We use cookies to ensure you get the best experience on our website
首页 发现 帮助
注册 登录
0ct0pu5
/
moby
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

Merge pull request #46724 from rhansen/host_ipv6

New `host_ipv6` bridge option to SNAT IPv6 connections
Sebastiaan van Stijn 1 年之前
父节点
6af7d6ea2d 808120e5b8
当前提交
f13d8c2026
共有 5 个文件被更改,包括 47 次插入3 次删除
合并视图 显示文件统计
  1. 5 0
      libnetwork/drivers/bridge/bridge_linux.go
  2. 4 0
      libnetwork/drivers/bridge/bridge_store.go
  3. 7 3
      libnetwork/drivers/bridge/setup_ip_tables_linux.go
  4. 28 0
      libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
  5. 3 0
      libnetwork/netlabel/labels.go

+ 5 - 0
libnetwork/drivers/bridge/bridge_linux.go
查看文件 

@@ -74,6 +74,7 @@ type networkConfiguration struct {
 
 	DefaultBindingIP     net.IP
 
 	DefaultBindingIP     net.IP
 
 	DefaultBridge        bool
 
 	DefaultBridge        bool
 
 	HostIPv4             net.IP
 
 	HostIPv4             net.IP
 
+	HostIPv6             net.IP
 
 	ContainerIfacePrefix string
 
 	ContainerIfacePrefix string
 
 	// Internal fields set after ipam data parsing
 
 	// Internal fields set after ipam data parsing
 
 	AddressIPv4        *net.IPNet
 
 	AddressIPv4        *net.IPNet
 
@@ -270,6 +271,10 @@ func (c *networkConfiguration) fromLabels(labels map[string]string) error {
 
 			if c.HostIPv4 = net.ParseIP(value); c.HostIPv4 == nil {
 
 			if c.HostIPv4 = net.ParseIP(value); c.HostIPv4 == nil {
 
 				return parseErr(label, value, "nil ip")
 
 				return parseErr(label, value, "nil ip")
 
 			}
 
 			}
 
+		case netlabel.HostIPv6:
 
+			if c.HostIPv6 = net.ParseIP(value); c.HostIPv6 == nil {
 
+				return parseErr(label, value, "nil ip")
 
+			}
 
 		}
 
 		}
 
 	}
 
 	}

+ 4 - 0
libnetwork/drivers/bridge/bridge_store.go
查看文件 

@@ -147,6 +147,7 @@ func (ncfg *networkConfiguration) MarshalJSON() ([]byte, error) {
 
 	nMap["DefaultBindingIP"] = ncfg.DefaultBindingIP.String()
 
 	nMap["DefaultBindingIP"] = ncfg.DefaultBindingIP.String()
 
 	// This key is "HostIP" instead of "HostIPv4" to preserve compatibility with the on-disk format.
 
 	// This key is "HostIP" instead of "HostIPv4" to preserve compatibility with the on-disk format.
 
 	nMap["HostIP"] = ncfg.HostIPv4.String()
 
 	nMap["HostIP"] = ncfg.HostIPv4.String()
 
+	nMap["HostIPv6"] = ncfg.HostIPv6.String()
 
 	nMap["DefaultGatewayIPv4"] = ncfg.DefaultGatewayIPv4.String()
 
 	nMap["DefaultGatewayIPv4"] = ncfg.DefaultGatewayIPv4.String()
 
 	nMap["DefaultGatewayIPv6"] = ncfg.DefaultGatewayIPv6.String()
 
 	nMap["DefaultGatewayIPv6"] = ncfg.DefaultGatewayIPv6.String()
 
 	nMap["ContainerIfacePrefix"] = ncfg.ContainerIfacePrefix
 
 	nMap["ContainerIfacePrefix"] = ncfg.ContainerIfacePrefix
 
@@ -193,6 +194,9 @@ func (ncfg *networkConfiguration) UnmarshalJSON(b []byte) error {
 
 	if v, ok := nMap["HostIP"]; ok {
 
 	if v, ok := nMap["HostIP"]; ok {
 
 		ncfg.HostIPv4 = net.ParseIP(v.(string))
 
 		ncfg.HostIPv4 = net.ParseIP(v.(string))
 
