
 
@@ -390,26 +377,12 @@ func (r *Runtime) closeNetNS(ctr *Container) error {
 }
 
 // Tear down a network namespace, undoing all state associated with it.
-// The CNI firewall rules will be removed, the namespace will be unmounted,
-// and the file descriptor associated with it closed.
 func (r *Runtime) teardownNetNS(ctr *Container) error {
 	if ctr.state.NetNS == nil {
 		// The container has no network namespace, we're set
 		return nil
 	}
 
-	// Remove firewall rules we added on configuring the container.
-	// Will not be necessary once CNI firewall plugin merges upstream.
-	// https://github.com/containernetworking/plugins/pull/75
-	for _, netStatus := range ctr.state.NetworkStatus {
-		firewallConf := &firewall.FirewallNetConf{
-			PrevResult: netStatus,
-		}
-		if err := r.firewallBackend.Del(firewallConf); err != nil {
-			return errors.Wrapf(err, "error removing firewall rules for container %s", ctr.ID())
-		}
-	}
-
 	logrus.Debugf("Tearing down network namespace at %s for container %s", ctr.state.NetNS.Path(), ctr.ID())
 
 	var requestedIP net.IP

libpod/runtime.go

@@ -23,7 +23,6 @@ import (
 	"github.com/containers/libpod/libpod/events"
 	"github.com/containers/libpod/libpod/image"
 	"github.com/containers/libpod/libpod/lock"
-	"github.com/containers/libpod/pkg/firewall"
 	sysreg "github.com/containers/libpod/pkg/registries"
 	"github.com/containers/libpod/pkg/rootless"
 	"github.com/containers/libpod/pkg/util"
@@ -108,7 +107,6 @@ type Runtime struct {
 	netPlugin         ocicni.CNIPlugin
 	conmonPath        string
 	imageRuntime      *image.Runtime
-	firewallBackend   firewall.FirewallBackend
 	lockManager       lock.Manager
 	configuredFrom    *runtimeConfiguredFrom
 
@@ -1110,17 +1108,6 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (err error) {
 		runtime.netPlugin = netPlugin
 	}
 
-	// Set up a firewall backend
-	backendType := ""
-	if rootless.IsRootless() {
-		backendType = "none"
-	}
-	fwBackend, err := firewall.GetBackend(backendType)
-	if err != nil {
-		return err
-	}
-	runtime.firewallBackend = fwBackend
-
 	// We now need to see if the system has restarted
 	// We check for the presence of a file in our tmp directory to verify this
 	// This check must be locked to prevent races