in cmd/ip-masq-agent-v2/ip-masq-agent.go [317:357]
// syncMasqRules reconciles the IPv4 NAT rules owned by this agent with the
// current configuration. It makes sure masqChain exists and is reachable from
// POSTROUTING, then swaps in the chain's full contents with a single
// iptables-restore call so the kernel never sees a half-populated chain.
//
// Rule order is security-relevant: iptables stops at the first matching rule,
// so every non-masquerade exception must be emitted before the catch-all
// masquerade rule, and the order below must not be rearranged.
//
// Returns the first error reported by the iptables wrapper. What state the
// table is in after a failed restore is not determined here (iptables-restore
// is normally all-or-nothing per table, but that is not verified by this code).
func (m *MasqDaemon) syncMasqRules() error {
	// The custom chain has to exist before rules can be restored into it.
	if _, err := m.iptables.EnsureChain(utiliptables.TableNAT, masqChain); err != nil {
		return err
	}
	// Without the POSTROUTING -> masqChain jump the chain is never evaluated,
	// so the rules built below would be inert.
	if err := m.ensurePostroutingJump(); err != nil {
		return err
	}

	// Assemble an iptables-restore script for the nat table. The chain
	// declaration line resets masqChain as part of the same restore, which is
	// what makes the replacement atomic rather than flush-then-append.
	var script bytes.Buffer
	writeLine(&script, "*nat")
	writeLine(&script, utiliptables.MakeChainLine(masqChain))

	// Exceptions first (first match wins). Link-local is exempt from
	// masquerading unless the operator explicitly opted in via MasqLinkLocal.
	if !m.config.MasqLinkLocal {
		writeNonMasqRule(&script, linkLocalCIDR)
	}

	// Only IPv4 ranges belong in this table; IPv6 entries are skipped here.
	// NOTE(review): each CIDR string is written into the restore script as-is,
	// so this relies on config loading having already validated them — confirm
	// at the config parser rather than assuming it here.
	for _, rng := range m.config.NonMasqueradeCIDRs {
		if isIPv6CIDR(rng) {
			continue
		}
		writeNonMasqRule(&script, rng)
	}

	// Catch-all: anything not matched above and not bound for a --dst-type
	// LOCAL destination is masqueraded.
	writeMasqRule(&script)
	writeLine(&script, "COMMIT")

	// NoFlushTables: other chains in the nat table are left untouched.
	// NoRestoreCounters: counter values in the script are not applied.
	return m.iptables.RestoreAll(script.Bytes(), utiliptables.NoFlushTables, utiliptables.NoRestoreCounters)
}