new file mode 100644

@@ -0,0 +1,72 @@

+package main

+

+import (

+	"flag"

+	"fmt"

+	"log"

+	"net"

+	"os"

+	"os/signal"

+	"syscall"

+

+	"github.com/ishidawataru/sctp"

+)

+

+func main() {

+	f := os.NewFile(3, "signal-parent")

+	host, container := parseHostContainerAddrs()

+

+	p, err := NewProxy(host, container)

+	if err != nil {

+		fmt.Fprintf(f, "1\n%s", err)

+		f.Close()

+		os.Exit(1)

+	}

+	go handleStopSignals(p)

+	fmt.Fprint(f, "0\n")

+	f.Close()

+

+	// Run will block until the proxy stops

+	p.Run()

+}

+

+// parseHostContainerAddrs parses the flags passed on reexec to create the TCP/UDP/SCTP

+// net.Addrs to map the host and container ports

+func parseHostContainerAddrs() (host net.Addr, container net.Addr) {

+	var (

+		proto         = flag.String("proto", "tcp", "proxy protocol")

+		hostIP        = flag.String("host-ip", "", "host ip")

+		hostPort      = flag.Int("host-port", -1, "host port")

+		containerIP   = flag.String("container-ip", "", "container ip")

+		containerPort = flag.Int("container-port", -1, "container port")

+	)

+

+	flag.Parse()

+

+	switch *proto {

+	case "tcp":

+		host = &net.TCPAddr{IP: net.ParseIP(*hostIP), Port: *hostPort}

+		container = &net.TCPAddr{IP: net.ParseIP(*containerIP), Port: *containerPort}

+	case "udp":

+		host = &net.UDPAddr{IP: net.ParseIP(*hostIP), Port: *hostPort}

+		container = &net.UDPAddr{IP: net.ParseIP(*containerIP), Port: *containerPort}

+	case "sctp":

+		host = &sctp.SCTPAddr{IPAddrs: []net.IPAddr{{IP: net.ParseIP(*hostIP)}}, Port: *hostPort}

+		container = &sctp.SCTPAddr{IPAddrs: []net.IPAddr{{IP: net.ParseIP(*containerIP)}}, Port: *containerPort}

+	default:

+		log.Fatalf("unsupported protocol %s", *proto)

+	}

+

+	return host, container

+}

+

+func handleStopSignals(p Proxy) {

+	s := make(chan os.Signal, 10)

+	signal.Notify(s, os.Interrupt, syscall.SIGTERM)

+

+	for range s {

+		p.Close()

+

+		os.Exit(0)

+	}

+}

new file mode 100644

@@ -0,0 +1,314 @@

+package main

+

+import (

+	"bytes"

+	"fmt"

+	"io"

+	"io/ioutil"

+	"net"

+	"runtime"

+	"strings"

+	"testing"

+	"time"

+

+	"github.com/ishidawataru/sctp"

+	"gotest.tools/v3/skip"

+

+	// this takes care of the incontainer flag

+	_ "github.com/docker/docker/libnetwork/testutils"

+)

+

+var testBuf = []byte("Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo")

+var testBufSize = len(testBuf)

+

+type EchoServer interface {

+	Run()

+	Close()

+	LocalAddr() net.Addr

+}

+

+type EchoServerOptions struct {

+	TCPHalfClose bool

+}

+

+type StreamEchoServer struct {

+	listener net.Listener

+	testCtx  *testing.T

+	opts     EchoServerOptions

+}

+

+type UDPEchoServer struct {

+	conn    net.PacketConn

+	testCtx *testing.T

+}

+

+func NewEchoServer(t *testing.T, proto, address string, opts EchoServerOptions) EchoServer {

+	var server EchoServer

+	if !strings.HasPrefix(proto, "tcp") && opts.TCPHalfClose {

+		t.Fatalf("TCPHalfClose is not supported for %s", proto)

+	}

+

+	switch {

+	case strings.HasPrefix(proto, "tcp"):

+		listener, err := net.Listen(proto, address)

+		if err != nil {

+			t.Fatal(err)

+		}

+		server = &StreamEchoServer{listener: listener, testCtx: t, opts: opts}

+	case strings.HasPrefix(proto, "udp"):

+		socket, err := net.ListenPacket(proto, address)

