Correctly restore connection mark for UDP traffic, to allow e.g. DNS …

…services to work (fix for #11)
newsnowlabs · Sep 4, 2021 · 2d5643a · 2d5643a
1 parent 379df73
commit 2d5643a
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/docker-ingress-routing-daemon b/docker-ingress-routing-daemon
@@ -1,8 +1,8 @@
 #!/bin/bash
 
-VERSION=3.2.0
+VERSION=3.3.0
 
-# Ingress Routing Daemon v3.2.0
+# Ingress Routing Daemon v3.3.0
 # Copyright © 2020-2021 Struan Bartlett
 # ----------------------------------------------------------------------
 # Permission is hereby granted, free of charge, to any person 
@@ -276,7 +276,12 @@ docker events \
 
     log "Container SERVICE=$SERVICE, ID=$ID, NID=$NID launched: ingress network interface $CIF found, so applying policy routes."
 
-    # 3. Map any connection mark on outgoing traffic to a firewall mark on the individual packets.
+    # 3. Map any connection mark on outgoing tcp or udp traffic to a firewall mark on the individual packets.
+    #    These rules /could potentially/ be applied more selectively, according to --tcp-ports and --udp-ports, to make
+    #    a marginal efficiency gain, but this is not necessary: as, if no connection mark has been set, because no
+    #    TOS byte has been set by the load balancer, then none will be restored and legacy routing rules will apply.
+    #    - See https://github.com/newsnowlabs/docker-ingress-routing-daemon/issues/11
+    nsenter -n -t $NID iptables -t mangle -A OUTPUT -p udp -j CONNMARK --restore-mark
     nsenter -n -t $NID iptables -t mangle -A OUTPUT -p tcp -j CONNMARK --restore-mark
 
     # 3.1 Enable 'loose' rp_filter mode on interface $CIF (and 'all' as required by kernel