 	}
 
 	}
 
+	if v, ok := nMap["HostIPv6"]; ok {
 
+		ncfg.HostIPv6 = net.ParseIP(v.(string))
 
+	}
 
 
 
 	ncfg.DefaultBridge = nMap["DefaultBridge"].(bool)
 
 	ncfg.DefaultBridge = nMap["DefaultBridge"].(bool)
 
 	ncfg.DefaultBindingIP = net.ParseIP(nMap["DefaultBindingIP"].(string))
 
 	ncfg.DefaultBindingIP = net.ParseIP(nMap["DefaultBindingIP"].(string))

+ 7 - 3
libnetwork/drivers/bridge/setup_ip_tables_linux.go
查看文件 

@@ -258,9 +258,13 @@ func setupIPTablesInternal(ipVer iptables.IPVersion, config *networkConfiguratio
 
 		natArgs   []string
 
 		natArgs   []string
 
 		hpNatArgs []string
 
 		hpNatArgs []string
 
 	)
 
 	)
 
-	// If config.HostIPv4 is set, the user wants IPv4 SNAT with the given address.
 
-	if config.HostIPv4 != nil && ipVer == iptables.IPv4 {
 
-		hostAddr := config.HostIPv4.String()
 
+	hostIP := config.HostIPv4
 
+	if ipVer == iptables.IPv6 {
 
+		hostIP = config.HostIPv6
 
+	}
 
+	// If hostIP is set, the user wants IPv4/IPv6 SNAT with the given address.
 
+	if hostIP != nil {
 
+		hostAddr := hostIP.String()
 
 		natArgs = []string{"-s", address, "!", "-o", config.BridgeName, "-j", "SNAT", "--to-source", hostAddr}
 
 		natArgs = []string{"-s", address, "!", "-o", config.BridgeName, "-j", "SNAT", "--to-source", hostAddr}
 
 		hpNatArgs = []string{"-m", "addrtype", "--src-type", "LOCAL", "-o", config.BridgeName, "-j", "SNAT", "--to-source", hostAddr}
 
 		hpNatArgs = []string{"-m", "addrtype", "--src-type", "LOCAL", "-o", config.BridgeName, "-j", "SNAT", "--to-source", hostAddr}
 
 		// Else use MASQUERADE which picks the src-ip based on NH from the route table
 
 		// Else use MASQUERADE which picks the src-ip based on NH from the route table

+ 28 - 0
libnetwork/drivers/bridge/setup_ip_tables_linux_test.go
查看文件 

@@ -212,6 +212,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 	maskedBrIPv4 := &net.IPNet{IP: brIPv4.IP.Mask(brIPv4.Mask), Mask: brIPv4.Mask}
 
 	maskedBrIPv4 := &net.IPNet{IP: brIPv4.IP.Mask(brIPv4.Mask), Mask: brIPv4.Mask}
 
 	maskedBrIPv6 := &net.IPNet{IP: brIPv6.IP.Mask(brIPv6.Mask), Mask: brIPv6.Mask}
 
 	maskedBrIPv6 := &net.IPNet{IP: brIPv6.IP.Mask(brIPv6.Mask), Mask: brIPv6.Mask}
 
 	hostIPv4 := net.ParseIP("192.0.2.2")
 
 	hostIPv4 := net.ParseIP("192.0.2.2")
 
+	hostIPv6 := net.ParseIP("2001:db8:1::1")
 
 	for _, tc := range []struct {
 
 	for _, tc := range []struct {
 
 		desc               string
 
 		desc               string
 
 		enableIPTables     bool
 
 		enableIPTables     bool
 
@@ -219,6 +220,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 		enableIPv6         bool
 
 		enableIPv6         bool
 
 		enableIPMasquerade bool
 
 		enableIPMasquerade bool
 
 		hostIPv4           net.IP
 
 		hostIPv4           net.IP
 
+		hostIPv6           net.IP
 
 		// Hairpin NAT rules are not tested here because they are orthogonal to outgoing NAT.  They
 
