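// ReleasePortMaps tears down the host-port mappings in maps that were
// previously set up for containerip: the PortMapper allocation, the DNAT
// rule in the HYPER nat chain and the matching ACCEPT rule in the HYPER
// filter chain.
//
// The function is best-effort. A mapping that PortMapper refuses to release
// is skipped (its iptables rules are left untouched) and iptables failures
// are logged rather than returned, so one stale rule does not stop the
// remaining ports from being released. It returns nil in every case; the
// error result is kept for compatibility with existing callers. Nothing is
// done when iptables management is disabled or maps is empty.
func ReleasePortMaps(containerip string, maps []pod.UserContainerPort) error {
	if disableIptables || len(maps) == 0 {
		return nil
	}
	for _, m := range maps {
		glog.V(1).Infof("release port map %d", m.HostPort)
		if err := PortMapper.ReleaseMap(m.Protocol, m.HostPort); err != nil {
			// Skip the iptables cleanup for a port the mapper does not
			// release, instead of silently dropping the reason.
			glog.Warningf("release port map %d: %v", m.HostPort, err)
			continue
		}
		// Anything other than UDP is treated as TCP, mirroring SetupPortMaps.
		proto := "tcp"
		if strings.EqualFold(m.Protocol, "udp") {
			proto = "udp"
		}
		hostPort := strconv.Itoa(m.HostPort)
		containerPort := strconv.Itoa(m.ContainerPort)
		// The rule must match the one SetupPortMaps inserted exactly,
		// otherwise iptables -D cannot find it.
		natArgs := []string{
			"-p", proto, "-m", proto, "--dport", hostPort,
			"-j", "DNAT", "--to-destination", net.JoinHostPort(containerip, containerPort),
		}
		if err := iptables.OperatePortMap(iptables.Delete, "HYPER", natArgs); err != nil {
			glog.Warningf("delete DNAT rule for host port %d: %v", m.HostPort, err)
		}
		filterArgs := []string{"-d", containerip, "-p", proto, "-m", proto, "--dport", containerPort, "-j", "ACCEPT"}
		output, err := iptables.Raw(append([]string{"-D", "HYPER"}, filterArgs...)...)
		if err != nil {
			glog.Warningf("delete ACCEPT rule for %s: %v", net.JoinHostPort(containerip, containerPort), err)
		} else if len(output) != 0 {
			// iptables reported something on a rule deletion; surface it
			// instead of discarding the output.
			glog.Warningf("delete ACCEPT rule for %s: %s", net.JoinHostPort(containerip, containerPort), output)
		}
	}
	/* forbid to map ports twice */
	return nil
}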
// ReleasePortMaps releases the host-port mappings in maps for the container
// at containerip that belongs to VM vmId (container index): each mapping is
// handed back to portMapper and its rules are removed through
// iptables.OperatePortMap.
//
// It is best-effort: a mapping that portMapper fails to release is skipped
// and the remaining ones are still processed. It always returns nil, and
// does nothing when maps is empty.
func ReleasePortMaps(vmId string, index int, containerip string, maps []pod.UserContainerPort) error {
	if len(maps) == 0 {
		return nil
	}
	for _, pm := range maps {
		glog.V(1).Infof("release port map %d", pm.HostPort)
		if portMapper.ReleaseMap(pm.Protocol, pm.HostPort) != nil {
			// Leave the rules of a port the mapper refuses to release alone.
			continue
		}
		// Anything other than UDP is treated as TCP.
		proto := "tcp"
		if strings.EqualFold(pm.Protocol, "udp") {
			proto = "udp"
		}
		// NOTE(review): whatever OperatePortMap reports back, if anything,
		// is not checked here — confirm whether a failed delete should be logged.
		iptables.OperatePortMap(iptables.Delete, vmId, index, proto, pm.HostPort, containerip, pm.ContainerPort)
	}
	/* forbid to map ports twice */
	return nil
}
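// SetupPortMaps publishes the host-port mappings in maps for the container
// at containerip. For every mapping it inserts a DNAT rule into the HYPER
// nat chain, records the allocation with PortMapper and inserts an ACCEPT
// rule into the HYPER filter chain so the forwarded traffic is admitted.
//
// A mapping whose DNAT rule is already installed is skipped (ports are never
// mapped twice) while the remaining mappings are still processed; a host
// port already claimed by a different rule is an error. Processing stops at
// the first failure.
//
// NOTE(review): on failure, the mappings installed earlier in the same call
// are not rolled back here — confirm that callers release them with
// ReleasePortMaps.
//
// Returns nil when iptables management is disabled, maps is empty or every
// mapping is in place; otherwise an error describing the failed mapping.
func SetupPortMaps(containerip string, maps []pod.UserContainerPort) error {
	if disableIptables || len(maps) == 0 {
		return nil
	}
	for _, m := range maps {
		// Anything other than UDP is treated as TCP, mirroring ReleasePortMaps.
		proto := "tcp"
		if strings.EqualFold(m.Protocol, "udp") {
			proto = "udp"
		}
		hostPort := strconv.Itoa(m.HostPort)
		containerPort := strconv.Itoa(m.ContainerPort)
		natArgs := []string{
			"-p", proto, "-m", proto, "--dport", hostPort,
			"-j", "DNAT", "--to-destination", net.JoinHostPort(containerip, containerPort),
		}
		if iptables.PortMapExists("HYPER", natArgs) {
			// This exact mapping is already installed: skip it rather than
			// stop, so the ports after it are still set up.
			continue
		}
		if iptables.PortMapUsed("HYPER", natArgs) {
			// The host port is taken by a rule pointing elsewhere; refuse
			// rather than hijack it.
			return fmt.Errorf("Host port %d has aleady been used", m.HostPort)
		}
		if err := iptables.OperatePortMap(iptables.Insert, "HYPER", natArgs); err != nil {
			return err
		}
		if err := PortMapper.AllocateMap(m.Protocol, m.HostPort, containerip, m.ContainerPort); err != nil {
			return err
		}
		// Admit the forwarded traffic in the filter table; without this the
		// DNAT'd packets would still be dropped by the HYPER chain.
		filterArgs := []string{"-d", containerip, "-p", proto, "-m", proto, "--dport", containerPort, "-j", "ACCEPT"}
		output, err := iptables.Raw(append([]string{"-I", "HYPER"}, filterArgs...)...)
		if err != nil {
			return fmt.Errorf("Unable to setup forward rule in HYPER chain: %s", err)
		}
		if len(output) != 0 {
			// iptables exited cleanly but printed something: treat that as
			// a chain error, as the rest of the package does.
			return &iptables.ChainError{Chain: "HYPER", Output: output}
		}
	}
	/* forbid to map ports twice */
	return nil
}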