# Allow connections to public ports on the host
@def &allow_local($proto, $port) = {
    # A host-local public service. There is no interface match here, so the
    # port is accepted on every interface, in both the ip and ip6 domains.
    domain (ip ip6) {
        table filter {
            chain INPUT {
                protocol $proto dport $port ACCEPT;
            }
        }
    }
}
# Defines a service residing in a given container
@def &def_service($service, $container, $proto, $port) = {
    # The container's addresses come from @resolve at the time ferm evaluates
    # this file, so the generated rules are a snapshot: if the container's
    # address changes, the configuration has to be re-applied.
    @def $ip4 = @resolve("$container.$search_domain", A);
    @def $ip6 = @resolve("ipv6.$container.$search_domain", AAAA);
    @def $ula = @resolve("ula.$container.$search_domain", AAAA);

    # Per-service filter chain. @ipfilter narrows the combined address list to
    # the addresses valid for the domain being generated (ip4, or ip6 + ULA).
    domain (ip ip6) {
        table filter {
            chain @cat("allow_", $service) {
                daddr @ipfilter(($ip4 $ip6 $ula)) protocol $proto dport $port ACCEPT;
            }
        }
    }

    # Per-service nat chain rewriting the destination to the container's
    # address and port. Note that this chain has no dport match of its own;
    # on this page the port is checked by the PREROUTING rule that jumps here.
    # For IPv6 only the global address is used as DNAT target, not the ULA.
    domain ip table nat {
        chain @cat("fwd_to_", $service) {
            protocol $proto DNAT to "$ip4:$port";
        }
    }
    domain ip6 table nat {
        chain @cat("fwd_to_", $service) {
            protocol $proto DNAT to "[$ip6]:$port";
        }
    }
}
# Forwards a public port to the given service
@def &forward_to_service($service, $proto, $port) = {
    # Both rules apply to ip and ip6. The jump targets are the allow_ and
    # fwd_to_ chains that &def_service creates for $service; that function
    # must have been called for the same $service before this one.

    # Forwarded traffic for the service is decided in its own allow_ chain.
    domain (ip ip6) table filter chain FORWARD jump @cat("allow_", $service);

    # Only packets arriving on $internet for this proto/port are redirected.
    # This is the only place the public port is matched, because the
    # fwd_to_ chain itself (as defined on this page) carries no dport match.
    domain (ip ip6) table nat chain PREROUTING interface $internet protocol $proto dport $port jump @cat("fwd_to_", $service);
}
# Allows connections from the given container to the specified service (which resides in another container)
@def &allow_service_for($service, $container) = {
    # Resolved once, when ferm evaluates the file (see &def_service).
    @def $ip4 = @resolve("$container.$search_domain", A);
    @def $ip6 = @resolve("ipv6.$container.$search_domain", AAAA);
    @def $ula = @resolve("ula.$container.$search_domain", AAAA);

    # Access is granted on source address alone: unlike &allow_service_for_all
    # there is no interface match, so the rule does not tie the client's
    # address to $bridge. Anything with a matching saddr, from any interface,
    # reaches the service's allow_ chain.
    domain (ip ip6) {
        table filter chain FORWARD {
            saddr @ipfilter(($ip4 $ip6 $ula)) jump @cat("allow_", $service);
        }
    }
}
# Allows connections from all containers to a specific service
@def &allow_service_for_all($service) = {
    # Everything entering on $bridge, i.e. from any container, is handed to
    # the service's allow_ chain. There is no source-address restriction;
    # the decision rests entirely on the ingress interface.
    domain (ip ip6) {
        table filter chain FORWARD {
            interface $bridge jump @cat("allow_", $service);
        }
    }
}
# ----------------
# currently unused
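@def &forward_to($container, $proto, $port) = {
    # Currently unused: forwards a public port straight to a container
    # without the per-service allow_/fwd_to_ chains used by &def_service.
    #
    # The hostname passed to @resolve for the A record is quoted here like
    # every other @resolve call on this page; the previous unquoted form
    # ($container.$search_domain) differed from them and had never been
    # exercised. Addresses are resolved once, when ferm evaluates the file.
    @def $ip4 = @resolve("$container.$search_domain", A);
    @def $ip6 = @resolve("ipv6.$container.$search_domain", AAAA);
    @def $ula = @resolve("ula.$container.$search_domain", AAAA);

    domain (ip ip6) {
        # Allow forwarding to the container. The addresses are passed to
        # @ipfilter as one list (double parentheses), matching the form the
        # other definitions use, instead of three separate arguments.
        table filter chain FORWARD daddr @ipfilter(($ip4 $ip6 $ula)) protocol $proto dport $port ACCEPT;

        # Change the destination address to the container's; the port is
        # kept as-is, so no ":$port" suffix is needed.
        # NOTE(review): in the ip6 domain the filtered list still contains
        # both $ip6 and $ula; confirm that is the intended DNAT target set,
        # or pick a single address as &def_service does with "[$ip6]:$port".
        table nat chain PREROUTING interface $internet protocol $proto dport $port DNAT to @ipfilter(($ip4 $ip6 $ula));
    }
}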