Skip to content

42wim/registrator-netfilter

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
LICENSE
 
 
README.md
 
 
firewalld.go
 
 
helpers.go
 
 
netfilter.go
 
 
Building Netfilter Firewalld support Prerequisites

README.md

This is a module for registrator (https://github.com/gliderlabs/registrator/)

Building

To build your version of registrator with this module. Make sure you have Go properly installed, including setting up your GOPATH

Next, run

$ cd $GOPATH
$ go get github.com/gliderlabs/registrator
$  src/github.com/gliderlabs/registrator/modules.go

Edit the file $GOPATH/src/github.com/gliderlabs/registrator/modules.go
Add the following line to the import path of modules.go

 _ "github.com/42wim/registrator-netfilter"

Run go get again (will fetch the code from github.com/42wim/registrator-netfilter)

$ go get

You will now have a "registrator" binary in $GOPATH/bin

Netfilter

    netfilter://mychain/myset

When using IPv6 containers, the NAT is gone and your container and ports are by default reachable. You can use this module to firewall those.

If no chain/set is specified, it will default to netfilter://FORWARD_direct/containerports

This module does on initialization:

  • creates an ipset (http://ipset.netfilter.org) called (hash:ip,port)
  • appends a rule to chain that allows <ip,port> addresses in a set to be forwarded to the container.
  • appends a rule to chain that will drop packets going to the docker0 device.

Or in actual commands

/usr/sbin/ipset create <myset> hash:ip,port family inet6
/usr/sbin/ip6tables -A <mychain> -o docker0 -m set --match-set <myset> dst,dst -j ACCEPT
/usr/sbin/ip6tables -A <mychain> -o docker0 -j DROP

When an IPv6 service gets registered:

  • the container <ip,port> will be added to and access to this port will be allowed.
  • icmpv6 echo request will also be allowed so that you can ping the container

Or in actual commands

/usr/sbin/ipset add <myset> <ip,proto:port>
/usr/sbin/ipset add <myset> <ip,icmpv6:128/0>

When the service gets deregistered, the access will be removed.

Firewalld support

The module will communicate with firewalld when detected.
The default FORWARD_direct chain would be a good chain to use with firewalld

Prerequisites

  • You need the iptables (v1.4.21+) and ipset (v6.19+) packages
  • ipset and ip6tables are expected to be found in /usr/sbin

About

ipv6 firewall (netfilter) module for registrator (https://github.com/gliderlabs/registrator/)

Resources

Readme

License

MIT license

Stars

1 star

Watchers

3 watching

Forks

0 forks

Releases

No releases published

Packages

No packages published

Languages