ipset

Documentation

Index

• Constants
• Variables
• type AddrSet
• type Family
• type Initializer
• type Manager

Constants

const (
	CiliumNodeIPSetV4 = "cilium_node_set_v4"
	CiliumNodeIPSetV6 = "cilium_node_set_v6"
)

Variables

var Cell = cell.Module(
	"ipset",
	"Handle kernel IP sets configuration for Cilium",

	cell.Provide(newIPSetManager),

	cell.ProvidePrivate(
		tables.NewIPSetTable,

		reconciler.New[*tables.IPSetEntry],
		newReconcilerConfig,
		newOps,
	),
	cell.ProvidePrivate(func(logger logrus.FieldLogger) *ipset {
		return &ipset{
			executable: funcExecutable(func(ctx context.Context, name string, stdin string, arg ...string) ([]byte, error) {
				cmd := exec.CommandContext(ctx, name, arg...)
				cmd.Stdin = strings.NewReader(stdin)
				return cmd.Output()
			}),
			log: logger,
		}
	}),
	cell.ProvidePrivate(func(cfg *option.DaemonConfig) config {
		return config{NodeIPSetNeeded: cfg.NodeIpsetNeeded()}
	}),
)

Cell exposes methods to add and remove node IPs from the kernel IP sets. The sets are in turn referenced by iptables rules to exclude traffic to cluster nodes from being masqueraded. There are two distinct sets, one for IPv4 addresses and one for IPv6 addresses. Internally, the cell stores the desired IP sets state in a StateDB table and uses a reconciler to update the realized state (that is, the actual kernel IP sets). Other sets that do not pertain to Cilium configuration are not changed in any way.

Types

type AddrSet

type AddrSet = sets.Set[netip.Addr]

type Family

type Family string

const (
	INetFamily  Family = "inet"
	INet6Family Family = "inet6"
)

type Initializer

type Initializer interface {
	InitDone()
}

type Manager

type Manager interface {
	NewInitializer() Initializer
	AddToIPSet(name string, family Family, addrs ...netip.Addr)
	RemoveFromIPSet(name string, addrs ...netip.Addr)
}

Manager handles the kernel IP sets configuration