This fixes IP masquerading on systems with reject rules at the end of
the POSTROUTING table, by inserting the rule at the beginning of the
table instead of adding it at the end.
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
Currently there are two iptables rules per port for each link: one to
allow the parent to connect to the child's port, and another one to
allow return traffic from the child back to the parent. The second rule
shouldn't be needed because the "ctstate RELATED,ESTABLISHED" rule can
already allow all established traffic.
So this patch does the following:
1. Move the RELATED,ESTABLISHED rule to be _before_ the potential
inter-container communication DROP rule so it will work for
inter-container traffic as well. Since we're inserting, everything
is reversed chronologically so it should be inserted _after_ we
insert the DROP. This also has a small performance benefit because
it will be processed earlier and it's generally one of the most
commonly used rules.
2. Get rid of the unnecessary return traffic rule per link.
3. Also move the other "Accept all non-intercontainer outgoing packets"
rule to earlier. This gives a small performance benefit since it's
also a commonly used rule, and it makes sense to logically group it
next to the ctstate rule.
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
e.g.:
```
docker -d -bip "10.10.0.1/16"
```
If set and valid, use the provided value in place of trial and error from the pre-defined array in network.go.
Mutually exclusive with the -b option.
This commit improves upon the PortMapper and PortAllocator classes by changing
their internal data structures for port allocations to use a string rather than
a single integer. This string holds the network interface address as well as the
port number. This solves a previous problem where a port would be incorrectly
reported as being in use because it had been allocated for a different interface.
I've also added a basic test case for the PortMapper class, and extended the
existing test case for PortAllocator. In the case of PortMapper, this is done
by handing it a stub function for creating proxies rather than an actual
implementation.
Retrieve /etc/resolv.conf data (if available)
Add checkNameserverOverlaps and call it to
make sure there are no conflicts
Add utils.GetNameserversAsCIDR and tests
Read /etc/resolv.conf and pull out nameservers,
formatting them as a CIDR block ("1.2.3.4/32")
Sometimes `ip route` will show mask-less IPs, so net.ParseCIDR will fail. If it does we check if we can net.ParseIP, and fail only if we can't.
Fixes #1214
Fixes #362
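The nameserver check described above, as an added example that is not Docker's own code: `nameserversAsCIDR`, `parseNet` and `checkNameserverOverlaps` are hypothetical names, the resolv.conf content is constructed inline, and IPv4 is assumed throughout; `parseNet` shows the `net.ParseCIDR` then `net.ParseIP` fallback for mask-less addresses from `ip route`.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed resolv.conf content so the example runs offline (not read from disk).
const sampleResolvConf = "# constructed sample\nnameserver 10.10.0.53\nnameserver 8.8.8.8\n"

// nameserversAsCIDR turns each IPv4 "nameserver" entry into a "/32" block (hypothetical, not Docker's code).
func nameserversAsCIDR(resolvConf string) []string {
	var out []string
	for _, line := range strings.Split(resolvConf, "\n") {
		f := strings.Fields(line)
		if len(f) >= 2 && f[0] == "nameserver" {
			if ip := net.ParseIP(f[1]).To4(); ip != nil {
				out = append(out, ip.String()+"/32")
			}
		}
	}
	return out
}

// parseNet accepts "a.b.c.d/n" or a bare "a.b.c.d" (as `ip route` sometimes prints), treating the latter as a /32.
func parseNet(s string) (*net.IPNet, error) {
	if _, n, err := net.ParseCIDR(s); err == nil {
		return n, nil
	}
	ip := net.ParseIP(s).To4()
	if ip == nil {
		return nil, fmt.Errorf("invalid IPv4 address or CIDR: %q", s)
	}
	return &net.IPNet{IP: ip, Mask: net.CIDRMask(32, 32)}, nil
}

// checkNameserverOverlaps rejects a bridge network that contains a nameserver (its DNS traffic would hit the bridge).
func checkNameserverOverlaps(nameservers []string, bridge *net.IPNet) error {
	for _, ns := range nameservers {
		_, nsNet, err := net.ParseCIDR(ns)
		if err != nil {
			return err
		}
		if bridge.Contains(nsNet.IP) {
			return fmt.Errorf("bridge %s overlaps nameserver %s", bridge, ns)
		}
	}
	return nil
}
```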