Documentation
¶
Index ¶
- Constants
- Variables
- func EndpointChainName(prefix string, ifaceName string, maxLen int) string
- func FilterRuleToIPVersion(ipVersion uint8, pRule *proto.Rule) *proto.Rule
- func PolicyChainName(prefix PolicyChainNamePrefix, polID *proto.PolicyID) string
- func ProfileChainName(prefix ProfileChainNamePrefix, profID *proto.ProfileID) string
- func SplitPortList(ports []*proto.PortRange) (splits [][]*proto.PortRange)
- type Config
- type DefaultEPMarkManager
- type DefaultRuleRenderer
- func (r *DefaultRuleRenderer) BlockedCIDRsToIptablesChains(cidrs []string, ipVersion uint8) []*Chain
- func (r *DefaultRuleRenderer) CalculateActions(pRule *proto.Rule, ipVersion uint8) (mark uint32, actions []generictables.Action)
- func (r *DefaultRuleRenderer) CalculateRuleMatch(pRule *proto.Rule, ipVersion uint8) generictables.MatchCriteria
- func (r *DefaultRuleRenderer) DNATsToIptablesChains(dnats map[string]string) []*Chain
- func (r *DefaultRuleRenderer) EndpointMarkDispatchChains(epMarkMapper EndpointMarkMapper, ...) []*generictables.Chain
- func (r *DefaultRuleRenderer) FilterInputChainAllowWG(ipVersion uint8, c Config, allowAction generictables.Action) []generictables.Rule
- func (r *DefaultRuleRenderer) FromHostDispatchChains(endpoints map[string]proto.HostEndpointID, defaultIfaceName string) []*generictables.Chain
- func (r *DefaultRuleRenderer) HostDispatchChains(endpoints map[string]proto.HostEndpointID, defaultIfaceName string, ...) []*generictables.Chain
- func (r *DefaultRuleRenderer) HostEndpointToFilterChains(ifaceName string, tiers []TierPolicyGroups, forwardTiers []TierPolicyGroups, ...) []*generictables.Chain
- func (r *DefaultRuleRenderer) HostEndpointToMangleEgressChains(ifaceName string, tiers []TierPolicyGroups, profileIDs []string) []*generictables.Chain
- func (r *DefaultRuleRenderer) HostEndpointToMangleIngressChains(ifaceName string, preDNATTiers []TierPolicyGroups) []*generictables.Chain
- func (r *DefaultRuleRenderer) HostEndpointToRawChains(ifaceName string, untrackedTiers []TierPolicyGroups) []*generictables.Chain
- func (r *DefaultRuleRenderer) HostEndpointToRawEgressChain(ifaceName string, untrackedTiers []TierPolicyGroups) *generictables.Chain
- func (r *DefaultRuleRenderer) ICMPv6Filter(action generictables.Action) []generictables.Rule
- func (r *DefaultRuleRenderer) IptablesFilterDenyAction() generictables.Action
- func (r *DefaultRuleRenderer) MakeNatOutgoingRule(protocol string, action Action, ipVersion uint8) Rule
- func (r *DefaultRuleRenderer) NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *Chain
- func (r *DefaultRuleRenderer) PolicyGroupToIptablesChains(group *PolicyGroup) []*generictables.Chain
- func (r *DefaultRuleRenderer) PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) ProfileToIptablesChains(profileID *proto.ProfileID, profile *proto.Profile, ipVersion uint8) (inbound, outbound *generictables.Chain)
- func (r *DefaultRuleRenderer) ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []generictables.Rule
- func (r *DefaultRuleRenderer) ProtoRulesToIptablesRules(protoRules []*proto.Rule, ipVersion uint8, chainComments ...string) []generictables.Rule
- func (r *DefaultRuleRenderer) RPFilter(ipVersion uint8, mark, mask uint32, openStackSpecialCasesEnabled bool, ...) []generictables.Rule
- func (r *DefaultRuleRenderer) SNATsToIptablesChains(snats map[string]string) []*Chain
- func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8, wgEncryptHost, bypassHostConntrack bool) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticFilterForwardAppendRules() []generictables.Rule
- func (r *DefaultRuleRenderer) StaticFilterForwardChains() []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticFilterInputChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticFilterInputForwardCheckChain(ipVersion uint8) *generictables.Chain
