[docker-nat]: upgrade docker-nat to buster (#4943)
move iptables to 1.8.2-4 (version in buster) Signed-off-by: Joyas Joseph <joyas_joseph@dell.com>
parent
1ca47da40d
commit
18bfa6df08
@ -1,5 +1,5 @@
|
|||||||
{% from "dockers/dockerfile-macros.j2" import install_debian_packages, copy_files %}
|
{% from "dockers/dockerfile-macros.j2" import install_debian_packages, copy_files %}
|
||||||
FROM docker-config-engine-stretch
|
FROM docker-config-engine-buster
|
||||||
|
|
||||||
ARG docker_container_name
|
ARG docker_container_name
|
||||||
RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
|
RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf
|
||||||
|
@ -7,22 +7,20 @@ DOCKER_NAT_DBG = $(DOCKER_NAT_STEM)-$(DBG_IMAGE_MARK).gz
|
|||||||
$(DOCKER_NAT)_PATH = $(DOCKERS_PATH)/$(DOCKER_NAT_STEM)
|
$(DOCKER_NAT)_PATH = $(DOCKERS_PATH)/$(DOCKER_NAT_STEM)
|
||||||
|
|
||||||
$(DOCKER_NAT)_DEPENDS += $(SWSS) $(IPTABLESIP4TC) $(IPTABLESIP6TC) $(IPTABLESIPTC) $(IPXTABLES12) $(IPTABLES)
|
$(DOCKER_NAT)_DEPENDS += $(SWSS) $(IPTABLESIP4TC) $(IPTABLESIP6TC) $(IPTABLESIPTC) $(IPXTABLES12) $(IPTABLES)
|
||||||
$(DOCKER_NAT)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_DEPENDS)
|
$(DOCKER_NAT)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_DEPENDS)
|
||||||
$(DOCKER_NAT)_DBG_DEPENDS += $(SWSS_DBG) $(LIBSWSSCOMMON_DBG)
|
$(DOCKER_NAT)_DBG_DEPENDS += $(SWSS_DBG) $(LIBSWSSCOMMON_DBG)
|
||||||
$(DOCKER_NAT)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_IMAGE_PACKAGES)
|
$(DOCKER_NAT)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE_PACKAGES)
|
||||||
|
|
||||||
$(DOCKER_NAT)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH)
|
$(DOCKER_NAT)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER)
|
||||||
|
|
||||||
ifeq ($(ENABLE_NAT), y)
|
ifeq ($(ENABLE_NAT), y)
|
||||||
SONIC_DOCKER_IMAGES += $(DOCKER_NAT)
|
SONIC_DOCKER_IMAGES += $(DOCKER_NAT)
|
||||||
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_NAT)
|
SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_NAT)
|
||||||
SONIC_STRETCH_DOCKERS += $(DOCKER_NAT)
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
ifeq ($(ENABLE_NAT), y)
|
ifeq ($(ENABLE_NAT), y)
|
||||||
SONIC_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
|
SONIC_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
|
||||||
SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
|
SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG)
|
||||||
SONIC_STRETCH_DBG_DOCKERS += $(DOCKER_NAT_DBG)
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
$(DOCKER_NAT)_CONTAINER_NAME = nat
|
$(DOCKER_NAT)_CONTAINER_NAME = nat
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
# iptables package
|
# iptables package
|
||||||
|
|
||||||
IPTABLES_VERSION = 1.6.0+snapshot20161117
|
IPTABLES_VERSION = 1.8.2
|
||||||
IPTABLES_VERSION_SUFFIX = 6
|
IPTABLES_VERSION_SUFFIX = 4
|
||||||
IPTABLES_VERSION_FULL = $(IPTABLES_VERSION)-$(IPTABLES_VERSION_SUFFIX)
|
IPTABLES_VERSION_FULL = $(IPTABLES_VERSION)-$(IPTABLES_VERSION_SUFFIX)
|
||||||
|
|
||||||
IPTABLES = iptables_$(IPTABLES_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
IPTABLES = iptables_$(IPTABLES_VERSION_FULL)_$(CONFIGURED_ARCH).deb
|
||||||
|
@ -10,7 +10,7 @@ Subject: [PATCH] Passing fullcone option for SNAT and DNAT
|
|||||||
3 files changed, 62 insertions(+), 3 deletions(-)
|
3 files changed, 62 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
|
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
|
||||||
index a14d16f..4bfab98 100644
|
index 4907a2e..543421c 100644
|
||||||
--- a/extensions/libipt_DNAT.c
|
--- a/extensions/libipt_DNAT.c
|
||||||
+++ b/extensions/libipt_DNAT.c
|
+++ b/extensions/libipt_DNAT.c
|
||||||
@@ -8,14 +8,20 @@
|
@@ -8,14 +8,20 @@
|
||||||
@ -42,8 +42,17 @@ index a14d16f..4bfab98 100644
|
|||||||
+"[--random] [--persistent] [--fullcone]\n");
|
+"[--random] [--persistent] [--fullcone]\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void DNAT_help_v2(void)
|
||||||
|
@@ -41,7 +47,7 @@ static void DNAT_help_v2(void)
|
||||||
|
"DNAT target options:\n"
|
||||||
|
" --to-destination [<ipaddr>[-<ipaddr>]][:port[-port[/port]]]\n"
|
||||||
|
" Address to map destination to.\n"
|
||||||
|
-"[--random] [--persistent]\n");
|
||||||
|
+"[--random] [--persistent] [--fullcone]\n");
|
||||||
|
}
|
||||||
|
|
||||||
static const struct xt_option_entry DNAT_opts[] = {
|
static const struct xt_option_entry DNAT_opts[] = {
|
||||||
@@ -40,6 +46,7 @@ static const struct xt_option_entry DNAT_opts[] = {
|
@@ -49,6 +55,7 @@ static const struct xt_option_entry DNAT_opts[] = {
|
||||||
.flags = XTOPT_MAND | XTOPT_MULTI},
|
.flags = XTOPT_MAND | XTOPT_MULTI},
|
||||||
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
|
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
|
||||||
{.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
|
{.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE},
|
||||||
@ -51,7 +60,7 @@ index a14d16f..4bfab98 100644
|
|||||||
XTOPT_TABLEEND,
|
XTOPT_TABLEEND,
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -185,10 +192,14 @@ static void DNAT_parse(struct xt_option_call *cb)
|
@@ -194,10 +201,14 @@ static void DNAT_parse(struct xt_option_call *cb)
|
||||||
static void DNAT_fcheck(struct xt_fcheck_call *cb)
|
static void DNAT_fcheck(struct xt_fcheck_call *cb)
|
||||||
{
|
{
|
||||||
static const unsigned int f = F_TO_DEST | F_RANDOM;
|
static const unsigned int f = F_TO_DEST | F_RANDOM;
|
||||||
@ -66,7 +75,7 @@ index a14d16f..4bfab98 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
static void print_range(const struct nf_nat_ipv4_range *r)
|
static void print_range(const struct nf_nat_ipv4_range *r)
|
||||||
@@ -224,6 +235,8 @@ static void DNAT_print(const void *ip, const struct xt_entry_target *target,
|
@@ -233,6 +244,8 @@ static void DNAT_print(const void *ip, const struct xt_entry_target *target,
|
||||||
printf(" random");
|
printf(" random");
|
||||||
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
|
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
|
||||||
printf(" persistent");
|
printf(" persistent");
|
||||||
@ -75,7 +84,7 @@ index a14d16f..4bfab98 100644
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -239,6 +252,8 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target)
|
@@ -248,6 +261,8 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target)
|
||||||
printf(" --random");
|
printf(" --random");
|
||||||
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
|
if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT)
|
||||||
printf(" --persistent");
|
printf(" --persistent");
|
||||||
@ -84,7 +93,7 @@ index a14d16f..4bfab98 100644
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -282,6 +297,11 @@ static int DNAT_xlate(struct xt_xlate *xl,
|
@@ -291,6 +306,11 @@ static int DNAT_xlate(struct xt_xlate *xl,
|
||||||
sep = ",";
|
sep = ",";
|
||||||
xt_xlate_add(xl, "%spersistent", sep);
|
xt_xlate_add(xl, "%spersistent", sep);
|
||||||
}
|
}
|
||||||
@ -96,11 +105,56 @@ index a14d16f..4bfab98 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
|
@@ -426,10 +446,14 @@ static void DNAT_parse_v2(struct xt_option_call *cb)
|
||||||
|
static void DNAT_fcheck_v2(struct xt_fcheck_call *cb)
|
||||||
|
{
|
||||||
|
static const unsigned int f = F_TO_DEST | F_RANDOM;
|
||||||
|
+ static const unsigned int c = F_FULLCONE;
|
||||||
|
struct nf_nat_range2 *range = cb->data;
|
||||||
|
|
||||||
|
if ((cb->xflags & f) == f)
|
||||||
|
range->flags |= NF_NAT_RANGE_PROTO_RANDOM;
|
||||||
|
+
|
||||||
|
+ if ((cb->xflags & c) == c)
|
||||||
|
+ range->flags |= NF_NAT_RANGE_FULLCONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static void print_range_v2(const struct nf_nat_range2 *range)
|
||||||
|
@@ -461,6 +485,8 @@ static void DNAT_print_v2(const void *ip, const struct xt_entry_target *target,
|
||||||
|
printf(" random");
|
||||||
|
if (range->flags & NF_NAT_RANGE_PERSISTENT)
|
||||||
|
printf(" persistent");
|
||||||
|
+ if (range->flags & NF_NAT_RANGE_FULLCONE)
|
||||||
|
+ printf(" fullcone");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target)
|
||||||
|
@@ -473,6 +499,8 @@ static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target)
|
||||||
|
printf(" --random");
|
||||||
|
if (range->flags & NF_NAT_RANGE_PERSISTENT)
|
||||||
|
printf(" --persistent");
|
||||||
|
+ if (range->flags & NF_NAT_RANGE_FULLCONE)
|
||||||
|
+ printf(" --fullcone");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void print_range_xlate_v2(const struct nf_nat_range2 *range,
|
||||||
|
@@ -512,6 +540,11 @@ static int DNAT_xlate_v2(struct xt_xlate *xl,
|
||||||
|
sep = ",";
|
||||||
|
xt_xlate_add(xl, "%spersistent", sep);
|
||||||
|
}
|
||||||
|
+ if (range->flags & NF_NAT_RANGE_FULLCONE) {
|
||||||
|
+ if (sep_need)
|
||||||
|
+ sep = ",";
|
||||||
|
+ xt_xlate_add(xl, "%sfullcone", sep);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
|
diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
|
||||||
index b7b5fc7..88ff650 100644
|
index 90bf606..169457d 100644
|
||||||
--- a/extensions/libipt_MASQUERADE.c
|
--- a/extensions/libipt_MASQUERADE.c
|
||||||
+++ b/extensions/libipt_MASQUERADE.c
|
+++ b/extensions/libipt_MASQUERADE.c
|
||||||
@@ -8,9 +8,15 @@
|
@@ -8,10 +8,15 @@
|
||||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||||
#include <linux/netfilter/nf_nat.h>
|
#include <linux/netfilter/nf_nat.h>
|
||||||
|
|
||||||
@ -111,17 +165,17 @@ index b7b5fc7..88ff650 100644
|
|||||||
enum {
|
enum {
|
||||||
O_TO_PORTS = 0,
|
O_TO_PORTS = 0,
|
||||||
O_RANDOM,
|
O_RANDOM,
|
||||||
+ O_RANDOM_FULLY,
|
O_RANDOM_FULLY,
|
||||||
+ O_FULLCONE
|
+ O_FULLCONE
|
||||||
};
|
};
|
||||||
|
|
||||||
static void MASQUERADE_help(void)
|
static void MASQUERADE_help(void)
|
||||||
@@ -20,12 +26,15 @@ static void MASQUERADE_help(void)
|
@@ -23,13 +28,16 @@ static void MASQUERADE_help(void)
|
||||||
" --to-ports <port>[-<port>]\n"
|
|
||||||
" Port (range) to map to.\n"
|
|
||||||
" --random\n"
|
" --random\n"
|
||||||
-" Randomize source port.\n");
|
" Randomize source port.\n"
|
||||||
+" Randomize source port.\n"
|
" --random-fully\n"
|
||||||
|
-" Fully randomize source port.\n");
|
||||||
|
+" Fully randomize source port.\n"
|
||||||
+" --fullcone\n"
|
+" --fullcone\n"
|
||||||
+" Do fullcone NAT mapping.\n");
|
+" Do fullcone NAT mapping.\n");
|
||||||
}
|
}
|
||||||
@ -129,13 +183,14 @@ index b7b5fc7..88ff650 100644
|
|||||||
static const struct xt_option_entry MASQUERADE_opts[] = {
|
static const struct xt_option_entry MASQUERADE_opts[] = {
|
||||||
{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
|
{.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
|
||||||
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
|
{.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
|
||||||
|
{.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
|
||||||
+ {.name = "fullcone", .id = O_FULLCONE, .type = XTTYPE_NONE},
|
+ {.name = "fullcone", .id = O_FULLCONE, .type = XTTYPE_NONE},
|
||||||
XTOPT_TABLEEND,
|
XTOPT_TABLEEND,
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -97,6 +106,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
|
@@ -104,6 +112,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
|
||||||
case O_RANDOM:
|
case O_RANDOM_FULLY:
|
||||||
mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM;
|
mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY;
|
||||||
break;
|
break;
|
||||||
+ case O_FULLCONE:
|
+ case O_FULLCONE:
|
||||||
+ mr->range[0].flags |= NF_NAT_RANGE_FULLCONE;
|
+ mr->range[0].flags |= NF_NAT_RANGE_FULLCONE;
|
||||||
@ -143,25 +198,27 @@ index b7b5fc7..88ff650 100644
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -116,6 +128,8 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
|
@@ -126,6 +137,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
|
||||||
|
|
||||||
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
|
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
|
||||||
printf(" random");
|
printf(" random-fully");
|
||||||
|
+
|
||||||
+ if (r->flags & NF_NAT_RANGE_FULLCONE)
|
+ if (r->flags & NF_NAT_RANGE_FULLCONE)
|
||||||
+ printf(" fullcone");
|
+ printf(" fullcone");
|
||||||
}
|
}
|
||||||
|
|
||||||
static void
|
static void
|
||||||
@@ -132,6 +146,8 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
|
@@ -145,6 +159,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
|
||||||
|
|
||||||
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
|
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
|
||||||
printf(" --random");
|
printf(" --random-fully");
|
||||||
|
+
|
||||||
+ if (r->flags & NF_NAT_RANGE_FULLCONE)
|
+ if (r->flags & NF_NAT_RANGE_FULLCONE)
|
||||||
+ printf(" --fullcone");
|
+ printf(" --fullcone");
|
||||||
}
|
}
|
||||||
|
|
||||||
static int MASQUERADE_xlate(struct xt_xlate *xl,
|
static int MASQUERADE_xlate(struct xt_xlate *xl,
|
||||||
@@ -153,6 +169,9 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
|
@@ -166,6 +183,9 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
|
||||||
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
|
if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
|
||||||
xt_xlate_add(xl, "random ");
|
xt_xlate_add(xl, "random ");
|
||||||
|
|
||||||
@ -172,7 +229,7 @@ index b7b5fc7..88ff650 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
|
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
|
||||||
index e92d811..9634ba9 100644
|
index e92d811..ad42b8c 100644
|
||||||
--- a/extensions/libipt_SNAT.c
|
--- a/extensions/libipt_SNAT.c
|
||||||
+++ b/extensions/libipt_SNAT.c
|
+++ b/extensions/libipt_SNAT.c
|
||||||
@@ -8,16 +8,22 @@
|
@@ -8,16 +8,22 @@
|
||||||
@ -262,6 +319,3 @@ index e92d811..9634ba9 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
--
|
|
||||||
2.18.0
|
|
||||||
|
|
||||||
|
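Review bot: The fullcone branch added to `DNAT_xlate_v2` writes `fullcone` into the nft translation and then reaches `return 1`, so the translator reports success for a flag that stock nftables, as far as I know, does not accept in a `dnat` statement. Unless the nft shipped in this image is patched to match, the branch should mark the rule as untranslatable instead, `if (range->flags & NF_NAT_RANGE_FULLCONE) return 0;`, and the same probably applies to the `DNAT_xlate` and `MASQUERADE_xlate` hunks, whose added lines are not fully visible here. The persistent branch just above sets `sep` but not `sep_need`, so `--persistent --fullcone` without `--random` would presumably be emitted without the comma separator. The `--fullcone` help text (`Do fullcone NAT mapping.`) would also be worth extending to say that, by the usual definition of full-cone NAT, the mapped port then accepts inbound packets from any remote endpoint, since that is a filtering relaxation an operator should enable deliberately. `DNAT_xlate_v2` starts outside the hunk.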