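#!/bin/bash
#
# Per-container iptables/tc plumbing for a garden-linux container.
#
# Usage: net.sh setup|teardown|in|get_ingress_info|get_egress_info
#
# The script changes into its own directory and sources ./etc/config, which
# is expected to provide (nounset is on, so a missing one aborts on first use):
#   GARDEN_IPTABLES_FILTER_FORWARD_CHAIN   GARDEN_IPTABLES_FILTER_DEFAULT_CHAIN
#   GARDEN_IPTABLES_FILTER_INSTANCE_PREFIX GARDEN_IPTABLES_NAT_PREROUTING_CHAIN
#   GARDEN_IPTABLES_NAT_POSTROUTING_CHAIN  GARDEN_IPTABLES_NAT_INSTANCE_PREFIX
#   GARDEN_NETWORK_INTERFACE_PREFIX        id
#   network_cidr network_container_ip bridge_iface network_host_iface external_ip
#
# "in" additionally reads HOST_PORT and CONTAINER_PORT from the environment.
#
# Every iptables call uses --wait so it blocks on the xtables lock instead of
# failing when another iptables process is running concurrently.

[ -n "${DEBUG:-}" ] && set -o xtrace
set -o nounset
set -o errexit
# pipefail is deliberately NOT enabled: the teardown pipelines below rely on
# grep exiting 1 ("no rule to delete") without aborting the whole script.
shopt -s nullglob

cd "$(dirname "${0}")"

# shellcheck source=/dev/null
source ./etc/config

filter_forward_chain="${GARDEN_IPTABLES_FILTER_FORWARD_CHAIN}"
filter_default_chain="${GARDEN_IPTABLES_FILTER_DEFAULT_CHAIN}"
filter_instance_prefix="${GARDEN_IPTABLES_FILTER_INSTANCE_PREFIX}"
nat_prerouting_chain="${GARDEN_IPTABLES_NAT_PREROUTING_CHAIN}"
nat_postrouting_chain="${GARDEN_IPTABLES_NAT_POSTROUTING_CHAIN}"
nat_instance_prefix="${GARDEN_IPTABLES_NAT_INSTANCE_PREFIX}"
interface_name_prefix="${GARDEN_NETWORK_INTERFACE_PREFIX}"

filter_instance_chain="${filter_instance_prefix}${id}"
# NOTE(review): the NAT instance chain is named with the *filter* prefix,
# which leaves nat_instance_prefix unused. Left unchanged on purpose: the
# chain name has to match whatever the rest of the backend expects to clean
# up, so confirm with the Go side before switching to ${nat_instance_prefix}.
nat_instance_chain="${filter_instance_prefix}${id}"

#######################################
# Remove this container's hook from the shared filter forward chain, then
# flush and delete its instance chain. Every step tolerates "already gone",
# so teardown is idempotent and is also used by setup_filter to start clean.
# Globals: filter_forward_chain, filter_instance_chain
#######################################
function teardown_filter() {
  # Prune forward chain: each "-A <forward> ... -g <instance>" line of the
  # rule dump is turned into the matching "-D" and executed one at a time.
  iptables --wait -S "${filter_forward_chain}" 2> /dev/null |
    grep "\-g ${filter_instance_chain}\b" |
    sed -e "s/-A/-D/" |
    xargs --no-run-if-empty --max-lines=1 iptables --wait

  # Flush and delete instance chain (it may not exist yet).
  iptables --wait -F "${filter_instance_chain}" 2> /dev/null || true
  iptables --wait -X "${filter_instance_chain}" 2> /dev/null || true
}

#######################################
# Create the container's filter instance chain and hook it into the forward
# chain for traffic arriving on the bridge from the container's IP.
# Globals: filter_forward_chain, filter_default_chain, filter_instance_chain,
#          network_cidr, network_container_ip, bridge_iface
#######################################
function setup_filter() {
  teardown_filter

  # Create instance chain
  iptables --wait -N "${filter_instance_chain}"

  # Allow intra-subnet traffic (Linux ethernet bridging goes through ip stack)
  iptables --wait -A "${filter_instance_chain}" \
    -s "${network_cidr}" -d "${network_cidr}" -j ACCEPT

  # Everything else is decided by the shared default chain.
  iptables --wait -A "${filter_instance_chain}" \
    --goto "${filter_default_chain}"

  # Bind instance chain to forward chain at position 2, i.e. directly after
  # rule 1 (presumably a host-wide rule that must stay first — confirm).
  iptables --wait -I "${filter_forward_chain}" 2 \
    --in-interface "${bridge_iface}" \
    --source "${network_container_ip}" \
    --goto "${filter_instance_chain}"
}

#######################################
# Remove this container's hook from the shared NAT prerouting chain, then
# flush and delete its NAT instance chain. Idempotent, like teardown_filter.
# The shared SNAT rule added by setup_nat is intentionally left in place.
# Globals: nat_prerouting_chain, nat_instance_chain
#######################################
function teardown_nat() {
  # Prune prerouting chain (same "-A" -> "-D" rewrite as teardown_filter).
  iptables --wait --table nat -S "${nat_prerouting_chain}" 2> /dev/null |
    grep "\-j ${nat_instance_chain}\b" |
    sed -e "s/-A/-D/" |
    xargs --no-run-if-empty --max-lines=1 iptables --wait --table nat

  # Flush and delete instance chain
  iptables --wait --table nat -F "${nat_instance_chain}" 2> /dev/null || true
  iptables --wait --table nat -X "${nat_instance_chain}" 2> /dev/null || true
}

#######################################
# Create the container's NAT instance chain (where "in" adds DNAT rules),
# hook it into prerouting, and make sure the subnet-wide SNAT rule exists.
# Globals: nat_prerouting_chain, nat_postrouting_chain, nat_instance_chain,
#          network_cidr, external_ip
#######################################
function setup_nat() {
  teardown_nat

  # Create instance chain
  iptables --wait --table nat -N "${nat_instance_chain}"

  # Bind instance chain to prerouting chain
  iptables --wait --table nat -A "${nat_prerouting_chain}" \
    --jump "${nat_instance_chain}"

  # Enable NAT for traffic coming from containers. This rule is shared by all
  # containers on network_cidr: it is added only if no SNAT rule for the
  # subnet exists yet, and teardown_nat never removes it.
  (iptables --wait --table nat -S "${nat_postrouting_chain}" |
    grep "\-j SNAT\b" |
    grep -q -F -- "-s ${network_cidr}") ||
    iptables --wait --table nat -A "${nat_postrouting_chain}" \
      --source "${network_cidr}" \
      --jump SNAT \
      --to "${external_ip}"
}

# ${1:-} rather than ${1}: with nounset, a missing subcommand would otherwise
# die with "unbound variable" instead of the "Unknown command" message.
case "${1:-}" in
  "setup")
    setup_filter
    setup_nat
    ;;

  "teardown")
    teardown_filter
    teardown_nat
    ;;

  "in")
    # Map external_ip:HOST_PORT to network_container_ip:CONTAINER_PORT (TCP).
    if [ -z "${HOST_PORT:-}" ]; then
      echo "Please specify HOST_PORT..." 1>&2
      exit 1
    fi

    if [ -z "${CONTAINER_PORT:-}" ]; then
      echo "Please specify CONTAINER_PORT..." 1>&2
      exit 1
    fi

    # Both values are handed to iptables verbatim, which also accepts a
    # range ("1:65535") or a service name for --destination-port; a range
    # would forward every host port into the container. Insist on plain
    # decimal numbers.
    if ! [[ "${HOST_PORT}" =~ ^[0-9]+$ && "${CONTAINER_PORT}" =~ ^[0-9]+$ ]]; then
      echo "HOST_PORT and CONTAINER_PORT must be decimal port numbers" 1>&2
      exit 1
    fi

    iptables --wait --table nat -A "${nat_instance_chain}" \
      --protocol tcp \
      --destination "${external_ip}" \
      --destination-port "${HOST_PORT}" \
      --jump DNAT \
      --to-destination "${network_container_ip}:${CONTAINER_PORT}"
    ;;

  "get_ingress_info")
    # ID is only checked for presence here; the interface itself comes from
    # network_host_iface in ./etc/config.
    if [ -z "${ID:-}" ]; then
      echo "Please specify container ID..." 1>&2
      exit 1
    fi
    tc filter show dev "${network_host_iface}" parent ffff:
    ;;

  "get_egress_info")
    if [ -z "${ID:-}" ]; then
      echo "Please specify container ID..." 1>&2
      exit 1
    fi
    tc qdisc show dev "${network_host_iface}"
    ;;

  *)
    echo "Unknown command: ${1:-}" 1>&2
    exit 1
    ;;
esac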