iptables-poller

#!/usr/bin/ruby

require 'socket'
require 'optparse'
require 'English'

# We need IP forwarding and local routing to make this work
SYSCTL_KEYS = {
  'net.ipv4.ip_forward' => '1',
  'net.ipv4.conf.all.route_localnet' => '1'
}.freeze

# We can ignore rancher IPSec. Strings to avoid type casting
INGORE_PORTS = %w(500 4500)

CATTLE_CHAIN = 'CATTLE_PREROUTING'
CATTLE_CHAIN_COMMAND = "iptables -t nat -S #{CATTLE_CHAIN}"

POLLER_OUTPUT_CHAIN = 'POLLER_OUTPUT'
POLLER_POSTROUTING_CHAIN = 'POLLER_POSTROUTING'

POLLER_OUTPUT = '-d %{host_ip} -p %{proto} --dport %{source_port} -j DNAT --to %{dest_address}:%{dest_port}'
POLLER_POSTROUTING = '-d %{dest_address} -p %{proto} --dport %{dest_port} -j SNAT --to-source %{host_ip}'

POLLER_VERSION = '0.2.0'

# Exception to be raised when system call failed.
class ExecFailed < RuntimeError
  attr_reader :command, :exit_code, :output

  def initialize(command, exit_code, output)
    @command = command.chomp
    @exit_code = exit_code
    @output = output
  end

  def inspect
    "ExecFailed: command `#{command}`, failed with #{exit_code}, output:\n #{output}"
  end
  alias_method :to_s, :inspect
end

# :nodoc:
module IPTables
  # Instead of regexp, lets try with optparse
  class DNAT
    # Parsed iptables rule
    Rule = Struct.new(:proto, :source_port, :dest_address, :dest_port) do
      # <# tcp://:500 -> 10.0.1.1:466>
      def to_s
        "<#{proto}://:#{source_port} -> #{dest_address}:#{dest_port}>"
      end
    end

    def self.parse(options)
      rule = Rule.new

      opt_parser = OptionParser.new do |opts|
        opts.on('-A ADD_CHAIN')
        opts.on('-p PROTO') do |proto|
          rule.proto = proto
        end
        opts.on('-m MARK_TYPE')
        opts.on('--dst-type TYPE')
        opts.on('--dport PORT') do |source_port|
          rule.source_port = source_port
        end
        opts.on('-j JUMP_CHAIN')
        opts.on('--to-destination ADDR') do |dest|
          rule.dest_address, rule.dest_port = dest.split(':')
        end
      end

      opt_parser.parse!(options.split)

      rule
    end
  end
end

def log(message)
  puts "[#{Time.now}] #{message}"
end

def debug(message)
  puts "DEBUG [#{Time.now}] #{message}" if ENV['DEBUG']
end

def exec_safely(command)
  output = `#{command} 2>&1`
  exit_status = $CHILD_STATUS.exitstatus

  if exit_status != 0
    fail ExecFailed.new(command, exit_status, output)
  else
    return output
  end
end

# Return current list of IPv4 addresses attachet to the host
def host_ips
  return host_ips_from_env if host_ips_from_env.any?
  host_ips_from_iface(main_iface)
end

# Return the array of the hosts, if any set by 'POLLER_HOST_IP'
def host_ips_from_env
  @env_host_ips ||= ENV.fetch('POLLER_HOST_IP', '').split(/\s*,\s*/)
end

# Return array of IPv4 addresses on the
def host_ips_from_iface(iface_name)
  ipv4_ifaddrs.find_all { |iface| iface.name == iface_name }
    .map {|iface| iface.addr.ip_address }
end

# Returns the name of the currenly selected interface
def main_iface
  @main_iface ||= ENV.fetch('POLLER_IFACE', first_interface_name)
end

# Returns the name of the first interface with non-loopback IPv4 address
def first_interface_name
  @first_interface_name ||= ipv4_ifaddrs.map(&:name).uniq.first
end

def ipv4_ifaddrs
  Socket.getifaddrs.find_all do |iface|
    addr = iface.addr
    addr.ipv4? && !addr.ipv4_loopback?
  end
end

# Check that we got at least one address.
def check_host_ip
  log "Detecting host IP addresses to attach chain rules..."
  if host_ips.empty?
    log "Can't detect IPv4 addresses on #{first_interface_name}."

    log <<-ERROR

    Set `POLLER_HOST_IP` enviroment variable to explicitly specify host IP
    addresses. Multiple addresses can be specified and separated by comma
    For example:

        POLLER_HOST_IP= "10.0.0.1, 10.0.0.2"

    Set `POLLER_IFACE` enviroment variable to specify the specific interface,
    where IP addresses should be detected.

    Note: IPv6 and loopback IP's are ignored.

