conlink 2.1.0 → 2.2.0

package/Dockerfile

@@ -28,7 +28,7 @@ RUN apt-get -y install libpcap-dev tcpdump iproute2 iputils-ping curl \
                        openvswitch-switch openvswitch-testcontroller
 
 COPY --from=build /app/ /app/
-ADD link-add.sh link-del.sh link-mirred.sh /app/
+ADD link-add.sh link-del.sh link-mirred.sh link-forward.sh /app/
 ADD schema.yaml /app/build/
 
 ENV PATH /app:$PATH

package/README.md

@@ -92,28 +92,31 @@ interfaces in the host.
 
 The following table describes the link properties:
 
-| property  | link types | format     | default | description              |
-|-----------|------------|------------|---------|--------------------------|
-| type      | *          | string 1   | veth    | link/interface type      |
-| service   | *          | string     | 2       | compose service          |
-| container | *          | string     |         | container name           |
-| bridge    | veth       | string     |         | conlink bridge / domain  |
-| outer-dev | not dummy  | string[15] |         | conlink/host intf name   |
-| dev       | *          | string[15] | eth0    | container intf name      |
-| ip        | *          | CIDR       |         | IP CIDR (index offset)   |
-| mac       | 3          | MAC        |         | MAC addr (index offset)  |
-| mtu       | *          | number 4   | 9000    | intf MTU                 |
-| route     | *          | string     |         | ip route add args        |
-| nat       | *          | IP         |         | DNAT/SNAT to IP          |
-| netem     | *          | string     |         | tc qdisc NetEm options   |
-| mode      | 5          | string     |         | virt intf mode           |
-| vlanid    | vlan       | number     |         | VLAN ID                  |
+| property  | link types | format         | default | description              |
+|-----------|------------|----------------|---------|--------------------------|
+| type      | *          | string 1       | veth    | link/interface type      |
+| service   | *          | string         | 2       | compose service          |
+| container | *          | string         |         | container name           |
+| bridge    | veth       | string         |         | conlink bridge / domain  |
+| outer-dev | not dummy  | string[15]     |         | conlink/host intf name   |
+| dev       | *          | string[15]     | eth0    | container intf name      |
+| ip        | *          | CIDR           |         | IP CIDR 7                |
+| mac       | 3          | MAC            |         | MAC addr 7               |
+| mtu       | *          | number 4       | 65535   | intf MTU                 |
+| route     | *          | string         |         | ip route add args        |
+| nat       | *          | IP             |         | DNAT/SNAT to IP          |
+| netem     | *          | string         |         | tc qdisc NetEm options   |
+| mode      | 5          | string         |         | virt intf mode           |
+| vlanid    | vlan       | number         |         | VLAN ID                  |
+| forward   | veth       | string array 6 |         | forward conlink ports 7  |
 
 - 1 - veth, dummy, vlan, ipvlan, macvlan, ipvtap, macvtap
 - 2 - defaults to outer compose service
 - 3 - not ipvlan/ipvtap
 - 4 - max MTU of parent device for \*vlan, \*vtap types
 - 5 - macvlan, macvtap, ipvlan, ipvtap
+- 6 - string syntax: `conlink_port:container_port/proto`
+- 7 - offset by scale/replica index
 
 Each link has a 'type' key that defaults to "veth" and each link
 definition must also have either a `service` key or a `container` key.
@@ -135,6 +138,18 @@ than the MTU of the parent (outer-dev) device.
 For the `netem` property, refer to the `netem` man page. The `OPTIONS`
 grammar defines the valid strings for the `netem` property.
 
