// Control Inter Network Communication. Install/remove only if it is not/is present.
func setINC(iface1, iface2 string, enable bool) error {
	var (
		table = iptables.Filter
		chain = IsolationChain
		args  = [2][]string{{"-i", iface1, "-o", iface2, "-j", "DROP"}, {"-i", iface2, "-o", iface1, "-j", "DROP"}}
	)

	if enable {
		for i := 0; i < 2; i++ {
			if iptables.Exists(iptables.Iptables, table, chain, args[i]...) {
				continue
			}
			if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-I", chain}, args[i]...)...); err != nil {
				return fmt.Errorf("unable to add inter-network communication rule: %v", err)
			}
		}
	} else {
		for i := 0; i < 2; i++ {
			if !iptables.Exists(iptables.Iptables, table, chain, args[i]...) {
				continue
			}
			if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-D", chain}, args[i]...)...); err != nil {
				return fmt.Errorf("unable to remove inter-network communication rule: %v", err)
			}
		}
	}

	return nil
}
func programChainRule(rule iptRule, ruleDescr string, insert bool) error {
	var (
		prefix    []string
		operation string
		condition bool
		doesExist = iptables.Exists(rule.ipv, rule.table, rule.chain, rule.args...)
	)

	if insert {
		condition = !doesExist
		prefix = []string{"-I", rule.chain}
		operation = "enable"
	} else {
		condition = doesExist
		prefix = []string{"-D", rule.chain}
		operation = "disable"
	}
	if rule.preArgs != nil {
		prefix = append(rule.preArgs, prefix...)
	}

	if condition {
		if err := iptables.RawCombinedOutput(rule.ipv, append(prefix, rule.args...)...); err != nil {
			return fmt.Errorf("Unable to %s %s rule: %s", operation, ruleDescr, err.Error())
		}
	}

	return nil
}
func setIcc(bridgeIface string, iccEnable, insert bool) error {
	var (
		table      = iptables.Filter
		chain      = "FORWARD"
		args       = []string{"-i", bridgeIface, "-o", bridgeIface, "-j"}
		acceptArgs = append(args, "ACCEPT")
		dropArgs   = append(args, "DROP")
	)

	if insert {
		if !iccEnable {
			iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, acceptArgs...)...)

			if !iptables.Exists(iptables.Iptables, table, chain, dropArgs...) {
				if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-A", chain}, dropArgs...)...); err != nil {
					return fmt.Errorf("Unable to prevent intercontainer communication: %s", err.Error())
				}
			}
		} else {
			iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, dropArgs...)...)

			if !iptables.Exists(iptables.Iptables, table, chain, acceptArgs...) {
				if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-I", chain}, acceptArgs...)...); err != nil {
					return fmt.Errorf("Unable to allow intercontainer communication: %s", err.Error())
				}
			}
		}
	} else {
		// Remove any ICC rule.
		if !iccEnable {
			if iptables.Exists(iptables.Iptables, table, chain, dropArgs...) {
				iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, dropArgs...)...)
			}
		} else {
			if iptables.Exists(iptables.Iptables, table, chain, acceptArgs...) {
				iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, acceptArgs...)...)
			}
		}
	}

	return nil
}
func addReturnRule(ipv iptables.IPV, chain string) error {
	var (
		table = iptables.Filter
		args  = []string{"-j", "RETURN"}
	)

	if iptables.Exists(ipv, table, chain, args...) {
		return nil
	}

	err := iptables.RawCombinedOutput(ipv, append([]string{"-I", chain}, args...)...)
	if err != nil {
		return fmt.Errorf("unable to add return rule in %s chain: %s", chain, err.Error())
	}

	return nil
}
// Ensure the jump rule is on top
func ensureJumpRule(ipv iptables.IPV, fromChain, toChain string) error {
	var (
		table = iptables.Filter
		args  = []string{"-j", toChain}
	)

	if iptables.Exists(ipv, table, fromChain, args...) {
		err := iptables.RawCombinedOutput(ipv, append([]string{"-D", fromChain}, args...)...)
		if err != nil {
			return fmt.Errorf("unable to remove jump to %s rule in %s chain: %s", toChain, fromChain, err.Error())
		}
	}

	err := iptables.RawCombinedOutput(ipv, append([]string{"-I", fromChain}, args...)...)
	if err != nil {
		return fmt.Errorf("unable to insert jump to %s rule in %s chain: %s", toChain, fromChain, err.Error())
	}

	return nil
}
Beispiel #6
0
func (d *driver) DeleteEndpoint(nid, eid string) error {
	var err error

	defer osl.InitOSContext()()

	// Get the network handler and make sure it exists
	d.Lock()
	n, ok := d.networks[nid]
	d.Unlock()

	if !ok {
		return types.InternalMaskableErrorf("network %s does not exist", nid)
	}
	if n == nil {
		return driverapi.ErrNoNetwork(nid)
	}

	// Sanity Check
	n.Lock()
	if n.id != nid {
		n.Unlock()
		return InvalidNetworkIDError(nid)
	}
	n.Unlock()

	// Check endpoint id and if an endpoint is actually there
	ep, err := n.getEndpoint(eid)
	if err != nil {
		return err
	}
	if ep == nil {
		return EndpointNotFoundError(eid)
	}

	// Remove it
	n.Lock()
	delete(n.endpoints, eid)
	n.Unlock()

	// On failure make sure to set back ep in n.endpoints, but only
	// if it hasn't been taken over already by some other thread.
	defer func() {
		if err != nil {
			n.Lock()
			if _, ok := n.endpoints[eid]; !ok {
				n.endpoints[eid] = ep
			}
			n.Unlock()
		}
	}()

	// Remove port mappings. Do not stop endpoint delete on unmap failure
	n.releasePorts(ep)

	if ep.config != nil {
		for _, port := range ep.config.ExposedPorts {
			rule := []string{
				"-p", port.Proto.String(),
				"-d", ep.addrv6.String(),
				"--dport", strconv.Itoa(int(port.Port)),
				"-j", "ACCEPT",
			}
			if iptables.Exists(iptables.IP6Tables, iptables.Filter, DockerChain, rule...) {
				delete := append(
					[]string{
						string(iptables.Delete),
						DockerChain,
					},
					rule...,
				)
				iptables.Raw(iptables.IP6Tables, delete...)
			}
		}
	}

	// Try removal of neighbor proxy. Discard error: it is a best effort.
	// Also make sure defer does not see this error either.
	if n.config.NDPProxyInterface != "" && n.config.EnableIPv6 {
		link, err := netlink.LinkByName(n.config.NDPProxyInterface)
		if err == nil {
			neighbor := netlink.Neigh{
				LinkIndex:    link.Attrs().Index,
				Family:       netlink.FAMILY_V6,
				State:        netlink.NUD_PERMANENT,
				Type:         netlink.NDA_UNSPEC,
				Flags:        netlink.NTF_PROXY,
				IP:           ep.addrv6.IP,
				HardwareAddr: ep.macAddress,
			}
			netlink.NeighDel(&neighbor)
		}
	}

	// Try removal of link. Discard error: it is a best effort.
	// Also make sure defer does not see this error either.
	if link, err := netlink.LinkByName(ep.srcName); err == nil {
		netlink.LinkDel(link)
	}

	return nil
}