[docker-nat]: upgrade docker-nat to buster (#4943)

move iptables to 1.8.2-4 (version in buster)

Signed-off-by: Joyas Joseph <joyas_joseph@dell.com>
joyas-joseph 2020-07-15 22:48:09 -07:00 committed by GitHub
parent 1ca47da40d
commit 18bfa6df08
4 changed files with 88 additions and 36 deletions


@ -1,5 +1,5 @@
{% from "dockers/dockerfile-macros.j2" import install_debian_packages, copy_files %} {% from "dockers/dockerfile-macros.j2" import install_debian_packages, copy_files %}
FROM docker-config-engine-stretch FROM docker-config-engine-buster
ARG docker_container_name ARG docker_container_name
RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf


@ -7,22 +7,20 @@ DOCKER_NAT_DBG = $(DOCKER_NAT_STEM)-$(DBG_IMAGE_MARK).gz
$(DOCKER_NAT)_PATH = $(DOCKERS_PATH)/$(DOCKER_NAT_STEM) $(DOCKER_NAT)_PATH = $(DOCKERS_PATH)/$(DOCKER_NAT_STEM)
$(DOCKER_NAT)_DEPENDS += $(SWSS) $(IPTABLESIP4TC) $(IPTABLESIP6TC) $(IPTABLESIPTC) $(IPXTABLES12) $(IPTABLES) $(DOCKER_NAT)_DEPENDS += $(SWSS) $(IPTABLESIP4TC) $(IPTABLESIP6TC) $(IPTABLESIPTC) $(IPXTABLES12) $(IPTABLES)
$(DOCKER_NAT)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_DEPENDS) $(DOCKER_NAT)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_DEPENDS)
$(DOCKER_NAT)_DBG_DEPENDS += $(SWSS_DBG) $(LIBSWSSCOMMON_DBG) $(DOCKER_NAT)_DBG_DEPENDS += $(SWSS_DBG) $(LIBSWSSCOMMON_DBG)
$(DOCKER_NAT)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_IMAGE_PACKAGES) $(DOCKER_NAT)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE_PACKAGES)
$(DOCKER_NAT)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH) $(DOCKER_NAT)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER)
ifeq ($(ENABLE_NAT), y) ifeq ($(ENABLE_NAT), y)
SONIC_DOCKER_IMAGES += $(DOCKER_NAT) SONIC_DOCKER_IMAGES += $(DOCKER_NAT)
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_NAT) SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_NAT)
SONIC_STRETCH_DOCKERS += $(DOCKER_NAT)
endif endif
ifeq ($(ENABLE_NAT), y) ifeq ($(ENABLE_NAT), y)
SONIC_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG) SONIC_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG) SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
SONIC_STRETCH_DBG_DOCKERS += $(DOCKER_NAT_DBG)
endif endif
$(DOCKER_NAT)_CONTAINER_NAME = nat $(DOCKER_NAT)_CONTAINER_NAME = nat


@ -1,7 +1,7 @@
# iptables package # iptables package
IPTABLES_VERSION = 1.6.0+snapshot20161117 IPTABLES_VERSION = 1.8.2
IPTABLES_VERSION_SUFFIX = 6 IPTABLES_VERSION_SUFFIX = 4
IPTABLES_VERSION_FULL = $(IPTABLES_VERSION)-$(IPTABLES_VERSION_SUFFIX) IPTABLES_VERSION_FULL = $(IPTABLES_VERSION)-$(IPTABLES_VERSION_SUFFIX)
IPTABLES = iptables_$(IPTABLES_VERSION_FULL)_$(CONFIGURED_ARCH).deb IPTABLES = iptables_$(IPTABLES_VERSION_FULL)_$(CONFIGURED_ARCH).deb


@ -10,7 +10,7 @@ Subject: [PATCH] Passing fullcone option for SNAT and DNAT
3 files changed, 62 insertions(+), 3 deletions(-) 3 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index a14d16f..4bfab98 100644 index 4907a2e..543421c 100644
--- a/extensions/libipt_DNAT.c --- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c +++ b/extensions/libipt_DNAT.c
@@ -8,14 +8,20 @@ @@ -8,14 +8,20 @@
@ -42,8 +42,17 @@ index a14d16f..4bfab98 100644
+"[--random] [--persistent] [--fullcone]\n"); +"[--random] [--persistent] [--fullcone]\n");
} }
static void DNAT_help_v2(void)
@@ -41,7 +47,7 @@ static void DNAT_help_v2(void)
"DNAT target options:\n"
" --to-destination [<ipaddr>[-<ipaddr>]][:port[-port[/port]]]\n"
" Address to map destination to.\n"
-"[--random] [--persistent]\n");
+"[--random] [--persistent] [--fullcone]\n");
}
static const struct xt_option_entry DNAT_opts[] = { static const struct xt_option_entry DNAT_opts[] = {
@@ -40,6 +46,7 @@ static const struct xt_option_entry DNAT_opts[] = { @@ -49,6 +55,7 @@ static const struct xt_option_entry DNAT_opts[] = {
.flags = XTOPT_MAND | XTOPT_MULTI}, .flags = XTOPT_MAND | XTOPT_MULTI},
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
{.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
@ -51,7 +60,7 @@ index a14d16f..4bfab98 100644
XTOPT_TABLEEND, XTOPT_TABLEEND,
}; };
@@ -185,10 +192,14 @@ static void DNAT_parse(struct xt_option_call *cb) @@ -194,10 +201,14 @@ static void DNAT_parse(struct xt_option_call *cb)
static void DNAT_fcheck(struct xt_fcheck_call *cb) static void DNAT_fcheck(struct xt_fcheck_call *cb)
{ {
static const unsigned int f = F_TO_DEST | F_RANDOM; static const unsigned int f = F_TO_DEST | F_RANDOM;
@ -66,7 +75,7 @@ index a14d16f..4bfab98 100644
} }
static void print_range(const struct nf_nat_ipv4_range *r) static void print_range(const struct nf_nat_ipv4_range *r)
@@ -224,6 +235,8 @@ static void DNAT_print(const void *ip, const struct xt_entry_target *target, @@ -233,6 +244,8 @@ static void DNAT_print(const void *ip, const struct xt_entry_target *target,
printf(" random"); printf(" random");
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
printf(" persistent"); printf(" persistent");
@ -75,7 +84,7 @@ index a14d16f..4bfab98 100644
} }
} }
@@ -239,6 +252,8 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target) @@ -248,6 +261,8 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target)
printf(" --random"); printf(" --random");
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
printf(" --persistent"); printf(" --persistent");
@ -84,7 +93,7 @@ index a14d16f..4bfab98 100644
} }
} }
@@ -282,6 +297,11 @@ static int DNAT_xlate(struct xt_xlate *xl, @@ -291,6 +306,11 @@ static int DNAT_xlate(struct xt_xlate *xl,
sep = ","; sep = ",";
xt_xlate_add(xl, "%spersistent", sep); xt_xlate_add(xl, "%spersistent", sep);
} }
@ -96,11 +105,56 @@ index a14d16f..4bfab98 100644
} }
return 1; return 1;
@@ -426,10 +446,14 @@ static void DNAT_parse_v2(struct xt_option_call *cb)
static void DNAT_fcheck_v2(struct xt_fcheck_call *cb)
{
static const unsigned int f = F_TO_DEST | F_RANDOM;
+ static const unsigned int c = F_FULLCONE;
struct nf_nat_range2 *range = cb->data;
if ((cb->xflags & f) == f)
range->flags |= NF_NAT_RANGE_PROTO_RANDOM;
+
+ if ((cb->xflags & c) == c)
+ range->flags |= NF_NAT_RANGE_FULLCONE;
}
static void print_range_v2(const struct nf_nat_range2 *range)
@@ -461,6 +485,8 @@ static void DNAT_print_v2(const void *ip, const struct xt_entry_target *target,
printf(" random");
if (range->flags & NF_NAT_RANGE_PERSISTENT)
printf(" persistent");
+ if (range->flags & NF_NAT_RANGE_FULLCONE)
+ printf(" fullcone");
}
static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target)
@@ -473,6 +499,8 @@ static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target)
printf(" --random");
if (range->flags & NF_NAT_RANGE_PERSISTENT)
printf(" --persistent");
+ if (range->flags & NF_NAT_RANGE_FULLCONE)
+ printf(" --fullcone");
}
static void print_range_xlate_v2(const struct nf_nat_range2 *range,
@@ -512,6 +540,11 @@ static int DNAT_xlate_v2(struct xt_xlate *xl,
sep = ",";
xt_xlate_add(xl, "%spersistent", sep);
}
+ if (range->flags & NF_NAT_RANGE_FULLCONE) {
+ if (sep_need)
+ sep = ",";
+ xt_xlate_add(xl, "%sfullcone", sep);
+ }
return 1;
}
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index b7b5fc7..88ff650 100644 index 90bf606..169457d 100644
--- a/extensions/libipt_MASQUERADE.c --- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c +++ b/extensions/libipt_MASQUERADE.c
@@ -8,9 +8,15 @@ @@ -8,10 +8,15 @@
#include <linux/netfilter_ipv4/ip_tables.h> #include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h> #include <linux/netfilter/nf_nat.h>
@ -111,17 +165,17 @@ index b7b5fc7..88ff650 100644
enum { enum {
O_TO_PORTS = 0, O_TO_PORTS = 0,
O_RANDOM, O_RANDOM,
+ O_RANDOM_FULLY, O_RANDOM_FULLY,
+ O_FULLCONE + O_FULLCONE
}; };
static void MASQUERADE_help(void) static void MASQUERADE_help(void)
@@ -20,12 +26,15 @@ static void MASQUERADE_help(void) @@ -23,13 +28,16 @@ static void MASQUERADE_help(void)
" --to-ports <port>[-<port>]\n"
" Port (range) to map to.\n"
" --random\n" " --random\n"
-" Randomize source port.\n"); " Randomize source port.\n"
+" Randomize source port.\n" " --random-fully\n"
-" Fully randomize source port.\n");
+" Fully randomize source port.\n"
+" --fullcone\n" +" --fullcone\n"
+" Do fullcone NAT mapping.\n"); +" Do fullcone NAT mapping.\n");
} }
@ -129,13 +183,14 @@ index b7b5fc7..88ff650 100644
static const struct xt_option_entry MASQUERADE_opts[] = { static const struct xt_option_entry MASQUERADE_opts[] = {
{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
{.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
+ {.name = "fullcone", .id = O_FULLCONE, .type = XTTYPE_NONE}, + {.name = "fullcone", .id = O_FULLCONE, .type = XTTYPE_NONE},
XTOPT_TABLEEND, XTOPT_TABLEEND,
}; };
@@ -97,6 +106,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb) @@ -104,6 +112,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
case O_RANDOM: case O_RANDOM_FULLY:
mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM; mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
break; break;
+ case O_FULLCONE: + case O_FULLCONE:
+ mr->range[0].flags |= NF_NAT_RANGE_FULLCONE; + mr->range[0].flags |= NF_NAT_RANGE_FULLCONE;
@ -143,25 +198,27 @@ index b7b5fc7..88ff650 100644
} }
} }
@@ -116,6 +128,8 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target, @@ -126,6 +137,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
printf(" random"); printf(" random-fully");
+
+ if (r->flags & NF_NAT_RANGE_FULLCONE) + if (r->flags & NF_NAT_RANGE_FULLCONE)
+ printf(" fullcone"); + printf(" fullcone");
} }
static void static void
@@ -132,6 +146,8 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target) @@ -145,6 +159,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
printf(" --random"); printf(" --random-fully");
+
+ if (r->flags & NF_NAT_RANGE_FULLCONE) + if (r->flags & NF_NAT_RANGE_FULLCONE)
+ printf(" --fullcone"); + printf(" --fullcone");
} }
static int MASQUERADE_xlate(struct xt_xlate *xl, static int MASQUERADE_xlate(struct xt_xlate *xl,
@@ -153,6 +169,9 @@ static int MASQUERADE_xlate(struct xt_xlate *xl, @@ -166,6 +183,9 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
xt_xlate_add(xl, "random "); xt_xlate_add(xl, "random ");
@ -172,7 +229,7 @@ index b7b5fc7..88ff650 100644
} }
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index e92d811..9634ba9 100644 index e92d811..ad42b8c 100644
--- a/extensions/libipt_SNAT.c --- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c +++ b/extensions/libipt_SNAT.c
@@ -8,16 +8,22 @@ @@ -8,16 +8,22 @@
@ -262,6 +319,3 @@ index e92d811..9634ba9 100644
} }
return 1; return 1;
--
2.18.0
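Review bot: The rebased patch sets and tests NF_NAT_RANGE_FULLCONE in every touched extension (for example `range->flags |= NF_NAT_RANGE_FULLCONE;` in the new DNAT_fcheck_v2 and the `case O_FULLCONE:` branch in MASQUERADE_parse) but, per its own diffstat `3 files changed` and the three `diff --git` headers, defines the flag in none of them, so the build still depends on a header outside this patch carrying that bit. As far as I recall iptables 1.8.2 ships its own copy of linux/netfilter/nf_nat.h, so it is worth confirming that the copy actually used at build time defines the same bit value the target kernel's NAT code honours, and stating that dependency in the patch description rather than leaving it implicit. The new DNAT_xlate_v2 also emits `xt_xlate_add(xl, "%sfullcone", sep);` as if nft had a matching keyword; unless the nft shipped with this image accepts that token, iptables-translate will produce a rule that fails to load, so either drop the xlate branch or add a comment marking the token as non-standard. The functions these hunks modify begin and end outside the visible hunk lines.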