Browse code
Move utility package 'iptables' to pkg/iptables
Solomon Hykes authored on 2013/12/24 08:36:58Showing 8 changed files
- integration/iptables_test.go
- iptables/MAINTAINERS
- iptables/iptables.go
- links.go
- network.go
- network_test.go
- pkg/iptables/MAINTAINERS
- pkg/iptables/iptables.go
| 2 | 1 |
deleted file mode 100644 |
| ... | ... |
@@ -1,141 +0,0 @@ |
| 1 |
-package iptables |
|
| 2 |
- |
|
| 3 |
-import ( |
|
| 4 |
- "errors" |
|
| 5 |
- "fmt" |
|
| 6 |
- "net" |
|
| 7 |
- "os" |
|
| 8 |
- "os/exec" |
|
| 9 |
- "strconv" |
|
| 10 |
- "strings" |
|
| 11 |
-) |
|
| 12 |
- |
|
| 13 |
-type Action string |
|
| 14 |
- |
|
| 15 |
-const ( |
|
| 16 |
- Add Action = "-A" |
|
| 17 |
- Delete Action = "-D" |
|
| 18 |
-) |
|
| 19 |
- |
|
| 20 |
-var ( |
|
| 21 |
- ErrIptablesNotFound = errors.New("Iptables not found")
|
|
| 22 |
- nat = []string{"-t", "nat"}
|
|
| 23 |
-) |
|
| 24 |
- |
|
| 25 |
-type Chain struct {
|
|
| 26 |
- Name string |
|
| 27 |
- Bridge string |
|
| 28 |
-} |
|
| 29 |
- |
|
| 30 |
-func NewChain(name, bridge string) (*Chain, error) {
|
|
| 31 |
- if output, err := Raw("-t", "nat", "-N", name); err != nil {
|
|
| 32 |
- return nil, err |
|
| 33 |
- } else if len(output) != 0 {
|
|
| 34 |
- return nil, fmt.Errorf("Error creating new iptables chain: %s", output)
|
|
| 35 |
- } |
|
| 36 |
- chain := &Chain{
|
|
| 37 |
- Name: name, |
|
| 38 |
- Bridge: bridge, |
|
| 39 |
- } |
|
| 40 |
- |
|
| 41 |
- if err := chain.Prerouting(Add, "-m", "addrtype", "--dst-type", "LOCAL"); err != nil {
|
|
| 42 |
- return nil, fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err)
|
|
| 43 |
- } |
|
| 44 |
- if err := chain.Output(Add, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8"); err != nil {
|
|
| 45 |
- return nil, fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
|
|
| 46 |
- } |
|
| 47 |
- return chain, nil |
|
| 48 |
-} |
|
| 49 |
- |
|
| 50 |
-func RemoveExistingChain(name string) error {
|
|
| 51 |
- chain := &Chain{
|
|
| 52 |
- Name: name, |
|
| 53 |
- } |
|
| 54 |
- return chain.Remove() |
|
| 55 |
-} |
|
| 56 |
- |
|
| 57 |
-func (c *Chain) Forward(action Action, ip net.IP, port int, proto, dest_addr string, dest_port int) error {
|
|
| 58 |
- daddr := ip.String() |
|
| 59 |
- if ip.IsUnspecified() {
|
|
| 60 |
- // iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we |
|
| 61 |
- // want "0.0.0.0/0". "0/0" is correctly interpreted as "any |
|
| 62 |
- // value" by both iptables and ip6tables. |
|
| 63 |
- daddr = "0/0" |
|
| 64 |
- } |
|
| 65 |
- if output, err := Raw("-t", "nat", fmt.Sprint(action), c.Name,
|
|
| 66 |
- "-p", proto, |
|
| 67 |
- "-d", daddr, |
|
| 68 |
- "--dport", strconv.Itoa(port), |
|
| 69 |
- "!", "-i", c.Bridge, |
|
| 70 |
- "-j", "DNAT", |
|
| 71 |
- "--to-destination", net.JoinHostPort(dest_addr, strconv.Itoa(dest_port))); err != nil {
|
|
| 72 |
