@@ -23,7 +23,7 @@ github.com/RackSec/srslog 365bf33cd9acc21ae1c355209865f17228ca534e

 github.com/imdario/mergo 0.2.1

 #get libnetwork packages

-github.com/docker/libnetwork f36e733a08cd8239a2db296994cb6613fef1cece 

+github.com/docker/libnetwork dd0ddde6749fdffe310087e1c3616142d8c3ef9e 

 github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894

 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80

 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

@@ -123,7 +123,7 @@ func (sb *sandbox) needDefaultGW() bool {

 			return false

 		}

 		for _, r := range ep.StaticRoutes() {

-			if r.Destination.String() == "0.0.0.0/0" {

+			if r.Destination != nil && r.Destination.String() == "0.0.0.0/0" {

 				return false

 			}

 		}

@@ -1148,20 +1148,3 @@ func (c *controller) cleanupLocalEndpoints() {

 		}

 	}

 }

-

-func (ep *endpoint) setAliasIP(sb *sandbox, ip net.IP, add bool) error {

-	sb.Lock()

-	sbox := sb.osSbox

-	sb.Unlock()

-

-	for _, i := range sbox.Info().Interfaces() {

-		if ep.hasInterface(i.SrcName()) {

-			ipNet := &net.IPNet{IP: ip, Mask: []byte{255, 255, 255, 255}}

-			if err := i.SetAliasIP(ipNet, add); err != nil {

-				return err

-			}

-			break

-		}

-	}

-	return nil

-}

@@ -114,12 +114,12 @@ func (epi *endpointInterface) UnmarshalJSON(b []byte) error {

 		}

 	}

 	if v, ok := epMap["llAddrs"]; ok {

-		list := v.([]string)

+		list := v.([]interface{})

 		epi.llAddrs = make([]*net.IPNet, 0, len(list))

 		for _, llS := range list {

-			ll, err := types.ParseCIDR(llS)

+			ll, err := types.ParseCIDR(llS.(string))

 			if err != nil {

-				return types.InternalErrorf("failed to decode endpoint interface link-local address (%s) after json unmarshal: %v", llS, err)

+				return types.InternalErrorf("failed to decode endpoint interface link-local address (%v) after json unmarshal: %v", llS, err)

 			}

 			epi.llAddrs = append(epi.llAddrs, ll)

 		}

@@ -26,6 +26,7 @@ type nwIface struct {

 	mac         net.HardwareAddr

 	address     *net.IPNet

 	addressIPv6 *net.IPNet

+	ipAliases   []*net.IPNet

 	llAddrs     []*net.IPNet

 	routes      []*net.IPNet

 	bridge      bool

@@ -96,6 +97,13 @@ func (i *nwIface) LinkLocalAddresses() []*net.IPNet {

 	return i.llAddrs

 }

+func (i *nwIface) IPAliases() []*net.IPNet {

+	i.Lock()

+	defer i.Unlock()

+

+	return i.ipAliases

+}

+

 func (i *nwIface) Routes() []*net.IPNet {

 	i.Lock()

 	defer i.Unlock()

@@ -122,28 +130,6 @@ func (n *networkNamespace) Interfaces() []Interface {

 	return ifaces

 }

-func (i *nwIface) SetAliasIP(ip *net.IPNet, add bool) error {

-	i.Lock()

-	n := i.ns

-	i.Unlock()

-

-	n.Lock()

-	nlh := n.nlHandle

-	n.Unlock()

-

-	// Find the network interface identified by the DstName attribute.

-	iface, err := nlh.LinkByName(i.DstName())

-	if err != nil {

-		return err

-	}

-

-	ipAddr := &netlink.Addr{IPNet: ip, Label: ""}

-	if add {

-		return nlh.AddrAdd(iface, ipAddr)

-	}

-	return nlh.AddrDel(iface, ipAddr)

-}

-

 func (i *nwIface) Remove() error {

 	i.Lock()

 	n := i.ns

@@ -347,6 +333,7 @@ func configureInterface(nlh *netlink.Handle, iface netlink.Link, i *nwIface) err

 		{setInterfaceIPv6, fmt.Sprintf("error setting interface %q IPv6 to %v", ifaceName, i.AddressIPv6())},

