iptablesctrl

package
v10.163.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 5, 2019 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// TriremeInput represent the chain that contains pu input rules.
	TriremeInput = chainPrefix + "Pid-Net"
	// TriremeOutput represent the chain that contains pu output rules.
	TriremeOutput = chainPrefix + "Pid-App"

	// NetworkSvcInput represent the chain that contains NetworkSvc input rules.
	NetworkSvcInput = chainPrefix + "Svc-Net"

	// NetworkSvcOutput represent the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = chainPrefix + "Svc-App"

	// HostModeInput represent the chain that contains Hostmode input rules.
	HostModeInput = chainPrefix + "Hst-Net"

	// HostModeOutput represent the chain that contains Hostmode output rules.
	HostModeOutput = chainPrefix + "Hst-App"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ACLInfo

type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	HostInput           string
	HostOutput          string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	UIDInput            string
	UIDOutput           string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string

	AppChain   string
	NetChain   string
	AppSection string
	NetSection string

	// common info
	DefaultConnmark       string
	QueueBalanceAppSyn    string
	QueueBalanceAppSynAck string
	QueueBalanceAppAck    string
	QueueBalanceNetSyn    string
	QueueBalanceNetSynAck string
	QueueBalanceNetAck    string
	InitialMarkVal        string
	RawSocketMark         string
	TargetTCPNetSet       string
	TargetUDPNetSet       string
	ExclusionsSet         string

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet    string
	SrvIPSet     string
	ProxyPort    string
	CgroupMark   string
	ProxyMark    string
	ProxySetName string

	// UID PUs
	Mark    string
	UID     string
	PortSet string

	NFLOGPrefix       string
	NFLOGAcceptPrefix string
}

ACLInfo keeps track of all information to create ACLs

type Instance

type Instance struct {
	// contains filtered or unexported fields
}

Instance is the structure holding all information about a implementation

func GetInstance

func GetInstance() *Instance

GetInstance returns the instance of the iptables object.

func NewInstance

func NewInstance(fqc *fqconfig.FilterQueue, mode constants.ModeType, cfg *runtime.Configuration) (*Instance, error)

NewInstance creates a new iptables controller instance

func (*Instance) ACLProvider

func (i *Instance) ACLProvider() provider.IptablesProvider

ACLProvider returns the current ACL provider that can be re-used by other entities.

func (*Instance) AddPortToPortSet

func (i *Instance) AddPortToPortSet(contextID string, port string) error

AddPortToPortSet adds ports to the portsets

func (*Instance) CleanUp

func (i *Instance) CleanUp() error

CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.

func (*Instance) ConfigureRules

func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error

ConfigureRules implments the ConfigureRules interface. It will create the port sets and then it will call install rules to create all the ACLs for the given chains. PortSets are only created here. Updates will use the exact same logic.

func (*Instance) DeletePortFromPortSet

func (i *Instance) DeletePortFromPortSet(contextID string, port string) error

DeletePortFromPortSet deletes ports from port sets

func (*Instance) DeleteRules

func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, proxyPort string, puType common.PUType) error

DeleteRules implements the DeleteRules interface. This is responsible for cleaning all ACLs and associated chains, as well as ll the sets that we have created. Note, that this only clears up the state for a given processing unit.

func (*Instance) Run

func (i *Instance) Run(ctx context.Context) error

Run starts the iptables controller

func (*Instance) SetTargetNetworks

func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error

SetTargetNetworks updates ths target networks. There are three different types of target networks:

  • TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
  • UDPTargetNetworks for UDP traffic (by default empty)
  • ExcludedNetworks that are always ignored (by default empty)

func (*Instance) UpdateRules

func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error

UpdateRules implements the update part of the interface. Update will call installrules to install the new rules and then it will delete the old rules. For installations that do not have latests iptables-restore we time the operations so that the switch is almost atomic, by creating the new rules first. For latest kernel versions iptables-restorce will update all the rules in one shot.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL