network: support --internal flag

Signed-off-by: ChengyuZhu6 <[email protected]>

Author: ChengyuZhu6

cmd/nerdctl/network/network_create.go

@@ -51,6 +51,7 @@ func createCommand() *cobra.Command {
 	cmd.Flags().String("ip-range", "", `Allocate container ip from a sub-range`)
 	cmd.Flags().StringArray("label", nil, "Set metadata for a network")
 	cmd.Flags().Bool("ipv6", false, "Enable IPv6 networking")
+	cmd.Flags().Bool("internal", false, "Restrict external access to the network")
 	return cmd
 }
 
@@ -100,6 +101,10 @@ func createAction(cmd *cobra.Command, args []string) error {
 	if err != nil {
 		return err
 	}
+	internal, err := cmd.Flags().GetBool("internal")
+	if err != nil {
+		return err
+	}
 
 	return network.Create(types.NetworkCreateOptions{
 		GOptions:    globalOptions,
@@ -113,5 +118,6 @@ func createAction(cmd *cobra.Command, args []string) error {
 		IPRange:     ipRangeStr,
 		Labels:      labels,
 		IPv6:        ipv6,
+		Internal:    internal,
 	}, cmd.OutOrStdout())
 }

pkg/api/types/network_types.go

@@ -35,6 +35,7 @@ type NetworkCreateOptions struct {
 	IPRange     string
 	Labels      []string
 	IPv6        bool
+	Internal    bool
 }
 
 // NetworkInspectOptions specifies options for `nerdctl network inspect`.

pkg/netutil/netutil.go

@@ -29,7 +29,7 @@ import (
 	"sort"
 	"strconv"
 
-	"github.com/containernetworking/cni/libcni"
+	libcni "github.com/containernetworking/cni/libcni"
 
 	containerd "github.com/containerd/containerd/v2/client"
 	"github.com/containerd/containerd/v2/pkg/namespaces"
@@ -306,11 +306,11 @@ func (e *CNIEnv) CreateNetwork(opts types.NetworkCreateOptions) (*NetworkConfig,
 	if _, ok := netMap[opts.Name]; ok {
 		return nil, errdefs.ErrAlreadyExists
 	}
-	ipam, err := e.generateIPAM(opts.IPAMDriver, opts.Subnets, opts.Gateway, opts.IPRange, opts.IPAMOptions, opts.IPv6)
+	ipam, err := e.generateIPAM(opts.IPAMDriver, opts.Subnets, opts.Gateway, opts.IPRange, opts.IPAMOptions, opts.IPv6, opts.Internal)
 	if err != nil {
 		return nil, err
 	}
-	plugins, err := e.generateCNIPlugins(opts.Driver, opts.Name, ipam, opts.Options, opts.IPv6)
+	plugins, err := e.generateCNIPlugins(opts.Driver, opts.Name, ipam, opts.Options, opts.IPv6, opts.Internal)
 	if err != nil {
 		return nil, err
 	}

pkg/netutil/netutil_unix.go

@@ -90,7 +90,7 @@ func (n *NetworkConfig) clean() error {
 	return nil
 }
 
-func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]interface{}, opts map[string]string, ipv6 bool) ([]CNIPlugin, error) {
+func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]interface{}, opts map[string]string, ipv6 bool, internal bool) ([]CNIPlugin, error) {
 	var (
 		plugins []CNIPlugin
 		err     error
@@ -124,12 +124,21 @@ func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]
 		bridge.MTU = mtu
 		bridge.IPAM = ipam
 		bridge.IsGW = true
-		bridge.IPMasq = iPMasq
+		// If internal, disable masquerade regardless of options
+		if internal {
+			bridge.IPMasq = false
+		} else {
+			bridge.IPMasq = iPMasq
+		}
 		bridge.HairpinMode = true
 		if ipv6 {
 			bridge.Capabilities["ips"] = true
 		}
-		plugins = []CNIPlugin{bridge, newPortMapPlugin(), newFirewallPlugin(), newTuningPlugin()}
+		if internal {
+			plugins = []CNIPlugin{bridge, newFirewallPlugin(), newTuningPlugin()}
+		} else {
+			plugins = []CNIPlugin{bridge, newPortMapPlugin(), newFirewallPlugin(), newTuningPlugin()}
+		}
 		if name != DefaultNetworkName {
 			firewallPath := filepath.Join(e.Path, "firewall")
 			ok, err := firewallPluginGEQ110(firewallPath)
@@ -186,13 +195,15 @@ func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]
 	return plugins, nil
 }
 
-func (e *CNIEnv) generateIPAM(driver string, subnets []string, gatewayStr, ipRangeStr string, opts map[string]string, ipv6 bool) (map[string]interface{}, error) {
+func (e *CNIEnv) generateIPAM(driver string, subnets []string, gatewayStr, ipRangeStr string, opts map[string]string, ipv6 bool, internal bool) (map[string]interface{}, error) {
 	var ipamConfig interface{}
 	switch driver {
 	case "default", "host-local":
 		ipamConf := newHostLocalIPAMConfig()
-		ipamConf.Routes = []IPAMRoute{
-			{Dst: "0.0.0.0/0"},
+		if !internal {
+			ipamConf.Routes = []IPAMRoute{
+				{Dst: "0.0.0.0/0"},
+			}
 		}
 		ranges, findIPv4, err := e.parseIPAMRanges(subnets, gatewayStr, ipRangeStr, ipv6)
 		if err != nil {

pkg/netutil/netutil_windows.go

@@ -30,7 +30,7 @@ const (
 
 	// When creating non-default network without passing in `--subnet` option,
 	// nerdctl assigns subnet address for the creation starting from `StartingCIDR`
-	// This prevents subnet address overlapping with `DefaultCIDR` used by the default networkß
+	// This prevents subnet address overlapping with `DefaultCIDR` used by the default network
 	StartingCIDR = "10.4.1.0/24"
 )
 
@@ -58,7 +58,7 @@ func (n *NetworkConfig) clean() error {
 	return nil
 }
 
-func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]interface{}, opts map[string]string, ipv6 bool) ([]CNIPlugin, error) {
+func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]interface{}, opts map[string]string, ipv6 bool, internal bool) ([]CNIPlugin, error) {
 	var plugins []CNIPlugin
 	switch driver {
 	case "nat":
@@ -71,7 +71,7 @@ func (e *CNIEnv) generateCNIPlugins(driver string, name string, ipam map[string]
 	return plugins, nil
 }
 
-func (e *CNIEnv) generateIPAM(driver string, subnets []string, gatewayStr, ipRangeStr string, opts map[string]string, ipv6 bool) (map[string]interface{}, error) {
+func (e *CNIEnv) generateIPAM(driver string, subnets []string, gatewayStr, ipRangeStr string, opts map[string]string, ipv6 bool, internal bool) (map[string]interface{}, error) {
 	switch driver {
 	case "default":
 	default: