use 'DOCKER-USER' instead of 'FORWARD' chain to restrict LAN access

clore_hosting/main.py

@@ -87,6 +87,7 @@ class CloreClient:
             self.ws_peers[str(config.debug_ws_peer)]={
                 "expiration":"immune"
             }
+        docker_interface.verify_docker_version()
 
     async def service(self):
         global container_log_broken
@@ -394,7 +395,7 @@ class CloreClient:
     async def submit_specs(self, current_specs):
         try:
             if type(current_specs) == dict:
-                current_specs["backend_version"]=7
+                current_specs["backend_version"]=8
                 current_specs["update_hw"]=True
                 smallest_pcie_width = 999
                 for gpu in current_specs["gpus"]["nvidia"]:

lib/config.py

@@ -14,7 +14,7 @@ hard_config = {
     "run_iptables_with_sudo":True,
     "clore_iptables_rules":[
         "-A INPUT -s <subnet> -j DROP",
-        "-I FORWARD -i <interface> -d <subnet> -j DROP"
+        "-I DOCKER-USER -i <interface> -d <subnet> -j DROP"
     ],
     "clore_br_first_allowed_octet":"172",
     "ws_peers_recheck_interval": 300,

lib/docker_interface.py

@@ -2,6 +2,7 @@ from lib import logging as logging_lib
 log = logging_lib.log
 from lib import config as config_module
 config = config_module.config
+from packaging import version
 from lib import networking
 from lib import utils
 
@@ -314,17 +315,20 @@ def validate_and_secure_networks():
                         if normalized_template_rule[key]=="<subnet>" or normalized_template_rule[key]=="<interface>":
                             pass
                         elif normalized_template_rule[key]!=not_matched_rule[key]:
-                            any_unmatching_values=True
+                            if key=='-A' and not_matched_rule[key]=="FORWARD":
-                            break
+                                pass
+                            else:
+                                any_unmatching_values=True
+                                break
                         if key=="-s" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
                             any_unmatching_values=True
                             break
                         elif key=="-i" and not_matched_rule[key][:3] in ["eth", "enp", "eno", "ens", "wlp", "vet"]:
                             any_unmatching_values=True
                             break
-                        elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
+                        #elif key=="-d" and not_matched_rule[key][:len(config.clore_br_first_allowed_octet)] != config.clore_br_first_allowed_octet:
-                            any_unmatching_values=True
+                        #    any_unmatching_values=True
-                            break
+                        #    break
                     if not any_unmatching_values:
                         simple_rule = not_normalized_iptables_rules[index]
                         # Delete rule from iptables
@@ -353,3 +357,14 @@ def get_daemon_config():
     except json.JSONDecodeError:
         print(f"Error: Failed to parse JSON from {config_path}.")
         return None
+    
+def verify_docker_version(min_version="17.06"):
+    try:
+        docker_version = client.version()['Version']
+        is_newer = version.parse(docker_version) > version.parse(min_version)
+        if not is_newer:
+            log.error(f"Current docker version ({docker_version}) is too old to be used with clore.ai software\nExiting...")
+            os._exit(1)
+    except Exception as e:
+        log.error(f"Failed to verify docker version | {e}")
+        os._exit(1)

requirements.txt

@@ -6,3 +6,4 @@ speedtest-cli==2.1.3
 psutil==5.9.0
 python-iptables==1.0.1
 websockets==12.0
+packaging==23.2