Add --userland-proxy daemon flag
The `--userland-proxy` daemon flag makes it possible to rely on hairpin NAT and additional iptables routes instead of userland proxy for port publishing and inter-container communication. Usage of the userland proxy remains the default as hairpin NAT is unsupported by older kernels. Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
This commit is contained in:
Arnaud Porterie
parent
112ff23e41
commit
baa5a896a2
3 changed files with 8 additions and 8 deletions
|
|
@ -14,7 +14,7 @@ func TestReloaded(t *testing.T) {
|
||||||
var err error
|
var err error
|
||||||
var fwdChain *Chain
|
var fwdChain *Chain
|
||||||
|
|
||||||
fwdChain, err = NewChain("FWD", "lo", Filter)
|
fwdChain, err = NewChain("FWD", "lo", Filter, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -58,7 +58,7 @@ func initCheck() error {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewChain(name, bridge string, table Table) (*Chain, error) {
|
func NewChain(name, bridge string, table Table, hairpinMode bool) (*Chain, error) {
|
||||||
c := &Chain{
|
c := &Chain{
|
||||||
Name: name,
|
Name: name,
|
||||||
Bridge: bridge,
|
Bridge: bridge,
|
||||||
|
|
@ -90,8 +90,10 @@ func NewChain(name, bridge string, table Table) (*Chain, error) {
|
||||||
}
|
}
|
||||||
output := []string{
|
output := []string{
|
||||||
"-m", "addrtype",
|
"-m", "addrtype",
|
||||||
"--dst-type", "LOCAL",
|
"--dst-type", "LOCAL"}
|
||||||
"!", "--dst", "127.0.0.0/8"}
|
if !hairpinMode {
|
||||||
|
output = append(output, "!", "--dst", "127.0.0.0/8")
|
||||||
|
}
|
||||||
if !Exists(Nat, "OUTPUT", output...) {
|
if !Exists(Nat, "OUTPUT", output...) {
|
||||||
if err := c.Output(Append, output...); err != nil {
|
if err := c.Output(Append, output...); err != nil {
|
||||||
return nil, fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
|
return nil, fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err)
|
||||||
|
|
@ -137,7 +139,6 @@ func (c *Chain) Forward(action Action, ip net.IP, port int, proto, destAddr stri
|
||||||
"-p", proto,
|
"-p", proto,
|
||||||
"-d", daddr,
|
"-d", daddr,
|
||||||
"--dport", strconv.Itoa(port),
|
"--dport", strconv.Itoa(port),
|
||||||
"!", "-i", c.Bridge,
|
|
||||||
"-j", "DNAT",
|
"-j", "DNAT",
|
||||||
"--to-destination", net.JoinHostPort(destAddr, strconv.Itoa(destPort))); err != nil {
|
"--to-destination", net.JoinHostPort(destAddr, strconv.Itoa(destPort))); err != nil {
|
||||||
return err
|
return err
|
||||||
|
|
|
||||||
|
|
@ -16,12 +16,12 @@ var filterChain *Chain
|
||||||
func TestNewChain(t *testing.T) {
|
func TestNewChain(t *testing.T) {
|
||||||
var err error
|
var err error
|
||||||
|
|
||||||
natChain, err = NewChain(chainName, "lo", Nat)
|
natChain, err = NewChain(chainName, "lo", Nat, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
filterChain, err = NewChain(chainName, "lo", Filter)
|
filterChain, err = NewChain(chainName, "lo", Filter, false)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Fatal(err)
|
t.Fatal(err)
|
||||||
}
|
}
|
||||||
|
|
@ -40,7 +40,6 @@ func TestForward(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
dnatRule := []string{
|
dnatRule := []string{
|
||||||
"!", "-i", filterChain.Bridge,
|
|
||||||
"-d", ip.String(),
|
"-d", ip.String(),
|
||||||
"-p", proto,
|
"-p", proto,
|
||||||
"--dport", strconv.Itoa(port),
|
"--dport", strconv.Itoa(port),
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue