Diffstat (limited to 'vendor/github.com/docker/libnetwork/drivers/overlay/filter.go')
-rw-r--r--vendor/github.com/docker/libnetwork/drivers/overlay/filter.go38
1 files changed, 23 insertions, 15 deletions
diff --git a/vendor/github.com/docker/libnetwork/drivers/overlay/filter.go b/vendor/github.com/docker/libnetwork/drivers/overlay/filter.go
index 1601803aa0..853afc6a80 100644
--- a/vendor/github.com/docker/libnetwork/drivers/overlay/filter.go
+++ b/vendor/github.com/docker/libnetwork/drivers/overlay/filter.go
@@ -20,7 +20,9 @@ func filterWait() func() {
}
func chainExists(cname string) bool {
- if _, err := iptables.Raw("-L", cname); err != nil {
+ // TODO IPv6 support
+ iptable := iptables.GetIptable(iptables.IPv4)
+ if _, err := iptable.Raw("-L", cname); err != nil {
return false
}
@@ -28,22 +30,26 @@ func chainExists(cname string) bool {
}
func setupGlobalChain() {
+ // TODO IPv6 support
+ iptable := iptables.GetIptable(iptables.IPv4)
// Because of an ungraceful shutdown, chain could already be present
if !chainExists(globalChain) {
- if err := iptables.RawCombinedOutput("-N", globalChain); err != nil {
+ if err := iptable.RawCombinedOutput("-N", globalChain); err != nil {
logrus.Errorf("could not create global overlay chain: %v", err)
return
}
}
- if !iptables.Exists(iptables.Filter, globalChain, "-j", "RETURN") {
- if err := iptables.RawCombinedOutput("-A", globalChain, "-j", "RETURN"); err != nil {
+ if !iptable.Exists(iptables.Filter, globalChain, "-j", "RETURN") {
+ if err := iptable.RawCombinedOutput("-A", globalChain, "-j", "RETURN"); err != nil {
logrus.Errorf("could not install default return chain in the overlay global chain: %v", err)
}
}
}
func setNetworkChain(cname string, remove bool) error {
+ // TODO IPv6 support
+ iptable := iptables.GetIptable(iptables.IPv4)
// Initialize the onetime global overlay chain
filterOnce.Do(setupGlobalChain)
@@ -52,21 +58,21 @@ func setNetworkChain(cname string, remove bool) error {
opt := "-N"
// In case of remove, make sure to flush the rules in the chain
if remove && exists {
- if err := iptables.RawCombinedOutput("-F", cname); err != nil {
+ if err := iptable.RawCombinedOutput("-F", cname); err != nil {
return fmt.Errorf("failed to flush overlay network chain %s rules: %v", cname, err)
}
opt = "-X"
}
if (!remove && !exists) || (remove && exists) {
- if err := iptables.RawCombinedOutput(opt, cname); err != nil {
+ if err := iptable.RawCombinedOutput(opt, cname); err != nil {
return fmt.Errorf("failed network chain operation %q for chain %s: %v", opt, cname, err)
}
}
if !remove {
- if !iptables.Exists(iptables.Filter, cname, "-j", "DROP") {
- if err := iptables.RawCombinedOutput("-A", cname, "-j", "DROP"); err != nil {
+ if !iptable.Exists(iptables.Filter, cname, "-j", "DROP") {
+ if err := iptable.RawCombinedOutput("-A", cname, "-j", "DROP"); err != nil {
return fmt.Errorf("failed adding default drop rule to overlay network chain %s: %v", cname, err)
}
}
@@ -92,37 +98,39 @@ func setFilters(cname, brName string, remove bool) error {
if remove {
opt = "-D"
}
+ // TODO IPv6 support
+ iptable := iptables.GetIptable(iptables.IPv4)
// Every time we set filters for a new subnet make sure to move the global overlay hook to the top of the both the OUTPUT and forward chains
if !remove {
for _, chain := range []string{"OUTPUT", "FORWARD"} {
- exists := iptables.Exists(iptables.Filter, chain, "-j", globalChain)
+ exists := iptable.Exists(iptables.Filter, chain, "-j", globalChain)
if exists {
- if err := iptables.RawCombinedOutput("-D", chain, "-j", globalChain); err != nil {
+ if err := iptable.RawCombinedOutput("-D", chain, "-j", globalChain); err != nil {
return fmt.Errorf("failed to delete overlay hook in chain %s while moving the hook: %v", chain, err)
}
}
- if err := iptables.RawCombinedOutput("-I", chain, "-j", globalChain); err != nil {
+ if err := iptable.RawCombinedOutput("-I", chain, "-j", globalChain); err != nil {
return fmt.Errorf("failed to insert overlay hook in chain %s: %v", chain, err)
}
}
}
// Insert/Delete the rule to jump to per-bridge chain
- exists := iptables.Exists(iptables.Filter, globalChain, "-o", brName, "-j", cname)
+ exists := iptable.Exists(iptables.Filter, globalChain, "-o", brName, "-j", cname)
if (!remove && !exists) || (remove && exists) {
- if err := iptables.RawCombinedOutput(opt, globalChain, "-o", brName, "-j", cname); err != nil {
+ if err := iptable.RawCombinedOutput(opt, globalChain, "-o", brName, "-j", cname); err != nil {
return fmt.Errorf("failed to add per-bridge filter rule for bridge %s, network chain %s: %v", brName, cname, err)
}
}
- exists = iptables.Exists(iptables.Filter, cname, "-i", brName, "-j", "ACCEPT")
+ exists = iptable.Exists(iptables.Filter, cname, "-i", brName, "-j", "ACCEPT")
if (!remove && exists) || (remove && !exists) {
return nil
}
- if err := iptables.RawCombinedOutput(opt, cname, "-i", brName, "-j", "ACCEPT"); err != nil {
+ if err := iptable.RawCombinedOutput(opt, cname, "-i", brName, "-j", "ACCEPT"); err != nil {
return fmt.Errorf("failed to add overlay filter rile for network chain %s, bridge %s: %v", cname, brName, err)
}