From 18bfa6df0823ee25742e6efe1a57ba78a4046cb8 Mon Sep 17 00:00:00 2001 From: joyas-joseph <51463120+joyas-joseph@users.noreply.github.com> Date: Wed, 15 Jul 2020 22:48:09 -0700 Subject: [PATCH] [docker-nat]: upgrade docker-nat to buster (#4943) move iptables to 1.8.2-4 (version in buster) Signed-off-by: Joyas Joseph --- dockers/docker-nat/Dockerfile.j2 | 2 +- rules/docker-nat.mk | 8 +- rules/iptables.mk | 4 +- ...ng-fullcone-option-for-SNAT-and-DNAT.patch | 110 +++++++++++++----- 4 files changed, 88 insertions(+), 36 deletions(-) diff --git a/dockers/docker-nat/Dockerfile.j2 b/dockers/docker-nat/Dockerfile.j2 index 30f4cd1c0..38930f786 100644 --- a/dockers/docker-nat/Dockerfile.j2 +++ b/dockers/docker-nat/Dockerfile.j2 @@ -1,5 +1,5 @@ {% from "dockers/dockerfile-macros.j2" import install_debian_packages, copy_files %} -FROM docker-config-engine-stretch +FROM docker-config-engine-buster ARG docker_container_name RUN [ -f /etc/rsyslog.conf ] && sed -ri "s/%syslogtag%/$docker_container_name#%syslogtag%/;" /etc/rsyslog.conf diff --git a/rules/docker-nat.mk b/rules/docker-nat.mk index b421bfd88..9738903a0 100644 --- a/rules/docker-nat.mk +++ b/rules/docker-nat.mk 
@@ -7,22 +7,20 @@ DOCKER_NAT_DBG = $(DOCKER_NAT_STEM)-$(DBG_IMAGE_MARK).gz $(DOCKER_NAT)_PATH = $(DOCKERS_PATH)/$(DOCKER_NAT_STEM) $(DOCKER_NAT)_DEPENDS += $(SWSS) $(IPTABLESIP4TC) $(IPTABLESIP6TC) $(IPTABLESIPTC) $(IPXTABLES12) $(IPTABLES) -$(DOCKER_NAT)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_DEPENDS) +$(DOCKER_NAT)_DBG_DEPENDS = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_DEPENDS) $(DOCKER_NAT)_DBG_DEPENDS += $(SWSS_DBG) $(LIBSWSSCOMMON_DBG) -$(DOCKER_NAT)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_STRETCH)_DBG_IMAGE_PACKAGES) +$(DOCKER_NAT)_DBG_IMAGE_PACKAGES = $($(DOCKER_CONFIG_ENGINE_BUSTER)_DBG_IMAGE_PACKAGES) -$(DOCKER_NAT)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_STRETCH) +$(DOCKER_NAT)_LOAD_DOCKERS += $(DOCKER_CONFIG_ENGINE_BUSTER) ifeq ($(ENABLE_NAT), y) SONIC_DOCKER_IMAGES += $(DOCKER_NAT) SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_NAT) -SONIC_STRETCH_DOCKERS += $(DOCKER_NAT) endif ifeq ($(ENABLE_NAT), y) SONIC_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG) SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_NAT_DBG) -SONIC_STRETCH_DBG_DOCKERS += $(DOCKER_NAT_DBG) endif $(DOCKER_NAT)_CONTAINER_NAME = nat diff --git a/rules/iptables.mk b/rules/iptables.mk index a166f5817..fcdcc3434 100644 --- a/rules/iptables.mk +++ b/rules/iptables.mk @@ -1,7 +1,7 @@ # iptables package -IPTABLES_VERSION = 1.6.0+snapshot20161117 -IPTABLES_VERSION_SUFFIX = 6 +IPTABLES_VERSION = 1.8.2 +IPTABLES_VERSION_SUFFIX = 4 IPTABLES_VERSION_FULL = $(IPTABLES_VERSION)-$(IPTABLES_VERSION_SUFFIX) IPTABLES = iptables_$(IPTABLES_VERSION_FULL)_$(CONFIGURED_ARCH).deb diff --git a/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch b/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch index 528ce8ede..9ed886bb5 100644 --- a/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch +++ b/src/iptables/patch/0001-Passing-fullcone-option-for-SNAT-and-DNAT.patch 
@@ -10,7 +10,7 @@ Subject: [PATCH] Passing fullcone option for SNAT and DNAT 3 files changed, 62 insertions(+), 3 deletions(-) diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c -index a14d16f..4bfab98 100644 +index 4907a2e..543421c 100644 --- a/extensions/libipt_DNAT.c +++ b/extensions/libipt_DNAT.c @@ -8,14 +8,20 @@ @@ -42,8 +42,17 @@ index a14d16f..4bfab98 100644 +"[--random] [--persistent] [--fullcone]\n"); } + static void DNAT_help_v2(void) +@@ -41,7 +47,7 @@ static void DNAT_help_v2(void) + "DNAT target options:\n" + " --to-destination [[-]][:port[-port[/port]]]\n" + " Address to map destination to.\n" +-"[--random] [--persistent]\n"); ++"[--random] [--persistent] [--fullcone]\n"); + } + static const struct xt_option_entry DNAT_opts[] = { -@@ -40,6 +46,7 @@ static const struct xt_option_entry DNAT_opts[] = { +@@ -49,6 +55,7 @@ static const struct xt_option_entry DNAT_opts[] = { .flags = XTOPT_MAND | XTOPT_MULTI}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, {.name = "persistent", .id = O_PERSISTENT, .type = XTTYPE_NONE}, @@ -51,7 +60,7 @@ index a14d16f..4bfab98 100644 XTOPT_TABLEEND, }; -@@ -185,10 +192,14 @@ static void DNAT_parse(struct xt_option_call *cb) +@@ -194,10 +201,14 @@ static void DNAT_parse(struct xt_option_call *cb) static void DNAT_fcheck(struct xt_fcheck_call *cb) { static const unsigned int f = F_TO_DEST | F_RANDOM; @@ -66,7 +75,7 @@ index a14d16f..4bfab98 100644 } static void print_range(const struct nf_nat_ipv4_range *r) -@@ -224,6 +235,8 @@ static void DNAT_print(const void *ip, const struct xt_entry_target *target, +@@ -233,6 +244,8 @@ static void DNAT_print(const void *ip, const struct xt_entry_target *target, printf(" random"); if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) printf(" persistent"); 
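Review bot: The rebased `DNAT_help_v2` usage line `++"[--random] [--persistent] [--fullcone]\n");` advertises the new flag but, like the v1 help earlier in this file, never says what `--fullcone` does, while the MASQUERADE help in the same patch does get a descriptive line. I would add a short description after the option list in both DNAT help functions, e.g. `" --fullcone\n" " Do fullcone NAT mapping.\n"`, so the three targets document the flag the same way and `iptables -j DNAT --help` is not the odd one out. `DNAT_help_v2` itself starts outside this hunk.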
@@ -75,7 +84,7 @@ index a14d16f..4bfab98 100644 } } -@@ -239,6 +252,8 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target) +@@ -248,6 +261,8 @@ static void DNAT_save(const void *ip, const struct xt_entry_target *target) printf(" --random"); if (info->mr.range[i].flags & NF_NAT_RANGE_PERSISTENT) printf(" --persistent"); @@ -84,7 +93,7 @@ index a14d16f..4bfab98 100644 } } -@@ -282,6 +297,11 @@ static int DNAT_xlate(struct xt_xlate *xl, +@@ -291,6 +306,11 @@ static int DNAT_xlate(struct xt_xlate *xl, sep = ","; xt_xlate_add(xl, "%spersistent", sep); } 
@@ -96,11 +105,56 @@ index a14d16f..4bfab98 100644 } return 1; +@@ -426,10 +446,14 @@ static void DNAT_parse_v2(struct xt_option_call *cb) + static void DNAT_fcheck_v2(struct xt_fcheck_call *cb) + { + static const unsigned int f = F_TO_DEST | F_RANDOM; ++ static const unsigned int c = F_FULLCONE; + struct nf_nat_range2 *range = cb->data; + + if ((cb->xflags & f) == f) + range->flags |= NF_NAT_RANGE_PROTO_RANDOM; ++ ++ if ((cb->xflags & c) == c) ++ range->flags |= NF_NAT_RANGE_FULLCONE; + } + + static void print_range_v2(const struct nf_nat_range2 *range) +@@ -461,6 +485,8 @@ static void DNAT_print_v2(const void *ip, const struct xt_entry_target *target, + printf(" random"); + if (range->flags & NF_NAT_RANGE_PERSISTENT) + printf(" persistent"); ++ if (range->flags & NF_NAT_RANGE_FULLCONE) ++ printf(" fullcone"); + } + + static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target) +@@ -473,6 +499,8 @@ static void DNAT_save_v2(const void *ip, const struct xt_entry_target *target) + printf(" --random"); + if (range->flags & NF_NAT_RANGE_PERSISTENT) + printf(" --persistent"); ++ if (range->flags & NF_NAT_RANGE_FULLCONE) ++ printf(" --fullcone"); + } + + static void print_range_xlate_v2(const struct nf_nat_range2 *range, +@@ -512,6 +540,11 @@ static int DNAT_xlate_v2(struct xt_xlate *xl, + sep = ","; + xt_xlate_add(xl, "%spersistent", sep); + } ++ if (range->flags & NF_NAT_RANGE_FULLCONE) { ++ if (sep_need) ++ sep = ","; ++ xt_xlate_add(xl, "%sfullcone", sep); ++ } + + return 1; + } diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c -index b7b5fc7..88ff650 100644 +index 90bf606..169457d 100644 --- a/extensions/libipt_MASQUERADE.c +++ b/extensions/libipt_MASQUERADE.c -@@ -8,9 +8,15 @@ +@@ -8,10 +8,15 @@ #include #include 
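Review bot: `DNAT_xlate_v2` now emits `xt_xlate_add(xl, "%sfullcone", sep);` into the nftables translation whenever `NF_NAT_RANGE_FULLCONE` is set, mirroring the v1 path, but as far as I know stock nft has no `fullcone` keyword, so `iptables-translate` output for such rules would not load; the hook should instead `return 0;` when the flag is set so the rule is reported as untranslatable rather than silently wrong. In `DNAT_fcheck_v2`, `static const unsigned int c = F_FULLCONE;` with `if ((cb->xflags & c) == c)` imitates the two-bit `f` combination above it but only tests a single flag, and `if (cb->xflags & F_FULLCONE)` says what is meant. The flag is also only as good as the kernel that receives it: on a kernel without the fullcone extension an unrecognised `nf_nat_range2.flags` bit may be accepted and the rule would behave as plain DNAT, which I cannot confirm either way from this userspace patch. Both `DNAT_fcheck_v2` and `DNAT_xlate_v2` start outside the hunk.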
@@ -111,17 +165,17 @@ index b7b5fc7..88ff650 100644 enum { O_TO_PORTS = 0, O_RANDOM, -+ O_RANDOM_FULLY, + O_RANDOM_FULLY, + O_FULLCONE }; static void MASQUERADE_help(void) -@@ -20,12 +26,15 @@ static void MASQUERADE_help(void) - " --to-ports [-]\n" - " Port (range) to map to.\n" +@@ -23,13 +28,16 @@ static void MASQUERADE_help(void) " --random\n" --" Randomize source port.\n"); -+" Randomize source port.\n" + " Randomize source port.\n" + " --random-fully\n" +-" Fully randomize source port.\n"); ++" Fully randomize source port.\n" +" --fullcone\n" +" Do fullcone NAT mapping.\n"); } @@ -129,13 +183,14 @@ index b7b5fc7..88ff650 100644 static const struct xt_option_entry MASQUERADE_opts[] = { {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING}, {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE}, + {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE}, + {.name = "fullcone", .id = O_FULLCONE, .type = XTTYPE_NONE}, XTOPT_TABLEEND, }; -@@ -97,6 +106,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb) - case O_RANDOM: - mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM; +@@ -104,6 +112,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb) + case O_RANDOM_FULLY: + mr->range[0].flags |= NF_NAT_RANGE_PROTO_RANDOM_FULLY; break; + case O_FULLCONE: + mr->range[0].flags |= NF_NAT_RANGE_FULLCONE; 
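Review bot: The help text `" --fullcone\n" " Do fullcone NAT mapping.\n"` in `MASQUERADE_help` describes a security-relevant choice without saying so: a full-cone mapping, in the RFC 3489 sense, accepts inbound packets to the mapped external port from any remote host rather than only from the peer the internal host contacted, so it is deliberately more permissive than the default mapping. An operator reading `iptables -j MASQUERADE --help` should see that trade-off, e.g. `" Do fullcone NAT mapping (endpoint-independent: inbound traffic to the\n" " mapped port may be accepted from any remote host).\n"`. Whether the kernel extension relaxes only the mapping or also the inbound filtering is not visible from this userspace patch, so the exact wording should be checked against the kernel side first. The `MASQUERADE_parse` switch at the end of the hunk continues outside it.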
@@ -143,25 +198,27 @@ index b7b5fc7..88ff650 100644 } } -@@ -116,6 +128,8 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target, +@@ -126,6 +137,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target, - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" random"); + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" random-fully"); ++ + if (r->flags & NF_NAT_RANGE_FULLCONE) + printf(" fullcone"); } static void -@@ -132,6 +146,8 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target) +@@ -145,6 +159,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target) - if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) - printf(" --random"); + if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) + printf(" --random-fully"); ++ + if (r->flags & NF_NAT_RANGE_FULLCONE) + printf(" --fullcone"); } static int MASQUERADE_xlate(struct xt_xlate *xl, -@@ -153,6 +169,9 @@ static int MASQUERADE_xlate(struct xt_xlate *xl, +@@ -166,6 +183,9 @@ static int MASQUERADE_xlate(struct xt_xlate *xl, if (r->flags & NF_NAT_RANGE_PROTO_RANDOM) xt_xlate_add(xl, "random "); @@ -172,7 +229,7 @@ index b7b5fc7..88ff650 100644 } diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c -index e92d811..9634ba9 100644 +index e92d811..ad42b8c 100644 --- a/extensions/libipt_SNAT.c +++ b/extensions/libipt_SNAT.c @@ -8,16 +8,22 @@ @@ -262,6 +319,3 @@ index e92d811..9634ba9 100644 } return 1; --- -2.18.0 -