2424test -n " $ufw_docker_agent_image "
2525
2626function ufw-docker--status() {
27- ufw-docker--list " $GREP_REGEXP_INSTANCE_NAME "
27+ ufw-docker--list " $GREP_REGEXP_INSTANCE_NAME " | uniq
2828}
2929
3030function ufw-docker--list() {
@@ -42,13 +42,19 @@ function ufw-docker--list() {
4242 NETWORK=" [[:graph:]]*"
4343 fi
4444
45+ # IPv4
4546 ufw status numbered | grep " # allow ${INSTANCE_NAME} \\ ( ${INSTANCE_PORT} \\ /${PROTO} \\ )\\ ( ${NETWORK} \\ )\$ " || \
4647 ufw status numbered | grep " # allow ${INSTANCE_NAME} \\ ( ${INSTANCE_PORT} \\ /${PROTO} \\ )\$ " || \
4748 ufw status numbered | grep " # allow ${INSTANCE_NAME} \$ "
49+
50+ # IPv6
51+ ufw status numbered | grep " # allow ${INSTANCE_NAME} _IPv6\\ ( ${INSTANCE_PORT} \\ /${PROTO} \\ )\\ ( ${NETWORK} \\ )\$ " || \
52+ ufw status numbered | grep " # allow ${INSTANCE_NAME} _IPv6\\ ( ${INSTANCE_PORT} \\ /${PROTO} \\ )\$ " || \
53+ ufw status numbered | grep " # allow ${INSTANCE_NAME} _IPv6\$ "
4854}
4955
5056function ufw-docker--list-number() {
51- ufw-docker--list " $@ " | sed -e ' s/^\[[[:blank:]]*\([[:digit:]]\+\)\].*/\1/'
57+ ufw-docker--list " $@ " | sed -e ' s/^\[[[:blank:]]*\([[:digit:]]\+\)\].*/\1/' | uniq
5258}
5359
5460function ufw-docker--delete() {
@@ -68,6 +74,7 @@ function ufw-docker--allow() {
6874 die " Docker instance \" $INSTANCE_NAME \" doesn't exist."
6975
7076 mapfile -t INSTANCE_IP_ADDRESSES < <( docker inspect --format=' {{range .NetworkSettings.Networks}}{{.IPAddress}}{{"\n"}}{{end}}' " $INSTANCE_NAME " 2> /dev/null | remove_blank_lines)
77+ mapfile -t INSTANCE_IP_V6_ADDRESSES < <( docker inspect --format=' {{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{"\n"}}{{end}}' " $INSTANCE_NAME " 2> /dev/null | remove_blank_lines)
7178
7279 [[ -z " ${INSTANCE_IP_ADDRESSES:- } " && die " Could not find a running instance \" $INSTANCE_NAME \" ."
7380
@@ -92,6 +99,17 @@ function ufw-docker--allow() {
9299 ufw-docker--add-rule " $INSTANCE_NAME " " $IP " " ${PORT_PROTO%/* } " " ${PORT_PROTO#*/ } " " ${INSTANCE_NETWORK} "
93100 RETVAL=" $? "
94101 done
102+
103+ ITER_V6=0
104+ for IP in " ${INSTANCE_IP_V6_ADDRESSES[@]} " ; do
105+ INSTANCE_NETWORK=" ${INSTANCE_NETWORK_NAMES[$ITER_V6]} "
106+ ITER_V6=$(( ITER_V6 + 1 ))
107+ if [[ -n " $NETWORK " && [[ " $NETWORK " != " $INSTANCE_NETWORK " ; then
108+ continue
109+ fi
110+ ufw-docker--add-rule " ${INSTANCE_NAME} _IPv6" " $IP " " ${PORT_PROTO%/* } " " ${PORT_PROTO#*/ } " " ${INSTANCE_NETWORK} "
111+ RETVAL=" $? "
112+ done
95113 fi
96114 done
97115 if [[ " $RETVAL " -ne 0 ]]; then
@@ -290,13 +308,17 @@ function ufw-docker--raw-command() {
290308}
291309
292310after_rules=" /etc/ufw/after.rules"
311+ after6_rules=" /etc/ufw/after6.rules"
293312
294313function ufw-docker--check() {
295314 err " \\ n########## iptables -n -L DOCKER-USER ##########"
296315 iptables -n -L DOCKER-USER
297316
298317 err " \\ n\\ n########## diff $after_rules ##########"
299318 ufw-docker--check-install && err " \\ nCheck done."
