// In the filter table FORWARD chain first rule should be to jump to INGRESS-CHAIN // This chain has the rules to allow access to the published ports for swarm tasks // from local bridge networks and docker_gwbridge (ie:taks on other swarm netwroks) func arrangeIngressFilterRule() { if iptables.ExistChain(ingressChain, iptables.Filter) { if iptables.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) { if err := iptables.RawCombinedOutput("-D", "FORWARD", "-j", ingressChain); err != nil { logrus.Warnf("failed to delete jump rule to ingressChain in filter table: %v", err) } } if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil { logrus.Warnf("failed to add jump rule to ingressChain in filter table: %v", err) } } }
func TestCleanupIptableRules(t *testing.T) { defer testutils.SetupTestOSContext(t)() bridgeChain := []iptables.ChainInfo{ iptables.ChainInfo{Name: DockerChain, Table: iptables.Nat}, iptables.ChainInfo{Name: DockerChain, Table: iptables.Filter}, iptables.ChainInfo{Name: IsolationChain, Table: iptables.Filter}, } if _, _, _, err := setupIPChains(&configuration{EnableIPTables: true}); err != nil { t.Fatalf("Error setting up ip chains: %v", err) } for _, chainInfo := range bridgeChain { if !iptables.ExistChain(chainInfo.Name, chainInfo.Table) { t.Fatalf("iptables chain %s of %s table should have been created", chainInfo.Name, chainInfo.Table) } } Init(fakeCallBack{}, make(map[string]interface{})) for _, chainInfo := range bridgeChain { if iptables.ExistChain(chainInfo.Name, chainInfo.Table) { t.Fatalf("iptables chain %s of %s table should have been deleted", chainInfo.Name, chainInfo.Table) } } }
func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) error { addDelOpt := "-I" if isDelete { addDelOpt = "-D" } chainExists := iptables.ExistChain(ingressChain, iptables.Nat) ingressOnce.Do(func() { if chainExists { // Flush ingress chain rules during init if it // exists. It might contain stale rules from // previous life. if err := iptables.RawCombinedOutput("-t", "nat", "-F", ingressChain); err != nil { logrus.Errorf("Could not flush ingress chain rules during init: %v", err) } } }) if !isDelete { if !chainExists { if err := iptables.RawCombinedOutput("-t", "nat", "-N", ingressChain); err != nil { return fmt.Errorf("failed to create ingress chain: %v", err) } } if !iptables.Exists(iptables.Nat, ingressChain, "-j", "RETURN") { if err := iptables.RawCombinedOutput("-t", "nat", "-A", ingressChain, "-j", "RETURN"); err != nil { return fmt.Errorf("failed to add return rule in ingress chain: %v", err) } } for _, chain := range []string{"OUTPUT", "PREROUTING"} { if !iptables.Exists(iptables.Nat, chain, "-j", ingressChain) { if err := iptables.RawCombinedOutput("-t", "nat", "-I", chain, "-j", ingressChain); err != nil { return fmt.Errorf("failed to add jump rule in %s to ingress chain: %v", chain, err) } } } oifName, err := findOIFName(gwIP) if err != nil { return fmt.Errorf("failed to find gateway bridge interface name for %s: %v", gwIP, err) } path := filepath.Join("/proc/sys/net/ipv4/conf", oifName, "route_localnet") if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { return fmt.Errorf("could not write to %s: %v", path, err) } ruleArgs := strings.Fields(fmt.Sprintf("-m addrtype --src-type LOCAL -o %s -j MASQUERADE", oifName)) if !iptables.Exists(iptables.Nat, "POSTROUTING", ruleArgs...) { if err := iptables.RawCombinedOutput(append([]string{"-t", "nat", "-I", "POSTROUTING"}, ruleArgs...)...); err != nil { return fmt.Errorf("failed to add ingress localhost POSTROUTING rule for %s: %v", oifName, err) } } } for _, iPort := range ingressPorts { if iptables.ExistChain(ingressChain, iptables.Nat) { rule := strings.Fields(fmt.Sprintf("-t nat %s %s -p %s --dport %d -j DNAT --to-destination %s:%d", addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort, gwIP, iPort.PublishedPort)) if err := iptables.RawCombinedOutput(rule...); err != nil { return fmt.Errorf("setting up rule failed, %v: %v", rule, err) } } if err := plumbProxy(iPort, isDelete); err != nil { return fmt.Errorf("failed to create proxy for port %d: %v", iPort.PublishedPort, err) } } return nil }
