diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json index c243176..ea90ab4 100644 --- a/Godeps/Godeps.json +++ b/Godeps/Godeps.json @@ -20,11 +20,6 @@ "Comment": "v1.4.1-3152-g3e85803", "Rev": "3e85803f311c3883a9b395ad046c894ea255e9be" }, - { - "ImportPath": "github.com/docker/docker/pkg/iptables", - "Comment": "v1.4.1-3152-g3e85803", - "Rev": "3e85803f311c3883a9b395ad046c894ea255e9be" - }, { "ImportPath": "github.com/docker/docker/pkg/mflag", "Comment": "v1.4.1-3152-g3e85803", diff --git a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/firewalld.go b/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/firewalld.go deleted file mode 100644 index 1c0cddb..0000000 --- a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/firewalld.go +++ /dev/null @@ -1,164 +0,0 @@ -package iptables - -import ( - "fmt" - "strings" - - "github.com/Sirupsen/logrus" - "github.com/godbus/dbus" -) - -type IPV string - -const ( - Iptables IPV = "ipv4" - Ip6tables IPV = "ipv6" - Ebtables IPV = "eb" -) -const ( - dbusInterface = "org.fedoraproject.FirewallD1" - dbusPath = "/org/fedoraproject/FirewallD1" -) - -// Conn is a connection to firewalld dbus endpoint. -type Conn struct { - sysconn *dbus.Conn - sysobj *dbus.Object - signal chan *dbus.Signal -} - -var ( - connection *Conn - firewalldRunning bool // is Firewalld service running - onReloaded []*func() // callbacks when Firewalld has been reloaded -) - -func FirewalldInit() { - var err error - - connection, err = newConnection() - - if err != nil { - logrus.Errorf("Failed to connect to D-Bus system bus: %s", err) - } - if connection != nil { - go signalHandler() - } - - firewalldRunning = checkRunning() -} - -// New() establishes a connection to the system bus. -func newConnection() (*Conn, error) { - c := new(Conn) - if err := c.initConnection(); err != nil { - return nil, err - } - - return c, nil -} - -// Innitialize D-Bus connection. -func (c *Conn) initConnection() error { - var err error - - c.sysconn, err = dbus.SystemBus() - if err != nil { - return err - } - - // This never fails, even if the service is not running atm. - c.sysobj = c.sysconn.Object(dbusInterface, dbus.ObjectPath(dbusPath)) - - rule := fmt.Sprintf("type='signal',path='%s',interface='%s',sender='%s',member='Reloaded'", - dbusPath, dbusInterface, dbusInterface) - c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule) - - rule = fmt.Sprintf("type='signal',interface='org.freedesktop.DBus',member='NameOwnerChanged',path='/org/freedesktop/DBus',sender='org.freedesktop.DBus',arg0='%s'", - dbusInterface) - c.sysconn.BusObject().Call("org.freedesktop.DBus.AddMatch", 0, rule) - - c.signal = make(chan *dbus.Signal, 10) - c.sysconn.Signal(c.signal) - - return nil -} - -func signalHandler() { - for signal := range connection.signal { - if strings.Contains(signal.Name, "NameOwnerChanged") { - firewalldRunning = checkRunning() - dbusConnectionChanged(signal.Body) - } else if strings.Contains(signal.Name, "Reloaded") { - reloaded() - } - } -} - -func dbusConnectionChanged(args []interface{}) { - name := args[0].(string) - old_owner := args[1].(string) - new_owner := args[2].(string) - - if name != dbusInterface { - return - } - - if len(new_owner) > 0 { - connectionEstablished() - } else if len(old_owner) > 0 { - connectionLost() - } -} - -func connectionEstablished() { - reloaded() -} - -func connectionLost() { - // Doesn't do anything for now. Libvirt also doesn't react to this. -} - -// call all callbacks -func reloaded() { - for _, pf := range onReloaded { - (*pf)() - } -} - -// add callback -func OnReloaded(callback func()) { - for _, pf := range onReloaded { - if pf == &callback { - return - } - } - onReloaded = append(onReloaded, &callback) -} - -// Call some remote method to see whether the service is actually running. -func checkRunning() bool { - var