 		{setInterfaceMaster, fmt.Sprintf("error setting interface %q master to %q", ifaceName, i.DstMaster())},

 		{setInterfaceLinkLocalIPs, fmt.Sprintf("error setting interface %q link local IPs to %v", ifaceName, i.LinkLocalAddresses())},

+		{setInterfaceIPAliases, fmt.Sprintf("error setting interface %q IP Aliases to %v", ifaceName, i.IPAliases())},

 	}

 	for _, config := range ifaceConfigurators {

@@ -405,6 +392,16 @@ func setInterfaceLinkLocalIPs(nlh *netlink.Handle, iface netlink.Link, i *nwIfac

 	return nil

 }

+func setInterfaceIPAliases(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {

+	for _, si := range i.IPAliases() {

+		ipAddr := &netlink.Addr{IPNet: si}

+		if err := nlh.AddrAdd(iface, ipAddr); err != nil {

+			return err

+		}

+	}

+	return nil

+}

+

 func setInterfaceName(nlh *netlink.Handle, iface netlink.Link, i *nwIface) error {

 	return nlh.LinkSetName(iface, i.DstName())

 }

@@ -66,6 +66,12 @@ func (n *networkNamespace) LinkLocalAddresses(list []*net.IPNet) IfaceOption {

 	}

 }

+func (n *networkNamespace) IPAliases(list []*net.IPNet) IfaceOption {

+	return func(i *nwIface) {

+		i.ipAliases = list

+	}

+}

+

 func (n *networkNamespace) Routes(routes []*net.IPNet) IfaceOption {

 	return func(i *nwIface) {

 		i.routes = routes

@@ -91,6 +91,9 @@ type IfaceOptionSetter interface {

 	// LinkLocalAddresses returns an option setter to set the link-local IP addresses.

 	LinkLocalAddresses([]*net.IPNet) IfaceOption

+	// IPAliases returns an option setter to set IP address Aliases

+	IPAliases([]*net.IPNet) IfaceOption

+

 	// Master returns an option setter to set the master interface if any for this

 	// interface. The master interface name should refer to the srcname of a

 	// previously added interface of type bridge.

@@ -147,6 +150,9 @@ type Interface interface {

 	// LinkLocalAddresses returns the link-local IP addresses assigned to the interface.

 	LinkLocalAddresses() []*net.IPNet

+	// IPAliases returns the IP address aliases assigned to the interface.

+	IPAliases() []*net.IPNet

+

 	// IP routes for the interface.

 	Routes() []*net.IPNet

@@ -160,10 +166,6 @@ type Interface interface {

 	// and moving it out of the sandbox.

 	Remove() error

-	// SetAliasIP adds or deletes the passed IP as an alias on the interface.

-	// ex: set the vip of services in the same network as secondary IP.

-	SetAliasIP(ip *net.IPNet, add bool) error

-

 	// Statistics returns the statistics for this interface

 	Statistics() (*types.InterfaceStatistics, error)

 }

@@ -87,6 +87,7 @@ type resolver struct {

 	listenAddress string

 	proxyDNS      bool

 	resolverKey   string

+	startCh       chan struct{}

 }

 func init() {

@@ -101,6 +102,7 @@ func NewResolver(address string, proxyDNS bool, resolverKey string, backend DNSB

 		listenAddress: address,

 		resolverKey:   resolverKey,

 		err:           fmt.Errorf("setup not done yet"),

+		startCh:       make(chan struct{}, 1),

 	}

 }

@@ -136,6 +138,9 @@ func (r *resolver) SetupFunc(port int) func() {

 }

 func (r *resolver) Start() error {

+	r.startCh <- struct{}{}

+	defer func() { <-r.startCh }()

+

 	// make sure the resolver has been setup before starting

 	if r.err != nil {

 		return r.err

@@ -160,6 +165,9 @@ func (r *resolver) Start() error {

 }

 func (r *resolver) Stop() {

+	r.startCh <- struct{}{}

+	defer func() { <-r.startCh }()

+

 	if r.server != nil {

 		r.server.Shutdown()

