Browse code
Exclude loopback-to-loopback connections from DNAT rules, to allow userland proxying
Solomon Hykes authored on 2013/04/20 11:32:32Showing 1 changed files
| ... | ... |
@@ -188,7 +188,8 @@ type PortMapper struct {
|
| 188 | 188 |
func (mapper *PortMapper) cleanup() error {
|
| 189 | 189 |
// Ignore errors - This could mean the chains were never set up |
| 190 | 190 |
iptables("-t", "nat", "-D", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER")
|
| 191 |
- iptables("-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER")
|
|
| 191 |
+ iptables("-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", "DOCKER")
|
|
| 192 |
+ iptables("-t", "nat", "-D", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER") // Created in versions <= 0.1.6
|
|
| 192 | 193 |
// Also cleanup rules created by older versions, or -X might fail. |
| 193 | 194 |
iptables("-t", "nat", "-D", "PREROUTING", "-j", "DOCKER")
|
| 194 | 195 |
iptables("-t", "nat", "-D", "OUTPUT", "-j", "DOCKER")
|
| ... | ... |
@@ -205,7 +206,7 @@ func (mapper *PortMapper) setup() error {
|
| 205 | 205 |
if err := iptables("-t", "nat", "-A", "PREROUTING", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"); err != nil {
|
| 206 | 206 |
return fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err)
|
| 207 | 207 |
} |
| 208 |
- if err := iptables("-t", "nat", "-A", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "-j", "DOCKER"); err != nil {
|
|
| 208 |
+ if err := iptables("-t", "nat", "-A", "OUTPUT", "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8", "-j", "DOCKER"); err != nil {
|
|
| 209 | 209 |
return fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
|
| 210 | 210 |
} |
| 211 | 211 |
return nil |