Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

libnetwork/netavark: add isolate option 'strict' #1513

Merged
merged 1 commit into from
Jun 20, 2023
Merged

libnetwork/netavark: add isolate option 'strict' #1513

merged 1 commit into from
Jun 20, 2023

Conversation

yassi-github
Copy link
Contributor

The isolation is only enabled when both bridges are in --opt isolate=true mode.
This means it is possible to communicate with non-isolated and isolated.

So we adds --opt isolate=strict option to deny communication, even with non-isolated and isolated.
Passing this option to netavark creates iptables rules for strict isolation.

@yassi-github yassi-github force-pushed the netavark-strict-isolation branch from accde5a to 55f56c1 Compare June 16, 2023 21:29
@yassi-github yassi-github mentioned this pull request Jun 16, 2023
Merged
@yassi-github yassi-github force-pushed the netavark-strict-isolation branch from 55f56c1 to 1979b54 Compare June 17, 2023 12:17
@rhatdan
Copy link
Member

rhatdan commented Jun 17, 2023

@Luap99 PTAL

Luap99
Luap99 approved these changes Jun 19, 2023
View reviewed changes
Copy link
Member

@Luap99 Luap99 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Luap99
Copy link
Member

Luap99 commented Jun 20, 2023

@vrothberg PTAL

vrothberg
vrothberg reviewed Jun 20, 2023
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A unit test for the function would nice.

libnetwork/internal/util/parse.go Show resolved Hide resolved
@yassi-github
Copy link
Contributor Author

A unit test for the function would nice.

May i add parse_test.go like util_test.go for unit testing?

@vrothberg
Copy link
Member

Yes, parse_test.go sounds good. Thank you!

@yassi-github
libnetwork/netavark: add isolate option 'strict'
238885e 
The strict isolate refuses to communicate with non-isolate and isolate.

Signed-off-by: Saigusa Yasushi <[email protected]>
@yassi-github yassi-github force-pushed the netavark-strict-isolation branch from 1979b54 to 238885e Compare June 20, 2023 13:12
vrothberg
vrothberg approved these changes Jun 20, 2023
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thank you.

@Luap99 PTAL

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 20, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Luap99, vrothberg, yassi-github

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@Luap99
Copy link
Member

Luap99 commented Jun 20, 2023

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Jun 20, 2023
@openshift-merge-robot openshift-merge-robot merged commit ac2475a into containers:main Jun 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Luap99 Luap99 Luap99 approved these changes

@vrothberg vrothberg vrothberg approved these changes

Assignees

@Luap99 Luap99

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@yassi-github @rhatdan @Luap99 @vrothberg @openshift-merge-robot