Merge pull request #279 from mars1024/bugfix/ipmasq_source

change source of ipmasq rule from ipn to ip
containernetworking · May 10, 2019 · 0950a36 · 0950a36
2 parents a6a8a81 + 12b426a
commit 0950a36
Show file tree

Hide file tree

Showing 4 changed files with 134 additions and 44 deletions.
diff --git a/Godeps/Godeps.json b/Godeps/Godeps.json
diff --git a/pkg/ip/ipmasq_linux.go b/pkg/ip/ipmasq_linux.go
@@ -22,7 +22,7 @@ import (
 )
 
 // SetupIPMasq installs iptables rules to masquerade traffic
-// coming from ipn and going outside of it
+// coming from ip of ipn and going outside of ipn
 func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
 	isV6 := ipn.IP.To4() == nil
 
@@ -70,7 +70,8 @@ func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
 		return err
 	}
 
-	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	// Packets from the specific IP of this network will hit the chain
+	return ipt.AppendUnique("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
 }
 
 // TeardownIPMasq undoes the effects of SetupIPMasq
@@ -89,6 +90,12 @@ func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
 		return fmt.Errorf("failed to locate iptables: %v", err)
 	}
 
+	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.IP.String(), "-j", chain, "-m", "comment", "--comment", comment)
+	if err != nil && !isNotExist(err) {
+		return err
+	}
+
+	// for downward compatibility
 	err = ipt.Delete("nat", "POSTROUTING", "-s", ipn.String(), "-j", chain, "-m", "comment", "--comment", comment)
 	if err != nil && !isNotExist(err) {
 		return err

diff --git a/plugins/main/ptp/README.md b/plugins/main/ptp/README.md
@@ -26,7 +26,7 @@ The traffic of the container interface will be routed through the interface of t
 
 * `name` (string, required): the name of the network
 * `type` (string, required): "ptp"
-* `ipMasq` (boolean, optional): set up IP Masquerade on the host for traffic originating from this network and destined outside of it. Defaults to false.
+* `ipMasq` (boolean, optional): set up IP Masquerade on the host for traffic originating from ip of this network and destined outside of this network. Defaults to false.
 * `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to value chosen by the kernel.
 * `ipam` (dictionary, required): IPAM configuration to be used for this network.
 * `dns` (dictionary, optional): DNS information to return as described in the [Result](https://github.com/containernetworking/cni/blob/master/SPEC.md#result).
diff --git a/vendor/github.com/coreos/go-iptables/iptables/iptables.go b/vendor/github.com/coreos/go-iptables/iptables/iptables.go