netfilter

package module
v0.0.0-...-e97d958

This package is not in the latest version of its module.
Published: Sep 5, 2015 License: MIT Imports: 9 Imported by: 0

README

This is a module for registrator (https://github.com/gliderlabs/registrator/)

Building

To build your own registrator with this module, make sure Go is properly installed and your GOPATH is set up.

Next, run

$ cd $GOPATH
$ go get github.com/gliderlabs/registrator

Then edit the file $GOPATH/src/github.com/gliderlabs/registrator/modules.go
and add the following line to the import block of modules.go:

 _ "github.com/42wim/registrator-netfilter"

Run go get again from the registrator directory (this fetches the code from github.com/42wim/registrator-netfilter and rebuilds registrator):

$ cd $GOPATH/src/github.com/gliderlabs/registrator
$ go get

You will now have a "registrator" binary in $GOPATH/bin.

Netfilter

    netfilter://mychain/myset

With IPv6 containers there is no NAT: the container address and every port it listens on are reachable from outside by default. This module firewalls them, so that only the ports registrator sees as registered services are opened.

If no chain or set is specified, the default is netfilter://FORWARD_direct/containerports

This module does the following on initialization:

  • creates an ipset (http://ipset.netfilter.org) called <myset> of type hash:ip,port, family inet6
  • appends a rule to <mychain> that allows packets whose destination <ip,port> is in that set to be forwarded to the container
  • appends a rule to <mychain> that drops all other packets going out the docker0 device

Or, in actual commands:

/usr/sbin/ipset create <myset> hash:ip,port family inet6
/usr/sbin/ip6tables -A <mychain> -o docker0 -m set --match-set <myset> dst,dst -j ACCEPT
/usr/sbin/ip6tables -A <mychain> -o docker0 -j DROP

Note that both rules are appended (-A), so they only see packets that no earlier rule in <mychain> has already accepted, and they only cover containers on the docker0 bridge. The set is created with family inet6, so nothing here affects IPv4 traffic.

When an IPv6 service gets registered:

  • the container's <ip,port> is added to <myset>, which allows access to that port
  • an ICMPv6 echo request (type 128, code 0) entry for the container IP is added as well, so that you can ping the container

Or, in actual commands:

/usr/sbin/ipset add <myset> <ip,proto:port>
/usr/sbin/ipset add <myset> <ip,icmpv6:128/0>

When the service gets deregistered, those entries are removed again and the access is closed.
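The whole lifecycle described above (the initialization rules, then the per-service ipset add and del) as an added Go example; this is not the module's own code. It assumes a hypothetical Service struct in place of registrator's bridge.Service, and it records the ipset/ip6tables command lines instead of executing them so it runs without root and without the binaries installed. The sample service 2001:db8::2 port 8080/tcp is constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Service is a hypothetical stand-in for registrator's bridge.Service.
type Service struct {
	IP    string
	Port  int
	Proto string // "tcp" or "udp"
}

// Adapter mirrors the README's NetfilterAdapter. Exec runs one command line and
// is a field so commands can be recorded instead of executed (ipset needs root).
type Adapter struct {
	Chain, Set string
	Exec       func(argv ...string) error
}

// Recorder returns an Exec that appends each command line to *log.
func Recorder(log *[]string) func(argv ...string) error {
	return func(argv ...string) error {
		*log = append(*log, strings.Join(argv, " "))
		return nil
	}
}

// Init reproduces the README's initialisation: create the inet6 set, accept
// traffic to docker0 whose <ip,port> is in the set, then drop the rest. The
// rules are appended (-A), so an earlier ACCEPT in the chain still wins.
func (a *Adapter) Init() error {
	steps := [][]string{
		{"/usr/sbin/ipset", "create", a.Set, "hash:ip,port", "family", "inet6"},
		{"/usr/sbin/ip6tables", "-A", a.Chain, "-o", "docker0",
			"-m", "set", "--match-set", a.Set, "dst,dst", "-j", "ACCEPT"},
		{"/usr/sbin/ip6tables", "-A", a.Chain, "-o", "docker0", "-j", "DROP"},
	}
	for _, s := range steps {
		if err := a.Exec(s...); err != nil {
			return err
		}
	}
	return nil
}

// entries returns the two set members the README adds per service: the
// published proto:port and ICMPv6 echo request (type 128, code 0). IPv4
// addresses are rejected up front because the set's family is inet6.
func entries(s *Service) ([]string, error) {
	ip := net.ParseIP(s.IP)
	if ip == nil || ip.To4() != nil {
		return nil, fmt.Errorf("service %s: not an IPv6 address", s.IP)
	}
	proto := strings.ToLower(s.Proto)
	if (proto != "tcp" && proto != "udp") || s.Port < 1 || s.Port > 65535 {
		return nil, fmt.Errorf("unsupported %s port %d", s.Proto, s.Port)
	}
	return []string{
		fmt.Sprintf("%s,%s:%d", ip, proto, s.Port),
		fmt.Sprintf("%s,icmpv6:128/0", ip),
	}, nil
}

// Register opens the port (and ping); Deregister closes them. Assumption: the
// icmpv6 entry is deleted too, which also ends ping for other ports on that IP.
func (a *Adapter) Register(s *Service) error   { return a.apply("add", s) }
func (a *Adapter) Deregister(s *Service) error { return a.apply("del", s) }

func (a *Adapter) apply(verb string, s *Service) error {
	es, err := entries(s)
	if err != nil {
		return err
	}
	for _, e := range es {
		if err := a.Exec("/usr/sbin/ipset", verb, a.Set, e); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	var log []string
	a := &Adapter{Chain: "FORWARD_direct", Set: "containerports", Exec: Recorder(&log)} // README defaults
	svc := &Service{IP: "2001:db8::2", Port: 8080, Proto: "tcp"}                        // constructed sample
	for _, err := range []error{a.Init(), a.Register(svc), a.Deregister(svc)} {
		if err != nil {
			panic(err)
		}
	}
	fmt.Println(strings.Join(log, "\n"))
}
```

Running it prints the three initialization commands followed by the two ipset add and two ipset del lines for the sample service. The IPv6-only check in entries is the part worth keeping in a real adapter: the set is family inet6, so an IPv4 container address would make ipset fail at registration time, and failing before touching the firewall keeps the error local to that service. A production Exec would wrap os/exec (or, with firewalld, the D-Bus passthrough) and should treat a non-zero exit as a failed registration rather than ignore it.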

Firewalld support

When firewalld is detected, the module communicates with it over D-Bus (see Passthrough below) instead of calling ip6tables directly.
The default FORWARD_direct chain, which is a firewalld direct chain, is a good chain to use with firewalld.

Prerequisites

  • You need the iptables (v1.4.21+) and ipset (v6.19+) packages
  • ipset and ip6tables are expected to be found in /usr/sbin

Documentation

Overview

Based on github.com/docker/libnetwork/iptables/firewalld.go (Apache 2.0 license).

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func FirewalldInit

func FirewalldInit() error

FirewalldInit initializes firewalld management code.

func OnReloaded

func OnReloaded(callback func())

OnReloaded registers a callback that is run when firewalld signals a reload.

func Passthrough

func Passthrough(args []string) ([]byte, error)

Passthrough simply passes args through to iptables/ip6tables over the firewalld D-Bus connection.

Types

type Conn

type Conn struct {
	// contains filtered or unexported fields
}

Conn is a connection to firewalld dbus endpoint.

type Factory

type Factory struct{}

func (*Factory) New

func (f *Factory) New(uri *url.URL) bridge.RegistryAdapter

type NetfilterAdapter

type NetfilterAdapter struct {
	Chain string
	Set   string
}

func (*NetfilterAdapter) Deregister

func (r *NetfilterAdapter) Deregister(service *bridge.Service) error

func (*NetfilterAdapter) Ping

func (r *NetfilterAdapter) Ping() error

func (*NetfilterAdapter) Refresh

func (r *NetfilterAdapter) Refresh(service *bridge.Service) error

func (*NetfilterAdapter) Register

func (r *NetfilterAdapter) Register(service *bridge.Service) error
