From 6aad63055c0855d68d7f3785c0ac075024508457 Mon Sep 17 00:00:00 2001
From: Stefan Junker
Date: Thu, 31 Mar 2016 15:44:54 +0200
Subject: [PATCH] *: add comment to iptables rules for ipmasq
---
 pkg/ip/ipmasq.go | 12 ++++++------
 pkg/utils/utils.go | 6 ++++++
 plugins/main/bridge/bridge.go | 3 ++-
 plugins/main/ptp/ptp.go | 6 ++++--
 4 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/pkg/ip/ipmasq.go b/pkg/ip/ipmasq.go
index 6901f69e..8ee27971 100644
--- a/pkg/ip/ipmasq.go
+++ b/pkg/ip/ipmasq.go
@@ -23,7 +23,7 @@ import (
 // SetupIPMasq installs iptables rules to masquerade traffic
 // coming from ipn and going outside of it
-func SetupIPMasq(ipn *net.IPNet, chain string) error {
+func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
 ipt, err := iptables.New()
 if err != nil {
 return fmt.Errorf("failed to locate iptables: %v", err)
@@ -36,25 +36,25 @@ func SetupIPMasq(ipn *net.IPNet, chain string) error {
 }
 }
- if err = ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT"); err != nil {
+ if err = ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
 return err
 }
- if err = ipt.AppendUnique("nat", chain, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"); err != nil {
+ if err = ipt.AppendUnique("nat", chain, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
 return err
 }
- return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain)
+ return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
 }
 // TeardownIPMasq undoes the effects of SetupIPMasq
-func TeardownIPMasq(ipn *net.IPNet, chain string) error {
+func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
 ipt, err := iptables.New()
 if err != nil {
 return fmt.Errorf("failed to locate iptables: %v", err)
 }
- if err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain); err != nil {
+ if err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment); err != nil {
 return err
 }
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
index ea29c965..7ec139fd 100644
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -19,3 +19,9 @@ func FormatChainName(name string, id string) string {
 chain := fmt.Sprintf("%s%x", chainPrefix, chainBytes)
 return chain[:maxChainLength]
 }
+
+// FormatComment returns a comment used for easier
+// rule identification within iptables.
+func FormatComment(name string, id string) string {
+ return fmt.Sprintf("name: %q id: %q", name, id)
+}
diff --git a/plugins/main/bridge/bridge.go b/plugins/main/bridge/bridge.go
index d5581bf4..e4bc106c 100644
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
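Review bot: In the new `ipt.Delete` call in TeardownIPMasq the comment has become part of the rule specification iptables must match, so teardown now only removes a POSTROUTING jump whose comment is byte-identical to the one SetupIPMasq installed; a jump installed by a build before this change, or with a differently formatted comment, is no longer found, Delete returns an error, and the remainder of the teardown (which continues past the hunk) is skipped, leaving the jump and the per-container chain in place. That coupling deserves a sentence on the function, e.g. `// comment must be the exact string passed to SetupIPMasq: iptables matches the full` `// rule spec on delete, so a jump installed with no (or another) comment is not removed.`. It may also be worth deciding whether a no-longer-present jump should abort the teardown or be tolerated, since the chain flush that presumably follows is what actually stops the masquerading. The body of TeardownIPMasq continues outside the hunk.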
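Review bot: FormatComment, added at the end of this hunk, places the caller-supplied name and id in the comment without any bound, whereas FormatChainName just above it truncates to maxChainLength; iptables' comment match rejects comments longer than 255 characters, so a sufficiently long network name makes every rule append in SetupIPMasq fail with an iptables usage error rather than a clear one. Since the value is a label, not a key, a cap is enough: `const maxCommentLength = 255` next to maxChainLength, and before returning `if len(c) > maxCommentLength { c = c[:maxCommentLength] }`, with the doc comment extended to say the result is truncated to iptables' limit. The `%q` formatting is a good choice because it keeps newlines and non-printable bytes out of the rule listing; as go-iptables appears to pass arguments straight to the iptables binary rather than through a shell, the quoting is cosmetic rather than an injection control, which is worth stating in the doc comment so nobody later relies on it for that.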
@@ -222,7 +222,8 @@ func cmdAdd(args *skel.CmdArgs) error {
 if n.IPMasq {
 chain := utils.FormatChainName(n.Name, args.ContainerID)
- if err = ip.SetupIPMasq(ip.Network(&result.IP4.IP), chain); err != nil {
+ comment := utils.FormatComment(n.Name, args.ContainerID)
+ if err = ip.SetupIPMasq(ip.Network(&result.IP4.IP), chain, comment); err != nil {
 return err
 }
 }
diff --git a/plugins/main/ptp/ptp.go b/plugins/main/ptp/ptp.go
index b397b795..3035c643 100644
--- a/plugins/main/ptp/ptp.go
+++ b/plugins/main/ptp/ptp.go
@@ -179,7 +179,8 @@ func cmdAdd(args *skel.CmdArgs) error {
 if conf.IPMasq {
 chain := utils.FormatChainName(conf.Name, args.ContainerID)
- if err = ip.SetupIPMasq(&result.IP4.IP, chain); err != nil {
+ comment := utils.FormatComment(conf.Name, args.ContainerID)
+ if err = ip.SetupIPMasq(&result.IP4.IP, chain, comment); err != nil {
 return err
 }
 }
@@ -206,7 +207,8 @@ func cmdDel(args *skel.CmdArgs) error {
 if conf.IPMasq {
 chain := utils.FormatChainName(conf.Name, args.ContainerID)
- if err = ip.TeardownIPMasq(ipn, chain); err != nil {
+ comment := utils.FormatComment(conf.Name, args.ContainerID)
+ if err = ip.TeardownIPMasq(ipn, chain, comment); err != nil {
 return err
 }
 }
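Review bot: The comment is added only on the setup side in bridge.go: the diffstat lists cmdAdd as this file's sole change, and since TeardownIPMasq's signature changes in the same commit any teardown call in bridge.go would no longer compile, so unless it is invoked from a file outside this diff the bridge plugin never calls TeardownIPMasq and the POSTROUTING jump, per-container chain and MASQUERADE rule it now labels stay behind after the container is deleted. ptp.go's cmdDel in this commit shows the intended pairing, `comment := utils.FormatComment(conf.Name, args.ContainerID)` followed by `ip.TeardownIPMasq(ipn, chain, comment)`, and bridge's cmdDel should mirror it; ptp obtains `ipn` outside its hunk, so how bridge recovers the container's network on delete is left open here. The labels make leftover rules easy to spot with `iptables -t nat -S`, which is a useful stopgap but not a substitute for the teardown. cmdAdd continues outside the hunk on both sides.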