- func (r *DefaultRuleRenderer) StaticFilterOutputChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticFilterOutputForwardEndpointMarkChain() *generictables.Chain
- func (r *DefaultRuleRenderer) StaticFilterTableChains(ipVersion uint8) (chains []*generictables.Chain)
- func (r *DefaultRuleRenderer) StaticManglePostroutingChain(ipVersion uint8) *generictables.Chain
- func (r *DefaultRuleRenderer) StaticManglePreroutingChain(ipVersion uint8) *generictables.Chain
- func (r *DefaultRuleRenderer) StaticMangleTableChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticNATOutputChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticNATPostroutingChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticNATPreroutingChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) StaticNATTableChains(ipVersion uint8) (chains []*generictables.Chain)
- func (r *DefaultRuleRenderer) StaticRawOutputChain(tcBypassMark uint32, ipVersion uint8) *generictables.Chain
- func (r *DefaultRuleRenderer) StaticRawPreroutingChain(ipVersion uint8) *generictables.Chain
- func (r *DefaultRuleRenderer) StaticRawTableChains(ipVersion uint8) []*generictables.Chain
- func (r *DefaultRuleRenderer) ToHostDispatchChains(endpoints map[string]proto.HostEndpointID, defaultIfaceName string) []*generictables.Chain
- func (r *DefaultRuleRenderer) WireguardIncomingMarkChain() *generictables.Chain
- func (r *DefaultRuleRenderer) WorkloadDispatchChains(endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*generictables.Chain
- func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(ifaceName string, epMarkMapper EndpointMarkMapper, adminUp bool, ...) []*generictables.Chain
- func (r *DefaultRuleRenderer) WorkloadInterfaceAllowChains(endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*generictables.Chain
- type EndpointMarkMapper
- type HashCalculator32
- type PolicyChainNamePrefix
- type PolicyDirection
- type PolicyGroup
- type PolicyGroupSliceStringer
- type ProfileChainNamePrefix
- type RuleRenderer
- type TierPolicyGroups
- type TierPolicyGroupsStringer
Constants ¶
View Source
const ( // ChainNamePrefix is a prefix used for all our iptables chain names. We include a '-' at // the end to reduce clashes with other apps. Our OpenStack DHCP agent uses prefix // 'calico-dhcp-', for example. ChainNamePrefix = "cali-" // IPSetNamePrefix: similarly for IP sets, we use the following prefix; the IP sets layer // adds its own "-" so it isn't included here. IPSetNamePrefix = ipsets.IPSetNamePrefix ChainFilterInput = ChainNamePrefix + "INPUT" ChainFilterForward = ChainNamePrefix + "FORWARD" ChainFilterOutput = ChainNamePrefix + "OUTPUT" ChainRawPrerouting = ChainNamePrefix + "PREROUTING" ChainRawOutput = ChainNamePrefix + "OUTPUT" ChainRawUntrackedFlows = ChainNamePrefix + "untracked-flows" ChainRawBPFUntrackedPolicy = ChainNamePrefix + "untracked-policy" ChainFailsafeIn = ChainNamePrefix + "failsafe-in" ChainFailsafeOut = ChainNamePrefix + "failsafe-out" ChainNATPrerouting = ChainNamePrefix + "PREROUTING" ChainNATPostrouting = ChainNamePrefix + "POSTROUTING" ChainNATOutput = ChainNamePrefix + "OUTPUT" ChainNATOutgoing = ChainNamePrefix + "nat-outgoing" ChainManglePrerouting = ChainNamePrefix + "PREROUTING" ChainManglePostrouting = ChainNamePrefix + "POSTROUTING" IPSetIDNATOutgoingAllPools = "all-ipam-pools" IPSetIDNATOutgoingMasqPools = "masq-ipam-pools" IPSetIDAllHostNets = "all-hosts-net" IPSetIDAllVXLANSourceNets = "all-vxlan-net" IPSetIDThisHostIPs = "this-host" ChainFIPDnat = ChainNamePrefix + "fip-dnat" ChainFIPSnat = ChainNamePrefix + "fip-snat" ChainCIDRBlock = ChainNamePrefix + "cidr-block" PolicyInboundPfx PolicyChainNamePrefix = ChainNamePrefix + "pi-" PolicyOutboundPfx PolicyChainNamePrefix = ChainNamePrefix + "po-" ProfileInboundPfx ProfileChainNamePrefix = ChainNamePrefix + "pri-" ProfileOutboundPfx ProfileChainNamePrefix = ChainNamePrefix + "pro-" PolicyGroupInboundPrefix string = ChainNamePrefix + "gi-" PolicyGroupOutboundPrefix string = ChainNamePrefix + "go-" ChainWorkloadToHost = ChainNamePrefix + "wl-to-host" ChainFromWorkloadDispatch = ChainNamePrefix + "from-wl-dispatch" ChainToWorkloadDispatch = ChainNamePrefix + "to-wl-dispatch" ChainDispatchToHostEndpoint = ChainNamePrefix + "to-host-endpoint" ChainDispatchFromHostEndpoint = ChainNamePrefix + "from-host-endpoint" ChainDispatchToHostEndpointForward = ChainNamePrefix + "to-hep-forward" ChainDispatchFromHostEndPointForward = ChainNamePrefix + "from-hep-forward" ChainDispatchSetEndPointMark = ChainNamePrefix + "set-endpoint-mark" ChainDispatchFromEndPointMark = ChainNamePrefix + "from-endpoint-mark" ChainForwardCheck = ChainNamePrefix + "forward-check" ChainForwardEndpointMark = ChainNamePrefix + "forward-endpoint-mark" ChainSetWireguardIncomingMark = ChainNamePrefix + "wireguard-incoming-mark" ChainRpfSkip = ChainNamePrefix + "rpf-skip" WorkloadToEndpointPfx = ChainNamePrefix + "tw-" WorkloadPfxSpecialAllow = "ALLOW" WorkloadFromEndpointPfx = ChainNamePrefix + "fw-" SetEndPointMarkPfx = ChainNamePrefix + "sm-" HostToEndpointPfx = ChainNamePrefix + "th-" HostFromEndpointPfx = ChainNamePrefix + "fh-" HostToEndpointForwardPfx = ChainNamePrefix + "thfw-" HostFromEndpointForwardPfx = ChainNamePrefix + "fhfw-" RPFChain = ChainNamePrefix + "rpf" RuleHashPrefix = "cali:" // HistoricNATRuleInsertRegex is a regex pattern to match to match // special-case rules inserted by old versions of felix. Specifically, // Python felix used to insert a masquerade rule directly into the // POSTROUTING chain. // // Note: this regex depends on the output format of iptables-save so, // where possible, it's best to match only on part of the rule that // we're sure can't change (such as the ipset name in the masquerade // rule). HistoricInsertedNATRuleRegex = `-A POSTROUTING .* felix-masq-ipam-pools .*|` + `-A POSTROUTING -o tunl0 -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE` KubeProxyInsertRuleRegex = `-j KUBE-[a-zA-Z0-9-]*SERVICES|-j KUBE-FORWARD` )
View Source
const ( ProtoIPIP = 4 ProtoTCP = 6 ProtoUDP = 17 ProtoICMPv6 = 58 )
View Source
const MaxPolicyGroupUIDLength = iptables.MaxChainNameLength - len(PolicyGroupInboundPrefix)
MaxPolicyGroupUIDLength is sized for UIDs to fit into their chain names.
Variables ¶
View Source
var ( // AllHistoricChainNamePrefixes lists all the prefixes that we've used for chains. Keeping // track of the old names lets us clean them up. AllHistoricChainNamePrefixes = []string{ "cali-", "califw-", "calitw-", "califh-", "calith-", "calipi-", "calipo-", "felix-", } // AllHistoricIPSetNamePrefixes, similarly contains all the prefixes we've ever used for IP // sets. AllHistoricIPSetNamePrefixes = []string{"felix-", "cali"} // LegacyV4IPSetNames contains some extra IP set names that were used in older versions of // Felix and don't fit our versioned pattern. LegacyV4IPSetNames = []string{"felix-masq-ipam-pools", "felix-all-ipam-pools"} // Rule previxes used by kube-proxy. Note: we exclude the so-called utility chains KUBE-MARK-MASQ and co because // they are jointly owned by kube-proxy and kubelet. KubeProxyChainPrefixes = []string{ "KUBE-FORWARD", "KUBE-SERVICES", "KUBE-EXTERNAL-SERVICES", "KUBE-NODEPORTS", "KUBE-SVC-", "KUBE-SEP-", "KUBE-FW-", "KUBE-XLB-", } )
Functions ¶
func FilterRuleToIPVersion ¶
FilterRuleToIPVersion: If the rule applies to the given IP version, returns a copy of the rule excluding the CIDRs that are not of the given IP version. If the rule does not apply to the given IP version at all, returns nil.