- return err |
|
| 73 |
- } else if len(output) != 0 {
|
|
| 74 |
- return fmt.Errorf("Error iptables forward: %s", output)
|
|
| 75 |
- } |
|
| 76 |
- return nil |
|
| 77 |
-} |
|
| 78 |
- |
|
| 79 |
-func (c *Chain) Prerouting(action Action, args ...string) error {
|
|
| 80 |
- a := append(nat, fmt.Sprint(action), "PREROUTING") |
|
| 81 |
- if len(args) > 0 {
|
|
| 82 |
- a = append(a, args...) |
|
| 83 |
- } |
|
| 84 |
- if output, err := Raw(append(a, "-j", c.Name)...); err != nil {
|
|
| 85 |
- return err |
|
| 86 |
- } else if len(output) != 0 {
|
|
| 87 |
- return fmt.Errorf("Error iptables prerouting: %s", output)
|
|
| 88 |
- } |
|
| 89 |
- return nil |
|
| 90 |
-} |
|
| 91 |
- |
|
| 92 |
-func (c *Chain) Output(action Action, args ...string) error {
|
|
| 93 |
- a := append(nat, fmt.Sprint(action), "OUTPUT") |
|
| 94 |
- if len(args) > 0 {
|
|
| 95 |
- a = append(a, args...) |
|
| 96 |
- } |
|
| 97 |
- if output, err := Raw(append(a, "-j", c.Name)...); err != nil {
|
|
| 98 |
- return err |
|
| 99 |
- } else if len(output) != 0 {
|
|
| 100 |
- return fmt.Errorf("Error iptables output: %s", output)
|
|
| 101 |
- } |
|
| 102 |
- return nil |
|
| 103 |
-} |
|
| 104 |
- |
|
| 105 |
-func (c *Chain) Remove() error {
|
|
| 106 |
- // Ignore errors - This could mean the chains were never set up |
|
| 107 |
- c.Prerouting(Delete, "-m", "addrtype", "--dst-type", "LOCAL") |
|
| 108 |
- c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8") |
|
| 109 |
- c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL") // Created in versions <= 0.1.6 |
|
| 110 |
- |
|
| 111 |
- c.Prerouting(Delete) |
|
| 112 |
- c.Output(Delete) |
|
| 113 |
- |
|
| 114 |
- Raw("-t", "nat", "-F", c.Name)
|
|
| 115 |
- Raw("-t", "nat", "-X", c.Name)
|
|
| 116 |
- |
|
| 117 |
- return nil |
|
| 118 |
-} |
|
| 119 |
- |
|
| 120 |
-// Check if an existing rule exists |
|
| 121 |
-func Exists(args ...string) bool {
|
|
| 122 |
- if _, err := Raw(append([]string{"-C"}, args...)...); err != nil {
|
|
| 123 |
- return false |
|
| 124 |
- } |
|
| 125 |
- return true |
|
| 126 |
-} |
|
| 127 |
- |
|
| 128 |
-func Raw(args ...string) ([]byte, error) {
|
|
| 129 |
- path, err := exec.LookPath("iptables")
|
|
| 130 |
- if err != nil {
|
|
| 131 |
- return nil, ErrIptablesNotFound |
|
| 132 |
- } |
|
| 133 |
- if os.Getenv("DEBUG") != "" {
|
|
| 134 |
- fmt.Printf("[DEBUG] [iptables]: %s, %v\n", path, args)
|
|
| 135 |
- } |
|
| 136 |
- output, err := exec.Command(path, args...).CombinedOutput() |
|
| 137 |
- if err != nil {
|
|
| 138 |
- return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
|
|
| 139 |
- } |
|
| 140 |
- return output, err |
|
| 141 |
-} |
| ... | ... |
@@ -1,7 +1,7 @@ |
| 1 | 1 |
package docker |
| 2 | 2 |
|
| 3 | 3 |
import ( |
| 4 |
- "github.com/dotcloud/docker/iptables" |
|
| 4 |
+ "github.com/dotcloud/docker/pkg/iptables" |
