Merge pull request #339 from gnawux/portmapping

port mapping: move the pod level whitelist rules to pod setup

src/init.c

@@ -553,6 +553,7 @@ static void hyper_flush_channel()
 
 void hyper_pod_destroyed(struct hyper_pod *pod, int failed)
 {
+	hyper_cleanup_portmapping(pod);
 	hyper_cleanup_mounts(pod);
 	hyper_ctl_append_msg(&hyper_epoll.ctl, failed?ERROR:ACK, NULL, 0);
 	// Todo: this doesn't make sure peer receives the data

src/portmapping.c

@@ -161,26 +161,14 @@ int hyper_setup_portmapping(struct hyper_pod *pod)
 		fprintf(stderr, "sysctl: setup default nf_conntrack_tcp_timeout_established(%s) failed\n", timeout);
 	}
 
-	return 0;
-}
-
-int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod)
-{
-	// only allow network request from internal white list
-	int i = 0, j = 0;
-	char rule[128] = {0};
-	char iptables_restore[512];
-
-	// restore iptables rules
-	if (sprintf(iptables_restore, "iptables-restore /tmp/hyper/shared/%s-iptables", c->id) > 0) {
-		hyper_cmd(iptables_restore);
-	}
-
+	// configure the white list rules for lan access
 	if (pod->portmap_white_lists == NULL || (pod->portmap_white_lists->i_num == 0 &&
 			pod->portmap_white_lists->e_num == 0)) {
 		return 0;
 	}
 
+	int j = 0;
+	char rule[128] = {0};
 	for (j=0; j<pod->portmap_white_lists->i_num; j++) {
 		sprintf(rule, "-s %s -j ACCEPT",
 			pod->portmap_white_lists->internal_networks[j]);
@@ -196,6 +184,26 @@ int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_po
 		}
 	}
 
+	return 0;
+}
+
+int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod)
+{
+	// only allow network request from internal white list
+	int i = 0, j = 0;
+	char rule[128] = {0};
+	char iptables_restore[512];
+
+	// restore iptables rules
+	if (sprintf(iptables_restore, "iptables-restore /tmp/hyper/shared/%s-iptables", c->id) > 0) {
+		hyper_cmd(iptables_restore);
+	}
+
+	if (pod->portmap_white_lists == NULL || (pod->portmap_white_lists->i_num == 0 &&
+			pod->portmap_white_lists->e_num == 0)) {
+		return 0;
+	}
+
 	if (c->ports_num == 0) {
 		return 0;
 	}
@@ -250,14 +258,15 @@ int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_po
 	return 0;
 }
 
-void hyper_cleanup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod)
+// cleanup pod level portmapping configurations
+void hyper_cleanup_portmapping(struct hyper_pod *pod)
 {
 	if (pod->portmap_white_lists == NULL || (pod->portmap_white_lists->i_num == 0 &&
 			pod->portmap_white_lists->e_num == 0)) {
 		return;
 	}
 
-	int i = 0, j = 0;
+	int j = 0;
 	char rule[128] = {0};
 	for (j=0; j<pod->portmap_white_lists->i_num; j++) {
 		sprintf(rule, "-s %s -j ACCEPT",
@@ -272,7 +281,17 @@ void hyper_cleanup_container_portmapping(struct hyper_container *c, struct hyper
 			fprintf(stderr, "cleanup accept_rule '%s' failed\n", rule);
 		}
 	}
+}
+
+void hyper_cleanup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod)
+{
+	if (pod->portmap_white_lists == NULL || (pod->portmap_white_lists->i_num == 0 &&
+			pod->portmap_white_lists->e_num == 0)) {
+		return;
+	}
 
+	int i = 0, j = 0;
+	char rule[128] = {0};
 	if (c->ports_num == 0) {
 		return;
 	}

src/portmapping.h

@@ -17,6 +17,7 @@ struct hyper_pod;
 struct hyper_container;
 int hyper_setup_portmapping(struct hyper_pod *pod);
 int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod);
+void hyper_cleanup_portmapping(struct hyper_pod *pod);
 void hyper_cleanup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod);
 
 #endif