
  1. // Copyright 2015 flannel authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package network
  15. import (
  16. "fmt"
  17. "strings"
  18. log "github.com/golang/glog"
  19. "github.com/coreos/flannel/pkg/ip"
  20. "github.com/coreos/flannel/subnet"
  21. )
// IPTablesRules is the subset of iptables operations this package needs
// to manage the nat POSTROUTING masquerade rules.
type IPTablesRules interface {
	// AppendUnique adds rulespec to chain in table unless an identical
	// rule is already present.
	AppendUnique(table, chain string, rulespec ...string) error
	// Delete removes rulespec from chain in table.
	Delete(table, chain string, rulespec ...string) error
	// Exists reports whether rulespec is present in chain in table.
	Exists(table, chain string, rulespec ...string) (bool, error)
}
// rules returns the nat POSTROUTING rules flannel installs for the overlay
// network ipn and the subnet of lease, in the order they are installed
// (EnsureIPMasq relies on that order). Each element is one iptables rulespec.
func rules(ipn ip.IP4Net, lease *subnet.Lease) [][]string {
	overlay := ipn.String()
	local := lease.Subnet.String()

	ruleset := make([][]string, 0, 4)
	// Traffic that stays inside the overlay network (e.g. leaving docker0) is not NATed.
	ruleset = append(ruleset, []string{"-s", overlay, "-d", overlay, "-j", "RETURN"})
	// Everything else leaving the overlay is masqueraded, except multicast.
	ruleset = append(ruleset, []string{"-s", overlay, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"})
	// External traffic addressed to the lease's own subnet is left alone, so a
	// node that owns a container/pod address is not masqueraded on the way in.
	ruleset = append(ruleset, []string{"!", "-s", overlay, "-d", local, "-j", "RETURN"})
	// Host traffic headed into the overlay is masqueraded.
	ruleset = append(ruleset, []string{"!", "-s", overlay, "-d", overlay, "-j", "MASQUERADE"})
	return ruleset
}
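// ipMasqRulesExist reports whether every rule from rules(ipn, lease) is
// already present in the nat POSTROUTING chain. It stops at the first
// missing rule. An error from ipt.Exists is returned with context; in that
// case the bool result is meaningless.
func ipMasqRulesExist(ipt IPTablesRules, ipn ip.IP4Net, lease *subnet.Lease) (bool, error) {
	for _, rule := range rules(ipn, lease) {
		exists, err := ipt.Exists("nat", "POSTROUTING", rule...)
		if err != nil {
			// this shouldn't ever happen. The format string needs a verb,
			// otherwise err is rendered as an %!(EXTRA ...) artifact instead
			// of the underlying cause.
			return false, fmt.Errorf("failed to check rule existence: %v", err)
		}
		if !exists {
			return false, nil
		}
	}
	return true, nil
}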
// EnsureIPMasq makes sure the full masquerade ruleset for ipn and lease is
// installed in the nat POSTROUTING chain. If every rule is already present
// nothing is changed. If any rule is missing, all of them are torn down and
// re-added so that their relative order is preserved; note that traffic
// leaving the overlay during that short window sees no masquerade rules.
func EnsureIPMasq(ipt IPTablesRules, ipn ip.IP4Net, lease *subnet.Lease) error {
	allPresent, err := ipMasqRulesExist(ipt, ipn, lease)
	if err != nil {
		return fmt.Errorf("Error checking rule existence: %v", err)
	}
	if allPresent {
		// nothing to do: the chain already holds every rule
		return nil
	}

	// Rule order matters, so rebuild the whole set instead of patching gaps.
	log.Info("Some iptables rules are missing; deleting and recreating rules")
	TeardownIPMasq(ipt, ipn, lease)
	if setupErr := SetupIPMasq(ipt, ipn, lease); setupErr != nil {
		return fmt.Errorf("Error setting up rules: %v", setupErr)
	}
	return nil
}
// SetupIPMasq appends each rule from rules(ipn, lease) to the nat
// POSTROUTING chain, skipping rules that are already present. It stops at
// the first rule that cannot be added and returns that error with context.
func SetupIPMasq(ipt IPTablesRules, ipn ip.IP4Net, lease *subnet.Lease) error {
	for _, spec := range rules(ipn, lease) {
		log.Info("Adding iptables rule: ", strings.Join(spec, " "))
		if err := ipt.AppendUnique("nat", "POSTROUTING", spec...); err != nil {
			return fmt.Errorf("failed to insert IP masquerade rule: %v", err)
		}
	}
	return nil
}
// TeardownIPMasq removes each rule from rules(ipn, lease) from the nat
// POSTROUTING chain. Deletion errors are deliberately ignored: the expected
// cause is that the rule is not present, which is the desired end state.
func TeardownIPMasq(ipt IPTablesRules, ipn ip.IP4Net, lease *subnet.Lease) {
	for _, spec := range rules(ipn, lease) {
		log.Info("Deleting iptables rule: ", strings.Join(spec, " "))
		// best effort: a missing rule needs no deletion
		_ = ipt.Delete("nat", "POSTROUTING", spec...)
	}
}