+The `forward` property is an array of strings that defines ports to
+forward from the conlink container into the container over this link.
+Traffic arriving on the conlink container's docker interface of type
+`proto` and destined for port `conlink_port` is forwarded over this
+link to the container IP and port `container_port` (`ip` is required).
+The initial port (`conlink_port`) is offset by the service
+replica/scale number (minus 1). So if the first replica has port 80
+forwarded then the second replica will have port 81 forwarded.
+For publicly publishing a port, the conlink container needs to be on
+a docker network and the `conlink_port` should match the target port
+of a docker published port (for the conlink container).
+
 ### Bridges
 
 The bridge settings currently only support the "mode" setting. If
@@ -449,8 +464,10 @@ Start the test7 compose configuration:
 docker-compose -f examples/test7-compose.yaml up --build --force-recreate
 ```
 
-Show the links in both node containers to see that the MAC addresses
-are `00:0a:0b:0c:0d:0*` and the MTUs are set to `4111`.
+Show the links in both node containers to see that on the eth0
+interfaces the MAC addresses are `00:0a:0b:0c:0d:0*` and the MTUs are
+set to `4111`. The eth1 interfaces should have the command line set
+default MTU of `5111`.
 
 ```
 docker-compose -f examples/test7-compose.yaml exec --index 1 node ip link
@@ -517,6 +534,54 @@ docker-compose -f examples/test9-compose.yaml up --build --force-recreate
 docker-compose -f examples/test9-compose.yaml exec node ping 10.0.1.2
 ```
 
+### test10: port forwarding
+
+This example demonstrates port forwarding from the conlink container
+to two containers running simple web servers.
+
+Start the test10 compose configuration:
+
+```
+docker-compose -f examples/test10-compose.yaml up --build --force-recreate
+```
+
+Ports 3080 and 8080 are both published on the host by the conlink
+container using standard Docker port mapping. The internal mapping of
+those ports (1080 and 1180 respectively) are both are forwarded to
+port 80 in the node1 container using conlink's port forwarding
+mechanism. The two paths look like this:
+
+```
+host:3080 --> 1080 (in conlink) --> node1:80
+host:8080 --> 1180 (in conlink) --> node1:80
+```
+
+Use curl on the host to query both of these paths to node1:
+
+```
+curl 0.0.0.0:3080
+curl 0.0.0.0:8080
+```
+
+Ports 80 and 81 are published on the host by the conlink container
+using standard Docker port mapping. Then conlink forwards from ports
+80 and 81 to the first and second replica (respectively) of node2,
+each of which listen internally on port 80. The two paths look like
+this:
+
+```
+host:80 -> 80 (in conlink) -> node2_1:80
+host:81 -> 81 (in conlink) -> node2_2:80
+```
+
+Use curl on the host to query both replicas of node2:
+
+```
+curl 0.0.0.0:80
+curl 0.0.0.0:81
+```
+
+
 ## GraphViz network configuration rendering
 
 You can use d3 and GraphViz to create a visual graph rendering of

package/examples/test10-compose.yaml

@@ -0,0 +1,38 @@
+version: "2.4"
+
+services:
+  node1:
+    image: python:3-alpine
+    network_mode: none
+    command: "python3 -m http.server -d /var 80"
+    x-network:
+      links:
+        - {bridge: s2, ip: "10.0.1.1/24", route: "default",
+           forward: ["1080:80/tcp", "1180:80/tcp"]}
+
+  node2:
+    image: python:3-alpine
+    network_mode: none
+    scale: 2
+    command: "python3 -m http.server -d /usr 80"
+    x-network:
+      links:
+        - {bridge: s1, ip: "10.0.2.1/24", route: "default",
+           forward: ["80:80/tcp"]}
+
+  network:
+    build: {context: ../}
+    image: conlink
+    pid: host
+    cap_add: [SYS_ADMIN, NET_ADMIN, SYS_NICE, NET_BROADCAST, IPC_LOCK]