+		if err != nil {

+			t.Fatal(err)

+		}

+		server = &UDPEchoServer{conn: socket, testCtx: t}

+	case strings.HasPrefix(proto, "sctp"):

+		addr, err := sctp.ResolveSCTPAddr(proto, address)

+		if err != nil {

+			t.Fatal(err)

+		}

+		listener, err := sctp.ListenSCTP(proto, addr)

+		if err != nil {

+			t.Fatal(err)

+		}

+		server = &StreamEchoServer{listener: listener, testCtx: t}

+	default:

+		t.Fatalf("unknown protocol: %s", proto)

+	}

+	return server

+}

+

+func (server *StreamEchoServer) Run() {

+	go func() {

+		for {

+			client, err := server.listener.Accept()

+			if err != nil {

+				return

+			}

+			go func(client net.Conn) {

+				if server.opts.TCPHalfClose {

+					data, err := ioutil.ReadAll(client)

+					if err != nil {

+						server.testCtx.Logf("io.ReadAll() failed for the client: %v\n", err.Error())

+					}

+					if _, err := client.Write(data); err != nil {

+						server.testCtx.Logf("can't echo to the client: %v\n", err.Error())

+					}

+					client.(*net.TCPConn).CloseWrite()

+				} else {

+					if _, err := io.Copy(client, client); err != nil {

+						server.testCtx.Logf("can't echo to the client: %v\n", err.Error())

+					}

+					client.Close()

+				}

+			}(client)

+		}

+	}()

+}

+

+func (server *StreamEchoServer) LocalAddr() net.Addr { return server.listener.Addr() }

+func (server *StreamEchoServer) Close()              { server.listener.Close() }

+

+func (server *UDPEchoServer) Run() {

+	go func() {

+		readBuf := make([]byte, 1024)

+		for {

+			read, from, err := server.conn.ReadFrom(readBuf)

+			if err != nil {

+				return

+			}

+			for i := 0; i != read; {

+				written, err := server.conn.WriteTo(readBuf[i:read], from)

+				if err != nil {

+					break

+				}

+				i += written

+			}

+		}

+	}()

+}

+

+func (server *UDPEchoServer) LocalAddr() net.Addr { return server.conn.LocalAddr() }

+func (server *UDPEchoServer) Close()              { server.conn.Close() }

+

+func testProxyAt(t *testing.T, proto string, proxy Proxy, addr string, halfClose bool) {

+	defer proxy.Close()

+	go proxy.Run()

+	var client net.Conn

+	var err error

+	if strings.HasPrefix(proto, "sctp") {

+		var a *sctp.SCTPAddr

+		a, err = sctp.ResolveSCTPAddr(proto, addr)

+		if err != nil {

+			t.Fatal(err)

+		}

+		client, err = sctp.DialSCTP(proto, nil, a)

+	} else {

+		client, err = net.Dial(proto, addr)

+	}

+

+	if err != nil {

+		t.Fatalf("Can't connect to the proxy: %v", err)

+	}

+	defer client.Close()

+	client.SetDeadline(time.Now().Add(10 * time.Second))

+	if _, err = client.Write(testBuf); err != nil {

+		t.Fatal(err)

+	}

+	if halfClose {

+		if proto != "tcp" {

+			t.Fatalf("halfClose is not supported for %s", proto)

+		}

+		client.(*net.TCPConn).CloseWrite()

+	}

+	recvBuf := make([]byte, testBufSize)

+	if _, err = client.Read(recvBuf); err != nil {

+		t.Fatal(err)

+	}

+	if !bytes.Equal(testBuf, recvBuf) {

+		t.Fatal(fmt.Errorf("Expected [%v] but got [%v]", testBuf, recvBuf))

+	}

+}

+

+func testProxy(t *testing.T, proto string, proxy Proxy, halfClose bool) {

+	testProxyAt(t, proto, proxy, proxy.FrontendAddr().String(), halfClose)

+}

+

+func testTCP4Proxy(t *testing.T, halfClose bool) {

+	backend := NewEchoServer(t, "tcp", "127.0.0.1:0", EchoServerOptions{TCPHalfClose: halfClose})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	testProxy(t, "tcp", proxy, halfClose)