|
| 5 | 5 |
"github.com/dotcloud/docker/proxy" |
| 6 | 6 |
"net" |
| 7 | 7 |
"testing" |
| ... | ... |
@@ -340,6 +340,7 @@ func NewStubProxy(frontendAddr, backendAddr net.Addr) (proxy.Proxy, error) {
|
| 340 | 340 |
} |
| 341 | 341 |
|
| 342 | 342 |
func TestPortMapper(t *testing.T) {
|
| 343 |
+ // FIXME: is this iptables chain still used anywhere? |
|
| 343 | 344 |
var chain *iptables.Chain |
| 344 | 345 |
mapper := &PortMapper{
|
| 345 | 346 |
tcpMapping: make(map[string]*net.TCPAddr), |
| 0 | 1 |
new file mode 100644 |
| ... | ... |
@@ -0,0 +1,141 @@ |
| 0 |
+package iptables |
|
| 1 |
+ |
|
| 2 |
+import ( |
|
| 3 |
+ "errors" |
|
| 4 |
+ "fmt" |
|
| 5 |
+ "net" |
|
| 6 |
+ "os" |
|
| 7 |
+ "os/exec" |
|
| 8 |
+ "strconv" |
|
| 9 |
+ "strings" |
|
| 10 |
+) |
|
| 11 |
+ |
|
| 12 |
+type Action string |
|
| 13 |
+ |
|
| 14 |
+const ( |
|
| 15 |
+ Add Action = "-A" |
|
| 16 |
+ Delete Action = "-D" |
|
| 17 |
+) |
|
| 18 |
+ |
|
| 19 |
+var ( |
|
| 20 |
+ ErrIptablesNotFound = errors.New("Iptables not found")
|
|
| 21 |
+ nat = []string{"-t", "nat"}
|
|
| 22 |
+) |
|
| 23 |
+ |
|
| 24 |
+type Chain struct {
|
|
| 25 |
+ Name string |
|
| 26 |
+ Bridge string |
|
| 27 |
+} |
|
| 28 |
+ |
|
| 29 |
+func NewChain(name, bridge string) (*Chain, error) {
|
|
| 30 |
+ if output, err := Raw("-t", "nat", "-N", name); err != nil {
|
|
| 31 |
+ return nil, err |
|
| 32 |
+ } else if len(output) != 0 {
|
|
| 33 |
+ return nil, fmt.Errorf("Error creating new iptables chain: %s", output)
|
|
| 34 |
+ } |
|
| 35 |
+ chain := &Chain{
|
|
| 36 |
+ Name: name, |
|
| 37 |
+ Bridge: bridge, |
|
| 38 |
+ } |
|
| 39 |
+ |
|
| 40 |
+ if err := chain.Prerouting(Add, "-m", "addrtype", "--dst-type", "LOCAL"); err != nil {
|
|
| 41 |
+ return nil, fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err)
|
|
| 42 |
+ } |
|
| 43 |
+ if err := chain.Output(Add, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8"); err != nil {
|
|
| 44 |
+ return nil, fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
|
|
| 45 |
+ } |
|
| 46 |
+ return chain, nil |
|
| 47 |
+} |
|
| 48 |
+ |
|
| 49 |
+func RemoveExistingChain(name string) error {
|
|
| 50 |
+ chain := &Chain{
|
|
| 51 |
+ Name: name, |
|
| 52 |
+ } |
|
| 53 |
+ return chain.Remove() |
|
| 54 |
+} |
|
| 55 |
+ |
|
| 56 |
+func (c *Chain) Forward(action Action, ip net.IP, port int, proto, dest_addr string, dest_port int) error {
|
|
| 57 |
+ daddr := ip.String() |
|
| 58 |
+ if ip.IsUnspecified() {
|
|
| 59 |
+ // iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we |
|
| 60 |
+ // want "0.0.0.0/0". "0/0" is correctly interpreted as "any |
|
| 61 |
+ // value" by both iptables and ip6tables. |
|
| 62 |
+ daddr = "0/0" |
|
| 63 |
+ } |
|
| 64 |
+ if output, err := Raw("-t", "nat", fmt.Sprint(action), c.Name,
|
|
| 65 |
+ "-p", proto, |
|
| 66 |
+ "-d", daddr, |
|
| 67 |
