Refactor rule generation: add GenerateBridge and GenerateContainer methods for improved modularity and clarity

2026-01-11 12:54:38 +05:00
parent ce6cbbe17e
commit 82b501d0ec
1 changed files with 69 additions and 53 deletions
--- a/internal/daemon/docker_monitor/rule_strategy/generator.go
+++ b/internal/daemon/docker_monitor/rule_strategy/generator.go
@@ -10,6 +10,8 @@ import (

 type Generator interface {
 	GenerateAll(chains chain.Chains, isComment bool)
+	GenerateBridge(bridge client.Bridge, chain chain.Chains, isComment bool)
+	GenerateContainer(container client.Container, bridgeName string, chain chain.Chains, isComment bool)
 	ClearChains(chains chain.Chains)
 	AddRule(chainData chain.Data, rule string)
 }
@@ -47,71 +49,85 @@ func (g *generator) GenerateAll(chains chain.Chains, isComment bool) {
 		g.logger.Error(err.Error())
 		return
 	}
-	var rule string
+
 	for _, bridge := range bridges {
-		comment := ""
-		if isComment {
-			comment = fmt.Sprintf("comment \"bridge_id:%s\"", bridge.ID)
-		}
-
-		rule = fmt.Sprintf("iifname != \"%s\" oifname \"%s\" counter drop %s", bridge.Name, bridge.Name, comment)
-		g.AddRule(listChains.DockerFilterSecond, rule)
-
-		rule = fmt.Sprintf("iifname \"%s\" counter accept %s", bridge.Name, comment)
-		g.AddRule(listChains.ForwardFilter, rule)
-
-		rule = fmt.Sprintf("oifname \"%s\" counter", bridge.Name)
-		if err := listChains.DockerFilter.JumpTo(&listChains.ForwardBridge, rule, comment); err != nil {
-			g.logger.Error(err.Error())
-		}
-
-		rule = fmt.Sprintf("oifname \"%s\" ct state related,established counter accept %s", bridge.Name, comment)
-		g.AddRule(listChains.ForwardCT, rule)
-
-		for _, subnet := range bridge.Subnets {
-			rule = fmt.Sprintf("ip saddr %s oifname != \"%s\" counter masquerade %s", subnet, bridge.Name, comment)
-			g.AddRule(listChains.PostroutingNat, rule)
-		}
+		g.GenerateBridge(bridge, chains, isComment)

 		if bridge.Containers == nil {
 			continue
 		}
 		for _, container := range bridge.Containers {
-			if isComment {
-				comment = fmt.Sprintf("comment \"container_id:%s\"", container.ID)
-			}
+			g.GenerateContainer(container, bridge.Name, chains, isComment)
+		}
+	}
+}

-			for _, ipInfo := range container.Networks.IPAddresses {
-				rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" counter drop %s", ipInfo.NftPrefix(), ipInfo.Address, bridge.Name, comment)
-				g.AddRule(listChains.PreroutingFilter, rule)
+func (g *generator) GenerateBridge(bridge client.Bridge, chain chain.Chains, isComment bool) {
+	listChains := chain.List()

-				for _, port := range container.Networks.Ports {
-					isZeroAddress := false
-					for _, hostInfo := range port.HostPort {
-						if hostInfo.IP.Address != "0.0.0.0" && hostInfo.IP.Address != "::" && (hostInfo.IP.Address == "127.0.0.1" || hostInfo.IP.Address == "::1") {
-							rule = fmt.Sprintf("%s daddr %s iifname != \"lo\" %s dport %s counter drop %s", hostInfo.IP.NftPrefix(), hostInfo.IP.Address, port.Protocol, hostInfo.Port, comment)
-							g.AddRule(listChains.PreroutingFilter, rule)
-						}
+	var rule string
+	comment := ""
+	if isComment {
+		comment = fmt.Sprintf("comment \"bridge_id:%s\"", bridge.ID)
+	}

-						if hostInfo.IP.Address == "0.0.0.0" || hostInfo.IP.Address == "::" {
-							if isZeroAddress {
-								continue
-							}
-							isZeroAddress = true
-							rule = fmt.Sprintf("iifname != \"%s\" %s dport %s counter dnat %s to %s:%s %s", bridge.Name, port.Protocol, hostInfo.Port, ipInfo.NftPrefix(), ipInfo.Address, port.Port, comment)
-							g.AddRule(listChains.DockerNat, rule)
+	rule = fmt.Sprintf("iifname != \"%s\" oifname \"%s\" counter drop %s", bridge.Name, bridge.Name, comment)
+	g.AddRule(listChains.DockerFilterSecond, rule)

