Switch to using go-iptables

Godeps/Godeps.json

@@ -35,6 +35,10 @@
 			"Comment": "v2.0.0-3-g0424b5f",
 			"Rev": "0424b5f86ef0ca57a5309c599f74bbb3e97ecd9d"
 		},
+		{
+			"ImportPath": "github.com/coreos/go-iptables/iptables",
+			"Rev": "74b0926558061d3a23824e9c18c9cf9c1b9c11f4"
+		},
 		{
 			"ImportPath": "github.com/coreos/go-systemd/activation",
 			"Comment": "v2-26-ga606a1e",

pkg/ip/iptables.go → Godeps/_workspace/src/github.com/coreos/go-iptables/iptables/iptables.go

@@ -12,12 +12,12 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-package ip
+package iptables
 
 import (
 	"bytes"
 	"fmt"
-	log "github.com/coreos/flannel/Godeps/_workspace/src/github.com/golang/glog"
+	"log"
 	"os/exec"
 	"regexp"
 	"strconv"
@@ -25,11 +25,25 @@ import (
 	"syscall"
 )
 
+// Adds the output of stderr to exec.ExitError
+type Error struct {
+	exec.ExitError
+	msg string
+}
+
+func (e *Error) ExitStatus() int {
+	return e.Sys().(syscall.WaitStatus).ExitStatus()
+}
+
+func (e *Error) Error() string {
+	return fmt.Sprintf("exit status %v: %v", e.ExitStatus(), e.msg)
+}
+
 type IPTables struct {
 	path string
 }
 
-func NewIPTables() (*IPTables, error) {
+func New() (*IPTables, error) {
 	path, err := exec.LookPath("iptables")
 	if err != nil {
 		return nil, err
@@ -38,65 +52,128 @@ func NewIPTables() (*IPTables, error) {
 	return &IPTables{path}, nil
 }
 
-func (ipt *IPTables) Exists(table string, args ...string) (bool, error) {
+// Exists checks if given rulespec in specified table/chain exists
+func (ipt *IPTables) Exists(table, chain string, rulespec ...string) (bool, error) {
 	checkPresent, err := getIptablesHasCheckCommand()
 	if err != nil {
-		log.Warningf("Error checking iptables version, assuming version at least 1.4.11: %v\n", err)
+		log.Printf("Error checking iptables version, assuming version at least 1.4.11: %v", err)
 		checkPresent = true
 	}
 
 	if !checkPresent {
-		cmd := append([]string{"-A"}, args...)
+		cmd := append([]string{"-A", chain}, rulespec...)
 		return existsForOldIpTables(table, strings.Join(cmd, " "))
 	} else {
-		cmd := append([]string{"-t", table, "-C"}, args...)
-		err = exec.Command(ipt.path, cmd...).Run()
-	}
-	switch {
-	case err == nil:
-		return true, nil
-	case err.(*exec.ExitError).Sys().(syscall.WaitStatus).ExitStatus() == 1:
-		return false, nil
-	default:
-		return false, err
+		cmd := append([]string{"-t", table, "-C", chain}, rulespec...)
+		err := ipt.run(cmd...)
+
+		switch {
+		case err == nil:
+			return true, nil
+		case err.(*Error).ExitStatus() == 1:
+			return false, nil
+		default:
+			return false, err
+		}
 	}
 }
 
-func (ipt *IPTables) Append(table string, args ...string) error {
-	cmd := append([]string{"-t", table, "-A"}, args...)
-	return exec.Command(ipt.path, cmd...).Run()
+// Insert inserts rulespec to specified table/chain (in specified pos)
+func (ipt *IPTables) Insert(table, chain string, pos int, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-I", chain, strconv.Itoa(pos)}, rulespec...)
+	return ipt.run(cmd...)
+}
+
+// Append appends rulespec to specified table/chain
+func (ipt *IPTables) Append(table, chain string, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-A", chain}, rulespec...)
+	return ipt.run(cmd...)
 }
 
