- iptables pkg functions are coded to discard
the xtables_lock error message about acquiring
the lock, because all the calls are done with
the wait logic. But the error message has
slightly changed between iptables 1.4.x and 1.6.
This led to false positives causing docker
network create to fail in presence of concurrent calls.
- Fixed message mark to be common among the two main versions.
Signed-off-by: Alessandro Boch <aboch@docker.com>
- in bridge driver modprobe for br_netfilter only if EnableIPTables==true
- move FirewalldInit() to iptables package Init()
- move modprobe for nf_nat and xt_conntrack in iptables.initCheck()
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Fix npe in sbJoin error path
- Fail again endpoint Join in case of failure
in programming the external connectivity
- In bridge, look for parent and child container configs
in the generic data
- iptables.Exists() might be called before any other call to
iptables.raw(). We need to call checkInit() then.
Introduced by 1638fbdf27
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Fixed exists to attempt a raw exists check only when
"iptables -C ..." execution returns error because of "unsupported option"
- Fixed raw exists to not match substring
- Added GetVersion method
Signed-off-by: Alessandro Boch <aboch@docker.com>
- iptables to provide a native API
- resolver.go to invoke the iptables native API
when programming tables in the container
Signed-off-by: Alessandro Boch <aboch@docker.com>
This way we won't vendor test related functions in docker anymore.
It also moves netns related functions to a new ns package to be able to
call the ns init function in tests. I think this also helps with the
overall package isolation.
Signed-off-by: David Calavera <david.calavera@gmail.com>
for the bridge driver.
Moves two config options, namely EnableIPTables and EnableUserlandProxy
from networks to the driver.
Closes #242
Signed-off-by: Mohammad Banikazemi <MBanikazemi@gmail.com>
The `iptables.Exists` function is wrong in two ways:
1. The iptables -C call doesn't add `-j DOCKER` and fails to match
2. The long path takes ordering into account in comparison and fails to match
This patch fixes issue 1 by including `-j DOCKER` in the check.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
* When userland-proxy is disabled, enable hairpin mode on the host-side of the veth
* When userland-proxy is enabled, fix the iptable rules appropriately
Signed-off-by: Madhu Venugopal <madhu@docker.com>
- Package types to define the interfaces libnetwork errors
may implement, so that caller can categorize them.
Signed-off-by: Alessandro Boch <aboch@docker.com>