Documentation
Index
- Constants
- type ACLInfo
- type Instance
- func (i *Instance) ACLProvider() provider.IptablesProvider
- func (i *Instance) AddPortToPortSet(contextID string, port string) error
- func (i *Instance) CleanUp() error
- func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error
- func (i *Instance) DeletePortFromPortSet(contextID string, port string) error
- func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, ...) error
- func (i *Instance) Run(ctx context.Context) error
- func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error
- func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, ...) error
Constants
const (
	// TriremeInput represents the chain that contains PU input rules.
	TriremeInput = chainPrefix + "Pid-Net"
	// TriremeOutput represents the chain that contains PU output rules.
	TriremeOutput = chainPrefix + "Pid-App"
	// NetworkSvcInput represents the chain that contains NetworkSvc input rules.
	NetworkSvcInput = chainPrefix + "Svc-Net"
	// NetworkSvcOutput represents the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = chainPrefix + "Svc-App"
	// HostModeInput represents the chain that contains Hostmode input rules.
	HostModeInput = chainPrefix + "Hst-Net"
	// HostModeOutput represents the chain that contains Hostmode output rules.
	HostModeOutput = chainPrefix + "Hst-App"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type ACLInfo
type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	HostInput           string
	HostOutput          string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	UIDInput            string
	UIDOutput           string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string
	AppChain            string
	NetChain            string
	AppSection          string
	NetSection          string

	// common info
	DefaultConnmark       string
	QueueBalanceAppSyn    string
	QueueBalanceAppSynAck string
	QueueBalanceAppAck    string
	QueueBalanceNetSyn    string
	QueueBalanceNetSynAck string
	QueueBalanceNetAck    string
	InitialMarkVal        string
	RawSocketMark         string
	TargetTCPNetSet       string
	TargetUDPNetSet       string
	ExclusionsSet         string

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet    string
	SrvIPSet     string
	ProxyPort    string
	CgroupMark   string
	ProxyMark    string
	ProxySetName string

	// UID PUs
	Mark              string
	UID               string
	PortSet           string
	NFLOGPrefix       string
	NFLOGAcceptPrefix string
}
ACLInfo keeps track of all the information needed to create the ACLs.
type Instance
type Instance struct {
// contains filtered or unexported fields
}
Instance is the structure holding all information about an implementation.
func GetInstance
func GetInstance() *Instance
GetInstance returns the instance of the iptables object.
func NewInstance
func NewInstance(fqc *fqconfig.FilterQueue, mode constants.ModeType, cfg *runtime.Configuration) (*Instance, error)
NewInstance creates a new iptables controller instance.
func (*Instance) ACLProvider
func (i *Instance) ACLProvider() provider.IptablesProvider
ACLProvider returns the current ACL provider that can be re-used by other entities.
func (*Instance) AddPortToPortSet
func (i *Instance) AddPortToPortSet(contextID string, port string) error
AddPortToPortSet adds the given port to the port set of the processing unit identified by contextID.
func (*Instance) CleanUp
func (i *Instance) CleanUp() error
CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.
func (*Instance) ConfigureRules
func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error
ConfigureRules implements the ConfigureRules interface. It will create the port sets and then it will call install rules to create all the ACLs for the given chains. Port sets are only created here. Updates will use the exact same logic.
func (*Instance) DeletePortFromPortSet
func (i *Instance) DeletePortFromPortSet(contextID string, port string) error
DeletePortFromPortSet deletes the given port from the port set of the processing unit identified by contextID.
func (*Instance) DeleteRules
func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, proxyPort string, puType common.PUType) error
DeleteRules implements the DeleteRules interface. It is responsible for cleaning all ACLs and associated chains, as well as all the sets that we have created. Note that this only clears the state for a given processing unit.
func (*Instance) SetTargetNetworks
func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error
SetTargetNetworks updates the target networks. There are three different types of target networks:
- TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
- UDPTargetNetworks for UDP traffic (by default empty)
- ExcludedNetworks that are always ignored (by default empty)
func (*Instance) UpdateRules
func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error
UpdateRules implements the update part of the interface. Update will call installrules to install the new rules and then it will delete the old rules. For installations that do not have the latest iptables-restore we order the operations so that the switch is almost atomic, by creating the new rules first. For the latest kernel versions iptables-restore will update all the rules in one shot.