docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3759 from jpoimboe/links-iptables-cleanup 

network: remove unnecessary links iptables rule for return traffic
This commit is contained in:
Guillaume J. Charmes 2014-01-28 11:10:36 -08:00
parent 13ee6d8eee 5c04f1bcc7
commit d4ea6308fd
2 changed files with 23 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
links.go
View File

@ -131,18 +131,6 @@ func (l *Link) toggle(action string, ignoreErrors bool) error {
} else if len(output) != 0 { } else if len(output) != 0 {
return fmt.Errorf("Error toggle iptables forward: %s", output) return fmt.Errorf("Error toggle iptables forward: %s", output)
} }
if output, err := iptables.Raw(action, "FORWARD",
"-i", l.BridgeInterface, "-o", l.BridgeInterface,
"-p", p.Proto(),
"-s", l.ChildIP,
"--sport", p.Port(),
"-d", l.ParentIP,
"-j", "ACCEPT"); !ignoreErrors && err != nil {
return err
} else if len(output) != 0 {
return fmt.Errorf("Error toggle iptables forward: %s", output)
}
} }
return nil return nil
} }

45
network.go
View File

@ -450,28 +450,6 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
} }
} }
// Accept incoming packets for existing connections
existingArgs := []string{"FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
if !iptables.Exists(existingArgs...) {
if output, err := iptables.Raw(append([]string{"-I"}, existingArgs...)...); err != nil {
return nil, fmt.Errorf("Unable to allow incoming packets: %s", err)
} else if len(output) != 0 {
return nil, fmt.Errorf("Error iptables allow incoming: %s", output)
}
}
// Accept all non-intercontainer outgoing packets
outgoingArgs := []string{"FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"}
if !iptables.Exists(outgoingArgs...) {
if output, err := iptables.Raw(append([]string{"-I"}, outgoingArgs...)...); err != nil {
return nil, fmt.Errorf("Unable to allow outgoing packets: %s", err)
} else if len(output) != 0 {
return nil, fmt.Errorf("Error iptables allow outgoing: %s", output)
}
}
args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"} args := []string{"FORWARD", "-i", config.BridgeIface, "-o", config.BridgeIface, "-j"}
acceptArgs := append(args, "ACCEPT") acceptArgs := append(args, "ACCEPT")
dropArgs := append(args, "DROP") dropArgs := append(args, "DROP")
@ -497,6 +475,29 @@ func newNetworkManager(config *DaemonConfig) (*NetworkManager, error) {
} }
} }
} }
// Accept all non-intercontainer outgoing packets
outgoingArgs := []string{"FORWARD", "-i", config.BridgeIface, "!", "-o", config.BridgeIface, "-j", "ACCEPT"}
if !iptables.Exists(outgoingArgs...) {
if output, err := iptables.Raw(append([]string{"-I"}, outgoingArgs...)...); err != nil {
return nil, fmt.Errorf("Unable to allow outgoing packets: %s", err)
} else if len(output) != 0 {
return nil, fmt.Errorf("Error iptables allow outgoing: %s", output)
}
}
// Accept incoming packets for existing connections
existingArgs := []string{"FORWARD", "-o", config.BridgeIface, "-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"}
if !iptables.Exists(existingArgs...) {
if output, err := iptables.Raw(append([]string{"-I"}, existingArgs...)...); err != nil {
return nil, fmt.Errorf("Unable to allow incoming packets: %s", err)
} else if len(output) != 0 {
return nil, fmt.Errorf("Error iptables allow incoming: %s", output)
}
}
} }
portMapper, err := newPortMapper(config) portMapper, err := newPortMapper(config)