libnetwork/iptables: ChainInfo: don't pass whole IPTable as value
It only needed the IPVersion, so let's pass that instead. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
42653787ea
commit
16f80f649b
2 changed files with 17 additions and 15 deletions
|
@ -17,6 +17,7 @@ import (
|
|||
// DockerChain: DOCKER iptable chain name
|
||||
const (
|
||||
DockerChain = "DOCKER"
|
||||
|
||||
// Isolation between bridge networks is achieved in two stages by means
|
||||
// of the following two chains in the filter table. The first chain matches
|
||||
// on the source interface being a bridge network's bridge and the
|
||||
|
@ -26,6 +27,7 @@ const (
|
|||
// bridge. A positive match identifies a packet originated from one bridge
|
||||
// network's bridge destined to another bridge network's bridge and will
|
||||
// result in the packet being dropped. No match returns to the parent chain.
|
||||
|
||||
IsolationChain1 = "DOCKER-ISOLATION-STAGE-1"
|
||||
IsolationChain2 = "DOCKER-ISOLATION-STAGE-2"
|
||||
)
|
||||
|
@ -382,11 +384,11 @@ func removeIPChains(version iptables.IPVersion) {
|
|||
|
||||
// Remove chains
|
||||
for _, chainInfo := range []iptables.ChainInfo{
|
||||
{Name: DockerChain, Table: iptables.Nat, IPTable: ipt},
|
||||
{Name: DockerChain, Table: iptables.Filter, IPTable: ipt},
|
||||
{Name: IsolationChain1, Table: iptables.Filter, IPTable: ipt},
|
||||
{Name: IsolationChain2, Table: iptables.Filter, IPTable: ipt},
|
||||
{Name: oldIsolationChain, Table: iptables.Filter, IPTable: ipt},
|
||||
{Name: DockerChain, Table: iptables.Nat, IPVersion: version},
|
||||
{Name: DockerChain, Table: iptables.Filter, IPVersion: version},
|
||||
{Name: IsolationChain1, Table: iptables.Filter, IPVersion: version},
|
||||
{Name: IsolationChain2, Table: iptables.Filter, IPVersion: version},
|
||||
{Name: oldIsolationChain, Table: iptables.Filter, IPVersion: version},
|
||||
} {
|
||||
if err := chainInfo.Remove(); err != nil {
|
||||
log.G(context.TODO()).Warnf("Failed to remove existing iptables entries in table %s chain %s : %v", chainInfo.Table, chainInfo.Name, err)
|
||||
|
|
|
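Review bot: The warning in removeIPChains' loop body still logs only table and chain, so an IPv4 and an IPv6 failure for the same chain are indistinguishable in the log even though each ChainInfo now carries its own IPVersion; including it, e.g. `log.G(context.TODO()).Warnf("Failed to remove existing iptables entries in %v table %s chain %s : %v", chainInfo.IPVersion, chainInfo.Table, chainInfo.Name, err)`, makes cleanup failures attributable when reviewing host firewall state. The former `ipt` value is no longer referenced anywhere in this hunk; if it was obtained only for these literals, its declaration earlier in removeIPChains (outside the hunk) is presumably dead now and worth checking. removeIPChains starts and ends outside the hunk.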
@ -75,7 +75,7 @@ type ChainInfo struct {
|
|||
Name string
|
||||
Table Table
|
||||
HairpinMode bool
|
||||
IPTable IPTable
|
||||
IPVersion IPVersion
|
||||
}
|
||||
|
||||
// ChainError is returned to represent errors during ip table operation.
|
||||
|
@ -160,7 +160,7 @@ func (iptable IPTable) NewChain(name string, table Table, hairpinMode bool) (*Ch
|
|||
Name: name,
|
||||
Table: table,
|
||||
HairpinMode: hairpinMode,
|
||||
IPTable: iptable,
|
||||
IPVersion: iptable.Version,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
@ -279,16 +279,16 @@ func (iptable IPTable) RemoveExistingChain(name string, table Table) error {
|
|||
table = Filter
|
||||
}
|
||||
c := &ChainInfo{
|
||||
Name: name,
|
||||
Table: table,
|
||||
IPTable: iptable,
|
||||
Name: name,
|
||||
Table: table,
|
||||
IPVersion: iptable.Version,
|
||||
}
|
||||
return c.Remove()
|
||||
}
|
||||
|
||||
// Forward adds forwarding rule to 'filter' table and corresponding nat rule to 'nat' table.
|
||||
func (c *ChainInfo) Forward(action Action, ip net.IP, port int, proto, destAddr string, destPort int, bridgeName string) error {
|
||||
iptable := GetIptable(c.IPTable.Version)
|
||||
iptable := GetIptable(c.IPVersion)
|
||||
daddr := ip.String()
|
||||
if ip.IsUnspecified() {
|
||||
// iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we
|
||||
|
@ -361,7 +361,7 @@ func (c *ChainInfo) Forward(action Action, ip net.IP, port int, proto, destAddr
|
|||
// Link adds reciprocal ACCEPT rule for two supplied IP addresses.
|
||||
// Traffic is allowed from ip1 to ip2 and vice-versa
|
||||
func (c *ChainInfo) Link(action Action, ip1, ip2 net.IP, port int, proto string, bridgeName string) error {
|
||||
iptable := GetIptable(c.IPTable.Version)
|
||||
iptable := GetIptable(c.IPVersion)
|
||||
// forward
|
||||
args := []string{
|
||||
"-i", bridgeName, "-o", bridgeName,
|
||||
|
@ -393,7 +393,7 @@ func (iptable IPTable) ProgramRule(table Table, chain string, action Action, arg
|
|||
|
||||
// Prerouting adds linking rule to nat/PREROUTING chain.
|
||||
func (c *ChainInfo) Prerouting(action Action, args ...string) error {
|
||||
iptable := GetIptable(c.IPTable.Version)
|
||||
iptable := GetIptable(c.IPVersion)
|
||||
a := []string{"-t", string(Nat), string(action), "PREROUTING"}
|
||||
if len(args) > 0 {
|
||||
a = append(a, args...)
|
||||
|
@ -412,7 +412,7 @@ func (c *ChainInfo) Output(action Action, args ...string) error {
|
|||
if len(args) > 0 {
|
||||
a = append(a, args...)
|
||||
}
|
||||
if output, err := GetIptable(c.IPTable.Version).Raw(a...); err != nil {
|
||||
if output, err := GetIptable(c.IPVersion).Raw(a...); err != nil {
|
||||
return err
|
||||
} else if len(output) != 0 {
|
||||
return ChainError{Chain: "OUTPUT", Output: output}
|
||||
|
@ -422,7 +422,7 @@ func (c *ChainInfo) Output(action Action, args ...string) error {
|
|||
|
||||
// Remove removes the chain.
|
||||
func (c *ChainInfo) Remove() error {
|
||||
iptable := GetIptable(c.IPTable.Version)
|
||||
iptable := GetIptable(c.IPVersion)
|
||||
// Ignore errors - This could mean the chains were never set up
|
||||
if c.Table == Nat {
|
||||
_ = c.Prerouting(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "-j", c.Name)
|
||||
|
|
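Review bot: Every ChainInfo method in this file now repeats `GetIptable(c.IPVersion)` (Forward, Link, Prerouting, Output and Remove), and the new IPVersion field on ChainInfo is undocumented, so nothing tells a caller that a literal built without it hands the zero value to GetIptable — what that resolves to is not visible here and is worth confirming, since programming a chain through the wrong-family binary would leave isolation rules in the wrong table. A one-line accessor, `func (c *ChainInfo) iptable() IPTable { return GetIptable(c.IPVersion) }`, would centralize the lookup, and a field comment such as `// IPVersion selects the iptables instance (IPv4 or IPv6) that the chain's methods operate on; it must be set on every ChainInfo that is constructed directly.` would document the contract that NewChain and RemoveExistingChain satisfy via iptable.Version. Forward, Link, Prerouting and Output each start inside their hunk and continue past it; Remove's body also runs beyond the hunk.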