Documentation ¶
Overview ¶
Package iptables manages iptables-related configuration for Cilium.
Index ¶
- Constants
- Variables
- type Config
- type Manager
- func (m *Manager) AddToNodeIpset(nodeIP net.IP)
- func (m *Manager) GetProxyPort(name string) uint16
- func (m *Manager) InstallNoTrackRules(IP string, port uint16, ipv6 bool) error
- func (m *Manager) InstallProxyRules(ctx context.Context, proxyPort uint16, ingress, localOnly bool, name string) error
- func (m *Manager) InstallRules(ctx context.Context, ifName string, firstInitialization, install bool) error
- func (m *Manager) RemoveFromNodeIpset(nodeIP net.IP)
- func (m *Manager) RemoveNoTrackRules(IP string, port uint16, ipv6 bool) error
- func (m *Manager) Start(ctx cell.HookContext) error
- func (m *Manager) Stop(ctx cell.HookContext) error
- func (m *Manager) SupportsOriginalSourceAddr() bool
- type SharedConfig
Constants ¶
const ( CiliumNodeIpsetV4 = "cilium_node_set_v4" CiliumNodeIpsetV6 = "cilium_node_set_v6" )
Variables ¶
var Cell = cell.Module( "iptables", "Handle iptables-related configuration for Cilium", cell.Config(defaultConfig), cell.ProvidePrivate(func( cfg *option.DaemonConfig, ) SharedConfig { return SharedConfig{ TunnelingEnabled: cfg.TunnelingEnabled(), NodeIpsetNeeded: cfg.NodeIpsetNeeded(), Devices: cfg.GetDevices(), IptablesMasqueradingIPv4Enabled: cfg.IptablesMasqueradingIPv4Enabled(), IptablesMasqueradingIPv6Enabled: cfg.IptablesMasqueradingIPv6Enabled(), IPv4NativeRoutingCIDR: cfg.GetIPv4NativeRoutingCIDR(), EnableIPv4: cfg.EnableIPv4, EnableIPv6: cfg.EnableIPv6, EnableXTSocketFallback: cfg.EnableXTSocketFallback, EnableBPFTProxy: cfg.EnableBPFTProxy, InstallNoConntrackIptRules: cfg.InstallNoConntrackIptRules, EnableEndpointRoutes: cfg.EnableEndpointRoutes, IPAM: cfg.IPAM, EnableIPSec: cfg.EnableIPSec, MasqueradeInterfaces: cfg.MasqueradeInterfaces, EnableMasqueradeRouteSource: cfg.EnableMasqueradeRouteSource, } }), cell.Provide(newIptablesManager), )
Functions ¶
This section is empty.
Types ¶
type Config ¶ added in v1.15.0
type Config struct { // IPTablesLockTimeout defines the "-w" iptables option when the // iptables CLI is directly invoked from the Cilium agent. IPTablesLockTimeout time.Duration // DisableIptablesFeederRules specifies which chains will be excluded // when installing the feeder rules DisableIptablesFeederRules []string // IPTablesRandomFully defines the "--random-fully" iptables option when the // iptables CLI is directly invoked from the Cilium agent. IPTablesRandomFully bool // PrependIptablesChains, when enabled, prepends custom iptables chains instead of appending. PrependIptablesChains bool }
type Manager ¶ added in v1.15.0
type Manager struct { // This lock ensures there are no concurrent executions of the InstallRules() and // InstallProxyRules() methods, as otherwise we may end up with errors (as rules may have // been already removed or installed by a different execution of the method) or with an // inconsistent ruleset lock.Mutex CNIChainingMode string // contains filtered or unexported fields }
Manager manages the iptables-related configuration for Cilium.
func (*Manager) AddToNodeIpset ¶ added in v1.15.0
AddToNodeIpset adds an IP address to the ipset for cluster nodes. It creates the ipset if it doesn't already exist and doesn't error if either the ipset or the IP already exist.
func (*Manager) GetProxyPort ¶ added in v1.15.0
GetProxyPort finds a proxy port used for redirect 'name' installed earlier with InstallProxyRules. By convention "ingress" or "egress" is part of 'name' so it does not need to be specified explicitly. Returns 0 a TPROXY entry with 'name' can not be found.
func (*Manager) InstallNoTrackRules ¶ added in v1.15.0
InstallNoTrackRules is explicitly called when a pod has valid "policy.cilium.io/no-track-port" annotation. When InstallNoConntrackIptRules flag is set, a super set of v4 NOTRACK rules will be automatically installed upon agent bootstrap (via function addNoTrackPodTrafficRules) and this function will be skipped. When InstallNoConntrackIptRules is not set, this function will be executed to install NOTRACK rules. The rules installed by this function is very specific, for now, the only user is node-local-dns pods.
func (*Manager) InstallProxyRules ¶ added in v1.15.0
func (*Manager) InstallRules ¶ added in v1.15.0
func (m *Manager) InstallRules(ctx context.Context, ifName string, firstInitialization, install bool) error
InstallRules installs iptables rules for Cilium in specific use-cases (most specifically, interaction with kube-proxy).
func (*Manager) RemoveFromNodeIpset ¶ added in v1.15.0
RemoveFromBodeIpset removes an IP address from the ipset for cluster nodes.
func (*Manager) RemoveNoTrackRules ¶ added in v1.15.0
See comments for InstallNoTrackRules.
func (*Manager) Start ¶ added in v1.15.0
func (m *Manager) Start(ctx cell.HookContext) error
Start initializes the iptables manager and checks for iptables kernel modules availability.
func (*Manager) SupportsOriginalSourceAddr ¶ added in v1.15.0
SupportsOriginalSourceAddr tells if an L7 proxy can use POD's original source address and port in the upstream connection to allow the destination to properly derive the source security ID from the source IP address.
type SharedConfig ¶ added in v1.15.0
type SharedConfig struct {}