 		// Hairpin NAT rules are not tested here because they are orthogonal to outgoing NAT.  They
 
 		// exist to support the port forwarding DNAT rules: without any port forwarding there would be
 
 		// exist to support the port forwarding DNAT rules: without any port forwarding there would be
 
 		// no need for any hairpin NAT rules, and when there is port forwarding then hairpin NAT rules
 
 		// no need for any hairpin NAT rules, and when there is port forwarding then hairpin NAT rules
 
@@ -227,6 +229,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 		wantIPv4Masq bool
 
 		wantIPv4Masq bool
 
 		wantIPv4Snat bool
 
 		wantIPv4Snat bool
 
 		wantIPv6Masq bool
 
 		wantIPv6Masq bool
 
+		wantIPv6Snat bool
 
 	}{
 
 	}{
 
 		{
 
 		{
 
 			desc: "everything disabled",
 
 			desc: "everything disabled",
 
@@ -241,6 +244,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 			enableIPv6:         true,
 
 			enableIPv6:         true,
 
 			enableIPMasquerade: true,
 
 			enableIPMasquerade: true,
 
 			hostIPv4:           hostIPv4,
 
 			hostIPv4:           hostIPv4,
 
+			hostIPv6:           hostIPv6,
 
 		},
 
 		},
 
 		{
 
 		{
 
 			desc:            "masquerade disabled, no host IP",
 
 			desc:            "masquerade disabled, no host IP",
 
@@ -254,6 +258,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 			enableIP6Tables: true,
 
 			enableIP6Tables: true,
 
 			enableIPv6:      true,
 
 			enableIPv6:      true,
 
 			hostIPv4:        hostIPv4,
 
 			hostIPv4:        hostIPv4,
 
+			hostIPv6:        hostIPv6,
 
 		},
 
 		},
 
 		{
 
 		{
 
 			desc:               "IPv4 masquerade, IPv6 disabled",
 
 			desc:               "IPv4 masquerade, IPv6 disabled",
 
@@ -277,6 +282,16 @@ func TestOutgoingNATRules(t *testing.T) {
 
 			wantIPv4Masq:       true,
 
 			wantIPv4Masq:       true,
 
 			wantIPv6Masq:       true,
 
 			wantIPv6Masq:       true,
 
 		},
 
 		},
 
+		{
 
+			desc:               "IPv4 masquerade, IPv6 SNAT",
 
+			enableIPTables:     true,
 
+			enableIP6Tables:    true,
 
+			enableIPv6:         true,
 
+			enableIPMasquerade: true,
 
+			hostIPv6:           hostIPv6,
 
+			wantIPv4Masq:       true,
 
+			wantIPv6Snat:       true,
 
+		},
 
 		{
 
 		{
 
 			desc:               "IPv4 SNAT, IPv6 masquerade",
 
 			desc:               "IPv4 SNAT, IPv6 masquerade",
 
 			enableIPTables:     true,
 
 			enableIPTables:     true,
 
@@ -287,6 +302,17 @@ func TestOutgoingNATRules(t *testing.T) {
 
 			wantIPv4Snat:       true,
 
 			wantIPv4Snat:       true,
 
 			wantIPv6Masq:       true,
 
 			wantIPv6Masq:       true,
 
 		},
 
 		},
 
+		{
 
+			desc:               "IPv4 SNAT, IPv6 SNAT",
 
+			enableIPTables:     true,
 
+			enableIP6Tables:    true,
 
+			enableIPv6:         true,
 
+			enableIPMasquerade: true,
 
+			hostIPv4:           hostIPv4,
 
+			hostIPv6:           hostIPv6,
 
+			wantIPv4Snat:       true,
 
+			wantIPv6Snat:       true,
 
+		},
 
 	} {
 
 	} {
 
 		t.Run(tc.desc, func(t *testing.T) {
 
 		t.Run(tc.desc, func(t *testing.T) {
 
 			defer netnsutils.SetupTestOSContext(t)()
 
 			defer netnsutils.SetupTestOSContext(t)()
 