 	}

@@ -761,6 +761,10 @@ func (sb *sandbox) restoreOslSandbox() error {

 		if len(i.llAddrs) != 0 {

 			ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().LinkLocalAddresses(i.llAddrs))

 		}

+		if len(ep.virtualIP) != 0 {

+			vipAlias := &net.IPNet{IP: ep.virtualIP, Mask: net.CIDRMask(32, 32)}

+			ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().IPAliases([]*net.IPNet{vipAlias}))

+		}

 		Ifaces[fmt.Sprintf("%s+%s", i.srcName, i.dstPrefix)] = ifaceOptions

 		if joinInfo != nil {

 			for _, r := range joinInfo.StaticRoutes {

@@ -814,6 +818,10 @@ func (sb *sandbox) populateNetworkResources(ep *endpoint) error {

 		if len(i.llAddrs) != 0 {

 			ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().LinkLocalAddresses(i.llAddrs))

 		}

+		if len(ep.virtualIP) != 0 {

+			vipAlias := &net.IPNet{IP: ep.virtualIP, Mask: net.CIDRMask(32, 32)}

+			ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().IPAliases([]*net.IPNet{vipAlias}))

+		}

 		if i.mac != nil {

 			ifaceOptions = append(ifaceOptions, sb.osSbox.InterfaceOptions().MacAddress(i.mac))

 		}

@@ -101,14 +101,6 @@ func (sb *sandbox) populateLoadbalancers(ep *endpoint) {

 		for _, ip := range lb.backEnds {

 			sb.addLBBackend(ip, lb.vip, lb.fwMark, lb.service.ingressPorts,

 				eIP, gwIP, addService, n.ingress)

-			// For a new service program the vip as an alias on the task's sandbox interface

-			// connected to this network.

-			if !addService {

-				continue

-			}

-			if err := ep.setAliasIP(sb, lb.vip, true); err != nil {

-				logrus.Errorf("Adding Service VIP %v to ep %v(%v) failed: %v", lb.vip, ep.ID(), ep.Name(), err)

-			}

 			addService = false

 		}

 		lb.service.Unlock()

@@ -132,16 +124,8 @@ func (n *network) addLBBackend(ip, vip net.IP, fwMark uint32, ingressPorts []*Po

 			}

 			sb.addLBBackend(ip, vip, fwMark, ingressPorts, ep.Iface().Address(), gwIP, addService, n.ingress)

-

-			// For a new service program the vip as an alias on the task's sandbox interface

-			// connected to this network.

-			if !addService {

-				return false

-			}

-			if err := ep.setAliasIP(sb, vip, true); err != nil {

-				logrus.Errorf("Adding Service VIP %v to ep %v(%v) failed: %v", vip, ep.ID(), ep.Name(), err)

-			}

 		}

+

 		return false

 	})

 }

@@ -163,16 +147,8 @@ func (n *network) rmLBBackend(ip, vip net.IP, fwMark uint32, ingressPorts []*Por

 			}

 			sb.rmLBBackend(ip, vip, fwMark, ingressPorts, ep.Iface().Address(), gwIP, rmService, n.ingress)

-

-			// If the service is being remove its vip alias on on the task's sandbox interface

-			// has to be removed as well.

-			if !rmService {

-				return false

-			}

-			if err := ep.setAliasIP(sb, vip, false); err != nil {

-				logrus.Errorf("Removing Service VIP %v from ep %v(%v) failed: %v", vip, ep.ID(), ep.Name(), err)

-			}

 		}

+

 		return false

 	})

 }

@@ -678,6 +654,9 @@ func fwMarker() {

 	rule := strings.Fields(fmt.Sprintf("-t mangle %s OUTPUT -d %s/32 -j MARK --set-mark %d", addDelOpt, vip, fwMark))

 	rules = append(rules, rule)

+	rule = strings.Fields(fmt.Sprintf("-t nat %s OUTPUT -p icmp --icmp echo-request -d %s -j DNAT --to 127.0.0.1", addDelOpt, vip))

+	rules = append(rules, rule)

+

 	for _, rule := range rules {

 		if err := iptables.RawCombinedOutputNative(rule...); err != nil {

 			logrus.Errorf("setting up rule failed, %v: %v", rule, err)