func PolicyChainName ¶
func PolicyChainName(prefix PolicyChainNamePrefix, polID *proto.PolicyID) string
func ProfileChainName ¶
func ProfileChainName(prefix ProfileChainNamePrefix, profID *proto.ProfileID) string
func SplitPortList ¶
SplitPortList splits the input list of ports into groups containing up to 15 port numbers. If the input list is empty, it returns an empty slice.
The requirement to split into groups of 15, comes from iptables' limit on the number of ports "slots" in a multiport match. A single port takes up one slot, a range of ports requires 2.
Types ¶
type Config ¶
type Config struct {
IPSetConfigV4 *ipsets.IPVersionConfig
IPSetConfigV6 *ipsets.IPVersionConfig
WorkloadIfacePrefixes []string
MarkAccept uint32
MarkPass uint32
MarkScratch0 uint32
MarkScratch1 uint32
MarkEndpoint uint32
// MarkNonCaliEndpoint is an endpoint mark which is reserved
// to mark non-calico (workload or host) endpoint.
MarkNonCaliEndpoint uint32
KubeNodePortRanges []numorstring.Port
KubeIPVSSupportEnabled bool
OpenStackMetadataIP net.IP
OpenStackMetadataPort uint16
OpenStackSpecialCasesEnabled bool
VXLANEnabled bool
VXLANEnabledV6 bool
VXLANPort int
VXLANVNI int
IPIPEnabled bool
FelixConfigIPIPEnabled *bool
// IPIPTunnelAddress is an address chosen from an IPAM pool, used as a source address
// by the host when sending traffic to a workload over IPIP.
IPIPTunnelAddress net.IP
// Same for VXLAN.
VXLANTunnelAddress net.IP
VXLANTunnelAddressV6 net.IP
AllowVXLANPacketsFromWorkloads bool
AllowIPIPPacketsFromWorkloads bool
WireguardEnabled bool
WireguardEnabledV6 bool
WireguardInterfaceName string
WireguardInterfaceNameV6 string
WireguardMark uint32
WireguardListeningPort int
WireguardListeningPortV6 int
WireguardEncryptHostTraffic bool
RouteSource string
LogPrefix string
EndpointToHostAction string
FilterAllowAction string
MangleAllowAction string
FilterDenyAction string
FailsafeInboundHostPorts []config.ProtoPort
FailsafeOutboundHostPorts []config.ProtoPort
DisableConntrackInvalid bool
NATPortRange numorstring.Port
IptablesNATOutgoingInterfaceFilter string
NATOutgoingAddress net.IP
BPFEnabled bool
BPFForceTrackPacketsFromIfaces []string
ServiceLoopPrevention string
NFTables bool
}
type DefaultEPMarkManager ¶
type DefaultEPMarkManager struct {
// contains filtered or unexported fields
}
func (*DefaultEPMarkManager) GetEndpointMark ¶
func (epmm *DefaultEPMarkManager) GetEndpointMark(ep string) (uint32, error)
func (*DefaultEPMarkManager) GetMask ¶
func (epmm *DefaultEPMarkManager) GetMask() uint32
func (*DefaultEPMarkManager) ReleaseEndpointMark ¶
func (epmm *DefaultEPMarkManager) ReleaseEndpointMark(ep string)
func (*DefaultEPMarkManager) SetEndpointMark ¶
func (epmm *DefaultEPMarkManager) SetEndpointMark(ep string, mark uint32) error
This is used to set a mark for an endpoint from previous allocated mark. The endpoint should not have a mark already.
