@@ -167,30 +167,6 @@ func CreateBridgeIface(config *DaemonConfig) error {
|
|
167
|
167
|
return fmt.Errorf("Unable to start network bridge: %s", err)
|
|
168
|
168
|
}
|
|
169
|
169
|
|
|
170
|
|
- if config.EnableIptables {
|
|
171
|
|
- // Enable NAT
|
|
172
|
|
- if output, err := iptables.Raw("-t", "nat", "-A", "POSTROUTING", "-s", ifaceAddr,
|
|
173
|
|
- "!", "-d", ifaceAddr, "-j", "MASQUERADE"); err != nil {
|
|
174
|
|
- return fmt.Errorf("Unable to enable network bridge NAT: %s", err)
|
|
175
|
|
- } else if len(output) != 0 {
|
|
176
|
|
- return fmt.Errorf("Error iptables postrouting: %s", output)
|
|
177
|
|
- }
|
|
178
|
|
-
|
|
179
|
|
- // Accept incoming packets for existing connections
|
|
180
|
|
- if output, err := iptables.Raw("-I", "FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"); err != nil {
|
|
181
|
|
- return fmt.Errorf("Unable to allow incoming packets: %s", err)
|
|
182
|
|
- } else if len(output) != 0 {
|
|
183
|
|
- return fmt.Errorf("Error iptables allow incoming: %s", output)
|
|
184
|
|
- }
|
|
185
|
|
-
|
|
186
|
|
- // Accept all non-intercontainer outgoing packets
|
|
187
|
|
- if output, err := iptables.Raw("-I", "FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"); err != nil {
|
|
188
|
|
- return fmt.Errorf("Unable to allow outgoing packets: %s", err)
|
|
189
|
|
- } else if len(output) != 0 {
|
|
190
|
|
- return fmt.Errorf("Error iptables allow outgoing: %s", output)
|
|
191
|
|
- }
|
|
192
|
|
-
|
|
193
|
|
- }
|
|
194
|
170
|
return nil
|
|
195
|
171
|
}
|
|
196
|
172
|
|
|
@@ -699,6 +675,40 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
|
|
699
|
699
|
|
|
700
|
700
|
// Configure iptables for link support
|
|
701
|
701
|
if config.EnableIptables {
|
|
|
702
|
+
|
|
|
703
|
+ // Enable NAT
|
|
|
704
|
+ natArgs := []string{"POSTROUTING", "-t", "nat", "-s", addr.String(), "!", "-d", addr.String(), "-j", "MASQUERADE"}
|
|
|
705
|
+
|
|
|
706
|
+ if !iptables.Exists(natArgs...) {
|
|
|
707
|
+ if output, err := iptables.Raw(append([]string{"-A"}, natArgs...)...); err != nil {
|
|
|
708
|
+ return nil, fmt.Errorf("Unable to enable network bridge NAT: %s", err)
|
|
|
709
|
+ } else if len(output) != 0 {
|
|
|
710
|
+ return nil, fmt.Errorf("Error iptables postrouting: %s", output)
|
|
|
711
|
+ }
|
|
|
712
|
+ }
|
|
|
713
|
+
|
|
|
714
|
+ // Accept incoming packets for existing connections
|
|
|
715
|
+ existingArgs := []string{"FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
|
|
|
716
|
+
|
|
|
717
|
+ if !iptables.Exists(existingArgs...) {
|
|
|
718
|
+ if output, err := iptables.Raw(append([]string{"-I"}, existingArgs...)...); err != nil {
|
|
|
719
|
+ return nil, fmt.Errorf("Unable to allow incoming packets: %s", err)
|
|
|
720
|
+ } else if len(output) != 0 {
|
|
|
721
|
+ return nil, fmt.Errorf("Error iptables allow incoming: %s", output)
|
|
|
722
|
+ }
|
|
|
723
|
+ }
|
|
|
724
|
+
|
|
|
725
|
+ // Accept all non-intercontainer outgoing packets
|
|
|
726
|
+ outgoingArgs := []string{"FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"}
|
|
|
727
|
+
|
|
|
728
|
+ if !iptables.Exists(outgoingArgs...) {
|
|
|
729
|
+ if output, err := iptables.Raw(append([]string{"-I"}, outgoingArgs...)...); err != nil {
|
|
|
730
|
+ return nil, fmt.Errorf("Unable to allow outgoing packets: %s", err)
|
|
|
731
|
+ } else if len(output) != 0 {
|
|
|
732
|
+ return nil, fmt.Errorf("Error iptables allow outgoing: %s", output)
|
|
|
733
|
+ }
|
|
|
734
|
+ }
|
|
|
735
|
+
|
|
702
|
736
|
args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"}
|
|
703
|
737
|
acceptArgs := append(args, "ACCEPT")
|
|
704
|
738
|
dropArgs := append(args, "DROP")
|