# ferm function library for exposing services that run in containers.
#
# Conventions used below:
#   * `$internet` and `$bridge` are interface names referenced here but not
#     defined in this file; they are assumed to be set by the including
#     configuration (confirm before use).
#   * Per-service user chains are named "allow_<service>" (filter table,
#     ip + ip6) and "fwd_to_<service>" (nat table, ip and ip6); they are
#     created by &def_service and referenced by the other functions.
#   * Container addresses are looked up with @resolve at ferm run time, so
#     the container names must resolve when the rules are loaded.

# Allow connections to public ports on the host.
# Adds an INPUT ACCEPT for $proto/$port in both the ip and ip6 domains.
@def &allow_local($proto, $port) = {
    domain (ip ip6) table filter chain INPUT protocol $proto dport $port ACCEPT;
}

# Defines a service residing in a given container.
# $service   - name used to derive the allow_/fwd_to_ chain names
# $container - name resolved to the container's A / AAAA records
# $proto     - protocol the service listens on
# $port      - port the service listens on inside the container
@def &def_service($service, $container, $proto, $port) = {
    # look up IP addresses of the container
    @def $ip4 = @resolve($container, A);
    @def $ip6 = @resolve($container, AAAA);

    # chain to allow forwarding to the service: accepts only traffic whose
    # destination is the container's address on $proto/$port, regardless of
    # the interface the packet arrived on (callers decide who may jump here)
    domain (ip ip6) table filter chain @cat("allow_", $service) daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;

    # chain to do the DNAT to change the address / port to the one of the
    # container / service. There is no dport match in this chain: every
    # $proto packet that is jumped here is rewritten, so callers must match
    # the public port before jumping (see &forward_to_service).
    # NOTE(review): "$ip4:$port" interpolates the @resolve result into a
    # string; if the name ever resolves to more than one record the DNAT
    # target would be malformed — confirm the container has a single address.
    domain ip table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "$ip4:$port";
    domain ip6 table nat chain @cat("fwd_to_", $service) protocol $proto DNAT to "[$ip6]:$port";
}

# Forwards a public port to the given service.
# $proto/$port here are the public protocol/port on $internet; the
# container-side port is the one given to &def_service.
@def &forward_to_service($service, $proto, $port) = {
    domain (ip ip6) {
        # allow forwarding to the service.
        # This jump carries no interface or address match, so every forwarded
        # packet is checked against allow_<service>, and that chain accepts
        # anything addressed to the container's $proto/$port whatever the
        # ingress interface. As written this therefore also permits traffic
        # from other interfaces (e.g. $bridge), not only DNATed traffic from
        # $internet.
        # NOTE(review): if only public access is intended, restrict this to
        # `interface $internet` — verify against the deployment's intent.
        table filter chain FORWARD jump @cat("allow_", $service);
        table nat {
            # change destination address / port to the one of the container /
            # service; the dport match here is what scopes the fwd_to_ chain,
            # which itself rewrites every $proto packet it sees
            chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
        }
    }
}

# Allows connection from the given container to the specified service
# (which resides in another container).
# Every forwarded packet whose source is $container's address is evaluated
# against allow_<service>; only the service's address/port is accepted there.
@def &allow_service_for($service, $container) = {
    @def $ip4 = @resolve($container, A);
    @def $ip6 = @resolve($container, AAAA);
    domain (ip ip6) table filter chain FORWARD saddr @ipfilter(($ip4 $ip6)) jump @cat("allow_", $service);
}

# Allows connections to a specific service from all containers.
# Matches on the ingress interface $bridge rather than on source addresses,
# so anything entering via the bridge is evaluated against allow_<service>.
@def &allow_service_for_all($service) = {
    domain (ip ip6) table filter chain FORWARD interface $bridge jump @cat("allow_", $service);
}

# ----------------

# currently unused
# Older single-step variant of &def_service + &forward_to_service that
# forwards $proto/$port straight to $container without per-service chains.
@def &forward_to($container, $proto, $port) = {
    # look up IP addresses of the container
    @def $ip4 = @resolve($container, A);
    @def $ip6 = @resolve($container, AAAA);
    domain (ip ip6) {
        # allow forwarding to container (no interface match, same caveat as
        # the FORWARD jump in &forward_to_service)
        table filter chain FORWARD daddr @ipfilter(($ip4 $ip6)) protocol $proto dport $port ACCEPT;
        # change destination address to the container's one; no port is given
        # in the DNAT target, so the destination port is left unchanged.
        # NOTE(review): the argument form `@ipfilter($ip4 $ip6)` differs from
        # the `@ipfilter(($ip4 $ip6))` used elsewhere in this file — confirm
        # ferm parses both as a single list before reviving this function.
        table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter($ip4 $ip6);
    }
}