+    security_opt: [ 'apparmor:unconfined' ] # needed on Ubuntu 18.04
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker:/var/lib/docker
+      - ../:/test
+    ports:
+      - "3080:1080/tcp"
+      - "8080:1180/tcp"
+      - "80:80/tcp"
+      - "81:81/tcp"
+    command: /app/build/conlink.js --compose-file /test/examples/test10-compose.yaml

package/examples/test7-compose.yaml

@@ -15,7 +15,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/lib/docker:/var/lib/docker
       - ./:/test
-    command: /app/build/conlink.js --compose-file /test/test7-compose.yaml
+    command: /app/build/conlink.js --default-mtu 5111 --compose-file /test/test7-compose.yaml
 
   node:
     image: alpine
@@ -29,3 +29,6 @@ services:
           mac: 00:0a:0b:0c:0d:01
           mtu: 4111
           netem: "delay 40ms rate 10mbit"
+        - bridge: s2
+          ip: 100.0.1.1/16
+          dev: eth1

package/link-add.sh

@@ -45,6 +45,8 @@ usage () {
   echo >&2 ""
   echo >&2 "  --netem NETEM            - tc qdisc netem OPTIONS (man 8 netem)"
   echo >&2 "  --nat TARGET             - Stateless NAT traffic to/from TARGET"
+  echo >&2 "                             (in primary/PID0 netns)"
+  echo >&2 ""
   exit 2
 }
 

package/link-forward.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Copyright (c) 2024, Equinix, Inc
+# Licensed under MPL 2.0
+
+set -e
+
+usage () {
+  echo >&2 "${0} [OPTIONS] <add|del> INTF_A INTF_B PORT_A:IP:PORT_B/PROTO"
+  echo >&2 ""
+  echo >&2 "Match traffic on INTF_A that has destination port PORT_A and"
+  echo >&2 "protocol PROTO (tcp or udp). Forward/DNAT traffic to IP:PORT_B "
+  echo >&2 "via INTF_B."
+  exit 2
+}
+
+info() { echo "link-forward [${LOG_ID}] ${*}"; }
+
+IPTABLES() {
+  case "${action}" in
+    add) iptables -C "${@}" 2>/dev/null || iptables -I "${@}" ;;
+    del) iptables -D "${@}" 2>/dev/null || true;;
+  esac
+}
+
+action=$1; shift || usage
+intf_a=$1; shift || usage
+intf_b=$1; shift || usage
+spec=$1;   shift || usage
+read port_a ip port_b proto <<< "${spec//[:\/]/ }"
+
+[ "${action}" -a "${intf_a}" -a "${intf_b}" ] || usage
+[ "${port_a}" -a "${ip}" -a "${port_b}" -a "${proto}" ] || usage
+
+LOG_ID="${spec}"
+
+info "${action^} forwarding ${intf_a} -> ${intf_b}"
+
+IPTABLES PREROUTING -t nat -i ${intf_a} -p ${proto} --dport ${port_a} -j DNAT --to-destination ${ip}:${port_b}
+IPTABLES POSTROUTING -t nat -o ${intf_b} -j MASQUERADE
+
+case "${action}" in
+  add) ip route replace ${ip} dev ${intf_b} ;;
+  del) ip route delete ${ip} dev ${intf_b} || true;;
+esac

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "conlink",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "conlink -  Declarative Low-Level Networking for Containers",
   "repository": "https://github.com/LonoCloud/conlink",
   "license": "SEE LICENSE IN LICENSE",

package/run-tests.sh

@@ -29,37 +29,47 @@ dc_init() {
   done
 }
 
-dc_wait() {
-  local tries="${1}" cont="${2}" try=1 svc= idx= result=
+dc_run() {
+  local cont="${1}" svc= idx= result=0
   case "${cont}" in
       *_[0-9]|*_[0-9][0-9]) svc="${cont%_*}" idx="${cont##*_}" ;;
       *)                    svc="${cont}"    idx=1            ;;
   esac
-  shift; shift
+  shift
 
   #echo "target: ${1}, service: ${svc}, index: ${idx}"
+  if [ "${VERBOSE}" ]; then
+    vecho "    Running: dc exec -T --index ${idx} ${svc} sh -c ${*}"
+    dc exec -T --index ${idx} ${svc} sh -c "${*}" || result=$?
+  else
+    dc exec -T --index ${idx} ${svc} sh -c "${*}" > /dev/null || result=$?
+  fi
+  return ${result}
+}
+
+do_test() {
+  local tries="${1}"; shift
+  local name="${TEST_NUM} ${GROUP}: ${@}" try=1 result=
+  TEST_NUM=$(( TEST_NUM + 1 ))
+  vecho "  > Running test ${name}"
   while true; do