 // AppendUnique acts like Append except that it won't add a duplicate
-func (ipt *IPTables) AppendUnique(table string, args ...string) error {
-	exists, err := ipt.Exists(table, args...)
+func (ipt *IPTables) AppendUnique(table, chain string, rulespec ...string) error {
+	exists, err := ipt.Exists(table, chain, rulespec...)
 	if err != nil {
 		return err
 	}
 
 	if !exists {
-		return ipt.Append(table, args...)
+		return ipt.Append(table, chain, rulespec...)
 	}
 
 	return nil
 }
 
+// Delete removes rulespec in specified table/chain
+func (ipt *IPTables) Delete(table, chain string, rulespec ...string) error {
+	cmd := append([]string{"-t", table, "-D", chain}, rulespec...)
+	return ipt.run(cmd...)
+}
+
+// List rules in specified table/chain
+func (ipt *IPTables) List(table, chain string) ([]string, error) {
+	var stdout, stderr bytes.Buffer
+	cmd := exec.Cmd{
+		Path:   ipt.path,
+		Args:   []string{ipt.path, "--wait", "-t", table, "-S", chain},
+		Stdout: &stdout,
+		Stderr: &stderr,
+	}
+
+	if err := cmd.Run(); err != nil {
+		return nil, &Error{*(err.(*exec.ExitError)), stderr.String()}
+	}
+
+	rules := strings.Split(stdout.String(), "\n")
+	if len(rules) > 0 && rules[len(rules)-1] == "" {
+		rules = rules[:len(rules)-1]
+	}
+
+	return rules, nil
+}
+
+func (ipt *IPTables) NewChain(table, chain string) error {
+	return ipt.run("-t", table, "-N", chain)
+}
+
+// ClearChain flushed (deletes all rules) in the specifed table/chain.
+// If the chain does not exist, new one will be created
 func (ipt *IPTables) ClearChain(table, chain string) error {
-	cmd := append([]string{"-t", table, "-N", chain})
-	err := exec.Command(ipt.path, cmd...).Run()
+	err := ipt.NewChain(table, chain)
 
 	switch {
 	case err == nil:
 		return nil
-	case err.(*exec.ExitError).Sys().(syscall.WaitStatus).ExitStatus() == 1:
+	case err.(*Error).ExitStatus() == 1:
 		// chain already exists. Flush (clear) it.
-		cmd := append([]string{"-t", table, "-F", chain})
-		return exec.Command(ipt.path, cmd...).Run()
+		return ipt.run("-t", table, "-F", chain)
 	default:
 		return err
 	}
 }
 
+// DeleteChain deletes the chain in the specified table.
+// The chain must be empty
+func (ipt *IPTables) DeleteChain(table, chain string) error {
+	return ipt.run("-t", table, "-X", chain)
+}
+
+func (ipt *IPTables) run(args ...string) error {
+	var stderr bytes.Buffer
+	args = append([]string{"--wait"}, args...)
+	cmd := exec.Cmd{
+		Path:   ipt.path,
+		Args:   append([]string{ipt.path}, args...),
+		Stderr: &stderr,
+	}
+
+	if err := cmd.Run(); err != nil {
+		return &Error{*(err.(*exec.ExitError)), stderr.String()}
+	}
+
+	return nil
+}
+
 // Checks if iptables has the "-C" flag
 func getIptablesHasCheckCommand() (bool, error) {
 	vstring, err := getIptablesVersionString()

