// Control Inter Network Communication. Install/remove only if it is not/is present. func setINC(iface1, iface2 string, enable bool) error { var ( table = iptables.Filter chain = IsolationChain args = [2][]string{{"-i", iface1, "-o", iface2, "-j", "DROP"}, {"-i", iface2, "-o", iface1, "-j", "DROP"}} ) if enable { for i := 0; i < 2; i++ { if iptables.Exists(iptables.Iptables, table, chain, args[i]...) { continue } if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-I", chain}, args[i]...)...); err != nil { return fmt.Errorf("unable to add inter-network communication rule: %v", err) } } } else { for i := 0; i < 2; i++ { if !iptables.Exists(iptables.Iptables, table, chain, args[i]...) { continue } if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-D", chain}, args[i]...)...); err != nil { return fmt.Errorf("unable to remove inter-network communication rule: %v", err) } } } return nil }
func programChainRule(rule iptRule, ruleDescr string, insert bool) error { var ( prefix []string operation string condition bool doesExist = iptables.Exists(rule.ipv, rule.table, rule.chain, rule.args...) ) if insert { condition = !doesExist prefix = []string{"-I", rule.chain} operation = "enable" } else { condition = doesExist prefix = []string{"-D", rule.chain} operation = "disable" } if rule.preArgs != nil { prefix = append(rule.preArgs, prefix...) } if condition { if err := iptables.RawCombinedOutput(rule.ipv, append(prefix, rule.args...)...); err != nil { return fmt.Errorf("Unable to %s %s rule: %s", operation, ruleDescr, err.Error()) } } return nil }
func setIcc(bridgeIface string, iccEnable, insert bool) error { var ( table = iptables.Filter chain = "FORWARD" args = []string{"-i", bridgeIface, "-o", bridgeIface, "-j"} acceptArgs = append(args, "ACCEPT") dropArgs = append(args, "DROP") ) if insert { if !iccEnable { iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, acceptArgs...)...) if !iptables.Exists(iptables.Iptables, table, chain, dropArgs...) { if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-A", chain}, dropArgs...)...); err != nil { return fmt.Errorf("Unable to prevent intercontainer communication: %s", err.Error()) } } } else { iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, dropArgs...)...) if !iptables.Exists(iptables.Iptables, table, chain, acceptArgs...) { if err := iptables.RawCombinedOutput(iptables.Iptables, append([]string{"-I", chain}, acceptArgs...)...); err != nil { return fmt.Errorf("Unable to allow intercontainer communication: %s", err.Error()) } } } } else { // Remove any ICC rule. if !iccEnable { if iptables.Exists(iptables.Iptables, table, chain, dropArgs...) { iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, dropArgs...)...) } } else { if iptables.Exists(iptables.Iptables, table, chain, acceptArgs...) { iptables.Raw(iptables.Iptables, append([]string{"-D", chain}, acceptArgs...)...) } } } return nil }
func addReturnRule(ipv iptables.IPV, chain string) error { var ( table = iptables.Filter args = []string{"-j", "RETURN"} ) if iptables.Exists(ipv, table, chain, args...) { return nil } err := iptables.RawCombinedOutput(ipv, append([]string{"-I", chain}, args...)...) if err != nil { return fmt.Errorf("unable to add return rule in %s chain: %s", chain, err.Error()) } return nil }
// Ensure the jump rule is on top func ensureJumpRule(ipv iptables.IPV, fromChain, toChain string) error { var ( table = iptables.Filter args = []string{"-j", toChain} ) if iptables.Exists(ipv, table, fromChain, args...) { err := iptables.RawCombinedOutput(ipv, append([]string{"-D", fromChain}, args...)...) if err != nil { return fmt.Errorf("unable to remove jump to %s rule in %s chain: %s", toChain, fromChain, err.Error()) } } err := iptables.RawCombinedOutput(ipv, append([]string{"-I", fromChain}, args...)...) if err != nil { return fmt.Errorf("unable to insert jump to %s rule in %s chain: %s", toChain, fromChain, err.Error()) } return nil }
func (d *driver) DeleteEndpoint(nid, eid string) error { var err error defer osl.InitOSContext()() // Get the network handler and make sure it exists d.Lock() n, ok := d.networks[nid] d.Unlock() if !ok { return types.InternalMaskableErrorf("network %s does not exist", nid) } if n == nil { return driverapi.ErrNoNetwork(nid) } // Sanity Check n.Lock() if n.id != nid { n.Unlock() return InvalidNetworkIDError(nid) } n.Unlock() // Check endpoint id and if an endpoint is actually there ep, err := n.getEndpoint(eid) if err != nil { return err } if ep == nil { return EndpointNotFoundError(eid) } // Remove it n.Lock() delete(n.endpoints, eid) n.Unlock() // On failure make sure to set back ep in n.endpoints, but only // if it hasn't been taken over already by some other thread. defer func() { if err != nil { n.Lock() if _, ok := n.endpoints[eid]; !ok { n.endpoints[eid] = ep } n.Unlock() } }() // Remove port mappings. Do not stop endpoint delete on unmap failure n.releasePorts(ep) if ep.config != nil { for _, port := range ep.config.ExposedPorts { rule := []string{ "-p", port.Proto.String(), "-d", ep.addrv6.String(), "--dport", strconv.Itoa(int(port.Port)), "-j", "ACCEPT", } if iptables.Exists(iptables.IP6Tables, iptables.Filter, DockerChain, rule...) { delete := append( []string{ string(iptables.Delete), DockerChain, }, rule..., ) iptables.Raw(iptables.IP6Tables, delete...) } } } // Try removal of neighbor proxy. Discard error: it is a best effort. // Also make sure defer does not see this error either. if n.config.NDPProxyInterface != "" && n.config.EnableIPv6 { link, err := netlink.LinkByName(n.config.NDPProxyInterface) if err == nil { neighbor := netlink.Neigh{ LinkIndex: link.Attrs().Index, Family: netlink.FAMILY_V6, State: netlink.NUD_PERMANENT, Type: netlink.NDA_UNSPEC, Flags: netlink.NTF_PROXY, IP: ep.addrv6.IP, HardwareAddr: ep.macAddress, } netlink.NeighDel(&neighbor) } } // Try removal of link. Discard error: it is a best effort. // Also make sure defer does not see this error either. if link, err := netlink.LinkByName(ep.srcName); err == nil { netlink.LinkDel(link) } return nil }