     result=0
-    if [ "${VERBOSE}" ]; then
-      vecho "Running: dc exec -T --index ${idx} ${svc} sh -c ${*}"
-      dc exec -T --index ${idx} ${svc} sh -c "${*}" || result=$?
+    if [ "${WITH_DC}" ]; then
+      dc_run "${@}" || result=$?
     else
-      dc exec -T --index ${idx} ${svc} sh -c "${*}" > /dev/null || result=$?
+      vecho "    Running: eval ${*}"
+      if [ "${VERBOSE}" ]; then
+        sh -c "${*}" || result=$?
+      else
+        sh -c "${*}" >/dev/null || result=$?
+      fi
     fi
     [ "${result}" -eq 0 -o "${try}" -ge "${tries}" ] && break
     echo "    command failed (${result}), sleeping 2s before retry (${try}/${tries})"
     sleep 2
     try=$(( try + 1 ))
   done
-  return ${result}
-}
-
-dc_test() {
-  name="${TEST_NUM} ${GROUP}: ${@}"
-  TEST_NUM=$(( TEST_NUM + 1 ))
-  vecho "  > Running test: ${name}"
-  dc_wait 1 "${@}"
-  RESULTS["${name}"]=$?
+  RESULTS["${name}"]=${result}
   if [ "${RESULTS["${name}"]}" = 0 ]; then
     PASS=$(( PASS + 1 ))
     vecho "  > PASS (0 for ${*})"
@@ -67,8 +77,12 @@ dc_test() {
     FAIL=$(( FAIL + 1 ))
     echo "  > FAIL (${RESULTS[${name}]} for ${*})"
   fi
+  return ${result}
 }
 
+dc_wait() { WITH_DC=1 do_test "${@}"; }
+dc_test() { WITH_DC=1 do_test 1 "${@}"; }
+
 
 echo -e "\n\n>>> test1: combined config"
 GROUP=test1
@@ -137,8 +151,8 @@ dc_test node_1 'ip link show eth0 | grep "ether 00:0a:0b:0c:0d:01"'
 dc_test node_2 'ip link show eth0 | grep "ether 00:0a:0b:0c:0d:02"'
 dc_test node_1 'ip link show eth0 | grep "mtu 4111"'
 dc_test node_2 'ip link show eth0 | grep "mtu 4111"'
-echo " >> Check for round-trip ping delay of 80ms"
-dc_test node_1 'ping -c2 10.0.1.2 | tail -n1 | grep "max = 80\."'
+echo " >> Check for min round-trip ping delay of about 80ms"
+dc_test node_1 'ping -c5 10.0.1.2 | grep "min/avg/max = 8[012345]\."'
 
 
 echo -e "\n\n>>> test9: bridge modes and variable templating"
@@ -170,6 +184,20 @@ dc_test network 'tc filter show dev node_1-eth0 parent ffff: | grep "action orde
 echo " >> Check for round-trip ping connectivity (BRIDGE_MODE=patch)"
 dc_test node_1 'ping -c2 10.0.1.2'
 
+echo -e "\n\n>>> test10: port forwarding"
+GROUP=test10
+echo "COMPOSE_FILE=examples/test10-compose.yaml" > .env
+
+dc_init; dc_wait 10 node1_1 'ip addr | grep "10\.0\.1\.1"' \
+    || die "test10 startup failed"
+echo " >> Check ping between replicas"
+dc_test node2_1 'ping -c2 10.0.2.2'
+echo " >> Ensure ports are forwarded correctly"
+do_test 10 'curl -s -S "http://0.0.0.0:3080" | grep "log"'
+do_test 10 'curl -s -S "http://0.0.0.0:8080" | grep "log"'
+do_test 10 'curl -s -S "http://0.0.0.0:80" | grep "share"'
+do_test 10 'curl -s -S "http://0.0.0.0:81" | grep "share"'
+
 
 echo -e "\n\n>>> Cleaning up"
 dc down -t1 --remove-orphans

package/schema.yaml

@@ -45,6 +45,9 @@ properties:
         netem:     {type: string}
         mode:      {type: string}
         vlanid:    {type: number}
+        forward:
+          type: array
+          items: {type: string, pattern: "^[0-9]{1,5}:[0-9]{1,5}/(tcp|udp)$"}
 
   bridges:
     type: array

package/src/conlink/core.cljs

@@ -30,6 +30,8 @@ General Options:
   --default-bridge-mode BRIDGE-MODE Default bridge mode (ovs, linux, patch, or auto)
                                     to use for bridge/switch connections
                                     [default: auto] [env: CONLINK_BRIDGE_MODE]
+  --default-mtu MTU                 Default link MTU (for non *vlan types)
+                                    [default: 65535]
   --network-file NETWORK-FILE...    Network config file
   --compose-file COMPOSE-FILE...    Docker compose file with network config
   --compose-project NAME            Docker compose project name for resolving
@@ -57,6 +59,7 @@ General Options:
