package iptables
import (
"fmt"
"code.cloudfoundry.org/garden"
)
// iptablesFlags is the simplest Rule implementation: a literal, already
// rendered iptables argument list in which each element is one argv entry.
// Values are therefore handed to iptables verbatim, with no shell involved
// at this layer.
type iptablesFlags []string

// Flags returns the stored argument list as-is. The chain parameter is
// ignored because the arguments were fixed when the value was built. Note
// that the same backing array is returned rather than a copy.
func (flags iptablesFlags) Flags(chain string) []string {
	return []string(flags)
}
// natRule builds a nat-table DNAT rule that redirects TCP traffic addressed
// to destination:destinationPort to containerIP:containerPort.
//
// Every value occupies its own argv slot, so it reaches iptables unmodified
// and without shell interpretation. The rule is tagged with comment via the
// comment match so it can be identified later. NOTE(review): iptables'
// comment match is documented to cap the comment at 256 bytes and rejects
// the whole rule otherwise; callers presumably keep it short — confirm.
func natRule(destination string, destinationPort uint32, containerIP string, containerPort uint32, comment string) Rule {
	port := fmt.Sprintf("%d", destinationPort)
	target := fmt.Sprintf("%s:%d", containerIP, containerPort)

	return iptablesFlags{
		"--table", "nat",
		"--protocol", "tcp",
		"--destination", destination,
		"--destination-port", port,
		"--jump", "DNAT",
		"--to-destination", target,
		"-m", "comment", "--comment", comment,
	}
}
// rejectRule builds a rule that REJECTs all traffic to destination. REJECT
// (unlike DROP) answers the sender with an error rather than silently
// discarding the packet.
//
// No --table flag is given, so iptables' default (filter) table applies, and
// no protocol or port is specified, so the match covers every protocol to
// that address.
func rejectRule(destination string) Rule {
	return iptablesFlags{"--destination", destination, "--jump", "REJECT"}
}
// SingleFilterRule is a Rule rendered from a garden network filter spec.
// Every match field is optional: only the non-nil ones produce iptables
// arguments (see Flags), so an unset field places no restriction on that
// dimension of the match.
type SingleFilterRule struct {
	Protocol garden.Protocol     // looked up in the package-level protocols map to produce --protocol
	Networks *garden.IPRange     // destination address or address range; nil emits no address match
	Ports    *garden.PortRange   // destination port or port range; nil emits no port match
	ICMPs    *garden.ICMPControl // ICMP type with optional code; nil emits no --icmp-type
	Log      bool                // true: matches are sent to the "<chain>-log" chain via --goto instead of --jump RETURN
	Handle   string              // stored in the rule's comment match, presumably so the rule can be found again later
}
// Flags renders the rule as an iptables argument list for the given chain.
//
// Arguments are emitted in a fixed order: protocol, destination address,
// destination port, ICMP type, the action, and finally a comment carrying
// Handle. Each value becomes its own argv element; no shell quoting happens
// here.
//
// Points a reviewer should keep in mind:
//   - A Protocol with no entry in the package-level protocols map yields
//     `--protocol ""` (Go's map zero value). Nothing here rejects that, so
//     validation is presumably done upstream — confirm.
//   - Ports and ICMPs are emitted whenever non-nil, regardless of Protocol,
//     and no start<=end check is made on the port range. iptables itself is
//     expected to refuse such combinations, so a bad spec should fail loudly
//     rather than silently widen the match — confirm against the caller.
//   - With Log set the action is `--goto <chain>-log`; that sibling chain
//     must already exist, and goto does not return to this chain.
func (r SingleFilterRule) Flags(chain string) []string {
	args := []string{"--protocol", protocols[r.Protocol]}

	// Destination address: a two-ended range uses the iprange match, a
	// one-ended range degrades to a single --destination on whichever end
	// is set.
	if dst := r.Networks; dst != nil {
		switch {
		case dst.Start != nil && dst.End != nil:
			args = append(args, "-m", "iprange", "--dst-range", dst.Start.String()+"-"+dst.End.String())
		case dst.Start != nil:
			args = append(args, "--destination", dst.Start.String())
		case dst.End != nil:
			args = append(args, "--destination", dst.End.String())
		}
	}

	// Destination port: "start:end" for a range, a bare number when both
	// ends are equal.
	if pr := r.Ports; pr != nil {
		portArg := fmt.Sprintf("%d", pr.Start)
		if pr.Start != pr.End {
			portArg = fmt.Sprintf("%d:%d", pr.Start, pr.End)
		}
		args = append(args, "--destination-port", portArg)
	}

	// ICMP type, qualified as "type/code" when a code is present.
	if ic := r.ICMPs; ic != nil {
		var icmpArg string
		if ic.Code != nil {
			icmpArg = fmt.Sprintf("%d/%d", ic.Type, *ic.Code)
		} else {
			icmpArg = fmt.Sprintf("%d", ic.Type)
		}
		args = append(args, "--icmp-type", icmpArg)
	}

	// Action: logging rules are handed off to the chain's "-log" sibling;
	// everything else returns to the calling chain.
	action := []string{"--jump", "RETURN"}
	if r.Log {
		action = []string{"--goto", chain + "-log"}
	}
	args = append(args, action...)

	// Tag the rule with its handle via the comment match.
	return append(args, "-m", "comment", "--comment", r.Handle)
}