type DefaultRuleRenderer ¶
type DefaultRuleRenderer struct {
generictables.ActionFactory
Config
NewMatch func() generictables.MatchCriteria
// contains filtered or unexported fields
}
func (*DefaultRuleRenderer) BlockedCIDRsToIptablesChains ¶
func (r *DefaultRuleRenderer) BlockedCIDRsToIptablesChains(cidrs []string, ipVersion uint8) []*Chain
func (*DefaultRuleRenderer) CalculateActions ¶
func (r *DefaultRuleRenderer) CalculateActions(pRule *proto.Rule, ipVersion uint8) (mark uint32, actions []generictables.Action)
func (*DefaultRuleRenderer) CalculateRuleMatch ¶
func (r *DefaultRuleRenderer) CalculateRuleMatch(pRule *proto.Rule, ipVersion uint8) generictables.MatchCriteria
func (*DefaultRuleRenderer) DNATsToIptablesChains ¶
func (r *DefaultRuleRenderer) DNATsToIptablesChains(dnats map[string]string) []*Chain
func (*DefaultRuleRenderer) EndpointMarkDispatchChains ¶
func (r *DefaultRuleRenderer) EndpointMarkDispatchChains( epMarkMapper EndpointMarkMapper, wlEndpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint, hepEndpoints map[string]proto.HostEndpointID, ) []*generictables.Chain
In some scenario, e.g. packet goes to an kubernetes ipvs service ip. Traffic goes through input/output filter chain instead of forward filter chain. It is not feasible to match on an incoming workload/host interface with service ips. Assemble a set-endpoint-mark chain to set the endpoint mark matching on the incoming workload/host interface and a from-endpoint-mark chain to jump to a corresponding endpoint chain matching on its endpoint mark.
func (*DefaultRuleRenderer) FilterInputChainAllowWG ¶
func (r *DefaultRuleRenderer) FilterInputChainAllowWG(ipVersion uint8, c Config, allowAction generictables.Action) []generictables.Rule
func (*DefaultRuleRenderer) FromHostDispatchChains ¶
func (r *DefaultRuleRenderer) FromHostDispatchChains( endpoints map[string]proto.HostEndpointID, defaultIfaceName string, ) []*generictables.Chain
For pre-DNAT policy, which only applies on ingress from a host endpoint.
func (*DefaultRuleRenderer) HostDispatchChains ¶
func (r *DefaultRuleRenderer) HostDispatchChains( endpoints map[string]proto.HostEndpointID, defaultIfaceName string, applyOnForward bool, ) []*generictables.Chain
func (*DefaultRuleRenderer) HostEndpointToFilterChains ¶
func (r *DefaultRuleRenderer) HostEndpointToFilterChains( ifaceName string, tiers []TierPolicyGroups, forwardTiers []TierPolicyGroups, epMarkMapper EndpointMarkMapper, profileIDs []string, ) []*generictables.Chain
func (*DefaultRuleRenderer) HostEndpointToMangleEgressChains ¶
func (r *DefaultRuleRenderer) HostEndpointToMangleEgressChains( ifaceName string, tiers []TierPolicyGroups, profileIDs []string, ) []*generictables.Chain
func (*DefaultRuleRenderer) HostEndpointToMangleIngressChains ¶
func (r *DefaultRuleRenderer) HostEndpointToMangleIngressChains( ifaceName string, preDNATTiers []TierPolicyGroups, ) []*generictables.Chain
func (*DefaultRuleRenderer) HostEndpointToRawChains ¶
func (r *DefaultRuleRenderer) HostEndpointToRawChains( ifaceName string, untrackedTiers []TierPolicyGroups, ) []*generictables.Chain
func (*DefaultRuleRenderer) HostEndpointToRawEgressChain ¶
func (r *DefaultRuleRenderer) HostEndpointToRawEgressChain( ifaceName string, untrackedTiers []TierPolicyGroups, ) *generictables.Chain
func (*DefaultRuleRenderer) ICMPv6Filter ¶
func (r *DefaultRuleRenderer) ICMPv6Filter(action generictables.Action) []generictables.Rule
func (*DefaultRuleRenderer) IptablesFilterDenyAction ¶
func (r *DefaultRuleRenderer) IptablesFilterDenyAction() generictables.Action
func (*DefaultRuleRenderer) MakeNatOutgoingRule ¶
func (r *DefaultRuleRenderer) MakeNatOutgoingRule(protocol string, action Action, ipVersion uint8) Rule
func (*DefaultRuleRenderer) NATOutgoingChain ¶
func (r *DefaultRuleRenderer) NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *Chain
func (*DefaultRuleRenderer) PolicyGroupToIptablesChains ¶
func (r *DefaultRuleRenderer) PolicyGroupToIptablesChains(group *PolicyGroup) []*generictables.Chain
func (*DefaultRuleRenderer) PolicyToIptablesChains ¶
func (r *DefaultRuleRenderer) PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) ProfileToIptablesChains ¶
func (r *DefaultRuleRenderer) ProfileToIptablesChains(profileID *proto.ProfileID, profile *proto.Profile, ipVersion uint8) (inbound, outbound *generictables.Chain)
func (*DefaultRuleRenderer) ProtoRuleToIptablesRules ¶
