implement $ingress_address and actually add rules

This commit adds Get-DockerIngressAddress
master
lub 5 years ago
parent 284c415076
commit 08491dcbba

@ -22,6 +22,8 @@ services:
protocol: udp protocol: udp
mode: ingress mode: ingress
- target: 30033 - target: 30033
published: "145.239.119.128:55123"
protocol: udp
mode: ingress mode: ingress
volumes: volumes:
- "/gluster/docker/gamemodeon-teamspeak_teamspeak/var/ts3server/:/var/ts3server/" - "/gluster/docker/gamemodeon-teamspeak_teamspeak/var/ts3server/:/var/ts3server/"

@ -82,6 +82,14 @@ function Add-IptablesRule {
} }
} }
} }
function Get-DockerIngressAddress {
param (
[string]$BridgeDevice = 'docker_gwbridge'
)
$bridge = docker network inspect $BridgeDevice | ConvertFrom-Json
$bridge.Containers.{ingress-sbox}.IPv4Address -replace '/.*'
}
# setup SWARM-NAT chain # setup SWARM-NAT chain
$chain = 'SWARM-NAT' $chain = 'SWARM-NAT'
@ -90,6 +98,9 @@ Add-IptablesChain -Chain $chain
Add-IptablesRule -Chain 'PREROUTING' -Rule '-m','addrtype','--dst-type','LOCAL','-j',$chain Add-IptablesRule -Chain 'PREROUTING' -Rule '-m','addrtype','--dst-type','LOCAL','-j',$chain
$ingress_address = Get-DockerIngressAddress
foreach($yaml in (Get-ChildItem -Filter '*.yml')) { foreach($yaml in (Get-ChildItem -Filter '*.yml')) {
Write-Output ('Processing {0}' -f $yaml) Write-Output ('Processing {0}' -f $yaml)
$definition = Get-Content -Path $yaml -Raw | ConvertFrom-Yaml $definition = Get-Content -Path $yaml -Raw | ConvertFrom-Yaml
@ -97,9 +108,9 @@ foreach($yaml in (Get-ChildItem -Filter '*.yml')) {
foreach($port in $definition.services.Values.ports) { foreach($port in $definition.services.Values.ports) {
$nat = @{ $nat = @{
protocol = $null protocol = $null
public_ip = $null ip = $null
public_port = $null port = $null
internal_port = $null published_port = $null
} }
if($port.Count -eq 4) { if($port.Count -eq 4) {
@ -107,16 +118,16 @@ foreach($yaml in (Get-ChildItem -Filter '*.yml')) {
$published_splitted = $port.published -split ':' $published_splitted = $port.published -split ':'
$nat.protocol = $port.protocol $nat.protocol = $port.protocol
$nat.public_ip = $published_splitted[0] $nat.ip = $published_splitted[0]
$nat.public_port = $port.target $nat.port = $port.target
$nat.internal_port = $published_splitted[1] $nat.published_port = $published_splitted[1]
} else { } else {
#short form #short form
$ports_splitted = $port -split ':' $ports_splitted = $port -split ':'
$nat.public_ip = $ports_splitted[0] $nat.ip = $ports_splitted[0]
$nat.public_port = $ports_splitted[2] $nat.port = $ports_splitted[2]
$nat.internal_port = $ports_splitted[1] $nat.published_port = $ports_splitted[1]
} }
if(!$nat.protocol) { if(!$nat.protocol) {
@ -132,40 +143,20 @@ foreach($yaml in (Get-ChildItem -Filter '*.yml')) {
continue continue
} }
if($nat.internal_port -ne $nat.public_port) { if($nat.published_port -ne $nat.port) {
Write-Output ('Additional NAT rule required, because published {0} and target {1} differ' ` Write-Output ('Additional NAT rule required, because published_port {0} and target {1} differ' `
-f $nat.internal_port,$nat.public_port) -f $nat.published_port,$nat.port)
$nat.protocol Write-Output ('Add rule for {0}:{1}' -f $nat.ip,$nat.port)
$nat.public_ip
$nat.public_port
$nat.internal_port
}
}
}
$rule = @(
'-p','tcp'
#TODO: port from bash '-m','tcp'
'--destination',$nat.ip
'--dport',$nat.port
'-j','DNAT'
bridge=$( '--to-destination','"{0}:{1}"' -f $ingress_address,$nat.port
docker network inspect docker_gwbridge \
--format '{{(index .Containers "ingress-sbox").IPv4Address}}' \
| cut -d'/' -f1
) )
Add-IptablesRule -Chain $chain -Rule $rule
internal_port=30000 }
public_port=30001 }
destination='145.239.119.128' }
rule="-p tcp -m tcp --destination ""${destination}"" --dport ""${public_port}""
-j DNAT --to-destination ""${bridge}:${internal_port}"""
if ! iptables -t nat -C SWARM-NAT $rule > /dev/null; then
Write-Output "Add rule for NAT from ${destination}:${public_port} to ${bridge}:${internal_port}"
iptables -t nat -A SWARM-NAT $rule
else
Write-Output "Rule for NAT from ${destination}:${public_port} to ${bridge}:${internal_port} already exists"
fi
Loading…
Cancel
Save