
Commit fb9fbe9

authored
Support for passing through iptables --wait and --wait-seconds options
1 parent 54bde9c commit fb9fbe9


2 files changed

+47
-34
lines changed


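--- a/README.md
+++ b/README.md
@@ -100,6 +100,9 @@ Usage: ./docker-ingress-routing-daemon [--install [OPTIONS] | --uninstall | --he
 --no-performance - disable performance optimisations
 --indexed-ids - use sequential ids for load balancers
 (forced where ingress subnet larger than /24)
+
+--iptables-wait - pass '--iptables-wait' option to iptables
+--iptables-wait-seconds <n> - pass '--iptables-wait <n>' option to iptables
 
 (services, ports and IPs may be comma or space-separated or may be specified
 multiple times)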

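--- a/docker-ingress-routing-daemon
+++ b/docker-ingress-routing-daemon
@@ -1,9 +1,11 @@
 #!/bin/bash
 
-VERSION=4.1.1
+VERSION=4.2.0
+IPTABLES=$(which iptables)
+IPTABLES_OPTS=()
 
-# Ingress Routing Daemon v4.1.1
-# Copyright © 2020-2021 Struan Bartlett
+# Ingress Routing Daemon v4.2.0
+# Copyright © 2020-2023 Struan Bartlett
 # ----------------------------------------------------------------------
 # Permission is hereby granted, free of charge, to any person
 # obtaining a copy of this software and associated documentation files
@@ -73,7 +75,7 @@ route_ingress() {
 fi
 
 local IPTABLE_COMMENT="docker-ingress-routing-daemon"
-if nsenter -n -t $NID iptables -t mangle -C OUTPUT -m comment --comment "$IPTABLE_COMMENT" 2>/dev/null; then
+if nsenter -n -t $NID iptables "${IPTABLES_OPTS[@]}" -t mangle -C OUTPUT -m comment --comment "$IPTABLE_COMMENT" 2>/dev/null; then
 log "Detected container for service '$SERVICE', with ID '$ID' and NID '$NID': mangle table already configured, so skipping."
 return
 fi
@@ -86,9 +88,9 @@ route_ingress() {
 # TOS byte has been set by the load balancer, then none will be restored and legacy routing rules will apply.
 # - See https://github.com/newsnowlabs/docker-ingress-routing-daemon/issues/11
 log "- Adding container mangle table iptables rules"
-nsenter -n -t $NID iptables -t mangle -A OUTPUT -m comment --comment "$IPTABLE_COMMENT"
-nsenter -n -t $NID iptables -t mangle -A OUTPUT -p udp -j CONNMARK --restore-mark
-nsenter -n -t $NID iptables -t mangle -A OUTPUT -p tcp -j CONNMARK --restore-mark
+nsenter -n -t $NID iptables "${IPTABLES_OPTS[@]}" -t mangle -A OUTPUT -m comment --comment "$IPTABLE_COMMENT"
+nsenter -n -t $NID iptables "${IPTABLES_OPTS[@]}" -t mangle -A OUTPUT -p udp -j CONNMARK --restore-mark
+nsenter -n -t $NID iptables "${IPTABLES_OPTS[@]}" -t mangle -A OUTPUT -p tcp -j CONNMARK --restore-mark
 
 # 3.1 Enable 'loose' rp_filter mode on interface $CIF (and 'all' as required by kernel
 # see https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt)
@@ -108,7 +110,7 @@ route_ingress() {
 log "- Adding container policy routing/firewall rules for load-balancer #$NODE_ID with IP $NODE_IP"
 
 # 2. Map the TOS value on any incoming packets to a connection mark, using the same value.
-nsenter -n -t $NID iptables -t mangle -A PREROUTING -m tos --tos $NODE_ID/0xff -j CONNMARK --set-xmark $NODE_ID/0xffffffff
+nsenter -n -t $NID iptables "${IPTABLES_OPTS[@]}" -t mangle -A PREROUTING -m tos --tos $NODE_ID/0xff -j CONNMARK --set-xmark $NODE_ID/0xffffffff
 
 # 4. Select the correct routing table to use, according to the firewall mark on the outgoing packet.
 nsenter -n -t $NID ip rule add from $INGRESS_SUBNET fwmark $NODE_ID lookup $NODE_ID prio 32700
@@ -134,6 +136,9 @@ usage() {
 echo " --preexisting - optionally install rules where needed" >&2
 echo " on preexisting containers (recommended)" >&2
 echo >&2
+echo " --iptables-wait - pass '--wait' option to iptables" >&2
+echo " --iptables-wait-seconds <n> - pass '--wait <n>' option to iptables" >&2
+echo >&2
 echo " --no-performance - disable performance optimisations" >&2
 echo " --indexed-ids - use sequential ids for load balancers" >&2
 echo " (forced where ingress subnet larger than /24)" >&2
@@ -171,6 +176,8 @@ do
 --no-performance) shift; PERFORMANCE=0; continue; ;;
 --indexed-ids) shift; INDEXED_IDS=1; continue; ;;
 --preexisting) shift; PREEXISTING=1; continue; ;;
+--iptables-wait) shift; IPTABLES_WAIT=1; continue; ;;
+--iptables-wait-seconds) shift; IPTABLES_WAIT=1; IPTABLES_WAIT_SECONDS="$1"; shift; continue; ;;
 
 -h|--help) usage; ;;
 '') break; ;;
@@ -182,6 +189,9 @@ done
 # Display usage, unless --install or --uninstall
 [ -z "$INSTALL" ] && usage
 
+# Add '--iptables-wait' or '--iptables-wait $IPTABLES_WAIT_SECONDS' to iptables options
+[ -n "$IPTABLES_WAIT" ] && IPTABLES_OPTS+=(--wait $IPTABLES_WAIT_SECONDS)
+
 # Convert arrays to comma-separated strings
 TCPServicePortString=$(echo ${TCP_PORTS[@]} | tr ' ' ',')
 UDPServicePortString=$(echo ${UDP_PORTS[@]} | tr ' ' ',')
@@ -209,31 +219,31 @@ fi
 # Delete any relevant preexisting rules.
 log "Cleaning up any stale load-balancer rules ..."
 
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -S | \
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t nat -S | \
 grep -- '-m ipvs --ipvs -j ACCEPT' | \
 sed -r 's/^-A /-D /' | \
 while read RULE; \
 do
-log "- Deleting old rule: iptables -t nat $RULE"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat $RULE
+log "- Deleting old rule: iptables "${IPTABLES_OPTS[@]}" -t nat $RULE"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t nat $RULE
 done
 
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle -S | \
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t mangle -S | \
 grep -- '-j TOS --set-tos' | \
 sed -r 's/^-A /-D /' | \
 while read RULE; \
 do
-log "- Deleting old rule: iptables -t mangle $RULE"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle $RULE
+log "- Deleting old rule: iptables "${IPTABLES_OPTS[@]}" -t mangle $RULE"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t mangle $RULE
 done
 
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t raw -S | \
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t raw -S | \
 grep -- '-j CT --notrack' | \
 sed -r 's/^-A /-D /' | \
 while read RULE; \
 do
-log "- Deleting old rule: iptables -t raw $RULE"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t raw $RULE
+log "- Deleting old rule: iptables "${IPTABLES_OPTS[@]}" -t raw $RULE"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t raw $RULE
 done
 
 if [ "$INSTALL" = "0" ]; then
@@ -303,39 +313,39 @@ if [ -n "$NODE_ID" ]; then
 
 # Add a rule ahead of the ingress network SNAT rule, that will cause the SNAT rule to be skipped.
 if [ -z "$TCPServicePortString" ] && [ -z "$UDPServicePortString" ]; then
-log "- Adding ingress_sbox iptables nat rule: iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT
+log "- Adding ingress_sbox iptables nat rule: iptables "${IPTABLES_OPTS[@]}" -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t nat -I POSTROUTING -d $INGRESS_SUBNET -m ipvs --ipvs -j ACCEPT
 
 # 1. Set TOS to NODE_ID in all outgoing packets to INGRESS_SUBNET
-log "- Adding ingress_sbox iptables mangle rule: iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff
+log "- Adding ingress_sbox iptables mangle rule: iptables "${IPTABLES_OPTS[@]}" -t mangle -A POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t mangle -A POSTROUTING -d $INGRESS_SUBNET -j TOS --set-tos $NODE_ID/0xff
 
-log "- Adding ingress_sbox connection tracking disable rule: iptables -t raw -I PREROUTING -j CT --notrack"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t raw -I PREROUTING -j CT --notrack
+log "- Adding ingress_sbox connection tracking disable rule: iptables "${IPTABLES_OPTS[@]}" -t raw -I PREROUTING -j CT --notrack"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t raw -I PREROUTING -j CT --notrack
 else
 
 if [ -n "$TCPServicePortString" ]; then
-log "- Adding ingress_sbox iptables nat rule: iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -m ipvs --ipvs -j ACCEPT"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -m ipvs --ipvs -j ACCEPT
+log "- Adding ingress_sbox iptables nat rule: iptables "${IPTABLES_OPTS[@]}" -t nat -I POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -m ipvs --ipvs -j ACCEPT"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t nat -I POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -m ipvs --ipvs -j ACCEPT
 
 # 1. Set TOS to NODE_ID in all outgoing packets to INGRESS_SUBNET
-log "- Adding ingress_sbox iptables mangle rule: iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -j TOS --set-tos $NODE_ID/0xff"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -j TOS --set-tos $NODE_ID/0xff
+log "- Adding ingress_sbox iptables mangle rule: iptables "${IPTABLES_OPTS[@]}" -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -j TOS --set-tos $NODE_ID/0xff"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p tcp -m multiport --dports $TCPServicePortString -j TOS --set-tos $NODE_ID/0xff
 
-log "- Adding ingress_sbox connection tracking disable rule: iptables -t raw -I PREROUTING -p tcp -m multiport --dports $TCPServicePortString -j CT --notrack"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t raw -I PREROUTING -p tcp -m multiport --dports $TCPServicePortString -j CT --notrack
+log "- Adding ingress_sbox connection tracking disable rule: iptables "${IPTABLES_OPTS[@]}" -t raw -I PREROUTING -p tcp -m multiport --dports $TCPServicePortString -j CT --notrack"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t raw -I PREROUTING -p tcp -m multiport --dports $TCPServicePortString -j CT --notrack
 fi
 
 if [ -n "$UDPServicePortString" ]; then
-log "- Adding ingress_sbox iptables nat rule: iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -m ipvs --ipvs -j ACCEPT"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t nat -I POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -m ipvs --ipvs -j ACCEPT
+log "- Adding ingress_sbox iptables nat rule: iptables "${IPTABLES_OPTS[@]}" -t nat -I POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -m ipvs --ipvs -j ACCEPT"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t nat -I POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -m ipvs --ipvs -j ACCEPT
 
 # 1. Set TOS to NODE_ID in all outgoing packets to INGRESS_SUBNET
-log "- Adding ingress_sbox iptables mangle rule: iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -j TOS --set-tos $NODE_ID/0xff"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -j TOS --set-tos $NODE_ID/0xff
+log "- Adding ingress_sbox iptables mangle rule: iptables "${IPTABLES_OPTS[@]}" -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -j TOS --set-tos $NODE_ID/0xff"
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t mangle -A POSTROUTING -d $INGRESS_SUBNET -p udp -m multiport --dports $UDPServicePortString -j TOS --set-tos $NODE_ID/0xff
 
 log "- Adding ingress_sbox connection tracking disable rule: iptables -p udp -m multiport --dports $UDPServicePortString -j CT --notrack"
-nsenter --net=/var/run/docker/netns/ingress_sbox iptables -t raw -I PREROUTING -p udp -m multiport --dports $UDPServicePortString -j CT --notrack
+nsenter --net=/var/run/docker/netns/ingress_sbox iptables "${IPTABLES_OPTS[@]}" -t raw -I PREROUTING -p udp -m multiport --dports $UDPServicePortString -j CT --notrack
 fi
 
 fi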
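Review bot: The log lines that splice the array into a message, starting at new line 227 `log "- Deleting old rule: iptables "${IPTABLES_OPTS[@]}" -t nat $RULE"` and repeated in the mangle/raw cleanup loops and throughout the `Adding ingress_sbox` hunk, place `${IPTABLES_OPTS[@]}` outside the double quotes, so once the array holds `--wait 5` the message is word-split and log receives two arguments instead of one; the string form `log "- Deleting old rule: iptables ${IPTABLES_OPTS[*]} -t nat $RULE"` keeps it a single argument. `IPTABLES=$(which iptables)` at new line 4 is not referenced by any hunk in this commit (every call still invokes bare `iptables`), so it appears unused unless something outside these hunks reads it, and `command -v iptables` is the portable spelling if it is kept. `--iptables-wait-seconds` at new line 180 stores `$1` without checking it, so a missing or non-numeric value is only noticed when iptables rejects `--wait` at rule-install time; a guard such as `[[ "$1" =~ ^[0-9]+$ ]] || usage` before the assignment would fail at startup instead. The comment at new line 192 and the new README text both say the option passes `'--iptables-wait'` to iptables, whereas usage() and the code pass `--wait`; the README and comment wording should match usage().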
