//go:build !windows
// +build !windows
package libnetwork
import (
"fmt"
"net"
"os"
"os/exec"
"runtime"
"github.com/docker/docker/libnetwork/iptables"
"github.com/docker/docker/pkg/reexec"
"github.com/sirupsen/logrus"
"github.com/vishvananda/netns"
)
// init registers the "setup-resolver" reexec entry point so that
// setupIPTable can run reexecSetupResolver in a child copy of the
// daemon binary.
func init() {
	const entryPoint = "setup-resolver"
	reexec.Register(entryPoint, reexecSetupResolver)
}
// Names of the nat-table chains owned by the embedded DNS resolver. Both
// are created (or flushed) and populated by reexecSetupResolver.
const (
	// outputChain receives the DNAT rules that redirect queries sent to
	// the resolver IP on dnsPort to the resolver's real UDP/TCP sockets.
	outputChain = "DOCKER_OUTPUT"

	// postroutingchain receives the matching SNAT rules that rewrite the
	// replies so they appear to come from dnsPort.
	postroutingchain = "DOCKER_POSTROUTING"
)
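// reexecSetupResolver is the body of the "setup-resolver" reexec child
// registered in init. It is invoked as
//
//	setup-resolver <netns path> <udp host:port> <tcp host:port>
//
// and, from inside that network namespace, installs the nat rules that
// DNAT DNS traffic addressed to the resolver IP on dnsPort to the UDP/TCP
// sockets the resolver is actually listening on, plus the SNAT rules that
// rewrite the replies back to dnsPort. It never returns an error: failures
// are logged and reported through the process exit code, which the parent
// observes via cmd.Run in setupIPTable.
//
// Exit codes: 1 bad or malformed arguments, 2 namespace file could not be
// opened, 3 entering the namespace failed. Individual iptables failures
// are logged but do not change the exit code.
func reexecSetupResolver() {
	// netns.Set changes the namespace of the calling OS thread only, so the
	// goroutine must stay pinned to this thread for the rest of the function.
	runtime.LockOSThread()
	defer runtime.UnlockOSThread()

	if len(os.Args) < 4 {
		logrus.Error("invalid number of arguments..")
		os.Exit(1)
	}
	nsPath, udpAddr, tcpAddr := os.Args[1], os.Args[2], os.Args[3]

	// Both addresses must parse: an empty resolverIP or port would otherwise
	// be spliced into the iptables rules below and fail in a confusing way.
	resolverIP, ipPort, err := net.SplitHostPort(udpAddr)
	if err != nil {
		logrus.Errorf("invalid udp resolver address %q: %v", udpAddr, err)
		os.Exit(1)
	}
	_, tcpPort, err := net.SplitHostPort(tcpAddr)
	if err != nil {
		logrus.Errorf("invalid tcp resolver address %q: %v", tcpAddr, err)
		os.Exit(1)
	}

	rules := [][]string{
		// Queries to <resolverIP>:dnsPort are redirected to the real sockets ...
		{"-t", "nat", "-I", outputChain, "-d", resolverIP, "-p", "udp", "--dport", dnsPort, "-j", "DNAT", "--to-destination", udpAddr},
		// ... and replies are rewritten so they appear to come from dnsPort.
		{"-t", "nat", "-I", postroutingchain, "-s", resolverIP, "-p", "udp", "--sport", ipPort, "-j", "SNAT", "--to-source", ":" + dnsPort},
		{"-t", "nat", "-I", outputChain, "-d", resolverIP, "-p", "tcp", "--dport", dnsPort, "-j", "DNAT", "--to-destination", tcpAddr},
		{"-t", "nat", "-I", postroutingchain, "-s", resolverIP, "-p", "tcp", "--sport", tcpPort, "-j", "SNAT", "--to-source", ":" + dnsPort},
	}

	f, err := os.OpenFile(nsPath, os.O_RDONLY, 0)
	if err != nil {
		logrus.Errorf("failed get network namespace %q: %v", nsPath, err)
		os.Exit(2)
	}
	defer f.Close() //nolint:gosec

	if err = netns.Set(netns.NsHandle(f.Fd())); err != nil {
		logrus.Errorf("setting into container net ns %v failed, %v", nsPath, err)
		os.Exit(3)
	}

	// TODO IPv6 support
	iptable := iptables.GetIptable(iptables.IPv4)

	// ensureChain makes sure chain exists and is jumped to from parent for
	// traffic to resolverIP, and leaves it empty so the rules above are
	// inserted fresh. A successful "-C" means the jump (and hence the chain)
	// is already present, so the chain is only flushed; otherwise it is
	// created and the jump inserted. Failures are logged, not fatal, to keep
	// the original best-effort behaviour.
	ensureChain := func(parent, chain string) {
		if err := iptable.RawCombinedOutputNative("-t", "nat", "-C", parent, "-d", resolverIP, "-j", chain); err == nil {
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-F", chain); err != nil {
				logrus.Errorf("flushing chain %s failed: %v", chain, err)
			}
			return
		}
		if err := iptable.RawCombinedOutputNative("-t", "nat", "-N", chain); err != nil {
			logrus.Errorf("creating chain %s failed: %v", chain, err)
		}
		if err := iptable.RawCombinedOutputNative("-t", "nat", "-I", parent, "-d", resolverIP, "-j", chain); err != nil {
			logrus.Errorf("inserting jump from %s to %s failed: %v", parent, chain, err)
		}
	}
	ensureChain("OUTPUT", outputChain)
	ensureChain("POSTROUTING", postroutingchain)

	for _, rule := range rules {
		if err := iptable.RawCombinedOutputNative(rule...); err != nil {
			logrus.Errorf("set up rule failed, %v: %v", rule, err)
		}
	}
}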
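// setupIPTable installs, inside the container network namespace named by
// r.resolverKey, the nat rules that steer DNS traffic to the resolver's
// UDP (r.conn) and TCP (r.tcpListen) listeners. The work is delegated to a
// re-executed copy of the daemon binary ("setup-resolver", handled by
// reexecSetupResolver) because entering a network namespace binds to the
// calling OS thread, which the child can lock for its whole lifetime.
//
// It returns r.err unchanged if the resolver failed to start, and wraps any
// failure of the child process; the child's own diagnostics go to the
// daemon's stdout/stderr.
func (r *resolver) setupIPTable() error {
	if r.err != nil {
		return r.err
	}
	laddr := r.conn.LocalAddr().String()
	ltcpaddr := r.tcpListen.Addr().String()

	// Args[0] must be the reexec registration name; the remaining three are
	// consumed positionally by reexecSetupResolver (netns path, udp, tcp).
	cmd := &exec.Cmd{
		Path:   reexec.Self(),
		Args:   []string{"setup-resolver", r.resolverKey, laddr, ltcpaddr},
		Stdout: os.Stdout,
		Stderr: os.Stderr,
	}
	if err := cmd.Run(); err != nil {
		// %w keeps the *exec.ExitError reachable via errors.As for callers
		// that want the child's exit status.
		return fmt.Errorf("reexec failed: %w", err)
	}
	return nil
}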