moby/libnetwork/resolver_unix.go

//go:build !windows
// +build !windows

package libnetwork

import (
	"fmt"
	"net"

	"github.com/docker/docker/libnetwork/iptables"
)

const (
	// output chain used for docker embedded DNS resolver
	outputChain = "DOCKER_OUTPUT"
	// postrouting chain used for docker embedded DNS resolver
	postroutingChain = "DOCKER_POSTROUTING"
)

func (r *Resolver) setupIPTable() error {
	if r.err != nil {
		return r.err
	}
	laddr := r.conn.LocalAddr().String()
	ltcpaddr := r.tcpListen.Addr().String()
	resolverIP, ipPort, _ := net.SplitHostPort(laddr)
	_, tcpPort, _ := net.SplitHostPort(ltcpaddr)
	rules := [][]string{
		{"-t", "nat", "-I", outputChain, "-d", resolverIP, "-p", "udp", "--dport", dnsPort, "-j", "DNAT", "--to-destination", laddr},
		{"-t", "nat", "-I", postroutingChain, "-s", resolverIP, "-p", "udp", "--sport", ipPort, "-j", "SNAT", "--to-source", ":" + dnsPort},
		{"-t", "nat", "-I", outputChain, "-d", resolverIP, "-p", "tcp", "--dport", dnsPort, "-j", "DNAT", "--to-destination", ltcpaddr},
		{"-t", "nat", "-I", postroutingChain, "-s", resolverIP, "-p", "tcp", "--sport", tcpPort, "-j", "SNAT", "--to-source", ":" + dnsPort},
	}

	var setupErr error
	err := r.backend.ExecFunc(func() {
		// TODO IPv6 support
		iptable := iptables.GetIptable(iptables.IPv4)

		// insert outputChain and postroutingchain
		if iptable.ExistsNative("nat", "OUTPUT", "-d", resolverIP, "-j", outputChain) {
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-F", outputChain); err != nil {
				setupErr = err
				return
			}
		} else {
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-N", outputChain); err != nil {
				setupErr = err
				return
			}
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-I", "OUTPUT", "-d", resolverIP, "-j", outputChain); err != nil {
				setupErr = err
				return
			}
		}

		if iptable.ExistsNative("nat", "POSTROUTING", "-d", resolverIP, "-j", postroutingChain) {
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-F", postroutingChain); err != nil {
				setupErr = err
				return
			}
		} else {
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-N", postroutingChain); err != nil {
				setupErr = err
				return
			}
			if err := iptable.RawCombinedOutputNative("-t", "nat", "-I", "POSTROUTING", "-d", resolverIP, "-j", postroutingChain); err != nil {
				setupErr = err
				return
			}
		}

		for _, rule := range rules {
			if iptable.RawCombinedOutputNative(rule...) != nil {
				setupErr = fmt.Errorf("set up rule failed, %v", rule)
				return
			}
		}
	})
	if err != nil {
		return err
	}
	return setupErr
}