adding iptables functionality

compose/docker-compose.contained.yml

@@ -3,15 +3,19 @@ version: "3.4"
 services:
   netmaker:
     container_name: netmaker
-    image: gravitl/netmaker:v0.9.4
+    image: gravitl/netmaker:v0.10.0.12
     volumes:
       - dnsconfig:/root/config/dnsconfig
       - /usr/bin/wg:/usr/bin/wg
       - sqldata:/root/data
     cap_add: 
       - NET_ADMIN
+      - NET_RAW
+      - SYS_MODULE
+    sysctls:
+      - net.ipv4.ip_forward=1
+      - net.ipv4.conf.all.src_valid_mark=1
     restart: always
-    privileged: true
     environment:
       SERVER_HOST: "SERVER_PUBLIC_IP"
       SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443"
@@ -25,11 +29,14 @@ services:
       GRPC_PORT: "50051"
       CLIENT_MODE: "on"
       MASTER_KEY: "REPLACE_MASTER_KEY"
-      SERVER_GRPC_WIREGUARD: "off"
       CORS_ALLOWED_ORIGIN: "*"
       DISPLAY_KEYS: "on"
       DATABASE: "sqlite"
       NODE_ID: "netmaker-server-1"
+      HOST_NETWORK: "off"
+      MANAGE_IPTABLES: "on"
+      PORT_FORWARD_SERVICES: "dns"
+      VERBOSITY: "1"
     ports:
       - "51821-51830:51821-51830/udp"
       - "8081:8081"
@@ -53,9 +60,6 @@ services:
     command: -conf /root/dnsconfig/Corefile
     container_name: coredns
     restart: always
-    ports:
-      - "COREDNS_IP:53:53/udp"
-      - "COREDNS_IP:53:53/tcp"
     volumes:
       - dnsconfig:/root/dnsconfig
   caddy:

compose/docker-compose.hostnetwork.yml

@@ -5,19 +5,16 @@ services:
     container_name: netmaker
     image: gravitl/netmaker:v0.9.4
     volumes:
-      - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
-      - /run/systemd/system:/run/systemd/system
-      - /etc/systemd/system:/etc/systemd/system
-      - /sys/fs/cgroup:/sys/fs/cgroup
-      - /usr/bin/wg:/usr/bin/wg
       - dnsconfig:/root/config/dnsconfig
+      - /usr/bin/wg:/usr/bin/wg
       - sqldata:/root/data
-    cap_add: 
+      - /run/xtables.lock:/run/xtables.lock
+    cap_add:
       - NET_ADMIN
-      - SYS_ADMIN
-    restart: always
+      - NET_RAW
+      - SYS_MODULE
     network_mode: host
-    privileged: true
+    restart: always
     environment:
       SERVER_HOST: "SERVER_PUBLIC_IP"
       SERVER_API_CONN_STRING: "api.NETMAKER_BASE_DOMAIN:443"
@@ -35,7 +32,11 @@ services:
       CORS_ALLOWED_ORIGIN: "*"
       DISPLAY_KEYS: "on"
       DATABASE: "sqlite"
+      HOST_NETWORK: "on"
       NODE_ID: "netmaker-server-1"
+      MANAGE_IPTABLES: "on"
+      PORT_FORWARD_SERVICES: ""
+      VERBOSITY: "1"
   netmaker-ui:
     container_name: netmaker-ui
     depends_on:
@@ -56,8 +57,8 @@ services:
     container_name: coredns
     restart: always
     ports:
-      - "COREDNS_IP:53:53/udp"
-      - "COREDNS_IP:53:53/tcp"
+      - "53053:53/udp"
+      - "53053:53/tcp"
     volumes:
       - dnsconfig:/root/dnsconfig
   caddy:

config/config.go

@@ -73,6 +73,7 @@ type ServerConfig struct {
 	Telemetry             string `yaml:"telemetry"`
 	ManageIPTables        string `yaml:"manageiptables"`
 	PortForwardServices   string `yaml:"portforwardservices"`
+	HostNetwork           string `yaml:"hostnetwork"`
 }
 
 // SQLConfig - Generic SQL Config

servercfg/serverconf.go

@@ -87,6 +87,8 @@ func GetServerConfig() config.ServerConfig {
 	}
 	cfg.Telemetry = Telemetry()
 	cfg.ManageIPTables = ManageIPTables()
+	services := strings.Join(GetPortForwardServiceList(), ",")
+	cfg.PortForwardServices = services
 
 	return cfg
 }
@@ -494,6 +496,17 @@ func IsSplitDNS() bool {
 	return issplit
 }
 
+// IsSplitDNS - checks if split dns is on
+func IsHostNetwork() bool {
+	ishost := false
+	if os.Getenv("HOST_NETWORK") == "on" {
+		ishost = true
+	} else if config.Config.Server.HostNetwork == "on" {
+		ishost = true
+	}
+	return ishost
+}
+
 // GetNodeID - gets the node id
 func GetNodeID() string {
 	var id string

serverctl/iptables.go

@@ -1,60 +1,130 @@
 package serverctl
 
 import (
+	"errors"
 	"net"
+	"os"
 	"os/exec"
 	"strings"
+	"time"
 
