iptables: add reaction chain to FORWARD chain for docker

https://framagit.org/ppom/reaction/-/issues/84

app/example.yml

@@ -1,4 +1,11 @@
 ---
+# This example configuration file is a good starting point, but you're
+# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
+#
+# This file is using the well-established YAML configuration language.
+# Note that the more powerful JSONnet configuration language is also supported
+# and that the documentation uses JSONnet
+
 # definitions are just a place to put chunks of conf you want to reuse in another place
 # using YAML anchors `&name` and pointers `*name`
 # definitions are not readed by reaction
@@ -31,10 +38,12 @@ patterns:
 start:
   - [ 'ip46tables', '-w', '-N', 'reaction' ]
   - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
+  - [ 'ip46tables', '-w', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
 
 # Those commands will be executed in order at stop, after everything else
 stop:
   - [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
+  - [ 'ip46tables', '-w,', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
   - [ 'ip46tables', '-w', '-F', 'reaction' ]
   - [ 'ip46tables', '-w', '-X', 'reaction' ]
 

config/example.jsonnet

@@ -1,11 +1,15 @@
-// This file is using JSONNET, a complete configuration language based on JSON
+// This file is using JSONnet, a complete configuration language based on JSON
 // See https://jsonnet.org
-// JSONNET is a superset of JSON, so one can write plain JSON files if wanted.
+// JSONnet is a superset of JSON, so one can write plain JSON files if wanted.
 // Note that YAML is also supported, see ./example.yml
 
-// JSONNET functions
+// This example configuration file is a good starting point, but you're
+// strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
+
+// JSONnet functions
 local iptables(args) = ['ip46tables', '-w'] + args;
-// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo.
+// ip46tables is a minimal C program (only POSIX dependencies) present in a
+// subdirectory of this repo.
 // it permits to handle both ipv4/iptables and ipv6/ip6tables commands
 
 // See meaning and usage of this function around L106
@@ -43,14 +47,16 @@ local banFor(time) = {
   start: [
     // Create an iptables chain for reaction
     iptables(['-N', 'reaction']),
-    // Insert this chain as the first item of the INPUT chain (for incoming connections)
+    // Insert this chain as the first item of the INPUT & FORWARD chains (for incoming connections)
     iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),
+    iptables(['-I', 'FORWARD', '-p', 'all', '-j', 'reaction']),
   ],
 
   // Those commands will be executed in order at stop, after everything else
   stop: [
-    // Remove the chain from the INPUT chain
+    // Remove the chain from the INPUT & FORWARD chains
     iptables(['-D', 'INPUT', '-p', 'all', '-j', 'reaction']),
+    iptables(['-D', 'FORWARD', '-p', 'all', '-j', 'reaction']),
     // Empty the chain
     iptables(['-F', 'reaction']),
     // Delete the chain

config/reaction.debian.service

@@ -1,6 +1,8 @@
 [Unit]
 Description=A daemon that scans program outputs for repeated patterns, and takes action.
 Documentation=https://framagit.org/ppom/reaction-wiki
+# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
+# After=docker.service
 
 [Service]
 ExecStart=/usr/bin/reaction start -c /etc/reaction.jsonnet

config/reaction.example.service

@@ -1,6 +1,8 @@
 # vim: ft=systemd
 [Install]
 WantedBy=multi-user.target
+# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
+# After=docker.service
 
 # See `man systemd.exec` and `man systemd.service` for most options below
 [Service]