func (r *DefaultRuleRenderer) ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []generictables.Rule
func (*DefaultRuleRenderer) ProtoRulesToIptablesRules ¶
func (r *DefaultRuleRenderer) ProtoRulesToIptablesRules(protoRules []*proto.Rule, ipVersion uint8, chainComments ...string) []generictables.Rule
func (*DefaultRuleRenderer) RPFilter ¶
func (r *DefaultRuleRenderer) RPFilter(ipVersion uint8, mark, mask uint32, openStackSpecialCasesEnabled bool, dropActionOverride generictables.Action) []generictables.Rule
RPFilter returns rules that implement RPF
func (*DefaultRuleRenderer) SNATsToIptablesChains ¶
func (r *DefaultRuleRenderer) SNATsToIptablesChains(snats map[string]string) []*Chain
func (*DefaultRuleRenderer) StaticBPFModeRawChains ¶
func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8, wgEncryptHost, bypassHostConntrack bool, ) []*generictables.Chain
func (*DefaultRuleRenderer) StaticFilterForwardAppendRules ¶
func (r *DefaultRuleRenderer) StaticFilterForwardAppendRules() []generictables.Rule
StaticFilterForwardAppendRules returns rules which should be statically appended to the end of the filter table's forward chain.
func (*DefaultRuleRenderer) StaticFilterForwardChains ¶
func (r *DefaultRuleRenderer) StaticFilterForwardChains() []*generictables.Chain
func (*DefaultRuleRenderer) StaticFilterInputChains ¶
func (r *DefaultRuleRenderer) StaticFilterInputChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) StaticFilterInputForwardCheckChain ¶
func (r *DefaultRuleRenderer) StaticFilterInputForwardCheckChain(ipVersion uint8) *generictables.Chain
Forward check chain is to check if a packet belongs to a forwarded traffic or not. With kube-proxy running in ipvs mode, both local or forwarded traffic goes through INPUT filter chain.
func (*DefaultRuleRenderer) StaticFilterOutputChains ¶
func (r *DefaultRuleRenderer) StaticFilterOutputChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) StaticFilterOutputForwardEndpointMarkChain ¶
func (r *DefaultRuleRenderer) StaticFilterOutputForwardEndpointMarkChain() *generictables.Chain
With kube-proxy running in ipvs mode, we categorise traffic going through OUTPUT chain into three classes. Class 1. forwarded packet originated from a calico workload or host endpoint --> INPUT filter --> OUTPUT filter Class 2. forwarded packet originated from a non calico endpoint --> INPUT filter --> OUTPUT filter Class 3. local process originated packet --> OUTPUT filter This function handles traffic in Class 1 and Class 2.
func (*DefaultRuleRenderer) StaticFilterTableChains ¶
func (r *DefaultRuleRenderer) StaticFilterTableChains(ipVersion uint8) (chains []*generictables.Chain)
func (*DefaultRuleRenderer) StaticManglePostroutingChain ¶
func (r *DefaultRuleRenderer) StaticManglePostroutingChain(ipVersion uint8) *generictables.Chain
func (*DefaultRuleRenderer) StaticManglePreroutingChain ¶
func (r *DefaultRuleRenderer) StaticManglePreroutingChain(ipVersion uint8) *generictables.Chain
func (*DefaultRuleRenderer) StaticMangleTableChains ¶
func (r *DefaultRuleRenderer) StaticMangleTableChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) StaticNATOutputChains ¶
func (r *DefaultRuleRenderer) StaticNATOutputChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) StaticNATPostroutingChains ¶
func (r *DefaultRuleRenderer) StaticNATPostroutingChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) StaticNATPreroutingChains ¶
func (r *DefaultRuleRenderer) StaticNATPreroutingChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) StaticNATTableChains ¶
func (r *DefaultRuleRenderer) StaticNATTableChains(ipVersion uint8) (chains []*generictables.Chain)
func (*DefaultRuleRenderer) StaticRawOutputChain ¶
func (r *DefaultRuleRenderer) StaticRawOutputChain(tcBypassMark uint32, ipVersion uint8) *generictables.Chain
func (*DefaultRuleRenderer) StaticRawPreroutingChain ¶
func (r *DefaultRuleRenderer) StaticRawPreroutingChain(ipVersion uint8) *generictables.Chain
func (*DefaultRuleRenderer) StaticRawTableChains ¶
func (r *DefaultRuleRenderer) StaticRawTableChains(ipVersion uint8) []*generictables.Chain
func (*DefaultRuleRenderer) ToHostDispatchChains ¶
func (r *DefaultRuleRenderer) ToHostDispatchChains( endpoints map[string]proto.HostEndpointID, defaultIfaceName string, ) []*generictables.Chain
For applying normal host endpoint egress policy to traffic from the host which has been DNAT'd.
