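#!/bin/bash
#
# Host-side iptables plumbing (filter + nat tables) for garden-linux
# containers.
#
# Usage: net.sh setup|teardown
#
#   setup     tears down any previous state, (re)creates the filter and nat
#             chains the containers hang off, and enables IPv4 forwarding
#   teardown  removes the rules and chains this script creates (and the
#             deprecated garden-dispatch chain of earlier versions)
#
# Required environment:
#   GARDEN_IPTABLES_FILTER_INPUT_CHAIN      chain jumped to from INPUT
#   GARDEN_IPTABLES_FILTER_FORWARD_CHAIN    chain jumped to from FORWARD
#   GARDEN_IPTABLES_FILTER_DEFAULT_CHAIN    chain holding the conntrack accept
#   GARDEN_IPTABLES_FILTER_INSTANCE_PREFIX  prefix of per-instance filter chains
#   GARDEN_IPTABLES_NAT_PREROUTING_CHAIN    chain jumped to from nat PREROUTING/OUTPUT
#   GARDEN_IPTABLES_NAT_POSTROUTING_CHAIN   chain jumped to from nat POSTROUTING
#   GARDEN_IPTABLES_NAT_INSTANCE_PREFIX     prefix of per-instance nat chains
#   GARDEN_NETWORK_INTERFACE_PREFIX         prefix of the host-side container interfaces
#   GARDEN_IPTABLES_ALLOW_HOST_ACCESS       "true" lets container traffic reach the host
#   DEBUG                                   non-empty turns on command tracing
#
# Chain and prefix names are substituted into grep patterns unescaped, so
# they must not contain regex metacharacters; they are operator-supplied
# configuration, never data taken from a container.
#
# pipefail is deliberately NOT set: the grep|sed|xargs pipelines below rely
# on a non-matching grep (exit 1) being harmless.

[[ -n "${DEBUG:-}" ]] && set -o xtrace
set -o nounset
set -o errexit
shopt -s nullglob

readonly filter_input_chain="${GARDEN_IPTABLES_FILTER_INPUT_CHAIN}"
readonly filter_forward_chain="${GARDEN_IPTABLES_FILTER_FORWARD_CHAIN}"
readonly filter_default_chain="${GARDEN_IPTABLES_FILTER_DEFAULT_CHAIN}"
readonly filter_instance_prefix="${GARDEN_IPTABLES_FILTER_INSTANCE_PREFIX}"
readonly nat_prerouting_chain="${GARDEN_IPTABLES_NAT_PREROUTING_CHAIN}"
readonly nat_postrouting_chain="${GARDEN_IPTABLES_NAT_POSTROUTING_CHAIN}"
readonly nat_instance_prefix="${GARDEN_IPTABLES_NAT_INSTANCE_PREFIX}"
readonly interface_name_prefix="${GARDEN_NETWORK_INTERFACE_PREFIX}"

#######################################
# Print a message to stderr and exit with status 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# List rules with `iptables -S` and re-issue every line matching PATTERN
# with its leading verb swapped, e.g. "-A chain ..." becomes
# "-D chain ..." (delete rule) or "-N chain" becomes "-X chain" (delete
# chain). A missing chain makes the listing fail silently, grep then sees
# no input and xargs runs nothing, so callers need no existence check.
# Arguments:
#   $1 - table (filter or nat)
#   $2 - chain to list, or "" for the whole table
#   $3 - basic regex matched against each listed line
#   $4 - verb to replace at the start of the line (default -A)
#   $5 - replacement verb (default -D)
# Returns: status of the xargs stage (non-zero if a re-issued command failed)
#######################################
replay_matching() {
  local table=$1 chain=$2 pattern=$3
  local from=${4:-"-A"} to=${5:-"-D"}
  local -a list_args=(-w -t "$table" -S)
  if [[ -n "$chain" ]]; then
    list_args+=("$chain")
  fi
  iptables "${list_args[@]}" 2>/dev/null |
    grep -- "$pattern" |
    sed -e "s/^${from}/${to}/" -e 's/\s\+$//' |
    xargs --no-run-if-empty --max-lines=1 iptables -w -t "$table"
}

#######################################
# Flush a chain, ignoring the error when it does not exist.
# Arguments: $1 - table, $2 - chain
#######################################
flush_chain() {
  iptables -w -t "$1" -F "$2" 2>/dev/null || true
}

#######################################
# Delete a chain, ignoring the error when it does not exist or is in use.
# Arguments: $1 - table, $2 - chain
#######################################
delete_chain() {
  iptables -w -t "$1" -X "$2" 2>/dev/null || true
}

#######################################
# Make sure a chain exists and is empty: create it, or flush it if the
# create fails because it is already there.
# Arguments: $1 - table, $2 - chain
#######################################
create_or_flush_chain() {
  local table=$1 chain=$2
  iptables -w -t "$table" -N "$chain" 2>/dev/null || iptables -w -t "$table" -F "$chain"
}

#######################################
# Append a jump from a built-in chain to CHAIN unless one is already
# present, so repeated setups do not stack duplicate jumps.
# Arguments:
#   $1 - table
#   $2 - built-in chain (PREROUTING, OUTPUT, POSTROUTING, ...)
#   $3 - target chain
#   $@ - optional extra match arguments placed before --jump
#######################################
ensure_jump() {
  local table=$1 builtin=$2 chain=$3
  shift 3
  if ! iptables -w -t "$table" -S "$builtin" | grep -q -- "-j ${chain}\b"; then
    iptables -w -t "$table" -A "$builtin" "$@" --jump "$chain"
  fi
}

#######################################
# Print the device of the first default route, or nothing if there is
# none. Scans for the "dev" token instead of a fixed column so routes
# with and without "via" are both handled.
#######################################
default_interface() {
  ip route show 2>/dev/null |
    awk '$1 == "default" { for (i = 2; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

#######################################
# Unhook, flush and delete the deprecated garden-dispatch chain.
#######################################
teardown_deprecated_rules() {
  replay_matching filter INPUT " -j garden-dispatch"
  replay_matching filter FORWARD " -j garden-dispatch"
  flush_chain filter garden-dispatch
  delete_chain filter garden-dispatch
}

#######################################
# Remove everything setup_filter created in the filter table.
# Globals (read): filter_*_chain, filter_instance_prefix
#######################################
teardown_filter() {
  teardown_deprecated_rules

  # Remove the jumps from the forward chain into per-instance chains
  replay_matching filter "$filter_forward_chain" "-g ${filter_instance_prefix}"

  # Empty, then delete, every per-instance chain
  replay_matching filter "" "^-A ${filter_instance_prefix}"
  replay_matching filter "" "^-N ${filter_instance_prefix}" -N -X

  # Unhook the forward chain from FORWARD; flush it and the default chain
  # (both are left in place, setup recreates or flushes them)
  replay_matching filter FORWARD " -j ${filter_forward_chain}"
  flush_chain filter "$filter_forward_chain"
  flush_chain filter "$filter_default_chain"

  # Unhook the input chain from INPUT, then empty and delete it
  replay_matching filter INPUT " -j ${filter_input_chain}"
  flush_chain filter "$filter_input_chain"
  delete_chain filter "$filter_input_chain"
}

#######################################
# Build the filter-table chains: an input chain deciding whether container
# traffic may reach the host, a forward chain ending in DROP, and a
# default chain accepting established connections.
# Globals (read): filter_*_chain, interface_name_prefix,
#                 GARDEN_IPTABLES_ALLOW_HOST_ACCESS
# Exits: via die when no default route exists
#######################################
setup_filter() {
  local outside_if

  teardown_filter

  # Determine interface device to the outside; an empty name would make
  # the -i rules below fail with an opaque iptables error
  outside_if=$(default_interface)
  [[ -n "$outside_if" ]] || die "net.sh: no default route found, cannot determine outside interface"

  # Create, or empty existing, filter input chain
  create_or_flush_chain filter "$filter_input_chain"

  # Accept inbound packets if default interface is matched by filter prefix
  iptables -w -I "$filter_input_chain" -i "$outside_if" --jump ACCEPT

  # Accept packets related to previously established connections
  iptables -w -A "$filter_input_chain" -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT

  # Anything else from a container to the host is rejected unless the
  # operator explicitly allowed host access
  if [[ "${GARDEN_IPTABLES_ALLOW_HOST_ACCESS}" != "true" ]]; then
    iptables -w -A "$filter_input_chain" --jump REJECT --reject-with icmp-host-prohibited
  else
    iptables -w -A "$filter_input_chain" --jump ACCEPT
  fi

  # Send traffic arriving on container interfaces through the input chain
  iptables -w -A INPUT -i "${interface_name_prefix}+" --jump "$filter_input_chain"

  # Forward chain ends in DROP; rules inserted ahead of it decide what passes
  create_or_flush_chain filter "$filter_forward_chain"
  iptables -w -A "$filter_forward_chain" -j DROP

  # Default chain: always allow established connections to containers
  create_or_flush_chain filter "$filter_default_chain"
  iptables -w -A "$filter_default_chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Forward outbound traffic via the forward chain
  iptables -w -A FORWARD -i "${interface_name_prefix}+" --jump "$filter_forward_chain"

  # Forward inbound traffic immediately (inserted ahead of the DROP)
  iptables -w -I "$filter_forward_chain" -i "$outside_if" --jump ACCEPT
}

#######################################
# Remove the per-instance nat rules and empty the nat chains. The chains
# themselves and their jumps from PREROUTING/OUTPUT/POSTROUTING are kept;
# setup_nat only adds those when missing.
# Globals (read): nat_*_chain, nat_instance_prefix
#######################################
teardown_nat() {
  # Remove the jumps from the prerouting chain into per-instance chains
  replay_matching nat "$nat_prerouting_chain" "-j ${nat_instance_prefix}"

  # Empty, then delete, every per-instance chain
  replay_matching nat "" "^-A ${nat_instance_prefix}"
  replay_matching nat "" "^-N ${nat_instance_prefix}" -N -X

  flush_chain nat "$nat_prerouting_chain"
  flush_chain nat "$nat_postrouting_chain"
}

#######################################
# Create the nat chains and bind them to the built-in chains.
# Globals (read): nat_*_chain
#######################################
setup_nat() {
  teardown_nat

  # Create prerouting chain (may already exist, teardown keeps it)
  iptables -w -t nat -N "$nat_prerouting_chain" 2>/dev/null || true

  # Bind chain to PREROUTING
  ensure_jump nat PREROUTING "$nat_prerouting_chain"

  # Bind chain to OUTPUT (for traffic originating from same host)
  ensure_jump nat OUTPUT "$nat_prerouting_chain" --out-interface "lo"

  # Create postrouting chain and bind it to POSTROUTING
  iptables -w -t nat -N "$nat_postrouting_chain" 2>/dev/null || true
  ensure_jump nat POSTROUTING "$nat_postrouting_chain"
}

#######################################
# Dispatch on the single command argument.
# Arguments: $1 - setup | teardown
#######################################
main() {
  # ${1:-} so a missing argument reaches the usage error instead of
  # tripping nounset
  local command=${1:-}

  case "$command" in
    setup)
      setup_filter
      setup_nat

      # Enable IPv4 forwarding for the container traffic FORWARD now handles
      echo 1 > /proc/sys/net/ipv4/ip_forward
      ;;
    teardown)
      teardown_filter
      teardown_nat
      ;;
    *)
      echo "Unknown command: ${command}" 1>&2
      exit 1
      ;;
  esac
}

main "$@"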