 (def VLAN-TYPES #{:vlan :macvlan :macvtap :ipvlan :ipvtap})
 (def LINK-ADD-OPTS [:ip :mac :route :mtu :nat :netem :mode :vlanid :remote :vni])
 (def INTF-MAX-LEN 15)
+(def DOCKER-INTF "DOCKER-ETH0")
 
 (def ctx (atom {:error        #(apply Eprintln "ERROR:" %&)
                 :warn         #(apply Eprintln "WARNING:" %&)
@@ -96,31 +99,52 @@ General Options:
     net-cfg))
 
 (defn enrich-link
-  "Resolve bridge name to full bridge map.
-  Add default values to a link:
+  "Check and enrich link config
+  - Resolve bridge name to full bridge map.
+  - Add default values to a link:
     - type: veth
     - dev: eth0
-    - mtu: 9000 (for non *vlan type)
+    - mtu: --default-mtu (for non *vlan type)
     - base: :conlink for veth type, :host for *vlan types, :local otherwise"
-  [{:as link :keys [type base bridge ip vlanid]} bridges]
-  (let [type (keyword (or type "veth"))
+  [{:as link :keys [type base bridge ip forward]} bridges]
+  (let [{:keys [default-mtu docker-eth0?]} @ctx
+        type (keyword (or type "veth"))
+        dev (get link :dev "eth0")
         base-default (cond (= :veth type)     :conlink
                            (VLAN-TYPES type)  :host
                            :else              :local)
         base (get link :base base-default)
+        bridge (get bridges bridge)
         link (merge
                link
                {:type type
-                :dev  (get link :dev "eth0")
+                :dev  dev
                 :base base}
                (when bridge
-                 {:bridge (get bridges bridge)})
+                 {:bridge bridge})
                (when (not (VLAN-TYPES type))
-                 {:mtu  (get link :mtu 9000)}))]
+                 {:mtu  (get link :mtu default-mtu)})
+               (when forward
+                 {:forward
+                  (map #(let [[port_a port_b proto] (S/split % #"[:/]")]
+                          [(js/parseInt port_a) (js/parseInt port_b) proto])
+                       forward)}))]
+    (when forward
+      (let [link-id (str (or (:service link) (:container link)) ":" dev)
+            pre (str "link '" link-id "' has forward setting")]
+        (when (not= :veth type)
+          (fatal 1 (str pre " but is not of type :veth")))
+        (when (not (#{:ovs :linux} (:mode bridge)))
+          (fatal 1 (str pre " but bridge mode is not 'ovs' or 'linux'")))
+        (when (not ip)
+          (fatal 1 (str pre " but does not have IP")))
+        (when (not docker-eth0?)
+          (fatal 1 (str pre " but no docker eth0 is present")))))
     link))
 
 (defn enrich-bridge
-  "If bridge mode is :auto then return :ovs if the 'openvswitch' kernel module
+  "Check and enrich bridge config.
+  If bridge mode is :auto then return :ovs if the 'openvswitch' kernel module
   is loaded otherwise fall back to :linux. Exit with an error if mode is :ovs
   or :patch and the 'openvswitch' or 'act_mirred' kernel modules are not
   loaded respectively."
@@ -223,7 +247,7 @@ General Options:
   "Add offset value to ip and mac keys in a link definition to account
   for multiple instances of that link i.e. a compose service with
   multiple replicas (scale >= 2)."
-  [{:as link :keys [ip mac]} offset]
+  [{:as link :keys [ip mac forward]} offset]
   ;; TODO: add vlanid
   (let [mac (when mac
               (addrs/int->mac
@@ -232,8 +256,15 @@ General Options:
              (let [[ip prefix] (S/split ip #"/")]
                (str (addrs/int->ip
                       (+ offset (addrs/ip->int ip)))
-                    "/" prefix)))]
-    (merge link (when mac {:mac mac}) (when ip {:ip ip}))))
+                    "/" prefix)))
+        forward (when forward
+                  (map #(let [[port_a port_b proto] %]