func (*DefaultRuleRenderer) WireguardIncomingMarkChain ¶
func (r *DefaultRuleRenderer) WireguardIncomingMarkChain() *generictables.Chain
func (*DefaultRuleRenderer) WorkloadDispatchChains ¶
func (r *DefaultRuleRenderer) WorkloadDispatchChains( endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint, ) []*generictables.Chain
func (*DefaultRuleRenderer) WorkloadEndpointToIptablesChains ¶
func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains( ifaceName string, epMarkMapper EndpointMarkMapper, adminUp bool, tiers []TierPolicyGroups, profileIDs []string, ) []*generictables.Chain
func (*DefaultRuleRenderer) WorkloadInterfaceAllowChains ¶
func (r *DefaultRuleRenderer) WorkloadInterfaceAllowChains( endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint, ) []*generictables.Chain
type EndpointMarkMapper ¶
type EndpointMarkMapper interface {
GetMask() uint32
GetEndpointMark(ep string) (uint32, error)
ReleaseEndpointMark(ep string)
SetEndpointMark(ep string, mark uint32) error
}
Endpoint Mark Mapper (EPM) provides set of functions to manage allocation/free endpoint mark bit given a mark bit mask. Note: This is not thread safe.
func NewEndpointMarkMapper ¶
func NewEndpointMarkMapper(markMask, nonCaliMark uint32) EndpointMarkMapper
func NewEndpointMarkMapperWithShim ¶
func NewEndpointMarkMapperWithShim(markMask, nonCaliMark uint32, hash32 HashCalculator32) EndpointMarkMapper
type HashCalculator32 ¶
type HashCalculator32 interface {
// Write (via the embedded io.Writer interface) adds more data to the running hash.
// It never returns an error.
io.Writer
// Sum32 returns a hash result of uint32.
// It does not change the underlying hash state.
Sum32() uint32
// Reset resets the Hash to its initial state.
Reset()
}
This interface has subset of functions of built in hash32 interface.
type PolicyChainNamePrefix ¶
type PolicyChainNamePrefix string
Typedefs to prevent accidentally passing the wrong prefix to the Policy/ProfileChainName()
type PolicyDirection ¶
type PolicyDirection string
const ( PolicyDirectionInbound PolicyDirection = "inbound" // AKA ingress PolicyDirectionOutbound PolicyDirection = "outbound" // AKA egress )
type PolicyGroup ¶
type PolicyGroup struct {
// Tier is only used in enterprise. There can be policies with the same
// name in different tiers so we need to disambiguate.
Tier string
// Direction matches the policy model direction inbound/outbound. Each
// group is either inbound or outbound since the set of active policy
// can differ between the directions (a policy may have inbound rules
// only, for example).
Direction PolicyDirection
PolicyNames []string
// Selector is the original selector used by the grouped policies. By
// grouping on selector, we ensure that if one policy in a group matches
// an endpoint then all policies in that group must match the endpoint.
// Thus, two endpoint that share any policy in the group must share the
// whole group.