    ERROR

    exit 1
  end

  if host_ips_from_env.any?
    log "\tUsing POLLER_HOST_IP: #{host_ips.join(", ")}"
  else
    log "\tUsing '#{main_iface}': #{host_ips.join(", ")}"
  end
end

# Check that we can access CATTLE_PREROUTING chain
def check_cattle
  log "Checking #{CATTLE_CHAIN} iptables chain..."

  raw_cattle_prerouting

  log "\tDone. Cattle is available"
end

def check_sysctl
  log 'Checking host configuration...'

  SYSCTL_KEYS.each do |key, value|
    result = exec_safely("sysctl -n #{key}").chomp
    next if result == value

    log "\t#{key} is not '#{value}'. Please set this key in /etc/sysctl.conf"
    log "\tor in /etc/sysctl.d/<xx>-<name>.conf and reboot the host."

    log "\tOther required keys: #{SYSCTL_KEYS.keys.join(', ')}"

    exit 1
  end

  log "\tDone. All keys are set"
end

def raw_cattle_prerouting
  exec_safely CATTLE_CHAIN_COMMAND

rescue ExecFailed => failure
  log "Can't access CATTLE_PREROUTING iptables chain."
  log "\tEnsure that container started with --privileged and try again."
  log "\tTried with #{failure.command}, exit code #{failure.exit_code}, log:"

  puts failure.output

  exit 1
end

def cattle_prerouting
  lines = raw_cattle_prerouting.split("\n")
  _chain_name = lines.shift.split.last

  # It will fail on unknown options, but let it fail.
  rules = lines.map do |rule|
    IPTables::DNAT.parse(rule)
  end

  rules
    .reject { |rule| INGORE_PORTS.include? rule.source_port }
    .sort_by { |rule| rule.source_port.to_i }
end

def create_chains
  log 'Cleaning and creating chains...'

  # We don't actually care about failures here
  `iptables -t nat -N #{POLLER_OUTPUT_CHAIN} 2>&1`
  `iptables -t nat -N #{POLLER_POSTROUTING_CHAIN} 2>&1`

  # Flush if anything exist before
  exec_safely "iptables -t nat -F #{POLLER_OUTPUT_CHAIN}"
  exec_safely "iptables -t nat -F #{POLLER_POSTROUTING_CHAIN}"

  # Reference to the OUTPUT/POSTROUTING chain
  exec_safely "iptables -t nat -A OUTPUT -j #{POLLER_OUTPUT_CHAIN}"
  exec_safely "iptables -t nat -A POSTROUTING -j #{POLLER_POSTROUTING_CHAIN}"
end

def flush_chains
  debug "Flushing chains: #{POLLER_OUTPUT_CHAIN}, #{POLLER_POSTROUTING_CHAIN}"

  exec_safely "iptables -t nat -F #{POLLER_OUTPUT_CHAIN}"
  exec_safely "iptables -t nat -F #{POLLER_POSTROUTING_CHAIN}"
end

def update_rules(new_set)
  flush_chains

  # Maybe it's better to generate file and feed it to iptables at once with
  # COMMIT command. This way some connections may fail while rules are updated.

  host_ips.each do |host_ip|
    new_set.each do |rule|
      rule = rule.to_h.merge host_ip: host_ip

      out_rule = format(POLLER_OUTPUT, rule)
      post_rule = format(POLLER_POSTROUTING, rule)

      exec_safely "iptables -t nat -A #{POLLER_OUTPUT_CHAIN} #{out_rule}"
      exec_safely "iptables -t nat -A #{POLLER_POSTROUTING_CHAIN} #{post_rule}"
    end
  end

  log 'iptables chain updated'
rescue ExecFailed => failure
  log "Can't set iptables rules. Tried #{failure.command}, failed with: "
  puts failure.output

  exit 4
end

log "Starting Rancher iptables poller #{POLLER_VERSION}..."

check_host_ip

check_cattle
check_sysctl

create_chains

@last_set = []
@last_ips = host_ips
@running = true
@delay = 1.0

log "Started with polling #{@delay}s delay"

trap_callback = proc do
  puts
  log 'Stopping ...'
  @running = false
end

Signal.trap('INT', &trap_callback)
Signal.trap('TERM', &trap_callback)

while @running
  current_set = cattle_prerouting

  if current_set != @last_set
    log 'Chain changed:'
    log "\tBefore: [#{@last_set.join(', ')}]"
    log "\t After: [#{current_set.join(', ')}]"

    update_rules current_set

    @last_set = current_set
  end

  if host_ips != @last_ips
    log 'IPs changed:'
    log "\tBefore: [#{@last_ips.join(', ')}]"
    log "\t After: [#{host_ips.join(', ')}]"

    update_rules current_set

    @last_ips = host_ips
  end

  sleep @delay
end

log 'Exited.'