+}

+

+func TestTCP4Proxy(t *testing.T) {

+	testTCP4Proxy(t, false)

+}

+

+func TestTCP4ProxyHalfClose(t *testing.T) {

+	testTCP4Proxy(t, true)

+}

+

+func TestTCP6Proxy(t *testing.T) {

+	t.Skip("Need to start CI docker with --ipv6")

+	backend := NewEchoServer(t, "tcp", "[::1]:0", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &net.TCPAddr{IP: net.IPv6loopback, Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	testProxy(t, "tcp", proxy, false)

+}

+

+func TestTCPDualStackProxy(t *testing.T) {

+	// If I understand `godoc -src net favoriteAddrFamily` (used by the

+	// net.Listen* functions) correctly this should work, but it doesn't.

+	t.Skip("No support for dual stack yet")

+	backend := NewEchoServer(t, "tcp", "[::1]:0", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &net.TCPAddr{IP: net.IPv6loopback, Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	ipv4ProxyAddr := &net.TCPAddr{

+		IP:   net.IPv4(127, 0, 0, 1),

+		Port: proxy.FrontendAddr().(*net.TCPAddr).Port,

+	}

+	testProxyAt(t, "tcp", proxy, ipv4ProxyAddr.String(), false)

+}

+

+func TestUDP4Proxy(t *testing.T) {

+	backend := NewEchoServer(t, "udp", "127.0.0.1:0", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	testProxy(t, "udp", proxy, false)

+}

+

+func TestUDP6Proxy(t *testing.T) {

+	t.Skip("Need to start CI docker with --ipv6")

+	backend := NewEchoServer(t, "udp", "[::1]:0", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &net.UDPAddr{IP: net.IPv6loopback, Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	testProxy(t, "udp", proxy, false)

+}

+

+func TestUDPWriteError(t *testing.T) {

+	frontendAddr := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 0}

+	// Hopefully, this port will be free: */

+	backendAddr := &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 25587}

+	proxy, err := NewProxy(frontendAddr, backendAddr)

+	if err != nil {

+		t.Fatal(err)

+	}

+	defer proxy.Close()

+	go proxy.Run()

+	client, err := net.Dial("udp", "127.0.0.1:25587")

+	if err != nil {

+		t.Fatalf("Can't connect to the proxy: %v", err)

+	}

+	defer client.Close()

+	// Make sure the proxy doesn't stop when there is no actual backend:

+	client.Write(testBuf)

+	client.Write(testBuf)

+	backend := NewEchoServer(t, "udp", "127.0.0.1:25587", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	client.SetDeadline(time.Now().Add(10 * time.Second))

+	if _, err = client.Write(testBuf); err != nil {

+		t.Fatal(err)

+	}

+	recvBuf := make([]byte, testBufSize)

+	if _, err = client.Read(recvBuf); err != nil {

+		t.Fatal(err)

+	}

+	if !bytes.Equal(testBuf, recvBuf) {

+		t.Fatal(fmt.Errorf("Expected [%v] but got [%v]", testBuf, recvBuf))

+	}

+}

+

+func TestSCTP4Proxy(t *testing.T) {

+	skip.If(t, runtime.GOOS == "windows", "sctp is not supported on windows")

+

+	backend := NewEchoServer(t, "sctp", "127.0.0.1:0", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &sctp.SCTPAddr{IPAddrs: []net.IPAddr{{IP: net.IPv4(127, 0, 0, 1)}}, Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	testProxy(t, "sctp", proxy, false)

+}

+

+func TestSCTP6Proxy(t *testing.T) {

+	t.Skip("Need to start CI docker with --ipv6")

+	skip.If(t, runtime.GOOS == "windows", "sctp is not supported on windows")

+

+	backend := NewEchoServer(t, "sctp", "[::1]:0", EchoServerOptions{})

+	defer backend.Close()

+	backend.Run()

+	frontendAddr := &sctp.SCTPAddr{IPAddrs: []net.IPAddr{{IP: net.IPv6loopback}}, Port: 0}

+	proxy, err := NewProxy(frontendAddr, backend.LocalAddr())

+	if err != nil {

+		t.Fatal(err)

+	}

+	testProxy(t, "sctp", proxy, false)

+}

new file mode 100644

@@ -0,0 +1,50 @@

+// docker-proxy provides a network Proxy interface and implementations for TCP

+// and UDP.