zone string - var err error - - if connection != nil { - err = connection.sysobj.Call(dbusInterface+".getDefaultZone", 0).Store(&zone) - logrus.Infof("Firewalld running: %t", err == nil) - return err == nil - } - logrus.Info("Firewalld not running") - return false -} - -// Firewalld's passthrough method simply passes args through to iptables/ip6tables -func Passthrough(ipv IPV, args ...string) ([]byte, error) { - var output string - - logrus.Debugf("Firewalld passthrough: %s, %s", ipv, args) - err := connection.sysobj.Call(dbusInterface+".direct.passthrough", 0, ipv, args).Store(&output) - if output != "" { - logrus.Debugf("passthrough output: %s", output) - } - - return []byte(output), err -} diff --git a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/firewalld_test.go b/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/firewalld_test.go deleted file mode 100644 index 3896007..0000000 --- a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/firewalld_test.go +++ /dev/null @@ -1,78 +0,0 @@ -package iptables - -import ( - "net" - "strconv" - "testing" -) - -func TestFirewalldInit(t *testing.T) { - FirewalldInit() -} - -func TestReloaded(t *testing.T) { - var err error - var fwdChain *Chain - - fwdChain, err = NewChain("FWD", "lo", Filter) - if err != nil { - t.Fatal(err) - } - defer fwdChain.Remove() - - // copy-pasted from iptables_test:TestLink - ip1 := net.ParseIP("192.168.1.1") - ip2 := net.ParseIP("192.168.1.2") - port := 1234 - proto := "tcp" - - err = fwdChain.Link(Append, ip1, ip2, port, proto) - if err != nil { - t.Fatal(err) - } else { - // to be re-called again later - OnReloaded(func() { fwdChain.Link(Append, ip1, ip2, port, proto) }) - } - - rule1 := []string{ - "-i", fwdChain.Bridge, - "-o", fwdChain.Bridge, - "-p", proto, - "-s", ip1.String(), - "-d", ip2.String(), - "--dport", strconv.Itoa(port), - "-j", "ACCEPT"} - - if !Exists(fwdChain.Table, fwdChain.Name, rule1...) { - t.Fatalf("rule1 does not exist") - } - - // flush all rules - fwdChain.Remove() - - reloaded() - - // make sure the rules have been recreated - if !Exists(fwdChain.Table, fwdChain.Name, rule1...) { - t.Fatalf("rule1 hasn't been recreated") - } -} - -func TestPassthrough(t *testing.T) { - rule1 := []string{ - "-i", "lo", - "-p", "udp", - "--dport", "123", - "-j", "ACCEPT"} - - if firewalldRunning { - _, err := Passthrough(Iptables, append([]string{"-A"}, rule1...)...) - if err != nil { - t.Fatal(err) - } - if !Exists(Filter, "INPUT", rule1...) { - t.Fatalf("rule1 does not exist") - } - } - -} diff --git a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/iptables.go b/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/iptables.go deleted file mode 100644 index 9983ec6..0000000 --- a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/iptables.go +++ /dev/null @@ -1,306 +0,0 @@ -package iptables - -import ( - "errors" - "fmt" - "net" - "os/exec" - "regexp" - "strconv" - "strings" - - "github.com/Sirupsen/logrus" -) - -type Action string -type Table string - -const ( - Append Action = "-A" - Delete Action = "-D" - Insert Action = "-I" - Nat Table = "nat" - Filter Table = "filter" - Mangle Table = "mangle" -) - -var ( - iptablesPath string - supportsXlock = false - ErrIptablesNotFound = errors.New("Iptables not found") -) - -type Chain struct { - Name string - Bridge string - Table Table -} - -type ChainError struct { - Chain string - Output []byte -} - -func (e ChainError) Error() string { - return fmt.Sprintf("Error iptables %s: %s", e.Chain, string(e.Output)) -} - -func initCheck() error { - - if iptablesPath == "" { - path, err := exec.LookPath("iptables") - if err != nil { - return ErrIptablesNotFound - } - iptablesPath = path - supportsXlock = exec.Command(iptablesPath, "--wait", "-L", "-n").Run() == nil - } - return nil -} - -func NewChain(name, bridge string, table