From 08491dcbbae2e2fc52b4318a7800ce2430a60b80 Mon Sep 17 00:00:00 2001 From: lub Date: Sun, 18 Aug 2019 23:10:42 +0200 Subject: [PATCH] implement $ingress_address and actually add rules This commit adds Get-DockerIngressAddress --- example.yml | 2 ++ expose_forwards.ps1 | 79 ++++++++++++++++++++------------------------- 2 files changed, 37 insertions(+), 44 deletions(-) diff --git a/example.yml b/example.yml index a3029c6..91fac6c 100644 --- a/example.yml +++ b/example.yml @@ -22,6 +22,8 @@ services: protocol: udp mode: ingress - target: 30033 + published: "145.239.119.128:55123" + protocol: udp mode: ingress volumes: - "/gluster/docker/gamemodeon-teamspeak_teamspeak/var/ts3server/:/var/ts3server/" diff --git a/expose_forwards.ps1 b/expose_forwards.ps1 index 0fea1f9..9ef613a 100644 --- a/expose_forwards.ps1 +++ b/expose_forwards.ps1 @@ -82,6 +82,14 @@ function Add-IptablesRule { } } } +function Get-DockerIngressAddress { + param ( + [string]$BridgeDevice = 'docker_gwbridge' + ) + + $bridge = docker network inspect $BridgeDevice | ConvertFrom-Json + $bridge.Containers.{ingress-sbox}.IPv4Address -replace '/.*' +} # setup SWARM-NAT chain $chain = 'SWARM-NAT' @@ -90,6 +98,9 @@ Add-IptablesChain -Chain $chain Add-IptablesRule -Chain 'PREROUTING' -Rule '-m','addrtype','--dst-type','LOCAL','-j',$chain +$ingress_address = Get-DockerIngressAddress + + foreach($yaml in (Get-ChildItem -Filter '*.yml')) { Write-Output ('Processing {0}' -f $yaml) $definition = Get-Content -Path $yaml -Raw | ConvertFrom-Yaml @@ -97,9 +108,9 @@ foreach($yaml in (Get-ChildItem -Filter '*.yml')) { foreach($port in $definition.services.Values.ports) { $nat = @{ protocol = $null - public_ip = $null - public_port = $null - internal_port = $null + ip = $null + port = $null + published_port = $null } if($port.Count -eq 4) { 
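Review bot: Get-DockerIngressAddress returns whatever falls out of the pipeline, so when `docker network inspect` fails or the bridge has no `ingress-sbox` container the result is an empty string rather than an error, and every DNAT rule built later in the file would carry a `--to-destination :port`. Capture the value and fail early, e.g. `$address = $bridge.Containers.{ingress-sbox}.IPv4Address -replace '/.*'` followed by `if (-not $address) { throw ('no ingress-sbox address found on {0}' -f $BridgeDevice) }`, and then return `$address`. A short comment header stating that the function reads the IPv4 address of the ingress sandbox on the gateway bridge and strips the CIDR suffix would also help, since the `-replace '/.*'` is otherwise opaque to a reader.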
@@ -107,16 +118,16 @@ foreach($yaml in (Get-ChildItem -Filter '*.yml')) { $published_splitted = $port.published -split ':' $nat.protocol = $port.protocol - $nat.public_ip = $published_splitted[0] - $nat.public_port = $port.target - $nat.internal_port = $published_splitted[1] + $nat.ip = $published_splitted[0] + $nat.port = $port.target + $nat.published_port = $published_splitted[1] } else { #short form $ports_splitted = $port -split ':' - $nat.public_ip = $ports_splitted[0] - $nat.public_port = $ports_splitted[2] - $nat.internal_port = $ports_splitted[1] + $nat.ip = $ports_splitted[0] + $nat.port = $ports_splitted[2] + $nat.published_port = $ports_splitted[1] } if(!$nat.protocol) { 
@@ -132,40 +143,20 @@ foreach($yaml in (Get-ChildItem -Filter '*.yml')) { continue } - if($nat.internal_port -ne $nat.public_port) { - Write-Output ('Additional NAT rule required, because published {0} and target {1} differ' ` - -f $nat.internal_port,$nat.public_port) - $nat.protocol - $nat.public_ip - $nat.public_port - $nat.internal_port + if($nat.published_port -ne $nat.port) { + Write-Output ('Additional NAT rule required, because published_port {0} and target {1} differ' ` + -f $nat.published_port,$nat.port) + Write-Output ('Add rule for {0}:{1}' -f $nat.ip,$nat.port) + + $rule = @( + '-p','tcp' + '-m','tcp' + '--destination',$nat.ip + '--dport',$nat.port + '-j','DNAT' + '--to-destination','"{0}:{1}"' -f $ingress_address,$nat.port + ) + Add-IptablesRule -Chain $chain -Rule $rule } } -} - - - -#TODO: port from bash - - - -bridge=$( - docker network inspect docker_gwbridge \ - --format '{{(index .Containers "ingress-sbox").IPv4Address}}' \ - | cut -d'/' -f1 -) - -internal_port=30000 -public_port=30001 -destination='145.239.119.128' - - -rule="-p tcp -m tcp --destination ""${destination}"" --dport ""${public_port}"" - -j DNAT --to-destination ""${bridge}:${internal_port}""" - -if ! iptables -t nat -C SWARM-NAT $rule > /dev/null; then - Write-Output "Add rule for NAT from ${destination}:${public_port} to ${bridge}:${internal_port}" - iptables -t nat -A SWARM-NAT $rule -else - Write-Output "Rule for NAT from ${destination}:${public_port} to ${bridge}:${internal_port} already exists" -fi \ No newline at end of file +} \ No newline at end of file
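Review bot: The DNAT rule hard-codes `'-p','tcp'` and `'-m','tcp'` even though `$nat.protocol` is filled from the YAML a few lines up, so a UDP port like the one example.yml gains in this same commit ends up with a TCP-only rule; use `'-p',$nat.protocol` and `'-m',$nat.protocol`. The last array element `'--to-destination','"{0}:{1}"' -f $ingress_address,$nat.port` also does not do what it looks like: in PowerShell the comma binds tighter than `-f`, so the whole pair is stringified and formatted into one element `--to-destination "addr:port"`, quotes included, which iptables will receive as a single unknown argument; write `'--to-destination',('{0}:{1}' -f $ingress_address,$nat.port)` instead. Both `--dport` and `--to-destination` use `$nat.port`, so the rule never translates the port although it is only emitted when `published_port` and `port` differ — one of the two presumably should be `$nat.published_port`, as the removed bash draft used distinct public and internal ports. The enclosing foreach loops begin outside this hunk.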