+package main

+

+import (

+	"net"

+

+	"github.com/ishidawataru/sctp"

+)

+

+// ipVersion refers to IP version - v4 or v6

+type ipVersion string

+

+const (

+	// IPv4 is version 4

+	ipv4 ipVersion = "4"

+	// IPv4 is version 6

+	ipv6 ipVersion = "6"

+)

+

+// Proxy defines the behavior of a proxy. It forwards traffic back and forth

+// between two endpoints : the frontend and the backend.

+// It can be used to do software port-mapping between two addresses.

+// e.g. forward all traffic between the frontend (host) 127.0.0.1:3000

+// to the backend (container) at 172.17.42.108:4000.

+type Proxy interface {

+	// Run starts forwarding traffic back and forth between the front

+	// and back-end addresses.

+	Run()

+	// Close stops forwarding traffic and close both ends of the Proxy.

+	Close()

+	// FrontendAddr returns the address on which the proxy is listening.

+	FrontendAddr() net.Addr

+	// BackendAddr returns the proxied address.

+	BackendAddr() net.Addr

+}

+

+// NewProxy creates a Proxy according to the specified frontendAddr and backendAddr.

+func NewProxy(frontendAddr, backendAddr net.Addr) (Proxy, error) {

+	switch frontendAddr.(type) {

+	case *net.UDPAddr:

+		return NewUDPProxy(frontendAddr.(*net.UDPAddr), backendAddr.(*net.UDPAddr))

+	case *net.TCPAddr:

+		return NewTCPProxy(frontendAddr.(*net.TCPAddr), backendAddr.(*net.TCPAddr))

+	case *sctp.SCTPAddr:

+		return NewSCTPProxy(frontendAddr.(*sctp.SCTPAddr), backendAddr.(*sctp.SCTPAddr))

+	default:

+		panic("Unsupported protocol")

+	}

+}

new file mode 100644

@@ -0,0 +1,98 @@

+package main

+

+import (

+	"io"

+	"log"

+	"net"

+	"sync"

+

+	"github.com/ishidawataru/sctp"

+)

+

+// SCTPProxy is a proxy for SCTP connections. It implements the Proxy interface to

+// handle SCTP traffic forwarding between the frontend and backend addresses.

+type SCTPProxy struct {

+	listener     *sctp.SCTPListener

+	frontendAddr *sctp.SCTPAddr

+	backendAddr  *sctp.SCTPAddr

+}

+

+// NewSCTPProxy creates a new SCTPProxy.

+func NewSCTPProxy(frontendAddr, backendAddr *sctp.SCTPAddr) (*SCTPProxy, error) {

+	// detect version of hostIP to bind only to correct version

+	ipVersion := ipv4

+	if frontendAddr.IPAddrs[0].IP.To4() == nil {

+		ipVersion = ipv6

+	}

+	listener, err := sctp.ListenSCTP("sctp"+string(ipVersion), frontendAddr)

+	if err != nil {

+		return nil, err

+	}

+	// If the port in frontendAddr was 0 then ListenSCTP will have a picked

+	// a port to listen on, hence the call to Addr to get that actual port:

+	return &SCTPProxy{

+		listener:     listener,

+		frontendAddr: listener.Addr().(*sctp.SCTPAddr),

+		backendAddr:  backendAddr,

+	}, nil

+}

+

+func (proxy *SCTPProxy) clientLoop(client *sctp.SCTPConn, quit chan bool) {

+	backend, err := sctp.DialSCTP("sctp", nil, proxy.backendAddr)

+	if err != nil {

+		log.Printf("Can't forward traffic to backend sctp/%v: %s\n", proxy.backendAddr, err)

+		client.Close()

+		return

+	}

+	clientC := sctp.NewSCTPSndRcvInfoWrappedConn(client)

+	backendC := sctp.NewSCTPSndRcvInfoWrappedConn(backend)

+

+	var wg sync.WaitGroup

+	var broker = func(to, from net.Conn) {

+		io.Copy(to, from)

+		from.Close()

+		to.Close()

+		wg.Done()

+	}

+

+	wg.Add(2)

+	go broker(clientC, backendC)

+	go broker(backendC, clientC)

+

+	finish := make(chan struct{})

+	go func() {

+		wg.Wait()

+		close(finish)

+	}()

+

+	select {

+	case <-quit:

+	case <-finish:

+	}

+	clientC.Close()

+	backendC.Close()

+	<-finish

+}

+

+// Run starts forwarding the traffic using SCTP.