319+
320+ err " \\ n\\ n########## diff $after6_rules ##########"
321+ ufw-docker--check-install_ipv6 && err " \\ nCheck IPv6 done."
300322}
301323
302324declare -a files_to_be_deleted
@@ -352,6 +374,43 @@ function ufw-docker--check-install() {
352374 diff -u --color=auto " $after_rules " " $after_rules_tmp "
353375}
354376
377+ function ufw-docker--check-install_ipv6() {
378+ DOCKER_IPV6_NETWORK=$( sed -En ' s/.*"fixed-cidr-v6":.?"([^"]*).*/\1/p' )
379+ [[ -z " ${DOCKER_IPV6_NETWORK:- } " && die " Could not find \" fixed-cidr-v6\" in \" /etc/docker/daemon.json\" ."
380+
381+ after6_rules_tmp=" ${after6_rules_tmp:- $(mktemp)} "
382+ rm-on-exit " $after6_rules_tmp "
383+
384+ sed " /^# BEGIN UFW AND DOCKER/,/^# END UFW AND DOCKER/d" " $after6_rules " > " $after6_rules_tmp "
385+ >> " ${after6_rules_tmp} " << -\EOF
386+ # BEGIN UFW AND DOCKER
387+ *filter
388+ :ufw6-user-forward - [0:0]
389+ :ufw6-docker-logging-deny - [0:0]
390+ :DOCKER-USER - [0:0]
391+ -A DOCKER-USER -j ufw6-user-forward
392+
393+ -A DOCKER-USER -j RETURN -s {DOCKER_IPV6_NETWORK}
394+
395+ -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN
396+
397+ -A DOCKER-USER -j ufw6-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d {DOCKER_IPV6_NETWORK}
398+ -A DOCKER-USER -j ufw6-docker-logging-deny -p udp -m udp --dport 0:32767 -d {DOCKER_IPV6_NETWORK}
399+
400+ -A DOCKER-USER -j RETURN
401+
402+ -A ufw6-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
403+ -A ufw6-docker-logging-deny -j DROP
404+
405+ COMMIT
406+ # END UFW AND DOCKER
407+ EOF
408+
409+ sed -i " s/{DOCKER_IPV6_NETWORK}/${DOCKER_IPV6_NETWORK/ \/ / \\ / } /g" " $after6_rules_tmp "
410+
411+ diff -u --color=auto " $after6_rules " " $after6_rules_tmp "
412+ }
413+
355414function ufw-docker--install() {
356415 if ! ufw-docker--check-install; then
357416 local after_rules_bak
@@ -366,6 +425,20 @@ function ufw-docker--install() {
366425 err " sudo service ufw restart"
367426 fi
368427 fi
428+
429+ if ! ufw-docker--check-install_ipv6; then
430+ local after6_rules_bak
431+ after6_rules_bak=" ${after6_rules} -ufw-docker~$( date ' +%Y-%m-%d-%H%M%S' ) "
432+ err " \\ nBacking up $after6_rules to $after6_rules_bak "
433+ cp " $after6_rules " " $after6_rules_bak "
434+ cat " $after6_rules_tmp " > " $after6_rules "
435+ err " Please restart UFW service manually by using the following command:"
436+ if type systemctl & > /dev/null; then
437+ err " sudo systemctl restart ufw"
438+ else
439+ err " sudo service ufw restart"
440+ fi
441+ fi
369442}
370443
371444function ufw-docker--help() {
0 commit comments