Godeps/_workspace/src/github.com/coreos/go-iptables/iptables/iptables_test.go

@@ -0,0 +1,136 @@
+// Copyright 2015 CoreOS, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package iptables
+
+import (
+	"crypto/rand"
+	"math/big"
+	"reflect"
+	"testing"
+)
+
+func randChain(t *testing.T) string {
+	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
+	if err != nil {
+		t.Fatalf("Failed to generate random chain name: %v", err)
+	}
+
+	return "TEST-" + n.String()
+}
+
+func TestChain(t *testing.T) {
+	chain := randChain(t)
+
+	ipt, err := New()
+	if err != nil {
+		t.Fatalf("New failed: %v", err)
+	}
+
+	// chain shouldn't exist, this will create new
+	err = ipt.ClearChain("filter", chain)
+	if err != nil {
+		t.Fatalf("ClearChain (of missing) failed: %v", err)
+	}
+
+	// chain now exists
+	err = ipt.ClearChain("filter", chain)
+	if err != nil {
+		t.Fatalf("ClearChain (of empty) failed: %v", err)
+	}
+
+	// put a simple rule in
+	err = ipt.Append("filter", chain, "-s", "0.0.0.0/0", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("Append failed: %v", err)
+	}
+
+	// can't delete non-empty chain
+	err = ipt.DeleteChain("filter", chain)
+	if err == nil {
+		t.Fatalf("DeleteChain of non-empty chain did not fail")
+	}
+
+	err = ipt.ClearChain("filter", chain)
+	if err != nil {
+		t.Fatalf("ClearChain (of non-empty) failed: %v", err)
+	}
+
+	// chain empty, should be ok
+	err = ipt.DeleteChain("filter", chain)
+	if err != nil {
+		t.Fatalf("DeleteChain of empty chain failed: %v", err)
+	}
+}
+
+func TestRules(t *testing.T) {
+	chain := randChain(t)
+
+	ipt, err := New()
+	if err != nil {
+		t.Fatalf("New failed: %v", err)
+	}
+
+	// chain shouldn't exist, this will create new
+	err = ipt.ClearChain("filter", chain)
+	if err != nil {
+		t.Fatalf("ClearChain (of missing) failed: %v", err)
+	}
+
+	err = ipt.Append("filter", chain, "-s", "10.1.0.0/16", "-d", "8.8.8.8/32", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("Append failed: %v", err)
+	}
+
+	err = ipt.AppendUnique("filter", chain, "-s", "10.1.0.0/16", "-d", "8.8.8.8/32", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("AppendUnique failed: %v", err)
+	}
+
+	err = ipt.Append("filter", chain, "-s", "10.2.0.0/16", "-d", "8.8.8.8/32", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("Append failed: %v", err)
+	}
+
+	err = ipt.Insert("filter", chain, 2, "-s", "10.2.0.0/16", "-d", "9.9.9.9/32", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("Insert failed: %v", err)
+	}
+
+	err = ipt.Insert("filter", chain, 1, "-s", "10.1.0.0/16", "-d", "9.9.9.9/32", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("Insert failed: %v", err)
+	}
+
+	err = ipt.Delete("filter", chain, "-s", "10.1.0.0/16", "-d", "9.9.9.9/32", "-j", "ACCEPT")
+	if err != nil {
+		t.Fatalf("Delete failed: %v", err)
+	}
+
+	rules, err := ipt.List("filter", chain)
+	if err != nil {
+		t.Fatalf("List failed: %v", err)
+	}
+
+	expected := []string{
+		"-N " + chain,
+		"-A " + chain + " -s 10.1.0.0/16 -d 8.8.8.8/32 -j ACCEPT",
+		"-A " + chain + " -s 10.2.0.0/16 -d 9.9.9.9/32 -j ACCEPT",
+		"-A " + chain + " -s 10.2.0.0/16 -d 8.8.8.8/32 -j ACCEPT",
+	}
+
+	if !reflect.DeepEqual(rules, expected) {
+		t.Fatalf("List mismatch: \ngot  %#v \nneed %#v", rules, expected)
+	}
+}

network/ipmasq.go

@@ -18,13 +18,14 @@ import (
 	"fmt"
 	"strings"
 
+	"github.com/coreos/flannel/Godeps/_workspace/src/github.com/coreos/go-iptables/iptables"
 	log "github.com/coreos/flannel/Godeps/_workspace/src/github.com/golang/glog"
 
 	"github.com/coreos/flannel/pkg/ip"
 )
 
 func setupIPMasq(ipn ip.IP4Net) error {
-	ipt, err := ip.NewIPTables()
+	ipt, err := iptables.New()
 	if err != nil {
 		return fmt.Errorf("failed to setup IP Masquerade. iptables was not found")
 	}
@@ -43,10 +44,12 @@ func setupIPMasq(ipn ip.IP4Net) error {
 		{"POSTROUTING", "-s", ipn.String(), "-j", "FLANNEL"},
 	}
 
-	for _, args := range rules {
-		log.Info("Adding iptables rule: ", strings.Join(args, " "))
+	for _, rule := range rules {
+		log.Info("Adding iptables rule: ", strings.Join(rule, " "))
+		chain := rule[0]
+		args := rule[1:len(rule)]
 
-		err = ipt.AppendUnique("nat", args...)
+		err = ipt.AppendUnique("nat", chain, args...)
 		if err != nil {
 			return fmt.Errorf("Failed to insert IP masquerade rule: %v", err)
 		}