*: add comment to iptables rules for ipmasq

2016-03-31 15:44:54 +02:00 · 2016-03-31 15:44:54 +02:00 · 6aad63055c
commit 6aad63055c
parent bcef17daac
4 changed files with 18 additions and 9 deletions
--- a/pkg/ip/ipmasq.go
+++ b/pkg/ip/ipmasq.go
@ -23,7 +23,7 @@ import (
 // SetupIPMasq installs iptables rules to masquerade traffic
 // coming from ipn and going outside of it
-func SetupIPMasq(ipn *net.IPNet, chain string) error {
+func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
 	ipt, err := iptables.New()
 	if err != nil {
 		return fmt.Errorf("failed to locate iptables: %v", err)
@ -36,25 +36,25 @@ func SetupIPMasq(ipn *net.IPNet, chain string) error {
 		}
 	}
-	if err = ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT"); err != nil {
+	if err = ipt.AppendUnique("nat", chain, "-d", ipn.String(), "-j", "ACCEPT", "-m", "comment", "--comment", comment); err != nil {
 		return err
 	}
-	if err = ipt.AppendUnique("nat", chain, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE"); err != nil {
+	if err = ipt.AppendUnique("nat", chain, "!", "-d", "224.0.0.0/4", "-j", "MASQUERADE", "-m", "comment", "--comment", comment); err != nil {
 		return err
 	}
-	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain)
+	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
 }
 // TeardownIPMasq undoes the effects of SetupIPMasq
-func TeardownIPMasq(ipn *net.IPNet, chain string) error {
+func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
 	ipt, err := iptables.New()
 	if err != nil {
 		return fmt.Errorf("failed to locate iptables: %v", err)
 	}
-	if err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain); err != nil {
+	if err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment); err != nil {
 		return err
 	}
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@ -19,3 +19,9 @@ func FormatChainName(name string, id string) string {
 	chain := fmt.Sprintf("%s%x", chainPrefix, chainBytes)
 	return chain[:maxChainLength]
 }
 // FormatComment returns a comment used for easier
 // rule identification within iptables.
 func FormatComment(name string, id string) string {
 	return fmt.Sprintf("name: %q id: %q", name, id)
 }
--- a/plugins/main/bridge/bridge.go
+++ b/plugins/main/bridge/bridge.go
@ -222,7 +222,8 @@ func cmdAdd(args *skel.CmdArgs) error {
 	if n.IPMasq {
 		chain := utils.FormatChainName(n.Name, args.ContainerID)
-		if err = ip.SetupIPMasq(ip.Network(&result.IP4.IP), chain); err != nil {
+		comment := utils.FormatComment(n.Name, args.ContainerID)
 		if err = ip.SetupIPMasq(ip.Network(&result.IP4.IP), chain, comment); err != nil {
 			return err
 		}
 	}
--- a/plugins/main/ptp/ptp.go
+++ b/plugins/main/ptp/ptp.go
@ -179,7 +179,8 @@ func cmdAdd(args *skel.CmdArgs) error {
 	if conf.IPMasq {
 		chain := utils.FormatChainName(conf.Name, args.ContainerID)
-		if err = ip.SetupIPMasq(&result.IP4.IP, chain); err != nil {
+		comment := utils.FormatComment(conf.Name, args.ContainerID)
 		if err = ip.SetupIPMasq(&result.IP4.IP, chain, comment); err != nil {
 			return err
 		}
 	}
@ -206,7 +207,8 @@ func cmdDel(args *skel.CmdArgs) error {
 	if conf.IPMasq {
 		chain := utils.FormatChainName(conf.Name, args.ContainerID)
-		if err = ip.TeardownIPMasq(ipn, chain); err != nil {
+		comment := utils.FormatComment(conf.Name, args.ContainerID)
 		if err = ip.TeardownIPMasq(ipn, chain, comment); err != nil {
 			return err
 		}
 	}