+func (proxy *SCTPProxy) Run() {

+	quit := make(chan bool)

+	defer close(quit)

+	for {

+		client, err := proxy.listener.Accept()

+		if err != nil {

+			log.Printf("Stopping proxy on sctp/%v for sctp/%v (%s)", proxy.frontendAddr, proxy.backendAddr, err)

+			return

+		}

+		go proxy.clientLoop(client.(*sctp.SCTPConn), quit)

+	}

+}

+

+// Close stops forwarding the traffic.

+func (proxy *SCTPProxy) Close() { proxy.listener.Close() }

+

+// FrontendAddr returns the SCTP address on which the proxy is listening.

+func (proxy *SCTPProxy) FrontendAddr() net.Addr { return proxy.frontendAddr }

+

+// BackendAddr returns the SCTP proxied address.

+func (proxy *SCTPProxy) BackendAddr() net.Addr { return proxy.backendAddr }

new file mode 100644

@@ -0,0 +1,94 @@

+package main

+

+import (

+	"io"

+	"log"

+	"net"

+	"sync"

+)

+

+// TCPProxy is a proxy for TCP connections. It implements the Proxy interface to

+// handle TCP traffic forwarding between the frontend and backend addresses.

+type TCPProxy struct {

+	listener     *net.TCPListener

+	frontendAddr *net.TCPAddr

+	backendAddr  *net.TCPAddr

+}

+

+// NewTCPProxy creates a new TCPProxy.

+func NewTCPProxy(frontendAddr, backendAddr *net.TCPAddr) (*TCPProxy, error) {

+	// detect version of hostIP to bind only to correct version

+	ipVersion := ipv4

+	if frontendAddr.IP.To4() == nil {

+		ipVersion = ipv6

+	}

+	listener, err := net.ListenTCP("tcp"+string(ipVersion), frontendAddr)

+	if err != nil {

+		return nil, err

+	}

+	// If the port in frontendAddr was 0 then ListenTCP will have a picked

+	// a port to listen on, hence the call to Addr to get that actual port:

+	return &TCPProxy{

+		listener:     listener,

+		frontendAddr: listener.Addr().(*net.TCPAddr),

+		backendAddr:  backendAddr,

+	}, nil

+}

+

+func (proxy *TCPProxy) clientLoop(client *net.TCPConn, quit chan bool) {

+	backend, err := net.DialTCP("tcp", nil, proxy.backendAddr)

+	if err != nil {

+		log.Printf("Can't forward traffic to backend tcp/%v: %s\n", proxy.backendAddr, err)

+		client.Close()

+		return

+	}

+

+	var wg sync.WaitGroup

+	var broker = func(to, from *net.TCPConn) {

+		io.Copy(to, from)

+		from.CloseRead()

+		to.CloseWrite()

+		wg.Done()

+	}

+

+	wg.Add(2)

+	go broker(client, backend)

+	go broker(backend, client)

+

+	finish := make(chan struct{})

+	go func() {

+		wg.Wait()

+		close(finish)

+	}()

+

+	select {

+	case <-quit:

+	case <-finish:

+	}

+	client.Close()

+	backend.Close()

+	<-finish

+}

+

+// Run starts forwarding the traffic using TCP.

+func (proxy *TCPProxy) Run() {

+	quit := make(chan bool)

+	defer close(quit)

+	for {

+		client, err := proxy.listener.Accept()

+		if err != nil {

+			log.Printf("Stopping proxy on tcp/%v for tcp/%v (%s)", proxy.frontendAddr, proxy.backendAddr, err)

+			return

+		}

+		go proxy.clientLoop(client.(*net.TCPConn), quit)

+	}

+}

+

+// Close stops forwarding the traffic.

+func (proxy *TCPProxy) Close() { proxy.listener.Close() }

+

+// FrontendAddr returns the TCP address on which the proxy is listening.

+func (proxy *TCPProxy) FrontendAddr() net.Addr { return proxy.frontendAddr }

+

+// BackendAddr returns the TCP proxied address.

