

Move iptables.IPVersion into iptRule struct (code health)
Rather than pass an `iptables.IPVersion` value alongside every
`iptRule` parameter, embed the IP version in the `iptRule` struct.

Signed-off-by: Richard Hansen <rhansen@rhansen.org>
rhansen committed Oct 14, 2023
1 parent 4e219eb commit 14d2535
Showing 2 changed files with 26 additions and 21 deletions.
29 changes: 17 additions & 12 deletions libnetwork/drivers/bridge/setup_ip_tables_linux.go
Expand Up @@ -196,6 +196,7 @@ func (n *bridgeNetwork) setupIPTables(ipVersion iptables.IPVersion, maskedAddr *
}

type iptRule struct {
ipv iptables.IPVersion
table iptables.Table
chain string
args []string
Expand All @@ -204,8 +205,8 @@ type iptRule struct {
func setupIPTablesInternal(ipVer iptables.IPVersion, config *networkConfiguration, addr *net.IPNet, hairpin, enable bool) error {
var (
address = addr.String()
skipDNAT = iptRule{table: iptables.Nat, chain: DockerChain, args: []string{"-i", config.BridgeName, "-j", "RETURN"}}
outRule = iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", config.BridgeName, "!", "-o", config.BridgeName, "-j", "ACCEPT"}}
skipDNAT = iptRule{ipv: ipVer, table: iptables.Nat, chain: DockerChain, args: []string{"-i", config.BridgeName, "-j", "RETURN"}}
outRule = iptRule{ipv: ipVer, table: iptables.Filter, chain: "FORWARD", args: []string{"-i", config.BridgeName, "!", "-o", config.BridgeName, "-j", "ACCEPT"}}
natArgs []string
hpNatArgs []string
)
Expand All @@ -220,25 +221,25 @@ func setupIPTablesInternal(ipVer iptables.IPVersion, config *networkConfiguratio
hpNatArgs = []string{"-m", "addrtype", "--src-type", "LOCAL", "-o", config.BridgeName, "-j", "MASQUERADE"}
}

natRule := iptRule{table: iptables.Nat, chain: "POSTROUTING", args: natArgs}
hpNatRule := iptRule{table: iptables.Nat, chain: "POSTROUTING", args: hpNatArgs}
natRule := iptRule{ipv: ipVer, table: iptables.Nat, chain: "POSTROUTING", args: natArgs}
hpNatRule := iptRule{ipv: ipVer, table: iptables.Nat, chain: "POSTROUTING", args: hpNatArgs}

// Set NAT.
if config.EnableIPMasquerade {
if err := programChainRule(ipVer, natRule, "NAT", enable); err != nil {
if err := programChainRule(natRule, "NAT", enable); err != nil {
return err
}
}

if config.EnableIPMasquerade && !hairpin {
if err := programChainRule(ipVer, skipDNAT, "SKIP DNAT", enable); err != nil {
if err := programChainRule(skipDNAT, "SKIP DNAT", enable); err != nil {
return err
}
}

// In hairpin mode, masquerade traffic from localhost. If hairpin is disabled or if we're tearing down
// that bridge, make sure the iptables rule isn't lying around.
if err := programChainRule(ipVer, hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
if err := programChainRule(hpNatRule, "MASQ LOCAL HOST", enable && hairpin); err != nil {
return err
}

Expand All @@ -248,11 +249,11 @@ func setupIPTablesInternal(ipVer iptables.IPVersion, config *networkConfiguratio
}

// Set Accept on all non-intercontainer outgoing packets.
return programChainRule(ipVer, outRule, "ACCEPT NON_ICC OUTGOING", enable)
return programChainRule(outRule, "ACCEPT NON_ICC OUTGOING", enable)
}

func programChainRule(version iptables.IPVersion, rule iptRule, ruleDescr string, insert bool) error {
iptable := iptables.GetIptable(version)
func programChainRule(rule iptRule, ruleDescr string, insert bool) error {
iptable := iptables.GetIptable(rule.ipv)

var (
operation string
Expand Down Expand Up @@ -392,33 +393,37 @@ func setupInternalNetworkRules(bridgeIface string, addr *net.IPNet, icc, insert
if addr.IP.To4() != nil {
version = iptables.IPv4
inDropRule = iptRule{
ipv: version,
table: iptables.Filter,
chain: IsolationChain1,
args: []string{"-i", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"},
}
outDropRule = iptRule{
ipv: version,
table: iptables.Filter,
chain: IsolationChain1,
args: []string{"-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"},
}
} else {
version = iptables.IPv6
inDropRule = iptRule{
ipv: version,
table: iptables.Filter,
chain: IsolationChain1,
args: []string{"-i", bridgeIface, "!", "-o", bridgeIface, "!", "-d", addr.String(), "-j", "DROP"},
}
outDropRule = iptRule{
ipv: version,
table: iptables.Filter,
chain: IsolationChain1,
args: []string{"!", "-i", bridgeIface, "-o", bridgeIface, "!", "-s", addr.String(), "-j", "DROP"},
}
}

if err := programChainRule(version, inDropRule, "DROP INCOMING", insert); err != nil {
if err := programChainRule(inDropRule, "DROP INCOMING", insert); err != nil {
return err
}
if err := programChainRule(version, outDropRule, "DROP OUTGOING", insert); err != nil {
if err := programChainRule(outDropRule, "DROP OUTGOING", insert); err != nil {
return err
}

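Review bot: With the address family now carried inside iptRule, a literal that omits `ipv` still compiles and reaches `iptables.GetIptable(rule.ipv)` at the top of programChainRule with the zero value; unless the iptables package rejects that value, the rule is silently programmed against whichever binary GetIptable selects by default, which for the isolation DROP rules built in setupInternalNetworkRules would mean filtering the wrong family. Assuming IPVersion is a string type, a guard at the top of programChainRule such as `if rule.ipv == "" { return fmt.Errorf("programChainRule(%s): iptRule.ipv is unset", ruleDescr) }` would turn that into an explicit error; at minimum the new field deserves a comment like `// ipv selects the iptables family (IPv4 or IPv6) the rule is programmed with; every literal must set it — the zero value is not a usable version.` The bodies of programChainRule and setupInternalNetworkRules continue outside the hunks shown.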
18 changes: 9 additions & 9 deletions libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
Expand Up @@ -31,12 +31,12 @@ func TestProgramIPTable(t *testing.T) {
rule iptRule
descr string
}{
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-d", "127.1.2.3", "-i", "lo", "-o", "lo", "-j", "DROP"}}, "Test Loopback"},
{iptRule{table: iptables.Nat, chain: "POSTROUTING", args: []string{"-s", iptablesTestBridgeIP, "!", "-o", DefaultBridgeName, "-j", "MASQUERADE"}}, "NAT Test"},
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-o", DefaultBridgeName, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}, "Test ACCEPT INCOMING"},
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test enable ICC"},
{iptRule{table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "DROP"}}, "Test disable ICC"},
{iptRule{ipv: iptables.IPv4, table: iptables.Filter, chain: "FORWARD", args: []string{"-d", "127.1.2.3", "-i", "lo", "-o", "lo", "-j", "DROP"}}, "Test Loopback"},
{iptRule{ipv: iptables.IPv4, table: iptables.Nat, chain: "POSTROUTING", args: []string{"-s", iptablesTestBridgeIP, "!", "-o", DefaultBridgeName, "-j", "MASQUERADE"}}, "NAT Test"},
{iptRule{ipv: iptables.IPv4, table: iptables.Filter, chain: "FORWARD", args: []string{"-o", DefaultBridgeName, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}}, "Test ACCEPT INCOMING"},
{iptRule{ipv: iptables.IPv4, table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "!", "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test ACCEPT NON_ICC OUTGOING"},
{iptRule{ipv: iptables.IPv4, table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "ACCEPT"}}, "Test enable ICC"},
{iptRule{ipv: iptables.IPv4, table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "DROP"}}, "Test disable ICC"},
}

// Assert the chain rules' insertion and removal.
Expand Down Expand Up @@ -103,17 +103,17 @@ func createTestBridge(config *networkConfiguration, br *bridgeInterface, t *test
// Assert base function which pushes iptables chain rules on insertion and removal.
func assertIPTableChainProgramming(rule iptRule, descr string, t *testing.T) {
// Add
if err := programChainRule(iptables.IPv4, rule, descr, true); err != nil {
if err := programChainRule(rule, descr, true); err != nil {
t.Fatalf("Failed to program iptable rule %s: %s", descr, err.Error())
}

iptable := iptables.GetIptable(iptables.IPv4)
iptable := iptables.GetIptable(rule.ipv)
if iptable.Exists(rule.table, rule.chain, rule.args...) == false {
t.Fatalf("Failed to effectively program iptable rule: %s", descr)
}

// Remove
if err := programChainRule(iptables.IPv4, rule, descr, false); err != nil {
if err := programChainRule(rule, descr, false); err != nil {
t.Fatalf("Failed to remove iptable rule %s: %s", descr, err.Error())
}
if iptable.Exists(rule.table, rule.chain, rule.args...) == true {
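Review bot: Every entry in TestProgramIPTable's table now pins `ipv: iptables.IPv4`, and assertIPTableChainProgramming reads `rule.ipv` instead of hard-coding the family, so nothing in this file exercises programChainRule with `iptables.IPv6` even though setupInternalNetworkRules builds IPv6 rules for non-IPv4 addresses. One IPv6 entry, e.g. `{iptRule{ipv: iptables.IPv6, table: iptables.Filter, chain: "FORWARD", args: []string{"-i", DefaultBridgeName, "-o", DefaultBridgeName, "-j", "DROP"}}, "Test IPv6 disable ICC"}`, would confirm the field is actually honoured end to end; it presumably needs ip6tables on the test host, so skip when that is unavailable. The remainder of assertIPTableChainProgramming is outside the hunk.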