-							rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" oifname \"%s\" %s dport %s counter accept %s", ipInfo.NftPrefix(), ipInfo.Address, bridge.Name, bridge.Name, port.Protocol, port.Port, comment)
-							g.AddRule(listChains.DockerFilterFirst, rule)
-							continue
-						}
-						rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" oifname \"%s\" %s dport %s counter accept %s", ipInfo.NftPrefix(), ipInfo.Address, bridge.Name, bridge.Name, port.Protocol, port.Port, comment)
-						g.AddRule(listChains.DockerFilterFirst, rule)
+	rule = fmt.Sprintf("iifname \"%s\" counter accept %s", bridge.Name, comment)
+	g.AddRule(listChains.ForwardFilter, rule)

-						rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" %s dport %s counter dnat to %s:%s %s", hostInfo.IP.NftPrefix(), hostInfo.IP.Address, bridge.Name, port.Protocol, hostInfo.Port, ipInfo.Address, port.Port, comment)
-						g.AddRule(listChains.DockerNat, rule)
-					}
+	rule = fmt.Sprintf("oifname \"%s\" counter", bridge.Name)
+	if err := listChains.DockerFilter.JumpTo(&listChains.ForwardBridge, rule, comment); err != nil {
+		g.logger.Error(err.Error())
+	}
+
+	rule = fmt.Sprintf("oifname \"%s\" ct state related,established counter accept %s", bridge.Name, comment)
+	g.AddRule(listChains.ForwardCT, rule)
+
+	for _, subnet := range bridge.Subnets {
+		rule = fmt.Sprintf("ip saddr %s oifname != \"%s\" counter masquerade %s", subnet, bridge.Name, comment)
+		g.AddRule(listChains.PostroutingNat, rule)
+	}
+}
+
+func (g *generator) GenerateContainer(container client.Container, bridgeName string, chain chain.Chains, isComment bool) {
+	listChains := chain.List()
+	var rule string
+	comment := ""
+	if isComment {
+		comment = fmt.Sprintf("comment \"container_id:%s\"", container.ID)
+	}
+
+	for _, ipInfo := range container.Networks.IPAddresses {
+		rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" counter drop %s", ipInfo.NftPrefix(), ipInfo.Address, bridgeName, comment)
+		g.AddRule(listChains.PreroutingFilter, rule)
+
+		for _, port := range container.Networks.Ports {
+			isZeroAddress := false
+			for _, hostInfo := range port.HostPort {
+				if hostInfo.IP.Address != "0.0.0.0" && hostInfo.IP.Address != "::" && (hostInfo.IP.Address == "127.0.0.1" || hostInfo.IP.Address == "::1") {
+					rule = fmt.Sprintf("%s daddr %s iifname != \"lo\" %s dport %s counter drop %s", hostInfo.IP.NftPrefix(), hostInfo.IP.Address, port.Protocol, hostInfo.Port, comment)
+					g.AddRule(listChains.PreroutingFilter, rule)
 				}
+
+				if hostInfo.IP.Address == "0.0.0.0" || hostInfo.IP.Address == "::" {
+					if isZeroAddress {
+						continue
+					}
+					isZeroAddress = true
+					rule = fmt.Sprintf("iifname != \"%s\" %s dport %s counter dnat %s to %s:%s %s", bridgeName, port.Protocol, hostInfo.Port, ipInfo.NftPrefix(), ipInfo.Address, port.Port, comment)
+					g.AddRule(listChains.DockerNat, rule)
+
+					rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" oifname \"%s\" %s dport %s counter accept %s", ipInfo.NftPrefix(), ipInfo.Address, bridgeName, bridgeName, port.Protocol, port.Port, comment)
+					g.AddRule(listChains.DockerFilterFirst, rule)
+					continue
+				}
+				rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" oifname \"%s\" %s dport %s counter accept %s", ipInfo.NftPrefix(), ipInfo.Address, bridgeName, bridgeName, port.Protocol, port.Port, comment)
+				g.AddRule(listChains.DockerFilterFirst, rule)
+
+				rule = fmt.Sprintf("%s daddr %s iifname != \"%s\" %s dport %s counter dnat to %s:%s %s", hostInfo.IP.NftPrefix(), hostInfo.IP.Address, bridgeName, port.Protocol, hostInfo.Port, ipInfo.Address, port.Port, comment)
+				g.AddRule(listChains.DockerNat, rule)
 			}
 		}
 	}