Commit graph

20 commits

Author SHA1 Message Date
Lars Kellogg-Stedman
ef50a94a9c fix various problems with iptables.Exists
This modifies iptables.Exists so that it must be called with an explicit
table and chain.  This allows us (a) to generate an appropriate command
line for "iptables -C", which was not previously possible, and (b) it
allows us to limit our strings.Contains() search to just the table and
chain in question, preventing erroneous matches against unrelated rules.

Resolves #10781

Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
2015-03-16 17:14:45 -04:00
Phil Estes
3ffffc0cff Move iptables check out of runtime init() to separate function
Due to the iptables package being `init`ed at start of the docker
runtime, this means the iptables --wait command listing all rules
is run, no matter if the command is simply "docker -h".  It makes
more sense to both locate the iptables command and check for the
wait flag support at the time iptables is actually used, as it
may not be used at all if certain network support is off/configured
differently.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-01-20 21:04:22 -05:00
Ian Bishop
18fe796679 Create tests for pkg/iptables
Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
2014-12-21 12:57:32 +10:00
Porjo
7bcd294c4e Create DOCKER forward chain on driver init
Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
2014-12-21 12:57:32 +10:00
Porjo
79e3a90569 Move per-container forward rules to DOCKER chain
Docker-DCO-1.1-Signed-off-by: Ian Bishop <ianbishop@pace7.com> (github: porjo)
2014-12-21 12:57:32 +10:00
Jessica Frazelle
26f399ddf3 Typed errors for iptables chain raw command output. YAYYYYYY.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-11-20 18:07:11 -08:00
Michael Crosby
869842478e Revert "Support hairpin NAT"
This reverts commit 95a400e6e1a3b5da68431e64f9902a3fac218360.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-11-20 14:22:32 -08:00
Patrick Hemmer
21fc078476 Support hairpin NAT
This re-applies commit b39d02b with additional iptables rules to solve the issue with containers routing back into themselves.

The previous issue with this attempt was that the DNAT rule would send traffic back into the container it came from. When this happens you have 2 issues.
1) reverse path filtering. The container is going to see the traffic coming in from the outside and it's going to have a source address of itself. So reverse path filtering will kick in and drop the packet.
2) direct return mismatch. Assuming you turned reverse path filtering off, when the packet comes back in, it's goign to have a source address of itself, thus when the reply traffic is sent, it's going to have a source address of itself. But the original packet was sent to the host IP address, so the traffic will be dropped because it's coming from an address which the original traffic was not sent to (and likely with an incorrect port as well).

The solution to this is to masquerade the traffic when it gets routed back into the origin container. However for this to work you need to enable hairpin mode on the bridge port, otherwise the kernel will just drop the traffic.
The hairpin mode set is part of libcontainer, while the MASQ change is part of docker.

This reverts commit 63c303eecdbaf4dc7967fd51b82cd447c778cecc.

Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer)
2014-11-03 23:09:08 -05:00
Alexandr Morozov
712a6554ce Use logrus everywhere for logging
Fixed #8761

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-24 15:03:06 -07:00
Vincent Batts
d53bedb1b7 daemon logging: unifying output and timestamps
A little refactor of the ./pkg/log so engine can have a logger instance

Signed-off-by: Vincent Batts <vbatts@redhat.com>
2014-09-26 14:44:46 -04:00
Jessica Frazelle
3ed103c543 Fix duplicate iptables rules
If iptables version is < 1.4.11, try to delete the rule vs. checking if it exists. Fixes #6831.

Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jfrazelle@users.noreply.github.com> (github: jfrazelle)
2014-09-07 15:12:19 -07:00
Victor Vieux
6d70b5e210 use stderr to debug iptables
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-05-30 19:39:42 +00:00
Giuseppe Mazzotta
d68100ec34 * do not consider iptables' output an error in case of xtables lock
Docker-DCO-1.1-Signed-off-by: Giuseppe Mazzotta <gdm85@users.noreply.github.com> (github: gdm85)
2014-05-29 15:57:29 +02:00
Michael Crosby
1c07f75e6f Add check for iptables xlock support
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 14:18:50 -07:00
Michael Crosby
cc706701b0 Add wait flag to iptables
Fixes #1573
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 01:24:58 +00:00
Michael Crosby
1df38475cd Revert "Support hairpin NAT without going through docker server"
This reverts commit b39d02b611f1cc0af283f417b73bf0d36f26277a.

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-09 11:55:08 +00:00
Darren Shepherd
3d2d4a0624 Support hairpin NAT without going through docker server
Hairpin NAT is currently done by passing through the docker server.  If
two containers on the same box try to access each other through exposed
ports and using the host IP the current iptables rules will not match the
DNAT and thus the traffic goes to 'docker -d'

This change drops the restriction that DNAT traffic must not originate
from docker0.  It should be safe to drop this restriction because the
DOCKER chain is already gated by jumps that check for the destination
address to be a local address.

Docker-DCO-1.1-Signed-off-by: Darren Shepherd <darren.s.shepherd@gmail.com> (github: ibuildthecloud)
2014-03-03 21:53:57 -07:00
Josh Poimboeuf
a298bd3b63 iptables: use dest_addr and dest_port for public port FORWARD rule
Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
2014-02-04 11:32:50 -06:00
Josh Poimboeuf
c6b78b9d31 network: add publicly mapped ports to FORWARD table
Allow publicly mapped ports to be made public beyond the host.  This is
needed for distros like Fedora and RHEL which have a reject all rule at
the end of their FORWARD table.

Docker-DCO-1.1-Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com> (github: jpoimboe)
2014-01-28 13:11:49 -06:00
Solomon Hykes
fe61edbb36 Move utility package 'iptables' to pkg/iptables 2014-01-06 15:41:24 -08:00