+func (proxy *TCPProxy) BackendAddr() net.Addr { return proxy.backendAddr }

new file mode 100644

@@ -0,0 +1,173 @@

+package main

+

+import (

+	"encoding/binary"

+	"log"

+	"net"

+	"strings"

+	"sync"

+	"syscall"

+	"time"

+)

+

+const (

+	// UDPConnTrackTimeout is the timeout used for UDP connection tracking

+	UDPConnTrackTimeout = 90 * time.Second

+	// UDPBufSize is the buffer size for the UDP proxy

+	UDPBufSize = 65507

+)

+

+// A net.Addr where the IP is split into two fields so you can use it as a key

+// in a map:

+type connTrackKey struct {

+	IPHigh uint64

+	IPLow  uint64

+	Port   int

+}

+

+func newConnTrackKey(addr *net.UDPAddr) *connTrackKey {

+	if len(addr.IP) == net.IPv4len {

+		return &connTrackKey{

+			IPHigh: 0,

+			IPLow:  uint64(binary.BigEndian.Uint32(addr.IP)),

+			Port:   addr.Port,

+		}

+	}

+	return &connTrackKey{

+		IPHigh: binary.BigEndian.Uint64(addr.IP[:8]),

+		IPLow:  binary.BigEndian.Uint64(addr.IP[8:]),

+		Port:   addr.Port,

+	}

+}

+

+type connTrackMap map[connTrackKey]*net.UDPConn

+

+// UDPProxy is proxy for which handles UDP datagrams. It implements the Proxy

+// interface to handle UDP traffic forwarding between the frontend and backend

+// addresses.

+type UDPProxy struct {

+	listener       *net.UDPConn

+	frontendAddr   *net.UDPAddr

+	backendAddr    *net.UDPAddr

+	connTrackTable connTrackMap

+	connTrackLock  sync.Mutex

+}

+

+// NewUDPProxy creates a new UDPProxy.

+func NewUDPProxy(frontendAddr, backendAddr *net.UDPAddr) (*UDPProxy, error) {

+	// detect version of hostIP to bind only to correct version

+	ipVersion := ipv4

+	if frontendAddr.IP.To4() == nil {

+		ipVersion = ipv6

+	}

+	listener, err := net.ListenUDP("udp"+string(ipVersion), frontendAddr)

+	if err != nil {

+		return nil, err

+	}

+	return &UDPProxy{

+		listener:       listener,

+		frontendAddr:   listener.LocalAddr().(*net.UDPAddr),

+		backendAddr:    backendAddr,

+		connTrackTable: make(connTrackMap),

+	}, nil

+}

+

+func (proxy *UDPProxy) replyLoop(proxyConn *net.UDPConn, clientAddr *net.UDPAddr, clientKey *connTrackKey) {

+	defer func() {

+		proxy.connTrackLock.Lock()

+		delete(proxy.connTrackTable, *clientKey)

+		proxy.connTrackLock.Unlock()

+		proxyConn.Close()

+	}()

+

+	readBuf := make([]byte, UDPBufSize)

+	for {

+		proxyConn.SetReadDeadline(time.Now().Add(UDPConnTrackTimeout))

+	again:

+		read, err := proxyConn.Read(readBuf)

+		if err != nil {

+			if err, ok := err.(*net.OpError); ok && err.Err == syscall.ECONNREFUSED {

+				// This will happen if the last write failed

+				// (e.g: nothing is actually listening on the

+				// proxied port on the container), ignore it

+				// and continue until UDPConnTrackTimeout

+				// expires:

+				goto again

+			}

+			return

+		}

+		for i := 0; i != read; {

+			written, err := proxy.listener.WriteToUDP(readBuf[i:read], clientAddr)

+			if err != nil {

+				return

+			}

+			i += written

+		}

+	}

+}

+

+// Run starts forwarding the traffic using UDP.

