We use cookies to ensure you get the best experience on our website
Ana Sayfa Keşfet Yardım
Üye Ol Giriş Yap
0ct0pu5
/
moby
1
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Ağaç: 56da020e6b
Dallar Biçim İmleri
moby
/
vendor
/
github.com
/
docker
/
libnetwork
/
iptables
/
conntrack.go

conntrack.go 2.1 KB
Geçmiş Ham

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859 
  1. package iptables
    2. 

  2. 

  3. import (
    4. 

  4. 	"errors"
    5. 

  5. 	"net"
    6. 

  6. 	"syscall"
    7. 

  7. 

  8. 	"github.com/Sirupsen/logrus"
    9. 

  9. 	"github.com/vishvananda/netlink"
    10. 

  10. )
    11. 

  11. 

  12. var (
    13. 

  13. 	// ErrConntrackNotConfigurable means that conntrack module is not loaded or does not have the netlink module loaded
    14. 

  14. 	ErrConntrackNotConfigurable = errors.New("conntrack is not available")
    15. 

  15. )
    16. 

  16. 

  17. // IsConntrackProgrammable returns true if the handle supports the NETLINK_NETFILTER and the base modules are loaded
    18. 

  18. func IsConntrackProgrammable(nlh *netlink.Handle) bool {
    19. 

  19. 	return nlh.SupportsNetlinkFamily(syscall.NETLINK_NETFILTER)
    20. 

  20. }
    21. 

  21. 

  22. // DeleteConntrackEntries deletes all the conntrack connections on the host for the specified IP
    23. 

  23. // Returns the number of flows deleted for IPv4, IPv6 else error
    24. 

  24. func DeleteConntrackEntries(nlh *netlink.Handle, ipv4List []net.IP, ipv6List []net.IP) (uint, uint, error) {
    25. 

  25. 	if !IsConntrackProgrammable(nlh) {
    26. 

  26. 		return 0, 0, ErrConntrackNotConfigurable
    27. 

  27. 	}
    28. 

  28. 

  29. 	var totalIPv4FlowPurged uint
    30. 

  30. 	for _, ipAddress := range ipv4List {
    31. 

  31. 		flowPurged, err := purgeConntrackState(nlh, syscall.AF_INET, ipAddress)
    32. 

  32. 		if err != nil {
    33. 

  33. 			logrus.Warnf("Failed to delete conntrack state for %s: %v", ipAddress, err)
    34. 

  34. 			continue
    35. 

  35. 		}
    36. 

  36. 		totalIPv4FlowPurged += flowPurged
    37. 

  37. 	}
    38. 

  38. 

  39. 	var totalIPv6FlowPurged uint
    40. 

  40. 	for _, ipAddress := range ipv6List {
    41. 

  41. 		flowPurged, err := purgeConntrackState(nlh, syscall.AF_INET6, ipAddress)
    42. 

  42. 		if err != nil {
    43. 

  43. 			logrus.Warnf("Failed to delete conntrack state for %s: %v", ipAddress, err)
    44. 

  44. 			continue
    45. 

  45. 		}
    46. 

  46. 		totalIPv6FlowPurged += flowPurged
    47. 

  47. 	}
    48. 

  48. 

  49. 	logrus.Debugf("DeleteConntrackEntries purged ipv4:%d, ipv6:%d", totalIPv4FlowPurged, totalIPv6FlowPurged)
    50. 

  50. 	return totalIPv4FlowPurged, totalIPv6FlowPurged, nil
    51. 

  51. }
    52. 

  52. 

  53. func purgeConntrackState(nlh *netlink.Handle, family netlink.InetFamily, ipAddress net.IP) (uint, error) {
    54. 

  54. 	filter := &netlink.ConntrackFilter{}
    55. 

  55. 	// NOTE: doing the flush using the ipAddress is safe because today there cannot be multiple networks with the same subnet
    56. 

  56. 	// so it will not be possible to flush flows that are of other containers
    57. 

  57. 	filter.AddIP(netlink.ConntrackNatAnyIP, ipAddress)
    58. 

  58. 	return nlh.ConntrackDeleteFilter(netlink.ConntrackTable, family, filter)
    59. 

  59. }
    60.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5