func programIngress(gwIP net.IP, ingressPorts []*PortConfig, isDelete bool) error { addDelOpt := "-I" if isDelete { addDelOpt = "-D" } chainExists := iptables.ExistChain(ingressChain, iptables.Nat) filterChainExists := iptables.ExistChain(ingressChain, iptables.Filter) ingressOnce.Do(func() { // Flush nat table and filter table ingress chain rules during init if it // exists. It might contain stale rules from previous life. if chainExists { if err := iptables.RawCombinedOutput("-t", "nat", "-F", ingressChain); err != nil { logrus.Errorf("Could not flush nat table ingress chain rules during init: %v", err) } } if filterChainExists { if err := iptables.RawCombinedOutput("-F", ingressChain); err != nil { logrus.Errorf("Could not flush filter table ingress chain rules during init: %v", err) } } }) if !isDelete { if !chainExists { if err := iptables.RawCombinedOutput("-t", "nat", "-N", ingressChain); err != nil { return fmt.Errorf("failed to create ingress chain: %v", err) } } if !filterChainExists { if err := iptables.RawCombinedOutput("-N", ingressChain); err != nil { return fmt.Errorf("failed to create filter table ingress chain: %v", err) } } if !iptables.Exists(iptables.Nat, ingressChain, "-j", "RETURN") { if err := iptables.RawCombinedOutput("-t", "nat", "-A", ingressChain, "-j", "RETURN"); err != nil { return fmt.Errorf("failed to add return rule in nat table ingress chain: %v", err) } } if !iptables.Exists(iptables.Filter, ingressChain, "-j", "RETURN") { if err := iptables.RawCombinedOutput("-A", ingressChain, "-j", "RETURN"); err != nil { return fmt.Errorf("failed to add return rule to filter table ingress chain: %v", err) } } for _, chain := range []string{"OUTPUT", "PREROUTING"} { if !iptables.Exists(iptables.Nat, chain, "-m", "addrtype", "--dst-type", "LOCAL", "-j", ingressChain) { if err := iptables.RawCombinedOutput("-t", "nat", "-I", chain, "-m", "addrtype", "--dst-type", "LOCAL", "-j", ingressChain); err != nil { return fmt.Errorf("failed to add jump rule in %s to ingress chain: %v", chain, err) } } } if !iptables.Exists(iptables.Filter, "FORWARD", "-j", ingressChain) { if err := iptables.RawCombinedOutput("-I", "FORWARD", "-j", ingressChain); err != nil { return fmt.Errorf("failed to add jump rule to %s in filter table forward chain: %v", ingressChain, err) } } oifName, err := findOIFName(gwIP) if err != nil { return fmt.Errorf("failed to find gateway bridge interface name for %s: %v", gwIP, err) } path := filepath.Join("/proc/sys/net/ipv4/conf", oifName, "route_localnet") if err := ioutil.WriteFile(path, []byte{'1', '\n'}, 0644); err != nil { return fmt.Errorf("could not write to %s: %v", path, err) } ruleArgs := strings.Fields(fmt.Sprintf("-m addrtype --src-type LOCAL -o %s -j MASQUERADE", oifName)) if !iptables.Exists(iptables.Nat, "POSTROUTING", ruleArgs...) { if err := iptables.RawCombinedOutput(append([]string{"-t", "nat", "-I", "POSTROUTING"}, ruleArgs...)...); err != nil { return fmt.Errorf("failed to add ingress localhost POSTROUTING rule for %s: %v", oifName, err) } } } for _, iPort := range ingressPorts { if iptables.ExistChain(ingressChain, iptables.Nat) { rule := strings.Fields(fmt.Sprintf("-t nat %s %s -p %s --dport %d -j DNAT --to-destination %s:%d", addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort, gwIP, iPort.PublishedPort)) if err := iptables.RawCombinedOutput(rule...); err != nil { errStr := fmt.Sprintf("setting up rule failed, %v: %v", rule, err) if !isDelete { return fmt.Errorf("%s", errStr) } logrus.Infof("%s", errStr) } } // Filter table rules to allow a published service to be accessible in the local node from.. // 1) service tasks attached to other networks // 2) unmanaged containers on bridge networks rule := strings.Fields(fmt.Sprintf("%s %s -m state -p %s --sport %d --state ESTABLISHED,RELATED -j ACCEPT", addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort)) if err := iptables.RawCombinedOutput(rule...); err != nil { errStr := fmt.Sprintf("setting up rule failed, %v: %v", rule, err) if !isDelete { return fmt.Errorf("%s", errStr) } logrus.Warnf("%s", errStr) } rule = strings.Fields(fmt.Sprintf("%s %s -p %s --dport %d -j ACCEPT", addDelOpt, ingressChain, strings.ToLower(PortConfig_Protocol_name[int32(iPort.Protocol)]), iPort.PublishedPort)) if err := iptables.RawCombinedOutput(rule...); err != nil { errStr := fmt.Sprintf("setting up rule failed, %v: %v", rule, err) if !isDelete { return fmt.Errorf("%s", errStr) } logrus.Warnf("%s", errStr) } if err := plumbProxy(iPort, isDelete); err != nil { logrus.Warnf("failed to create proxy for port %d: %v", iPort.PublishedPort, err) } } return nil }