In this installment, we discuss a powerful new feature: host name-based routing. Host name-based routing simplifies IP routing by allowing host names to be used instead of raw IP addresses as arguments to the ip protocol in the --route-add and --route-block flags.
We will also demonstrate how to create network routing layers that allow a given network configuration to be easily applied across multiple application images.
Host Name-based IP Restrictions
In the previous blog post we saw that you can use routing flags such as --route-block=ip --route-add=ip://10.0.0.34 to restrict outbound container network traffic to all IP addresses except 10.0.0.34 or, conversely, use --route-block=ip://10.0.0.34 to block traffic only to a specified IP address.
This syntax has been extended to allow specifying host names instead of IP addresses. A human-readable domain name is often easier to set up, more readable, and automatically stays correct across IP address changes. When a host name is specified, it is treated as if each of its IP addresses had been specified. Cases where a host name resolves to multiple IP addresses, including IPv6 addresses, are handled properly.
Note, however, that you cannot specify a host name on the right side of a route-add mapping, since the result would be ambiguous if the host name resolved to multiple IP addresses.
For example, to run a Chrome container allowing only access to the turbo.net and blog.turbo.net domains, you can use the command:
turbo new --route-block=ip --route-add=ip://turbo.net --route-add=ip://blog.turbo.net chrome https://turbo.net
Wildcards are supported in host name routing. So, for example, to unblock turbo.net and all of its subdomains, use the expression:
turbo new --route-block=ip --route-add=ip://*.turbo.net chrome https://blog.turbo.net
Or, to run a Chrome container disallowing access to the facebook.com domain and all of its subdomains:
turbo new --route-block=ip://*.facebook.com chrome
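To make the block/add semantics above concrete, here is an added Python model of how a set of --route-block / --route-add flags decides whether a destination is reachable. It is example code written for this post, not part of Turbo's implementation. It resolves host names against a constructed DNS table (documentation-range addresses, not the real addresses of these hosts), expands each name into one rule per resolved IPv4 and IPv6 address, treats "*.turbo.net" as matching turbo.net and every subdomain as the post describes, and assumes that an explicit add takes precedence over a block, which is what the "block everything, then add exceptions" pattern relies on. It also assumes a wildcard rule can only match a destination that is addressed by name, so a literal IP of a blocked wildcard host is not caught by it. The rule sets are the three from this section plus the routing layer built later in the post.

```python
import ipaddress

# Constructed stand-in for DNS (documentation-range addresses, not the real
# addresses of these hosts), so the example runs offline.
FAKE_DNS = {
    "turbo.net": ["203.0.113.10", "2001:db8::10"],
    "blog.turbo.net": ["203.0.113.11"],
    "www.facebook.com": ["198.51.100.5", "2001:db8:1::5"],
    "example.org": ["192.0.2.7"],
}


def resolve(host, table=FAKE_DNS):
    """Every address a name resolves to, IPv4 and IPv6 alike."""
    return [ipaddress.ip_address(a) for a in table.get(host.lower(), [])]


def parse_flag(flag):
    """Split '--route-add=ip://X' or '--route-block=ip' into (action, target)."""
    if not flag.startswith("--route-"):
        raise ValueError(f"not a route flag: {flag}")
    action, _, value = flag[len("--route-"):].partition("=")
    if action not in ("add", "block") or not value.startswith("ip"):
        raise ValueError(f"unsupported route flag: {flag}")
    # A bare 'ip' with no target ('--route-block=ip') applies to every address.
    target = value[len("ip://"):] if value.startswith("ip://") else ""
    return action, target


def compile_rules(flags, table=FAKE_DNS):
    """Expand flags into (action, kind, value) rules; names become /32 or /128 networks."""
    rules = []
    for flag in flags:
        action, target = parse_flag(flag)
        if target == "":
            rules.append((action, "all", None))
        elif "*" in target:
            rules.append((action, "pattern", target.lower()))
        else:
            try:
                rules.append((action, "net", ipaddress.ip_network(target, strict=False)))
            except ValueError:
                addrs = resolve(target, table)
                if not addrs:
                    raise ValueError(f"cannot resolve {target}") from None
                # One rule per resolved address, so dual-stack hosts are fully covered.
                rules.extend((action, "net", ipaddress.ip_network(str(a))) for a in addrs)
    return rules


def host_matches(pattern, host):
    """'*.turbo.net' matches turbo.net itself and every subdomain, as the post describes."""
    if host is None:
        return False
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == pattern


def rule_matches(rule, ip, host):
    _, kind, value = rule
    if kind == "all":
        return True
    if kind == "net":
        return ip in value  # an IPv4/IPv6 version mismatch simply yields False
    return host_matches(value, host)  # wildcard rules need a destination name (assumption)


def _allowed_one(rules, ip, host):
    # Assumption: an explicit --route-add wins over any block.
    if any(r[0] == "add" and rule_matches(r, ip, host) for r in rules):
        return True
    if any(r[0] == "block" and rule_matches(r, ip, host) for r in rules):
        return False
    return True  # nothing matched: traffic is not restricted


def is_allowed(flags, dest, table=FAKE_DNS):
    """dest is a host name or literal IP; True only if every resolved address is permitted."""
    rules = compile_rules(flags, table)
    try:
        ips, host = [ipaddress.ip_address(dest)], None
    except ValueError:
        ips, host = resolve(dest, table), dest
        if not ips:
            raise ValueError(f"cannot resolve {dest}") from None
    return all(_allowed_one(rules, ip, host) for ip in ips)


# The three rule sets from this section plus the routing layer built later in the post.
ALLOW_TURBO = ["--route-block=ip", "--route-add=ip://turbo.net", "--route-add=ip://blog.turbo.net"]
ALLOW_TURBO_WILDCARD = ["--route-block=ip", "--route-add=ip://*.turbo.net"]
BLOCK_FACEBOOK = ["--route-block=ip://*.facebook.com"]
LAYER = ["--route-block=ip", "--route-add=ip://turbo.net",
         "--route-add=ip://192.168.1.0/24", "--route-add=ip://127.0.0.1"]

if __name__ == "__main__":
    for flags in (ALLOW_TURBO, ALLOW_TURBO_WILDCARD, BLOCK_FACEBOOK, LAYER):
        print(" ".join(flags))
        for dest in ("turbo.net", "blog.turbo.net", "www.facebook.com",
                     "2001:db8::10", "192.168.1.1", "198.51.100.5"):
            print(f"  {dest:18} {'allow' if is_allowed(flags, dest) else 'block'}")
```

Running the script prints a decision table for each rule set. Two points worth checking against your own rules: a destination is allowed only if every address it resolves to is allowed, so a dual-stack host whose IPv6 address is missing from an allow rule is treated as blocked; and, under this model, a wildcard block such as ip://*.facebook.com has no effect on traffic sent to a literal IP address, so a block list built from names should be combined with address-based rules where that matters.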
Creating IP Routing Layers
If you need to apply the same set of IP routing rules across multiple applications, it is inconvenient to repeat them each time you create a container. In this situation, you can create a layer containing the appropriate IP routing rules and apply it to all of the applicable containers.
For example, to create a layer that blocks access to all IP addresses except the turbo.net domain, the network 192.168.1.0/24, and 127.0.0.1, first create a container with the rules:
turbo new --no-run --route-block=ip --route-add=ip://turbo.net --route-add=ip://192.168.1.0/24 --route-add=ip://127.0.0.1
(Note we have used the --no-run flag here since we do not wish to execute this container.)
We then commit the routing container to a new image called network-blocking-layer:
turbo commit 605072f3 network-blocking-layer
Here, 605072f3 is the container ID that turbo new printed when the routing container was created. We can now use this layer together with any image:
turbo new network-blocking-layer,firefox https://turbo.net
turbo new network-blocking-layer,putty -ssh 192.168.1.1
These applications can in turn be committed to a new image that is ready for deployment:
turbo commit firefox#173a0d39 firefox-restricted
turbo run firefox-restricted