Table) (*Chain, error) { - c := &Chain{ - Name: name, - Bridge: bridge, - Table: table, - } - - if string(c.Table) == "" { - c.Table = Filter - } - - // Add chain if it doesn't exist - if _, err := Raw("-t", string(c.Table), "-n", "-L", c.Name); err != nil { - if output, err := Raw("-t", string(c.Table), "-N", c.Name); err != nil { - return nil, err - } else if len(output) != 0 { - return nil, fmt.Errorf("Could not create %s/%s chain: %s", c.Table, c.Name, output) - } - } - - switch table { - case Nat: - preroute := []string{ - "-m", "addrtype", - "--dst-type", "LOCAL"} - if !Exists(Nat, "PREROUTING", preroute...) { - if err := c.Prerouting(Append, preroute...); err != nil { - return nil, fmt.Errorf("Failed to inject docker in PREROUTING chain: %s", err) - } - } - output := []string{ - "-m", "addrtype", - "--dst-type", "LOCAL", - "!", "--dst", "127.0.0.0/8"} - if !Exists(Nat, "OUTPUT", output...) { - if err := c.Output(Append, output...); err != nil { - return nil, fmt.Errorf("Failed to inject docker in OUTPUT chain: %s", err) - } - } - case Filter: - link := []string{ - "-o", c.Bridge, - "-j", c.Name} - if !Exists(Filter, "FORWARD", link...) { - insert := append([]string{string(Insert), "FORWARD"}, link...) - if output, err := Raw(insert...); err != nil { - return nil, err - } else if len(output) != 0 { - return nil, fmt.Errorf("Could not create linking rule to %s/%s: %s", c.Table, c.Name, output) - } - } - } - return c, nil -} - -func RemoveExistingChain(name string, table Table) error { - c := &Chain{ - Name: name, - Table: table, - } - if string(c.Table) == "" { - c.Table = Filter - } - return c.Remove() -} - -// Add forwarding rule to 'filter' table and corresponding nat rule to 'nat' table -func (c *Chain) Forward(action Action, ip net.IP, port int, proto, destAddr string, destPort int) error { - daddr := ip.String() - if ip.IsUnspecified() { - // iptables interprets "0.0.0.0" as "0.0.0.0/32", whereas we - // want "0.0.0.0/0". "0/0" is correctly interpreted as "any - // value" by both iptables and ip6tables. - daddr = "0/0" - } - if output, err := Raw("-t", string(Nat), string(action), c.Name, - "-p", proto, - "-d", daddr, - "--dport", strconv.Itoa(port), - "!", "-i", c.Bridge, - "-j", "DNAT", - "--to-destination", net.JoinHostPort(destAddr, strconv.Itoa(destPort))); err != nil { - return err - } else if len(output) != 0 { - return ChainError{Chain: "FORWARD", Output: output} - } - - if output, err := Raw("-t", string(Filter), string(action), c.Name, - "!", "-i", c.Bridge, - "-o", c.Bridge, - "-p", proto, - "-d", destAddr, - "--dport", strconv.Itoa(destPort), - "-j", "ACCEPT"); err != nil { - return err - } else if len(output) != 0 { - return ChainError{Chain: "FORWARD", Output: output} - } - - if output, err := Raw("-t", string(Nat), string(action), "POSTROUTING", - "-p", proto, - "-s", destAddr, - "-d", destAddr, - "--dport", strconv.Itoa(destPort), - "-j", "MASQUERADE"); err != nil { - return err - } else if len(output) != 0 { - return ChainError{Chain: "FORWARD", Output: output} - } - - return nil -} - -// Add reciprocal ACCEPT rule for two supplied IP addresses. -// Traffic is allowed from ip1 to ip2 and vice-versa -func (c *Chain) Link(action Action, ip1, ip2 net.IP, port int, proto string) error { - if output, err := Raw("-t", string(Filter), string(action), c.Name, - "-i", c.Bridge, "-o", c.Bridge, - "-p", proto, - "-s", ip1.String(), - "-d", ip2.String(), - "--dport", strconv.Itoa(port), - "-j", "ACCEPT"); err != nil { - return err - } else if len(output) != 0 { - return fmt.Errorf("Error iptables forward: %s", output) - } - if output, err := Raw("-t", string(Filter), string(action), c.Name, - "-i", c.Bridge, "-o", c.Bridge, - "-p", proto, - "-s", ip2.String(), - "-d", ip1.String(), - "--sport", strconv.Itoa(port), - "-j", "ACCEPT"); err != nil { - return err - } else if len(output) != 0 { - return fmt.Errorf("Error iptables forward: %s", output) - } - return nil -} - -// Add linking rule to nat/PREROUTING chain. -func (c *Chain) Prerouting(action Action, args ...string) error { - a := []string{"-t", string(Nat), string(action), "PREROUTING"} - if len(args) > 0 { - a = append(a, args...) - } - if output, err := Raw(append(a, "-j", c.Name)...); err != nil { - return err - } else if len(output) != 0 { - return ChainError{Chain: "PREROUTING", Output: output} - } - return nil -} - -// Add linking rule to an OUTPUT chain -func (c *Chain) Output(action Action, args ...string) error { - a := []string{"-t", string(c.Table), string(action), "OUTPUT"} - if len(args) > 0 { - a = append(a, args...) - } - if output, err := Raw(append(a, "-j", c.Name)...); err != nil { - return err - } else if len(output) != 0 { - return ChainError{Chain: "OUTPUT", Output: output} - } - return nil -} - -func (c *Chain) Remove() error { - // Ignore errors - This could mean the chains were never set up - if c.Table == Nat { - c.Prerouting(Delete, "-m", "addrtype", "--dst-type", "LOCAL") - c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL", "!", "--dst", "127.0.0.0/8") - c.Output(Delete, "-m", "addrtype", "--dst-type", "LOCAL") // Created in versions <= 0.1.6 - - c.Prerouting(Delete) - c.Output(Delete) - } - Raw("-t", string(c.Table), "-F", c.Name) - Raw("-t", string(c.Table), "-X", c.Name) - return nil -} - -// Check if a rule exists -func Exists(table Table, chain string, rule ...string) bool { - if string(table) == "" { - table = Filter - } - - // iptables -C, --check option was added in v.1.4.11 - // http://ftp.netfilter.org/pub/iptables/changes-iptables-1.4.11.txt - - // try -C - // if exit status is 0 then return true, the rule exists - if _, err := Raw(append([]string{ - "-t", string(table), "-C", chain}, rule...)...); err == nil { - return true - } - - // parse "iptables -S" for the rule (this checks rules in a specific chain - // in a specific table) - ruleString := strings.Join(rule, " ") - existingRules, _ := exec.Command(iptablesPath, "-t", string(table), "-S", chain).Output() - - // regex to replace ips in rule - // because MASQUERADE rule will not be exactly what was passed - re := regexp.MustCompile(`[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\/[0-9]{1,2}`) - - return strings.Contains( - re.ReplaceAllString(string(existingRules), "?"), - re.ReplaceAllString(ruleString, "?"), - ) -} - -// Call 'iptables' system command, passing supplied arguments -func Raw(args ...string) ([]byte, error) { - if firewalldRunning { - output, err := Passthrough(Iptables, args...) - if err == nil || !strings.Contains(err.Error(), "was not provided by any .service files") { - return output, err - } - - } - - if err := initCheck(); err != nil { - return nil, err - } - if supportsXlock { - args = append([]string{"--wait"}, args...) - } - - logrus.Debugf("%s, %v", iptablesPath, args) - - output, err := exec.Command(iptablesPath, args...).CombinedOutput() - if err != nil { - return nil, fmt.Errorf("iptables failed: iptables %v: %s (%s)", strings.Join(args, " "), output, err) - } - - // ignore iptables' message about xtables lock - if strings.Contains(string(output), "waiting for it to exit") { - output = []byte("") - } - - return output, err -} diff --git a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/iptables_test.go b/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/iptables_test.go deleted file mode 100644 index ced4262..0000000 --- a/Godeps/_workspace/src/github.com/docker/docker/pkg/iptables/iptables_test.go +++ /dev/null @@ -1,198 +0,0 @@ -package iptables - -import ( - "net" - "os/exec" - "strconv" - "strings" - "testing" -) - -const chainName = "DOCKERTEST" - -var natChain *Chain -var filterChain *Chain - -func TestNewChain(t *testing.T) { - var err error - - natChain, err = NewChain(chainName, "lo", Nat) - if err != nil { - t.Fatal(err) - } - - filterChain, err = NewChain(chainName, "lo", Filter) - if err != nil { - t.Fatal(err) - } -} - -func TestForward(t *testing.T) { - ip := net.ParseIP("192.168.1.1") - port := 1234 - dstAddr := "172.17.0.1" - dstPort := 4321 - proto := "tcp" - - err := natChain.Forward(Insert, ip, port, proto, dstAddr, dstPort) - if err != nil { - t.Fatal(err) - } - - dnatRule := []string{ - "!", "-i", filterChain.Bridge, - "-d", ip.String(), - "-p", proto, - "--dport", strconv.Itoa(port), - "-j", "DNAT", - "--to-destination", dstAddr + ":" + strconv.Itoa(dstPort), - } - - if !Exists(natChain.Table, natChain.Name, dnatRule...) { - t.Fatalf("DNAT rule does not exist") - } - - filterRule := []string{ - "!", "-i", filterChain.Bridge, - "-o", filterChain.Bridge, - "-d", dstAddr, - "-p", proto, - "--dport", strconv.Itoa(dstPort), - "-j", "ACCEPT", - } - - if !Exists(filterChain.Table, filterChain.Name, filterRule...) { - t.Fatalf("filter rule does not exist") - } - - masqRule := []string{ - "-d", dstAddr, - "-s", dstAddr, - "-p", proto, - "--dport", strconv.Itoa(dstPort), - "-j", "MASQUERADE", - } - - if !Exists(natChain.Table, "POSTROUTING", masqRule...) { - t.Fatalf("MASQUERADE rule does not exist") - } -} - -func TestLink(t *testing.T) { - var err error - - ip1 := net.ParseIP("192.168.1.1") - ip2 := net.ParseIP("192.168.1.2") - port := 1234 - proto := "tcp" - - err = filterChain.Link(Append, ip1, ip2, port, proto) - if err != nil { - t.Fatal(err) - } - - rule1 := []string{ - "-i", filterChain.Bridge, - "-o", filterChain.Bridge, - "-p", proto, - "-s", ip1.String(), - "-d", ip2.String(), - "--dport", strconv.Itoa(port), - "-j", "ACCEPT"} - - if !Exists(filterChain.Table, filterChain.Name, rule1...) { - t.Fatalf("rule1 does not exist") - } - - rule2 := []string{ - "-i", filterChain.Bridge, - "-o", filterChain.Bridge, - "-p", proto, - "-s", ip2.String(), - "-d", ip1.String(), - "--sport", strconv.Itoa(port), - "-j", "ACCEPT"} - - if !Exists(filterChain.Table, filterChain.Name, rule2...) { - t.Fatalf("rule2 does not exist") - } -} - -func TestPrerouting(t *testing.T) { - args := []string{ - "-i", "lo", - "-d", "192.168.1.1"} - - err := natChain.Prerouting(Insert, args...) - if err != nil { - t.Fatal(err) - } - - rule := []string{ - "-j", natChain.Name} - - rule = append(rule, args...) - - if !Exists(natChain.Table, "PREROUTING", rule...) { - t.Fatalf("rule does not exist") - } - - delRule := append([]string{"-D", "PREROUTING", "-t", string(Nat)}, rule...) - if _, err = Raw(delRule...); err != nil { - t.Fatal(err) - } -} - -func TestOutput(t *testing.T) { - args := []string{ - "-o", "lo", - "-d", "192.168.1.1"} - - err := natChain.Output(Insert, args...) - if err != nil { - t.Fatal(err) - } - - rule := []string{ - "-j", natChain.Name} - - rule = append(rule, args...) - - if !Exists(natChain.Table, "OUTPUT", rule...) { - t.Fatalf("rule does not exist") - } - - delRule := append([]string{"-D", "OUTPUT", "-t", - string(natChain.Table)}, rule...) - if _, err = Raw(delRule...); err != nil { - t.Fatal(err) - } -} - -func TestCleanup(t *testing.T) { - var err error - var rules []byte - - // Cleanup filter/FORWARD first otherwise output of iptables-save is dirty - link := []string{"-t", string(filterChain.Table), - string(Delete), "FORWARD", - "-o", filterChain.Bridge, - "-j", filterChain.Name} - if _, err = Raw(link...); err != nil { - t.Fatal(err) - } - filterChain.Remove() - - err = RemoveExistingChain(chainName, Nat) - if err != nil { - t.Fatal(err) - } - - rules, err = exec.Command("iptables-save").Output() - if err != nil { - t.Fatal(err) - } - if strings.Contains(string(rules), chainName) { - t.Fatalf("Removing chain failed. %s found in iptables-save", chainName) - } -}