[lxc-devel] [lxd/master] iptables: Moves iptables helper functions into own package
tomponline on Github
lxc-bot at linuxcontainers.org
Fri Jul 12 13:59:48 UTC 2019
From 0f2b6cf2aea6a30530d84440f4dc9a762ea1b8ad Mon Sep 17 00:00:00 2001
From: Thomas Parrott <thomas.parrott at canonical.com>
Date: Fri, 12 Jul 2019 14:50:49 +0100
Subject: [PATCH] iptables: Moves iptables helper functions into own package
For use both from LXD main and from the new devices package.
Signed-off-by: Thomas Parrott <thomas.parrott at canonical.com>
---
lxd/container_lxc.go | 25 ++++++++--------
lxd/{ => iptables}/iptables.go | 12 ++++----
lxd/networks.go | 53 +++++++++++++++++-----------------
3 files changed, 46 insertions(+), 44 deletions(-)
rename lxd/{ => iptables}/iptables.go (87%)
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index e2b9acc843..ae30307401 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -31,6 +31,7 @@ import (
"github.com/lxc/lxd/lxd/cluster"
"github.com/lxc/lxd/lxd/db"
"github.com/lxc/lxd/lxd/db/query"
+ "github.com/lxc/lxd/lxd/iptables"
"github.com/lxc/lxd/lxd/maas"
"github.com/lxc/lxd/lxd/state"
"github.com/lxc/lxd/lxd/template"
@@ -8121,11 +8122,11 @@ func (c *containerLXC) doNat(proxy string, device types.Device) error {
defer func() {
if revert {
if IPv4Addr != "" {
- containerIptablesClear("ipv4", iptablesComment, "nat")
+ iptables.ContainerClear("ipv4", iptablesComment, "nat")
}
if IPv6Addr != "" {
- containerIptablesClear("ipv6", iptablesComment, "nat")
+ iptables.ContainerClear("ipv6", iptablesComment, "nat")
}
}
}()
@@ -8144,7 +8145,7 @@ func (c *containerLXC) doNat(proxy string, device types.Device) error {
if IPv4Addr != "" {
// outbound <-> container
- err := containerIptablesPrepend("ipv4", iptablesComment, "nat",
+ err := iptables.ContainerPrepend("ipv4", iptablesComment, "nat",
"PREROUTING", "-p", listenAddr.connType, "--destination",
address, "--dport", port, "-j", "DNAT",
"--to-destination", fmt.Sprintf("%s:%s", IPv4Addr, cPort))
@@ -8153,7 +8154,7 @@ func (c *containerLXC) doNat(proxy string, device types.Device) error {
}
// host <-> container
- err = containerIptablesPrepend("ipv4", iptablesComment, "nat",
+ err = iptables.ContainerPrepend("ipv4", iptablesComment, "nat",
"OUTPUT", "-p", listenAddr.connType, "--destination",
address, "--dport", port, "-j", "DNAT",
"--to-destination", fmt.Sprintf("%s:%s", IPv4Addr, cPort))
@@ -8164,7 +8165,7 @@ func (c *containerLXC) doNat(proxy string, device types.Device) error {
if IPv6Addr != "" {
// outbound <-> container
- err := containerIptablesPrepend("ipv6", iptablesComment, "nat",
+ err := iptables.ContainerPrepend("ipv6", iptablesComment, "nat",
"PREROUTING", "-p", listenAddr.connType, "--destination",
address, "--dport", port, "-j", "DNAT",
"--to-destination", fmt.Sprintf("[%s]:%s", IPv6Addr, cPort))
@@ -8173,7 +8174,7 @@ func (c *containerLXC) doNat(proxy string, device types.Device) error {
}
// host <-> container
- err = containerIptablesPrepend("ipv6", iptablesComment, "nat",
+ err = iptables.ContainerPrepend("ipv6", iptablesComment, "nat",
"OUTPUT", "-p", listenAddr.connType, "--destination",
address, "--dport", port, "-j", "DNAT",
"--to-destination", fmt.Sprintf("[%s]:%s", IPv6Addr, cPort))
@@ -8194,8 +8195,8 @@ func (c *containerLXC) removeProxyDevice(devName string) error {
}
// Remove possible iptables entries
- containerIptablesClear("ipv4", fmt.Sprintf("%s (%s)", c.Name(), devName), "nat")
- containerIptablesClear("ipv6", fmt.Sprintf("%s (%s)", c.Name(), devName), "nat")
+ iptables.ContainerClear("ipv4", fmt.Sprintf("%s (%s)", c.Name(), devName), "nat")
+ iptables.ContainerClear("ipv6", fmt.Sprintf("%s (%s)", c.Name(), devName), "nat")
devFileName := fmt.Sprintf("proxy.%s", devName)
devPath := filepath.Join(c.DevicesPath(), devFileName)
@@ -8215,8 +8216,8 @@ func (c *containerLXC) removeProxyDevice(devName string) error {
func (c *containerLXC) removeProxyDevices() error {
// Remove possible iptables entries
- containerIptablesClear("ipv4", fmt.Sprintf("%s", c.Name()), "nat")
- containerIptablesClear("ipv6", fmt.Sprintf("%s", c.Name()), "nat")
+ iptables.ContainerClear("ipv4", fmt.Sprintf("%s", c.Name()), "nat")
+ iptables.ContainerClear("ipv6", fmt.Sprintf("%s", c.Name()), "nat")
// Check that we actually have devices to remove
if !shared.PathExists(c.DevicesPath()) {
@@ -8815,7 +8816,7 @@ func (c *containerLXC) setNetworkFilters(deviceName string, m types.Device) (err
}
for _, rule := range rules {
- err = containerIptablesPrepend(rule[0], fmt.Sprintf("%s - %s_filtering", c.Name(), rule[0]), "filter", rule[1], rule[2:]...)
+ err = iptables.ContainerPrepend(rule[0], fmt.Sprintf("%s - %s_filtering", c.Name(), rule[0]), "filter", rule[1], rule[2:]...)
if err != nil {
return err
}
@@ -8960,7 +8961,7 @@ func (c *containerLXC) removeNetworkFilters(deviceName string, m types.Device) {
}
// Remove any IPv6 filters used for this container.
- err := containerIptablesClear("ipv6", fmt.Sprintf("%s - ipv6_filtering", c.Name()), "filter")
+ err := iptables.ContainerClear("ipv6", fmt.Sprintf("%s - ipv6_filtering", c.Name()), "filter")
if err != nil {
logger.Error("Failed to clear ip6tables ipv6_filter rules", log.Ctx{"container": c.Name(), "device": deviceName, "err": err})
}
diff --git a/lxd/iptables.go b/lxd/iptables/iptables.go
similarity index 87%
rename from lxd/iptables.go
rename to lxd/iptables/iptables.go
index a72cefdcc3..93b556adda 100644
--- a/lxd/iptables.go
+++ b/lxd/iptables/iptables.go
@@ -1,4 +1,4 @@
-package main
+package iptables
import (
"fmt"
@@ -103,30 +103,30 @@ func iptablesClear(protocol string, comment string, table string) error {
return nil
}
-func networkIptablesAppend(protocol string, comment string, table string, chain string,
+func NetworkAppend(protocol string, comment string, table string, chain string,
rule ...string) error {
return iptablesAppend(protocol, fmt.Sprintf("LXD network %s", comment),
table, chain, rule...)
}
-func networkIptablesPrepend(protocol string, comment string, table string, chain string,
+func NetworkPrepend(protocol string, comment string, table string, chain string,
rule ...string) error {
return iptablesPrepend(protocol, fmt.Sprintf("LXD network %s", comment),
table, chain, rule...)
}
-func networkIptablesClear(protocol string, comment string, table string) error {
+func NetworkClear(protocol string, comment string, table string) error {
return iptablesClear(protocol, fmt.Sprintf("LXD network %s", comment),
table)
}
-func containerIptablesPrepend(protocol string, comment string, table string,
+func ContainerPrepend(protocol string, comment string, table string,
chain string, rule ...string) error {
return iptablesPrepend(protocol, fmt.Sprintf("LXD container %s", comment),
table, chain, rule...)
}
-func containerIptablesClear(protocol string, comment string, table string) error {
+func ContainerClear(protocol string, comment string, table string) error {
return iptablesClear(protocol, fmt.Sprintf("LXD container %s", comment),
table)
}
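Review bot: The five functions this hunk exports (NetworkAppend, NetworkPrepend, NetworkClear, ContainerPrepend, ContainerClear) have no doc comments, and since they are now the public surface of the new iptables package each should get one starting with its name, e.g. `// ContainerClear calls iptablesClear for protocol and table with comment prefixed by "LXD container ".` and `// NetworkPrepend calls iptablesPrepend for protocol, table and chain with comment prefixed by "LXD network ".`. The comments should also say that a failure is reported only through the returned error and never logged, because several callers in this same patch drop that value — the revert defer in doNat (container_lxc.go) and the DHCP CHECKSUM workaround in networks.go — so a firewall rule that was never inserted or never cleared leaves no trace; whether those call sites are deliberate best-effort is not visible here, so the doc comment is the place to make the contract explicit. The iptablesClear function whose closing lines open this hunk starts outside it.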
diff --git a/lxd/networks.go b/lxd/networks.go
index 2e6d1d1979..04d10a1d95 100644
--- a/lxd/networks.go
+++ b/lxd/networks.go
@@ -20,6 +20,7 @@ import (
lxd "github.com/lxc/lxd/client"
"github.com/lxc/lxd/lxd/cluster"
"github.com/lxc/lxd/lxd/db"
+ "github.com/lxc/lxd/lxd/iptables"
"github.com/lxc/lxd/lxd/node"
"github.com/lxc/lxd/lxd/state"
"github.com/lxc/lxd/lxd/util"
@@ -1190,17 +1191,17 @@ func (n *network) Start() error {
}
// Remove any existing IPv4 iptables rules
- err = networkIptablesClear("ipv4", n.name, "")
+ err = iptables.NetworkClear("ipv4", n.name, "")
if err != nil {
return err
}
- err = networkIptablesClear("ipv4", n.name, "mangle")
+ err = iptables.NetworkClear("ipv4", n.name, "mangle")
if err != nil {
return err
}
- err = networkIptablesClear("ipv4", n.name, "nat")
+ err = iptables.NetworkClear("ipv4", n.name, "nat")
if err != nil {
return err
}
@@ -1236,7 +1237,7 @@ func (n *network) Start() error {
{"ipv4", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
for _, rule := range rules {
- err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+ err = iptables.NetworkPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
if err != nil {
return err
}
@@ -1245,7 +1246,7 @@ func (n *network) Start() error {
// Attempt a workaround for broken DHCP clients
if n.config["ipv4.firewall"] == "" || shared.IsTrue(n.config["ipv4.firewall"]) {
- networkIptablesPrepend("ipv4", n.name, "mangle", "POSTROUTING", "-o", n.name, "-p", "udp", "--dport", "68", "-j", "CHECKSUM", "--checksum-fill")
+ iptables.NetworkPrepend("ipv4", n.name, "mangle", "POSTROUTING", "-o", n.name, "-p", "udp", "--dport", "68", "-j", "CHECKSUM", "--checksum-fill")
}
// Allow forwarding
@@ -1256,24 +1257,24 @@ func (n *network) Start() error {
}
if n.config["ipv4.firewall"] == "" || shared.IsTrue(n.config["ipv4.firewall"]) {
- err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-i", n.name, "-j", "ACCEPT")
+ err = iptables.NetworkPrepend("ipv4", n.name, "", "FORWARD", "-i", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
- err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-o", n.name, "-j", "ACCEPT")
+ err = iptables.NetworkPrepend("ipv4", n.name, "", "FORWARD", "-o", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
}
} else {
if n.config["ipv4.firewall"] == "" || shared.IsTrue(n.config["ipv4.firewall"]) {
- err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-i", n.name, "-j", "REJECT")
+ err = iptables.NetworkPrepend("ipv4", n.name, "", "FORWARD", "-i", n.name, "-j", "REJECT")
if err != nil {
return err
}
- err = networkIptablesPrepend("ipv4", n.name, "", "FORWARD", "-o", n.name, "-j", "REJECT")
+ err = iptables.NetworkPrepend("ipv4", n.name, "", "FORWARD", "-o", n.name, "-j", "REJECT")
if err != nil {
return err
}
@@ -1354,12 +1355,12 @@ func (n *network) Start() error {
}
if n.config["ipv4.nat.order"] == "after" {
- err = networkIptablesAppend("ipv4", n.name, "nat", "POSTROUTING", args...)
+ err = iptables.NetworkAppend("ipv4", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
} else {
- err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", args...)
+ err = iptables.NetworkPrepend("ipv4", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
@@ -1385,12 +1386,12 @@ func (n *network) Start() error {
}
// Remove any existing IPv6 iptables rules
- err = networkIptablesClear("ipv6", n.name, "")
+ err = iptables.NetworkClear("ipv6", n.name, "")
if err != nil {
return err
}
- err = networkIptablesClear("ipv6", n.name, "nat")
+ err = iptables.NetworkClear("ipv6", n.name, "nat")
if err != nil {
return err
}
@@ -1440,7 +1441,7 @@ func (n *network) Start() error {
{"ipv6", n.name, "", "OUTPUT", "-o", n.name, "-p", "tcp", "--sport", "53", "-j", "ACCEPT"}}
for _, rule := range rules {
- err = networkIptablesPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
+ err = iptables.NetworkPrepend(rule[0], rule[1], rule[2], rule[3], rule[4:]...)
if err != nil {
return err
}
@@ -1503,24 +1504,24 @@ func (n *network) Start() error {
}
if n.config["ipv6.firewall"] == "" || shared.IsTrue(n.config["ipv6.firewall"]) {
- err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-i", n.name, "-j", "ACCEPT")
+ err = iptables.NetworkPrepend("ipv6", n.name, "", "FORWARD", "-i", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
- err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-o", n.name, "-j", "ACCEPT")
+ err = iptables.NetworkPrepend("ipv6", n.name, "", "FORWARD", "-o", n.name, "-j", "ACCEPT")
if err != nil {
return err
}
}
} else {
if n.config["ipv6.firewall"] == "" || shared.IsTrue(n.config["ipv6.firewall"]) {
- err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-i", n.name, "-j", "REJECT")
+ err = iptables.NetworkPrepend("ipv6", n.name, "", "FORWARD", "-i", n.name, "-j", "REJECT")
if err != nil {
return err
}
- err = networkIptablesPrepend("ipv6", n.name, "", "FORWARD", "-o", n.name, "-j", "REJECT")
+ err = iptables.NetworkPrepend("ipv6", n.name, "", "FORWARD", "-o", n.name, "-j", "REJECT")
if err != nil {
return err
}
@@ -1541,12 +1542,12 @@ func (n *network) Start() error {
}
if n.config["ipv6.nat.order"] == "after" {
- err = networkIptablesAppend("ipv6", n.name, "nat", "POSTROUTING", args...)
+ err = iptables.NetworkAppend("ipv6", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
} else {
- err = networkIptablesPrepend("ipv6", n.name, "nat", "POSTROUTING", args...)
+ err = iptables.NetworkPrepend("ipv6", n.name, "nat", "POSTROUTING", args...)
if err != nil {
return err
}
@@ -1699,7 +1700,7 @@ func (n *network) Start() error {
}
// Configure NAT
- err = networkIptablesPrepend("ipv4", n.name, "nat", "POSTROUTING", "-s", overlaySubnet.String(), "!", "-d", overlaySubnet.String(), "-j", "MASQUERADE")
+ err = iptables.NetworkPrepend("ipv4", n.name, "nat", "POSTROUTING", "-s", overlaySubnet.String(), "!", "-d", overlaySubnet.String(), "-j", "MASQUERADE")
if err != nil {
return err
}
@@ -1931,27 +1932,27 @@ func (n *network) Stop() error {
}
// Cleanup iptables
- err := networkIptablesClear("ipv4", n.name, "")
+ err := iptables.NetworkClear("ipv4", n.name, "")
if err != nil {
return err
}
- err = networkIptablesClear("ipv4", n.name, "mangle")
+ err = iptables.NetworkClear("ipv4", n.name, "mangle")
if err != nil {
return err
}
- err = networkIptablesClear("ipv4", n.name, "nat")
+ err = iptables.NetworkClear("ipv4", n.name, "nat")
if err != nil {
return err
}
- err = networkIptablesClear("ipv6", n.name, "")
+ err = iptables.NetworkClear("ipv6", n.name, "")
if err != nil {
return err
}
- err = networkIptablesClear("ipv6", n.name, "nat")
+ err = iptables.NetworkClear("ipv6", n.name, "nat")
if err != nil {
return err
}