+	"github.com/gravitl/netmaker/logger"
 	"github.com/gravitl/netmaker/netclient/ncutils"
 	"github.com/gravitl/netmaker/servercfg"
 )
 
+const NETMAKER_PROCESS_NAME = "netmaker"
+
 // InitServerNetclient - intializes the server netclient
 func InitIPTables() error {
 	_, err := exec.LookPath("iptables")
 	if err != nil {
 		return err
 	}
-	setForwardPolicy()
-	portForwardServices()
-	return nil
+	err = setForwardPolicy()
+	if err != nil {
+		logger.Log(0, "error setting iptables forward policy: "+err.Error())
+	}
+
+	err = portForwardServices()
+	if err != nil {
+		return err
+	}
+	if isContainerized() && servercfg.IsHostNetwork() {
+		err = setHostCoreDNSMapping()
+	}
+	return err
 }
 
-func portForwardServices() {
+// set up port forwarding for services listed in config
+func portForwardServices() error {
+	var err error
 	services := servercfg.GetPortForwardServiceList()
-
+	if len(services) == 0 || services[0] == "" {
+		return nil
+	}
 	for _, service := range services {
 		switch service {
 		case "mq":
-			iptablesPortForward("mq", "1883", false)
+			err = iptablesPortForward("mq", "1883", "1883", false)
 		case "dns":
-			iptablesPortForward("mq", "1883", false)
+			err = iptablesPortForward("coredns", "53", "53", false)
 		case "ssh":
-			iptablesPortForward("127.0.0.1", "22", true)
+			err = iptablesPortForward("127.0.0.1", "22", "22", true)
 		default:
 			params := strings.Split(service, ":")
-			iptablesPortForward(params[0], params[1], true)
+			err = iptablesPortForward(params[0], params[1], params[2], true)
+		}
+		if err != nil {
+			return err
 		}
 	}
+	return nil
+}
+
+// determine if process is running in container
+func isContainerized() bool {
+	fileBytes, err := os.ReadFile("/proc/1/sched")
+	if err != nil {
+		logger.Log(1, "error determining containerization: "+err.Error())
+		return false
+	}
+	fileString := string(fileBytes)
+	return strings.Contains(fileString, NETMAKER_PROCESS_NAME)
 }
 
-func setForwardPolicy() {
-	ncutils.RunCmd("iptables --policy FORWARD ACCEPT", true)
+// make sure host allows forwarding
+func setForwardPolicy() error {
+	logger.Log(1, "setting iptables forward policy")
+	_, err := ncutils.RunCmd("iptables --policy FORWARD ACCEPT", false)
+	return err
 }
 
-func iptablesPortForward(entry string, port string, isIP bool) {
+// port forward from an entry, can contain a dns name for lookup
+func iptablesPortForward(entry string, inport string, outport string, isIP bool) error {
+	logger.Log(1, "forwarding "+entry+" traffic from host port "+inport+" to container port "+outport)
+
 	var address string
 	if !isIP {
-		ips, _ := net.LookupIP(entry)
-		for _, ip := range ips {
-			if ipv4 := ip.To4(); ipv4 != nil {
-				address = ip.String()
-				break
+	out:
+		for i := 1; i < 4; i++ {
+			ips, err := net.LookupIP(entry)
+			if err != nil && i > 2 {
+				return err
+			}
+			for _, ip := range ips {
+				if ipv4 := ip.To4(); ipv4 != nil {
+					address = ipv4.String()
+				}
 			}
+			if address != "" {
+				break out
+			}
+			time.Sleep(time.Second)
 		}
 	} else {
 		address = entry
 	}
-	ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+port+" -j DNAT --to-destination "+address+":"+port, true)
-	ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", true)
+	if address == "" {
+		return errors.New("could not locate ip for " + entry)
+	}
+
+	_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -p tcp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
+	if err != nil {
+		return err
+	}
+	_, err = ncutils.RunCmd("iptables -t nat -A PREROUTING -p udp --dport "+inport+" -j DNAT --to-destination "+address+":"+outport, false)
+	if err != nil {
+		return err
+	}
+	_, err = ncutils.RunCmd("iptables -t nat -A POSTROUTING -j MASQUERADE", false)
+	return err
+}
+
+// if running in host networking mode, run iptables to map to CoreDNS container
+func setHostCoreDNSMapping() error {
+	logger.Log(1, "forwarding dns traffic on host from netmaker interfaces to 53053")
+	ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p tcp --match tcp --dport 53 --jump REDIRECT --to-ports 53053", true)
+	_, err := ncutils.RunCmd("iptables -t nat -A PREROUTING -i nm-+ -p udp --match udp --dport 53 --jump REDIRECT --to-ports 53053", true)
+	return err
 }