+                          [(+ offset port_a) port_b proto])
+                       forward))]
+    (merge link
+           (when mac {:mac mac})
+           (when ip {:ip ip})
+           (when forward {:forward forward}))))
 
 
 (defn link-instance-enrich
@@ -305,26 +336,36 @@ General Options:
         (P/recur cmds)
         res))))
 
+(defn kmod-loaded?
+  "Return whether kernel module 'kmod' is loaded."
+  [kmod]
+  (P/let [cmd (str "grep -o '^" kmod "\\>' /proc/modules")
+          res (run cmd {:quiet true})]
+    (and (= 0 (:code res)) (= kmod (trim (:stdout res))))))
+
+(defn intf-exists?
+  "Return whether network interface exists"
+  [intf]
+  (P/let [cmd (str "[ -d /sys/class/net/" intf " ]")
+          res (run cmd {:quiet true})]
+    (= 0 (:code res))))
+
 (defn rename-docker-eth0
-  "If eth0 exists, then rename it to DOCKER-ETH0 to prevent 'RTNETLINK
+  "Rename docker's provided eth0 to DOCKER-INTF to prevent 'RTNETLINK
   answers: File exists' errors during creation of links that use
   'eth0' device name. This is necessary because even if the netns is
   specified with the same link create command, the creation and move
   does not appear to be idempotent and results in the conflict."
   []
   (P/let [{:keys [log]} @ctx
-          res (run "[ -d /sys/class/net/eth0 ]" {:quiet true})]
-    (if (not= 0 (:code res))
-      (log "No eth0 docker network interface detected")
-      (P/let [_ (log "Renaming eth0 to DOCKER-ETH0")
-              res (run* [(str "ip route save dev eth0 > /tmp/routesave")
-                         (str "ip link set eth0 down")
-                         (str "ip link set eth0 name DOCKER-ETH0")
-                         (str "ip link set DOCKER-ETH0 up")
-                         (str "ip route restore < /tmp/routesave")]
-                        {:id "rename"})]
-        (when (not= 0 (:code res))
-          (fatal 1 "Could not rename docker eth0 interface"))))))
+          res (run* [(str "ip route save dev eth0 > /tmp/routesave")
+                     (str "ip link set eth0 down")
+                     (str "ip link set eth0 name " DOCKER-INTF)
+                     (str "ip link set " DOCKER-INTF " up")
+                     (str "ip route restore < /tmp/routesave")]
+                    {:id "rename"})]
+    (when (not= 0 (:code res))
+      (fatal 1 "Could not rename docker eth0 interface"))))
 
 (defn start-ovs
   "Start and initialize the openvswitch daemons. Exit with error if it
@@ -335,13 +376,6 @@ General Options:
       (fatal 1 (str "Failed starting OVS: " (:stderr res)))
       res)))
 
-(defn kmod-loaded?
-  "Return whether kernel module 'kmod' is loaded."
-  [kmod]
-  (P/let [cmd (str "grep -o '^" kmod "\\>' /proc/modules")
-          res (run cmd {:quiet true})]
-    (and (= 0 (:code res)) (= kmod (trim (:stdout res))))))
-
 ;;; Bridge commands
 
 (defn check-no-bridge
@@ -377,7 +411,7 @@ General Options:
     (if (not cmd)
       (info (str "Ignoring bridge/switch " bridge " for mode " mode))
       (P/let [_ (info "Creating bridge/switch" bridge)
-              res (run cmd)]
+              res (run* [cmd (str "ip link set " bridge " up")])]
         (if (not= 0 (:code res))
           (error (str "Unable to create bridge/switch " bridge))
           (swap! ctx assoc-in [:network-state :bridges bridge :status] :created))
@@ -470,7 +504,7 @@ General Options:
   line arguments from the 'link' definition and reports the results."
   [link]
   (P/let [{:keys [error]} @ctx
-          {:keys [type dev outer-dev pid outer-pid container dev-id]} link
+          {:keys [type dev outer-dev pid outer-pid dev-id]} link
           cmd (str "link-add.sh"
                    " '" (name type) "' '" pid "' '" dev "'"