Selector string
// contains filtered or unexported fields
}
PolicyGroup represents a sequence of one or more policies extracted from a list of policies. If large enough (currently >1 entry) it will be programmed into its own chain.
func (*PolicyGroup) ChainName ¶
func (g *PolicyGroup) ChainName() string
func (*PolicyGroup) ShouldBeInlined ¶
func (g *PolicyGroup) ShouldBeInlined() bool
func (*PolicyGroup) UniqueID ¶
func (g *PolicyGroup) UniqueID() string
type PolicyGroupSliceStringer ¶
type PolicyGroupSliceStringer []*PolicyGroup
PolicyGroupSliceStringer provides a String() method for a slice of PolicyGroup pointers.
func (PolicyGroupSliceStringer) String ¶
func (p PolicyGroupSliceStringer) String() string
type ProfileChainNamePrefix ¶
type ProfileChainNamePrefix string
Typedefs to prevent accidentally passing the wrong prefix to the Policy/ProfileChainName()
type RuleRenderer ¶
type RuleRenderer interface {
StaticFilterTableChains(ipVersion uint8) []*generictables.Chain
StaticNATTableChains(ipVersion uint8) []*generictables.Chain
StaticNATPostroutingChains(ipVersion uint8) []*generictables.Chain
StaticRawTableChains(ipVersion uint8) []*generictables.Chain
StaticBPFModeRawChains(ipVersion uint8, wgEncryptHost, disableConntrack bool) []*generictables.Chain
StaticMangleTableChains(ipVersion uint8) []*generictables.Chain
StaticFilterForwardAppendRules() []generictables.Rule
WorkloadDispatchChains(map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*generictables.Chain
WorkloadEndpointToIptablesChains(
ifaceName string,
epMarkMapper EndpointMarkMapper,
adminUp bool,
tiers []TierPolicyGroups,
profileIDs []string,
) []*generictables.Chain
PolicyGroupToIptablesChains(group *PolicyGroup) []*generictables.Chain
WorkloadInterfaceAllowChains(endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*generictables.Chain
EndpointMarkDispatchChains(
epMarkMapper EndpointMarkMapper,
wlEndpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint,
hepEndpoints map[string]proto.HostEndpointID,
) []*generictables.Chain
HostDispatchChains(map[string]proto.HostEndpointID, string, bool) []*generictables.Chain
FromHostDispatchChains(map[string]proto.HostEndpointID, string) []*generictables.Chain
ToHostDispatchChains(map[string]proto.HostEndpointID, string) []*generictables.Chain
HostEndpointToFilterChains(
ifaceName string,
tiers []TierPolicyGroups,
forwardTiers []TierPolicyGroups,
epMarkMapper EndpointMarkMapper,
profileIDs []string,
) []*generictables.Chain
HostEndpointToMangleEgressChains(
ifaceName string,
tiers []TierPolicyGroups,
profileIDs []string,
) []*generictables.Chain
HostEndpointToRawEgressChain(
ifaceName string,
untrackedTiers []TierPolicyGroups,
) *generictables.Chain
HostEndpointToRawChains(
ifaceName string,
untrackedTiers []TierPolicyGroups,
) []*generictables.Chain
HostEndpointToMangleIngressChains(
ifaceName string,
preDNATTiers []TierPolicyGroups,
) []*generictables.Chain
PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*generictables.Chain
ProfileToIptablesChains(profileID *proto.ProfileID, policy *proto.Profile, ipVersion uint8) (inbound, outbound *generictables.Chain)
ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []generictables.Rule
MakeNatOutgoingRule(protocol string, action generictables.Action, ipVersion uint8) generictables.Rule
NATOutgoingChain(active bool, ipVersion uint8) *generictables.Chain
DNATsToIptablesChains(dnats map[string]string) []*generictables.Chain
SNATsToIptablesChains(snats map[string]string) []*generictables.Chain
BlockedCIDRsToIptablesChains(cidrs []string, ipVersion uint8) []*generictables.Chain
WireguardIncomingMarkChain() *generictables.Chain
IptablesFilterDenyAction() generictables.Action
FilterInputChainAllowWG(ipVersion uint8, c Config, allowAction generictables.Action) []generictables.Rule
ICMPv6Filter(action generictables.Action) []generictables.Rule
}
func NewRenderer ¶
func NewRenderer(config Config) RuleRenderer
type TierPolicyGroups ¶
type TierPolicyGroups struct {
Name string
DefaultAction string
IngressPolicies []*PolicyGroup
EgressPolicies []*PolicyGroup
}
type TierPolicyGroupsStringer ¶
type TierPolicyGroupsStringer []TierPolicyGroups
func (TierPolicyGroupsStringer) String ¶
func (tiers TierPolicyGroupsStringer) String() string
Source Files
Click to show internal directories.
Click to hide internal directories.