Mirror of packages feed https://git.openwrt.org/feed/packages/atom?h=master 2020-12-15T12:52:33Z 2020-12-15T12:52:33Z Gerard Ryan 2020-10-31T08:12:36Z urn:sha1:249d7d8faa3a64e0d6108ee6274c4186bf35a4d7 The source is being deprecated and split into the CLI and engine/daemon repositories, So `docker-ce` will now be the `dockerd` and a separate package will be made for the `docker` CLI. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com> 2020-11-30T08:59:34Z Gerard Ryan 2020-11-30T08:59:34Z urn:sha1:ae051aaca9254962730aa2bb9f689fce9fa90987 This is a convenience argument to primarily facilitate outbound wan connections from a docker container. However, all docker containers can't bidirectionally communicate with the internet by default. Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com> 2020-11-30T08:57:30Z Gerard Ryan 2020-11-30T08:57:30Z urn:sha1:8f7b57285f5a74d51f7a36d81f78dbe1167908eb Signed-off-by: Gerard Ryan <G.M0N3Y.2503@gmail.com> 2020-11-19T13:20:15Z Florian Eckert 2020-11-19T13:19:27Z urn:sha1:6df16e50fbd27581e02f5018712668e870df5a44 Signed-off-by: Florian Eckert <fe@dev.tdt.de> 2020-11-19T13:20:12Z Florian Eckert 2020-11-16T09:28:03Z urn:sha1:96a11a9c023f673e05e882a10b5ae3c3eefd8cec Deleting rules that docker has created is error-prone, because with every update docker we have to check if anything has changed. Cleaning up the firewall rules is part of the docker and should and must be cleaned up and handeled by them when the service is terminated. Signed-off-by: Florian Eckert <fe@dev.tdt.de> 2020-11-19T13:20:09Z Florian Eckert 2020-11-11T14:05:38Z urn:sha1:19fc9333303f742434cdb0ec8e922e2c01eb0cbe If docker-ce handles the firewall and fw3 is not envolved because the rules get not proceed, then not only docker0 should be handled but also other interfaces and therefore other docker networks. This commit extends the handling and introduces a new uci option `device` in the docker config firewall section. This can be used to specify which device is allowed to access the container. Up to now only docker0 is covert. Signed-off-by: Florian Eckert <fe@dev.tdt.de> 2020-11-19T13:20:07Z Florian Eckert 2020-11-11T13:20:49Z urn:sha1:7c9ed12fa17f0c1fc2b013718de1c2a899a9518f As the protocol is set to none, this makes no sense here, as it cannot be controlled and thus processed by the netifd. Signed-off-by: Florian Eckert <fe@dev.tdt.de> 2020-11-19T13:20:04Z Florian Eckert 2020-11-11T14:52:20Z urn:sha1:f12071add992c8b76b1b065257ac306f83957653 Set proto from `static` to `none`. This makes it clear that this interface is not handled by the netifd. Signed-off-by: Florian Eckert <fe@dev.tdt.de> 2020-11-19T13:20:02Z Florian Eckert 2020-11-11T12:34:39Z urn:sha1:1af559356829cad1ff0977900f7de459ae50a3a6 Openwrt has a own firewall service called fw3, that supports firewall zones. Docker can bypass the handling of the zone rules in openwrt via custom tables. These are "always" processed before the openwrt firewall. Which is prone to errors! Since not everyone is aware that the firewall of openwrt will not be passed. And this is a security problem because a mapped port is visible on all interfaces and so also on the WAN side. If the firewall handling in docker is switched off, then the port in fw3 must be explicitly released and it cannot happen that the port is accidentally exported to the outside world via the interfaces on the WAN zone. So all rules for the containers should and so must be made in fw3. Signed-off-by: Florian Eckert <fe@dev.tdt.de> 2020-11-19T13:19:59Z Florian Eckert 2020-11-10T10:20:14Z urn:sha1:dc9d9d2202d0b98ce5f5bcc8e1bb41bc439288ed Up to now only the docker0 interface and bridge is created by default. In order to create other interfaces and to integrate them into the openwrt these functions can now be called with arguments. Signed-off-by: Florian Eckert <fe@dev.tdt.de>