                    (when outer-pid (str " --pid1 " outer-pid))
@@ -499,6 +533,26 @@ General Options:
         (error (str "Unable to delete " dev-id ": " (:stderr res)))))
     res))
 
+;;; Port forward command
+
+(defn forward-modify
+  "Depending on 'action' create ('add') or delete ('del') port
+  forwards defined by :forward property of 'link'."
+  [link action]
+  (P/let [{:keys [error]} @ctx
+          {:keys [outer-dev dev-id bridge ip forward]} link]
+    (P/all (for [fwd forward]
+             (P/let [[port_a port_b proto] fwd
+                     ip (S/replace ip #"/.*" "")
+                     cmd (str "link-forward.sh " action
+                              " " DOCKER-INTF " " (:bridge bridge)
+                              " " port_a ":" ip ":" port_b "/" proto)
+                     res (run cmd {:id dev-id})]
+               (when (not= 0 (:code res))
+                 (error (str "Unable to " action " forward "
+                             "'" fwd "' for " dev-id)))
+               res)))))
+
 
 ;;; docker/docker-compose utilities
 
@@ -597,7 +651,7 @@ General Options:
   [link action]
   (P/let
     [{:keys [error log]} @ctx
-     {:keys [type outer-dev bridge dev-id]} link
+     {:keys [type outer-dev bridge dev-id forward]} link
      status-path [:network-state :devices dev-id :status]
      link-status (get-in @ctx status-path)]
     (log (str (get {"start" "Creating" "die" "Deleting"} action)
@@ -613,6 +667,7 @@ General Options:
             (if (= :patch (:mode bridge))
               (patch-add-link bridge outer-dev)
               (bridge-add-link bridge outer-dev)))
+          (when forward (forward-modify link "add"))
           (swap! ctx assoc-in status-path :created)))
 
       "die"
@@ -620,6 +675,7 @@ General Options:
         (error (str "Link " dev-id " does not exist"))
         (P/do
           (swap! ctx assoc-in status-path :deleting)
+          (when forward (forward-modify link "del"))
           (when bridge
             (if (= :patch (:mode bridge))
               (patch-drop-link bridge outer-dev)
@@ -777,12 +833,16 @@ General Options:
      {:keys [network-file compose-file compose-project]} opts
      env (js->clj (js/Object.assign #js {} js/process.env))
      self-pid js/process.pid
+     self-cid (get-container-id)
      schema (load-config (:config-schema opts))
      kmod-ovs? (kmod-loaded? "openvswitch")
      kmod-mirred? (kmod-loaded? "act_mirred")
+     docker-eth0? (and self-cid (intf-exists? "eth0"))
      _ (swap! ctx merge {:default-bridge-mode (:default-bridge-mode opts)
+                         :default-mtu (:default-mtu opts)
                          :kmod-ovs? kmod-ovs?
-                         :kmod-mirred? kmod-mirred?})
+                         :kmod-mirred? kmod-mirred?
+                         :docker-eth0? docker-eth0?})
      network-config (P/-> (load-configs compose-file network-file)
                           (interpolate-walk env)
                           (check-schema schema verbose)
@@ -796,7 +856,6 @@ General Options:
      _ (when (and (not docker) (not podman))
          (fatal 1 "Failed to start either docker or podman client/listener"))
 
-     self-cid (get-container-id)
      self-container-obj (when self-cid
                           (get-container (or docker podman) self-cid))
      self-container (inspect-container self-container-obj)
@@ -830,7 +889,8 @@ General Options:
       (info "Detected compose context:" compose-project))
 
     (P/do
-      (when self-cid
+      (when docker-eth0?
+        (log "Renaming eth0 to" DOCKER-INTF)
         (rename-docker-eth0))
 
       (when (some #(= :ovs (:mode %)) (-> network-config :bridges vals))