iptables

package
v1.14.9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 26, 2024 License: Apache-2.0 Imports: 32 Imported by: 7

Documentation

Overview

Package iptables manages iptables-related configuration for Cilium.

Index

Constants

View Source
const (
	CiliumNodeIpsetV4 = "cilium_node_set_v4"
	CiliumNodeIpsetV6 = "cilium_node_set_v6"
)

Variables

This section is empty.

Functions

func KernelHasNetfilter

func KernelHasNetfilter() bool

KernelHasNetfilter probes whether iptables related modules are present in the kernel and returns true if indeed the case, else false.

Types

type IptablesManager

type IptablesManager struct {
	// This lock ensures there are no concurrent executions of the InstallRules() and
	// InstallProxyRules() methods, as otherwise we may end up with errors (as rules may have
	// been already removed or installed by a different execution of the method) or with an
	// inconsistent ruleset
	lock.Mutex
	// contains filtered or unexported fields
}

IptablesManager manages the iptables-related configuration for Cilium.

func (*IptablesManager) AddToNodeIpset added in v1.14.6

func (m *IptablesManager) AddToNodeIpset(nodeIP net.IP)

AddToNodeIpset adds an IP address to the ipset for cluster nodes. It creates the ipset if it doesn't already exist and doesn't error if either the ipset or the IP already exist.

func (*IptablesManager) DisableIPEarlyDemux added in v1.13.13

func (m *IptablesManager) DisableIPEarlyDemux()

func (*IptablesManager) GetProxyPort

func (m *IptablesManager) GetProxyPort(name string) uint16

GetProxyPort finds a proxy port used for redirect 'name' installed earlier with InstallProxyRules. By convention "ingress" or "egress" is part of 'name' so it does not need to be specified explicitly. Returns 0 a TPROXY entry with 'name' can not be found.

func (*IptablesManager) Init

func (m *IptablesManager) Init(cniConfigManager cni.CNIConfigManager)

Init initializes the iptables manager and checks for iptables kernel modules availability.

func (*IptablesManager) InstallNoTrackRules

func (m *IptablesManager) InstallNoTrackRules(IP string, port uint16, ipv6 bool) error

InstallNoTrackRules is explicitly called when a pod has valid "policy.cilium.io/no-track-port" annotation. When InstallNoConntrackIptRules flag is set, a super set of v4 NOTRACK rules will be automatically installed upon agent bootstrap (via function addNoTrackPodTrafficRules) and this function will be skipped. When InstallNoConntrackIptRules is not set, this function will be executed to install NOTRACK rules. The rules installed by this function is very specific, for now, the only user is node-local-dns pods.

func (*IptablesManager) InstallProxyRules

func (m *IptablesManager) InstallProxyRules(ctx context.Context, proxyPort uint16, ingress, localOnly bool, name string) error

func (*IptablesManager) InstallRules

func (m *IptablesManager) InstallRules(ctx context.Context, ifName string, firstInitialization, install bool) error

InstallRules installs iptables rules for Cilium in specific use-cases (most specifically, interaction with kube-proxy).

func (*IptablesManager) RemoveFromNodeIpset added in v1.14.6

func (m *IptablesManager) RemoveFromNodeIpset(nodeIP net.IP)

RemoveFromBodeIpset removes an IP address from the ipset for cluster nodes.

func (*IptablesManager) RemoveNoTrackRules

func (m *IptablesManager) RemoveNoTrackRules(IP string, port uint16, ipv6 bool) error

See comments for InstallNoTrackRules.

func (*IptablesManager) SupportsOriginalSourceAddr

func (m *IptablesManager) SupportsOriginalSourceAddr() bool

SupportsOriginalSourceAddr tells if an L7 proxy can use POD's original source address and port in the upstream connection to allow the destination to properly derive the source security ID from the source IP address.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL