From 2d5643a58ec0f63297ed2d5016da2b96f93f2232 Mon Sep 17 00:00:00 2001 From: Struan Bartlett Date: Sat, 4 Sep 2021 13:08:42 +0100 Subject: [PATCH] Correctly restore connection mark for UDP traffic, to allow e.g. DNS services to work (fix for https://github.com/newsnowlabs/docker-ingress-routing-daemon/issues/11) --- docker-ingress-routing-daemon | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docker-ingress-routing-daemon b/docker-ingress-routing-daemon index 29013cd..95fc6be 100755 --- a/docker-ingress-routing-daemon +++ b/docker-ingress-routing-daemon @@ -1,8 +1,8 @@ #!/bin/bash -VERSION=3.2.0 +VERSION=3.3.0 -# Ingress Routing Daemon v3.2.0 +# Ingress Routing Daemon v3.3.0 # Copyright © 2020-2021 Struan Bartlett # ---------------------------------------------------------------------- # Permission is hereby granted, free of charge, to any person @@ -276,7 +276,12 @@ docker events \ log "Container SERVICE=$SERVICE, ID=$ID, NID=$NID launched: ingress network interface $CIF found, so applying policy routes." - # 3. Map any connection mark on outgoing traffic to a firewall mark on the individual packets. + # 3. Map any connection mark on outgoing tcp or udp traffic to a firewall mark on the individual packets. + # These rules /could potentially/ be applied more selectively, according to --tcp-ports and --udp-ports, to make + # a marginal efficiency gain, but this is not necessary: as, if no connection mark has been set, because no + # TOS byte has been set by the load balancer, then none will be restored and legacy routing rules will apply. + # - See https://github.com/newsnowlabs/docker-ingress-routing-daemon/issues/11 + nsenter -n -t $NID iptables -t mangle -A OUTPUT -p udp -j CONNMARK --restore-mark nsenter -n -t $NID iptables -t mangle -A OUTPUT -p tcp -j CONNMARK --restore-mark # 3.1 Enable 'loose' rp_filter mode on interface $CIF (and 'all' as required by kernel
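Review bot: In the first hunk the version is bumped in two separate places (`-VERSION=3.2.0` / `+VERSION=3.3.0` and the `# Ingress Routing Daemon v3.3.0` header comment), which is consistent here, but keeping the comment in step with the variable by hand is easy to forget on the next bump; consider deriving the header from `$VERSION` or dropping the duplicate so there is a single source of truth. Since the change alters routing behaviour for all UDP traffic from the container, a minor version bump rather than a patch bump looks appropriate.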
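Review bot: The second hunk adds `nsenter -n -t $NID iptables -t mangle -A OUTPUT -p udp -j CONNMARK --restore-mark` but `--restore-mark` only copies a mark that was previously saved on the conntrack entry, so it only helps if the corresponding save-mark rule on the ingress side is also applied to UDP; that rule is outside this hunk, so it is worth confirming in the same change that UDP is covered there too, otherwise the fix for issue 11 is incomplete. Also, like the existing tcp line, the new rule is appended with `-A` on every container launch with no `-C` check, so a restarted daemon or a repeated event for the same `$NID` would accumulate duplicate rules; guarding both lines with `iptables -t mangle -C ... || iptables -t mangle -A ...` would make the step idempotent. The explanatory comment is useful but the sentence starting "as, if no connection mark has been set, because no TOS byte has been set" is hard to parse; suggest rewording along the lines of "if the load balancer set no TOS byte, no connection mark exists, nothing is restored, and the legacy routing rules apply", and replacing the `/could potentially/` slash emphasis with plain text.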