@@ -308,6 +334,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 				EnableIPv6:         tc.enableIPv6,
 
 				EnableIPv6:         tc.enableIPv6,
 
 				EnableIPMasquerade: tc.enableIPMasquerade,
 
 				EnableIPMasquerade: tc.enableIPMasquerade,
 
 				HostIPv4:           tc.hostIPv4,
 
 				HostIPv4:           tc.hostIPv4,
 
+				HostIPv6:           tc.hostIPv6,
 
 			}
 
 			}
 
 			ipv4Data := []driverapi.IPAMData{{Pool: maskedBrIPv4, Gateway: brIPv4}}
 
 			ipv4Data := []driverapi.IPAMData{{Pool: maskedBrIPv4, Gateway: brIPv4}}
 
 			ipv6Data := []driverapi.IPAMData{{Pool: maskedBrIPv6, Gateway: brIPv6}}
 
 			ipv6Data := []driverapi.IPAMData{{Pool: maskedBrIPv6, Gateway: brIPv6}}
 
@@ -343,6 +370,7 @@ func TestOutgoingNATRules(t *testing.T) {
 
 				{tc.wantIPv4Masq, iptRule{iptables.IPv4, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv4.String(), "!", "-o", br, "-j", "MASQUERADE"}}},
 
 				{tc.wantIPv4Masq, iptRule{iptables.IPv4, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv4.String(), "!", "-o", br, "-j", "MASQUERADE"}}},
 
 				{tc.wantIPv4Snat, iptRule{iptables.IPv4, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv4.String(), "!", "-o", br, "-j", "SNAT", "--to-source", hostIPv4.String()}}},
 
 				{tc.wantIPv4Snat, iptRule{iptables.IPv4, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv4.String(), "!", "-o", br, "-j", "SNAT", "--to-source", hostIPv4.String()}}},
 
 				{tc.wantIPv6Masq, iptRule{iptables.IPv6, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv6.String(), "!", "-o", br, "-j", "MASQUERADE"}}},
 
 				{tc.wantIPv6Masq, iptRule{iptables.IPv6, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv6.String(), "!", "-o", br, "-j", "MASQUERADE"}}},
 
+				{tc.wantIPv6Snat, iptRule{iptables.IPv6, iptables.Nat, "POSTROUTING", []string{"-s", maskedBrIPv6.String(), "!", "-o", br, "-j", "SNAT", "--to-source", hostIPv6.String()}}},
 
 			} {
 
 			} {
 
 				assert.Equal(t, rc.rule.Exists(), rc.want)
 
 				assert.Equal(t, rc.rule.Exists(), rc.want)
 
 			}
 
 			}

+ 3 - 0
libnetwork/netlabel/labels.go
查看文件 

@@ -47,6 +47,9 @@ const (
 
 	// HostIPv4 is the Source-IPv4 Address used to SNAT IPv4 container traffic
 
 	// HostIPv4 is the Source-IPv4 Address used to SNAT IPv4 container traffic
 
 	HostIPv4 = Prefix + ".host_ipv4"
 
 	HostIPv4 = Prefix + ".host_ipv4"
 
 
 
+	// HostIPv6 is the Source-IPv6 Address used to SNAT IPv6 container traffic
 
+	HostIPv6 = Prefix + ".host_ipv6"
 
+
 
 	// LocalKVClient constants represents the local kv store client
 
 	// LocalKVClient constants represents the local kv store client
 
 	LocalKVClient = DriverPrivatePrefix + "localkv_client"
 
 	LocalKVClient = DriverPrivatePrefix + "localkv_client"
 
 )
 
 )

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5