+ "--dport", strconv.Itoa(port), |
|
| 68 |
+ "!", "-i", c.Bridge, |
|
| 69 |
+ "-j", "DNAT", |
|
| 70 |
+ "--to-destination", net.JoinHostPort(dest_addr, strconv.Itoa(dest_port))); err != nil {
|
|
| 71 |
+ return err |
|
| 72 |
+ } else if len(output) != 0 {
|
|
| 73 |
+ return fmt.Errorf("Error iptables forward: %s", output)
|
|
| 74 |
+ } |
|
| 75 |
+ return nil |
|
| 76 |
+} |
|
| 77 |
+ |
|
| 78 |
+func (c *Chain) Prerouting(action Action, args ...string) error {
|
|
| 79 |
+ a := append(nat, fmt.Sprint(action), "PREROUTING") |
|
| 80 |
+ if len(args) > 0 {
|
|
| 81 |
+ a = append(a, args...) |
|
| 82 |
+ } |
|
| 83 |
+ if output, err := Raw(append(a, "-j", c.Name)...); err != nil {
|
|
| 84 |
+ return err |
|
| 85 |
+ } else if len(output) != 0 {
|
|
| 86 |
+ return fmt.Errorf("Error iptables prerouting: %s", output)
|
|
| 87 |
+ } |
|
| 88 |
+ return nil |
|
| 89 |
+} |
|
| 90 |
+ |
|
| 91 |
+func (c *Chain) Output(action Action, args ...string) error {
|
|
| 92 |
+ a := append(nat, fmt.Sprint(action), "OUTPUT") |
|
| 93 |
+ if len(args) > 0 {
|
|
| 94 |
+ a = append(a, args...) |
|
| 95 |
+ } |
|
| 96 |
+ if output, err := Raw(append(a, "-j", c.Name)...); err != nil {
|
|
| 97 |
+ return err |
|
| 98 |
+ } else if len(output) != 0 {
|
|
| 99 |
+ return fmt.Errorf("Error iptables output: %s", output)
|
|
| 100 |
+ } |
|
| 101 |
+ return nil |
|
| 102 |
+} |
|
| 103 |
+ |
|
| 104 |
+func (c *Chain) Remove() error {
|
|
| 105 |
+ // Ignore errors - This could mean the chains were never set up |
|
| 106 |
+ c.Prerouting(Delete, "-m", "addrtype", "--dst-type", "LOCAL") |
|
| 107 |
+ c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8") |
|
| 108 |
+ c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL") // Created in versions <= 0.1.6 |
|
| 109 |
+ |
|
| 110 |
+ c.Prerouting(Delete) |
|
| 111 |
+ c.Output(Delete) |
|
| 112 |
+ |
|
| 113 |
+ Raw("-t", "nat", "-F", c.Name)
|
|
| 114 |
+ Raw("-t", "nat", "-X", c.Name)
|
|
| 115 |
+ |
|
| 116 |
+ return nil |
|
| 117 |
+} |
|
| 118 |
+ |
|
| 119 |
+// Check if an existing rule exists |
|
| 120 |
+func Exists(args ...string) bool {
|
|
| 121 |
+ if _, err := Raw(append([]string{"-C"}, args...)...); err != nil {
|
|
| 122 |
+ return false |
|
| 123 |
+ } |
|
| 124 |
+ return true |
|
| 125 |
+} |
|
| 126 |
+ |
|
| 127 |
+func Raw(args ...string) ([]byte, error) {
|
|
| 128 |
+ path, err := exec.LookPath("iptables")
|
|
| 129 |
+ if err != nil {
|
|
| 130 |
+ return nil, ErrIptablesNotFound |
|
| 131 |
+ } |
|
| 132 |
+ if os.Getenv("DEBUG") != "" {
|
|
| 133 |
+ fmt.Printf("[DEBUG] [iptables]: %s, %v\n", path, args)
|
|
| 134 |
+ } |
|
| 135 |
+ output, err := exec.Command(path, args...).CombinedOutput() |
|
| 136 |
+ if err != nil {
|
|
| 137 |
+ return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err)
|
|
| 138 |
+ } |
|
| 139 |
+ return output, err |
|
| 140 |
+} |