// SetupIptables installs the NAT and filter rules the cluster network needs,
// through firewalld when it is running and directly via iptables otherwise.
//
// With firewalld active, five IPv4 rules are ensured: a POSTROUTING MASQUERADE
// for traffic leaving clusterNetworkCIDR for any other destination, INPUT
// ACCEPT for VXLAN (UDP 4789) and for anything arriving on tun0, and FORWARD
// ACCEPT both to and from the cluster CIDR. Without firewalld only the
// MASQUERADE rule is appended; the INPUT and FORWARD rules are not installed
// on that path.
//
// NOTE(review): the UDP/4789 and tun0 INPUT rules carry no source match, so
// how far the VXLAN port is exposed depends on filtering upstream of this
// host — confirm against the deployment.
//
// Returns the first error reported by firewalld or iptables, or nil.
func SetupIptables(fw *firewalld.Interface, clusterNetworkCIDR string) error {
	if !fw.IsRunning() {
		// Plain iptables path: only the outbound masquerade rule is managed here.
		conn := utildbus.New()
		ipt := iptables.New(kexec.New(), conn, iptables.ProtocolIpv4)
		if _, err := ipt.EnsureRule(iptables.Append, iptables.TableNAT, iptables.ChainPostrouting,
			"-s", clusterNetworkCIDR, "!", "-d", clusterNetworkCIDR, "-j", "MASQUERADE"); err != nil {
			return err
		}
		return nil
	}

	// firewalld path: every rule is ensured in order; the first failure aborts.
	wanted := []FirewallRule{
		{ipv: firewalld.IPv4, table: "nat", chain: "POSTROUTING", priority: 0,
			args: []string{"-s", clusterNetworkCIDR, "!", "-d", clusterNetworkCIDR, "-j", "MASQUERADE"}},
		{ipv: firewalld.IPv4, table: "filter", chain: "INPUT", priority: 0,
			args: []string{"-p", "udp", "-m", "multiport", "--dports", "4789", "-m", "comment", "--comment", "001 vxlan incoming", "-j", "ACCEPT"}},
		{ipv: firewalld.IPv4, table: "filter", chain: "INPUT", priority: 0,
			args: []string{"-i", "tun0", "-m", "comment", "--comment", "traffic from docker for internet", "-j", "ACCEPT"}},
		{ipv: firewalld.IPv4, table: "filter", chain: "FORWARD", priority: 0,
			args: []string{"-d", clusterNetworkCIDR, "-j", "ACCEPT"}},
		{ipv: firewalld.IPv4, table: "filter", chain: "FORWARD", priority: 0,
			args: []string{"-s", clusterNetworkCIDR, "-j", "ACCEPT"}},
	}
	for _, r := range wanted {
		if err := fw.EnsureRule(r.ipv, r.table, r.chain, r.priority, r.args); err != nil {
			return err
		}
	}
	return nil
}
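// SetupIptables installs the NAT and filter rules for containerNetwork, using
// firewalld when it is running and the iptables binary otherwise.
//
// With firewalld active, five IPv4 rules are ensured: a POSTROUTING MASQUERADE
// for traffic leaving containerNetwork for any other destination, INPUT ACCEPT
// for VXLAN (UDP 4789) and for anything arriving on tun0, and FORWARD ACCEPT
// both to and from the container network. Without firewalld the MASQUERADE
// rule is first deleted (best effort, so a missing rule is not an error) and
// then appended, leaving a single copy; the INPUT and FORWARD rules are not
// installed on that path. The receiver is not used.
//
// The iptables invocations pass containerNetwork as a discrete argv element
// (no shell is involved), so it is not subject to shell interpretation.
//
// NOTE(review): the two exec calls are unbounded — no context or timeout — so
// a hung iptables blocks the caller; confirm that is acceptable here.
//
// Returns the first error from firewalld, or the error from appending the
// iptables rule; nil on success.
func (c *FlowController) SetupIptables(fw *firewalld.Interface, containerNetwork string) error {
	if fw.IsRunning() {
		// firewalld path: every rule is ensured in order; the first failure aborts.
		wanted := []FirewallRule{
			{ipv: firewalld.IPv4, table: "nat", chain: "POSTROUTING", priority: 0,
				args: []string{"-s", containerNetwork, "!", "-d", containerNetwork, "-j", "MASQUERADE"}},
			{ipv: firewalld.IPv4, table: "filter", chain: "INPUT", priority: 0,
				args: []string{"-p", "udp", "-m", "multiport", "--dports", "4789", "-m", "comment", "--comment", "001 vxlan incoming", "-j", "ACCEPT"}},
			{ipv: firewalld.IPv4, table: "filter", chain: "INPUT", priority: 0,
				args: []string{"-i", "tun0", "-m", "comment", "--comment", "traffic from docker for internet", "-j", "ACCEPT"}},
			{ipv: firewalld.IPv4, table: "filter", chain: "FORWARD", priority: 0,
				args: []string{"-d", containerNetwork, "-j", "ACCEPT"}},
			{ipv: firewalld.IPv4, table: "filter", chain: "FORWARD", priority: 0,
				args: []string{"-s", containerNetwork, "-j", "ACCEPT"}},
		}
		for _, r := range wanted {
			if err := fw.EnsureRule(r.ipv, r.table, r.chain, r.priority, r.args); err != nil {
				return err
			}
		}
		return nil
	}

	// Plain iptables path. The rule spec is shared by the delete and the append
	// so the two invocations cannot drift apart.
	spec := []string{"POSTROUTING", "-s", containerNetwork, "!", "-d", containerNetwork, "-j", "MASQUERADE"}
	del := append([]string{"-t", "nat", "-D"}, spec...)
	add := append([]string{"-t", "nat", "-A"}, spec...)

	// The delete is best effort: it fails whenever the rule is not present yet,
	// which is the normal first-run case, so its result is deliberately ignored.
	_ = exec.Command("iptables", del...).Run()
	if err := exec.Command("iptables", add...).Run(); err != nil {
		return err
	}
	return nil
}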