
Commit bbf6f60

committed
Use marks to direct packets to tracetrout NFQUEUEs
This change makes it easier to run multiple tracetrout Docker images in, for example, a single Kubernetes pod. Huge thanks to @atonkyra and @ikisusi who helped to figure this out.
1 parent 9a364ea commit bbf6f60

2 files changed

+12
-6
lines changed


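--- a/Dockerfile
+++ b/Dockerfile
@@ -12,5 +12,7 @@ RUN apt-get -y update \
 WORKDIR /go/src/app
 COPY entrypoint.sh .
 COPY --from=builder /tracetrout .
+ENV PORT 8080
+ENV FILTER_QUEUE 0
 ENTRYPOINT ["sh", "entrypoint.sh"]
 CMD ["./tracetrout"]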
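Review bot: The two new ENV lines use the legacy whitespace form, which Docker documents as discouraged because a value containing spaces or `=` is parsed ambiguously; the `key=value` form `ENV PORT=8080` and `ENV FILTER_QUEUE=0` is unambiguous and can also be collapsed into one instruction. A one-line comment above them noting that entrypoint.sh consumes both values to build the iptables mark and queue number would spare the next reader a trip to the other file.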

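--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,9 +1,13 @@
-iptables -A OUTPUT -p tcp --sport 8080 -j NFQUEUE --queue-num 0
-iptables -A INPUT -p tcp --dport 8080 -j NFQUEUE --queue-num 0
-iptables -A INPUT -p icmp --icmp-type time-exceeded -j NFQUEUE --queue-num 0
+set -e
 
-ip6tables -A OUTPUT -p tcp --sport 8080 -j NFQUEUE --queue-num 0
-ip6tables -A INPUT -p tcp --dport 8080 -j NFQUEUE --queue-num 0
-ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j NFQUEUE --queue-num 0
+iptables -A INPUT -t mangle -j CONNMARK --restore-mark
+iptables -A INPUT -t mangle -m mark ! --mark 0 -j ACCEPT
+iptables -A INPUT -t mangle -p tcp --dport "${PORT}" -j MARK --set-mark 0x10000
+iptables -A INPUT -t mangle -p tcp --dport "${PORT}" -j MARK --or-mark "${FILTER_QUEUE}"
+iptables -A INPUT -t mangle -j CONNMARK --save-mark
+iptables -A OUTPUT -t mangle -j CONNMARK --restore-mark
+
+iptables -A INPUT -m mark --mark 0x10000/0xffff0000 -m mark --mark "${FILTER_QUEUE}/0xffff" -j NFQUEUE --queue-num "${FILTER_QUEUE}"
+iptables -A OUTPUT -m mark --mark 0x10000/0xffff0000 -m mark --mark "${FILTER_QUEUE}/0xffff" -j NFQUEUE --queue-num "${FILTER_QUEUE}"
 
 $@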
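Review bot: `FILTER_QUEUE` is packed into the low 16 bits of the mark (`--or-mark` on line 6+, the `/0xffff` masks on lines 10+ and 11+), yet nothing checks that the environment value is a number in 0–65535 before any rule is installed. iptables will most likely reject an out-of-range `--queue-num` on line 10+, but the mangle rules on lines 3+–8+ have already been appended by then, so the namespace is left half-configured, and since every rule uses `-A` a container restart appends a second copy of whatever did succeed. Validating `PORT` and `FILTER_QUEUE` directly after `set -e` fails before the firewall is touched; the guard below stays POSIX because the Dockerfile runs this file with `sh`. The `ip6tables` rules are removed with no IPv6 counterpart; if IPv6 is intentionally unsupported from here on, the commit message should say so, otherwise the same mark and NFQUEUE rules need mirroring with `ip6tables`. The trailing `$@` (unchanged context) would be safer as `exec "$@"`, so arguments containing spaces survive and the traced process receives the container's signals directly instead of via the shell.
```shell
set -e

# Fail before touching the firewall: both values end up inside iptables
# mark/queue arguments and must be plain 16-bit decimal numbers.
case "${PORT:-}" in
  ''|*[!0-9]*) echo "PORT must be a decimal port number" >&2; exit 1 ;;
esac
case "${FILTER_QUEUE:-}" in
  ''|*[!0-9]*) echo "FILTER_QUEUE must be a decimal queue number" >&2; exit 1 ;;
esac
if [ "${PORT}" -gt 65535 ] || [ "${FILTER_QUEUE}" -gt 65535 ]; then
  echo "PORT and FILTER_QUEUE must be <= 65535" >&2; exit 1
fi

# … unchanged: CONNMARK/MARK mangle rules and NFQUEUE filter rules …

exec "$@"
```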
