From a75a6e994777005ffdc719a770cfc35e2358c395 Mon Sep 17 00:00:00 2001
From: Vitaly Repin
Date: Wed, 30 Dec 2020 12:37:56 +0100
Subject: [PATCH] Added jump to ufw-before-forward rule
This chain chall be executed prior to ufw-user-forward to avoid accepting packets in the ufw-user-forward before they are checked (and possibly dropped) in ufw-before-forward
---
README.md | 5 +++++
ufw-docker | 2 ++
2 files changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 58f295c..d0d12ee 100644
--- a/README.md
+++ b/README.md
@@ -69,9 +69,11 @@ Modify the UFW configuration file `/etc/ufw/after.rules` and add the following r # BEGIN UFW AND DOCKER *filter + :ufw-before-forward - [0:0] :ufw-user-forward - [0:0] :ufw-docker-logging-deny - [0:0] :DOCKER-USER - [0:0] + -A DOCKER-USER -j ufw-before-forward -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j RETURN -s 10.0.0.0/8
@@ -127,6 +129,7 @@ The following rules allow the private networks to be able to visit each other. N The following rules allow UFW to manage whether the public networks are allowed to visit the services provided by the Docker container. So that we can manage all firewall rules in one place. + -A DOCKER-USER -j ufw-before-forward -A DOCKER-USER -j ufw-user-forward For example, we want to block all outgoing connections from inside a container whose IP address is 172.17.0.9 which means to block this container to access internet or external networks. Using the following command:
@@ -377,9 +380,11 @@ UFW 是 Ubuntu 上很流行的一个 iptables 前端,可以非常方便的管 # BEGIN UFW AND DOCKER *filter + :ufw-before-forward - [0:0] :ufw-user-forward - [0:0] :ufw-docker-logging-deny - [0:0] :DOCKER-USER - [0:0] + -A DOCKER-USER -j ufw-before-forward -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j RETURN -s 10.0.0.0/8
diff --git a/ufw-docker b/ufw-docker
index 197c2d7..525870e 100755
--- a/ufw-docker
+++ b/ufw-docker
@@ -292,9 +292,11 @@ function ufw-docker--check-install() { >> "${after_rules_tmp}" cat <<-\EOF # BEGIN UFW AND DOCKER *filter + :ufw-before-forward - [0:0] :ufw-user-forward - [0:0] :ufw-docker-logging-deny - [0:0] :DOCKER-USER - [0:0] + -A DOCKER-USER -j ufw-before-forward -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j RETURN -s 10.0.0.0/8
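Review bot: The added `:ufw-before-forward - [0:0]` line in the generated after.rules block re-declares a chain that ufw itself already creates and populates from its own rule files, and a `:chain` line for an already-existing user chain is treated by iptables-restore as a counter reset and, depending on the iptables variant and whether the file is loaded with --noflush, possibly as a flush of that chain's rules; if it is flushed here, the jump added on the next line lands in an empty chain and the ordering guarantee described in the commit message is lost. The same two lines are added to the three README copies of this block, so whatever is decided here should be mirrored there. Worth verifying after `ufw reload` on the supported iptables backends that `ufw-before-forward` still holds its rules, or omitting the declaration and keeping only `-A DOCKER-USER -j ufw-before-forward` if the chain is guaranteed to exist when after.rules is loaded. Presumably FORWARD also still traverses ufw-before-forward on its own after DOCKER-USER returns, so the chain is evaluated twice per forwarded packet; that is harmless for terminating ACCEPT/DROP rules but makes its counters double-count, which a one-line comment above the heredoc line, `# ufw-before-forward is also reached from FORWARD; the early jump only fixes ordering relative to ufw-user-forward`, would make explicit for future readers. The body of `ufw-docker--check-install` starts before this hunk and continues past it.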