+func (proxy *UDPProxy) Run() {

+	readBuf := make([]byte, UDPBufSize)

+	for {

+		read, from, err := proxy.listener.ReadFromUDP(readBuf)

+		if err != nil {

+			// NOTE: Apparently ReadFrom doesn't return

+			// ECONNREFUSED like Read do (see comment in

+			// UDPProxy.replyLoop)

+			if !isClosedError(err) {

+				log.Printf("Stopping proxy on udp/%v for udp/%v (%s)", proxy.frontendAddr, proxy.backendAddr, err)

+			}

+			break

+		}

+

+		fromKey := newConnTrackKey(from)

+		proxy.connTrackLock.Lock()

+		proxyConn, hit := proxy.connTrackTable[*fromKey]

+		if !hit {

+			proxyConn, err = net.DialUDP("udp", nil, proxy.backendAddr)

+			if err != nil {

+				log.Printf("Can't proxy a datagram to udp/%s: %s\n", proxy.backendAddr, err)

+				proxy.connTrackLock.Unlock()

+				continue

+			}

+			proxy.connTrackTable[*fromKey] = proxyConn

+			go proxy.replyLoop(proxyConn, from, fromKey)

+		}

+		proxy.connTrackLock.Unlock()

+		for i := 0; i != read; {

+			written, err := proxyConn.Write(readBuf[i:read])

+			if err != nil {

+				log.Printf("Can't proxy a datagram to udp/%s: %s\n", proxy.backendAddr, err)

+				break

+			}

+			i += written

+		}

+	}

+}

+

+// Close stops forwarding the traffic.

+func (proxy *UDPProxy) Close() {

+	proxy.listener.Close()

+	proxy.connTrackLock.Lock()

+	defer proxy.connTrackLock.Unlock()

+	for _, conn := range proxy.connTrackTable {

+		conn.Close()

+	}

+}

+

+// FrontendAddr returns the UDP address on which the proxy is listening.

+func (proxy *UDPProxy) FrontendAddr() net.Addr { return proxy.frontendAddr }

+

+// BackendAddr returns the proxied UDP address.

+func (proxy *UDPProxy) BackendAddr() net.Addr { return proxy.backendAddr }

+

+func isClosedError(err error) bool {

+	/* This comparison is ugly, but unfortunately, net.go doesn't export errClosing.

+	 * See:

+	 * http://golang.org/src/pkg/net/net.go

+	 * https://code.google.com/p/go/issues/detail?id=4337

+	 * https://groups.google.com/forum/#!msg/golang-nuts/0_aaCvBmOcM/SptmDyX1XJMJ

+	 */

+	return strings.HasSuffix(err.Error(), "use of closed network connection")

+}

@@ -3,7 +3,7 @@

 set -e

 (

-	GO_PACKAGE='github.com/docker/docker/libnetwork/cmd/proxy'

+	GO_PACKAGE='github.com/docker/docker/cmd/docker-proxy'

 	BINARY_SHORT_NAME='docker-proxy'

 	source "${MAKEDIR}/.binary"

@@ -9,7 +9,7 @@ set -e

 	export BUILDFLAGS=("${BUILDFLAGS[@]/osusergo /}")     # ditto for osusergo

 	export BUILDFLAGS=("${BUILDFLAGS[@]/static_build /}") # we're not building a "static" binary here

-	GO_PACKAGE='github.com/docker/docker/libnetwork/cmd/proxy'

+	GO_PACKAGE='github.com/docker/docker/cmd/docker-proxy'

 	BINARY_SHORT_NAME='docker-proxy'

 	source "${MAKEDIR}/.binary"

 )

deleted file mode 100644

@@ -1,72 +0,0 @@

-package main

-

-import (

-	"flag"

-	"fmt"

-	"log"

-	"net"

-	"os"

-	"os/signal"

-	"syscall"

-

-	"github.com/ishidawataru/sctp"

-)

-

-func main() {

-	f := os.NewFile(3, "signal-parent")

-	host, container := parseHostContainerAddrs()

-

-	p, err := NewProxy(host, container)

-	if err != nil {

-		fmt.Fprintf(f, "1\n%s", err)

-		f.Close()

-		os.Exit(1)

-	}

-	go handleStopSignals(p)

-	fmt.Fprint(f, "0\n")

-	f.Close()

-

-	// Run will block until the proxy stops

-	p.Run()

-}

-

-// parseHostContainerAddrs parses the flags passed on reexec to create the TCP/UDP/SCTP

-// net.Addrs to map the host and container ports

-func parseHostContainerAddrs() (host net.Addr, container net.Addr) {