Add a new firewall ingress-policy "isolated"

IngressPolicyIsolated ("isolated") behaves similar to ingress policy "same-bridge" with the exception that connections from the same bridge are also blocked. This is meant to be functionally equivalent to Docker network option "enable_icc" when set to false. Signed-off-by: Swagat Bora <[email protected]>
containernetworking · Jan 15, 2025 · cf86c69 · cf86c69
1 parent abfac4a
commit cf86c69
Show file tree

Hide file tree

Showing 4 changed files with 283 additions and 104 deletions.
diff --git a/pkg/utils/buildversion/buildversion.go b/pkg/utils/buildversion/buildversion.go
@@ -19,7 +19,7 @@ package buildversion
 import "fmt"
 
 // This is overridden in the linker script
-var BuildVersion = "version unknown"
+var BuildVersion = "1.1.0"
 
 func BuildString(pluginName string) string {
 	return fmt.Sprintf("CNI %s plugin %s", pluginName, BuildVersion)

diff --git a/plugins/meta/firewall/firewall.go b/plugins/meta/firewall/firewall.go
@@ -64,6 +64,13 @@ const (
 	// IngressPolicySameBridge executes `iptables` regardless to the value of `Backend`.
 	// IngressPolicySameBridge may not work as expected for non-bridge networks.
 	IngressPolicySameBridge IngressPolicy = "same-bridge"
+
+	// IngressPolicyIsolated ("isolated"): similar to ingress policy "same-bridge" with the exception
+	// that connections from the same bridge are also blocked.
+	// This is equivalent to Docker network option "enable_icc" when set to false.
+	// IngressPolicyIsolated executes `iptables` regardless to the value of `Backend`.
+	// IngressPolicyIsolated may not work as expected for non-bridge networks.
+	IngressPolicyIsolated IngressPolicy = "isolated"
 )
 
 type FirewallBackend interface {