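// SetupNFQUEUE appends an iptables rule inside the container's network
// namespace that hands every packet on the OUTPUT chain (or INPUT when
// hookInput is set) to NFQUEUE number queueNum, so that a userspace
// inspector attached to that queue can verdict the traffic.
//
// Unless disableBypass is set the rule carries --queue-bypass, which makes
// the kernel ACCEPT packets whenever nothing is listening on the queue.
// That keeps the container reachable while the inspector is not (yet)
// running, but it also means the rule fails open: until a listener is
// attached, packets pass uninspected and undelayed. Pass disableBypass=true
// when traffic must never bypass the inspector.
//
// The rule is appended with -A and is not removed here; calling this twice
// stacks two rules.
//
// Returns an error if queueNum is outside the range nfnetlink_queue accepts,
// if the namespace cannot be entered, or if iptables exits non-zero
// (iptables' own diagnostics are forwarded to os.Stderr).
func SetupNFQUEUE(c *docker.Container, queueNum int, hookInput bool, disableBypass bool) error {
	// Validate before touching the namespace: a negative or oversized queue
	// number would otherwise surface only as an opaque iptables failure, and
	// the inspector side truncates the number to uint16.
	if queueNum < 0 || queueNum > 65535 {
		return fmt.Errorf("invalid NFQUEUE number %d: must be in [0, 65535]", queueNum)
	}

	if err := container.EnterDockerNetNs(c); err != nil {
		return err
	}
	defer container.LeaveNetNs()

	chain := "OUTPUT"
	if hookInput {
		chain = "INPUT"
	}
	iptArg := []string{"-A", chain, "-j", "NFQUEUE", "--queue-num", fmt.Sprintf("%d", queueNum)}
	if !disableBypass {
		// Fail-open behaviour: see the function comment.
		iptArg = append(iptArg, "--queue-bypass")
	}

	log.Debugf("Running `iptables` with %s", iptArg)
	cmd := exec.Command("iptables", iptArg...)
	cmd.Stdout = os.Stdout
	cmd.Stderr = os.Stderr
	cmd.Env = os.Environ()
	if err := cmd.Run(); err != nil {
		// Include the argument vector so a failed rule install can be
		// reproduced by hand; exec.ExitError alone says only "exit status 1".
		return fmt.Errorf("iptables %v: %v", iptArg, err)
	}
	return nil
}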
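// StartEthernetInspector enters the container's network namespace and starts
// an ethernet.NFQInspector bound to NFQUEUE number queueNum, reporting to the
// local orchestrator under a fixed entity ID with the TCP watcher enabled.
// It is the userspace counterpart of the rule installed by SetupNFQUEUE.
//
// queueNum is narrowed to uint16 without a range check; callers are expected
// to pass the same value they gave SetupNFQUEUE.
//
// Note: the deferred LeaveNetNs only runs after insp.Start returns, so the
// calling goroutine stays in the container namespace for as long as Start
// runs. Start's result, if it returns one, is not examined here.
// NOTE(review): whether Start blocks for the inspector's lifetime is not
// visible from this file — confirm against the ethernet package.
//
// Returns an error only if the namespace cannot be entered.
func StartEthernetInspector(c *docker.Container, queueNum int) error {
	if err := container.EnterDockerNetNs(c); err != nil {
		return err
	}
	defer container.LeaveNetNs()

	insp := &ethernet.NFQInspector{
		OrchestratorURL:  ocutil.LocalOrchestratorURL,
		EntityID:         "_earthquake_container_ethernet_inspector",
		NFQNumber:        uint16(queueNum),
		EnableTCPWatcher: true,
	}
	insp.Start()
	return nil
}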