port mapping: move the pod level whitelist rules to pod setup

from container setup

Signed-off-by: Xu Wang <[email protected]>

Author: gnawux

src/portmapping.c

@@ -161,26 +161,14 @@ int hyper_setup_portmapping(struct hyper_pod *pod)
 		fprintf(stderr, "sysctl: setup default nf_conntrack_tcp_timeout_established(%s) failed\n", timeout);
 	}
 
-	return 0;
-}
-
-int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod)
-{
-	// only allow network request from internal white list
-	int i = 0, j = 0;
-	char rule[128] = {0};
-	char iptables_restore[512];
-
-	// restore iptables rules
-	if (sprintf(iptables_restore, "iptables-restore /tmp/hyper/shared/%s-iptables", c->id) > 0) {
-		hyper_cmd(iptables_restore);
-	}
-
+	// configure the white list rules for lan access
 	if (pod->portmap_white_lists == NULL || (pod->portmap_white_lists->i_num == 0 &&
 			pod->portmap_white_lists->e_num == 0)) {
 		return 0;
 	}
 
+	int j = 0;
+	char rule[128] = {0};
 	for (j=0; j<pod->portmap_white_lists->i_num; j++) {
 		sprintf(rule, "-s %s -j ACCEPT",
 			pod->portmap_white_lists->internal_networks[j]);
@@ -196,6 +184,26 @@ int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_po
 		}
 	}
 
+	return 0;
+}
+
+int hyper_setup_container_portmapping(struct hyper_container *c, struct hyper_pod *pod)
+{
+	// only allow network request from internal white list
+	int i = 0, j = 0;
+	char rule[128] = {0};
+	char iptables_restore[512];
+
+	// restore iptables rules
+	if (sprintf(iptables_restore, "iptables-restore /tmp/hyper/shared/%s-iptables", c->id) > 0) {
+		hyper_cmd(iptables_restore);
+	}
+
+	if (pod->portmap_white_lists == NULL || (pod->portmap_white_lists->i_num == 0 &&
+			pod->portmap_white_lists->e_num == 0)) {
+		return 0;
+	}
+
 	if (c->ports_num == 0) {
 		return 0;
 	}