We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
moby
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: ff2a5301b8
Branches Tags
moby
/
libnetwork
/
iptables
/
conntrack.go

conntrack.go 2.2 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364 
  1. //go:build linux
    2. 

  2. // +build linux
    3. 

  3. 

  4. package iptables
    5. 

  5. 

  6. import (
    7. 

  7. 	"errors"
    8. 

  8. 	"net"
    9. 

  9. 	"syscall"
    10. 

  10. 

  11. 	"github.com/sirupsen/logrus"
    12. 

  12. 	"github.com/vishvananda/netlink"
    13. 

  13. )
    14. 

  14. 

  15. var (
    16. 

  16. 	// ErrConntrackNotConfigurable means that conntrack module is not loaded or does not have the netlink module loaded
    17. 

  17. 	ErrConntrackNotConfigurable = errors.New("conntrack is not available")
    18. 

  18. )
    19. 

  19. 

  20. // IsConntrackProgrammable returns true if the handle supports the NETLINK_NETFILTER and the base modules are loaded
    21. 

  21. func IsConntrackProgrammable(nlh *netlink.Handle) bool {
    22. 

  22. 	return nlh.SupportsNetlinkFamily(syscall.NETLINK_NETFILTER)
    23. 

  23. }
    24. 

  24. 

  25. // DeleteConntrackEntries deletes all the conntrack connections on the host for the specified IP
    26. 

  26. // Returns the number of flows deleted for IPv4, IPv6 else error
    27. 

  27. func DeleteConntrackEntries(nlh *netlink.Handle, ipv4List []net.IP, ipv6List []net.IP) (uint, uint, error) {
    28. 

  28. 	if !IsConntrackProgrammable(nlh) {
    29. 

  29. 		return 0, 0, ErrConntrackNotConfigurable
    30. 

  30. 	}
    31. 

  31. 

  32. 	var totalIPv4FlowPurged uint
    33. 

  33. 	for _, ipAddress := range ipv4List {
    34. 

  34. 		flowPurged, err := purgeConntrackState(nlh, syscall.AF_INET, ipAddress)
    35. 

  35. 		if err != nil {
    36. 

  36. 			logrus.Warnf("Failed to delete conntrack state for %s: %v", ipAddress, err)
    37. 

  37. 			continue
    38. 

  38. 		}
    39. 

  39. 		totalIPv4FlowPurged += flowPurged
    40. 

  40. 	}
    41. 

  41. 

  42. 	var totalIPv6FlowPurged uint
    43. 

  43. 	for _, ipAddress := range ipv6List {
    44. 

  44. 		flowPurged, err := purgeConntrackState(nlh, syscall.AF_INET6, ipAddress)
    45. 

  45. 		if err != nil {
    46. 

  46. 			logrus.Warnf("Failed to delete conntrack state for %s: %v", ipAddress, err)
    47. 

  47. 			continue
    48. 

  48. 		}
    49. 

  49. 		totalIPv6FlowPurged += flowPurged
    50. 

  50. 	}
    51. 

  51. 

  52. 	logrus.Debugf("DeleteConntrackEntries purged ipv4:%d, ipv6:%d", totalIPv4FlowPurged, totalIPv6FlowPurged)
    53. 

  53. 	return totalIPv4FlowPurged, totalIPv6FlowPurged, nil
    54. 

  54. }
    55. 

  55. 

  56. func purgeConntrackState(nlh *netlink.Handle, family netlink.InetFamily, ipAddress net.IP) (uint, error) {
    57. 

  57. 	filter := &netlink.ConntrackFilter{}
    58. 

  58. 	// NOTE: doing the flush using the ipAddress is safe because today there cannot be multiple networks with the same subnet
    59. 

  59. 	// so it will not be possible to flush flows that are of other containers
    60. 

  60. 	if err := filter.AddIP(netlink.ConntrackNatAnyIP, ipAddress); err != nil {
    61. 

  61. 		return 0, err
    62. 

  62. 	}
    63. 

  63. 	return nlh.ConntrackDeleteFilter(netlink.ConntrackTable, family, filter)
    64. 

  64. }
    65.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5