iptables

package
v1.17.0-pre.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 2, 2024 License: Apache-2.0 Imports: 43 Imported by: 7

Documentation

Overview

Package iptables manages iptables-related configuration for Cilium.

Index

Constants

This section is empty.

Variables

View Source
var Cell = cell.Module(
	"iptables",
	"Handle iptables-related configuration for Cilium",

	ipset.Cell,

	cell.Config(defaultConfig),
	cell.ProvidePrivate(func(
		cfg *option.DaemonConfig,
	) SharedConfig {
		return SharedConfig{
			TunnelingEnabled:                cfg.TunnelingEnabled(),
			NodeIpsetNeeded:                 cfg.NodeIpsetNeeded(),
			IptablesMasqueradingIPv4Enabled: cfg.IptablesMasqueradingIPv4Enabled(),
			IptablesMasqueradingIPv6Enabled: cfg.IptablesMasqueradingIPv6Enabled(),

			EnableIPv4:                  cfg.EnableIPv4,
			EnableIPv6:                  cfg.EnableIPv6,
			EnableBPFTProxy:             cfg.EnableBPFTProxy,
			InstallNoConntrackIptRules:  cfg.InstallNoConntrackIptRules,
			EnableEndpointRoutes:        cfg.EnableEndpointRoutes,
			IPAM:                        cfg.IPAM,
			EnableIPSec:                 cfg.EnableIPSec,
			MasqueradeInterfaces:        cfg.MasqueradeInterfaces,
			EnableMasqueradeRouteSource: cfg.EnableMasqueradeRouteSource,
			EnableL7Proxy:               cfg.EnableL7Proxy,
			InstallIptRules:             cfg.InstallIptRules,
		}
	}),
	cell.Provide(newIptablesManager),
)

Functions

This section is empty.

Types

type Config added in v1.15.0

type Config struct {
	// IPTablesLockTimeout defines the "-w" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	IPTablesLockTimeout time.Duration

	// DisableIptablesFeederRules specifies which chains will be excluded
	// when installing the feeder rules
	DisableIptablesFeederRules []string

	// IPTablesRandomFully defines the "--random-fully" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	IPTablesRandomFully bool

	// PrependIptablesChains, when enabled, prepends custom iptables chains instead of appending.
	PrependIptablesChains bool

	// EnableXTSocketFallback allows disabling of kernel's ip_early_demux
	// sysctl option if `xt_socket` kernel module is not available.
	EnableXTSocketFallback bool
}

func (Config) Flags added in v1.15.0

func (def Config) Flags(flags *pflag.FlagSet)

type Manager added in v1.15.0

type Manager struct {
	// contains filtered or unexported fields
}

Manager manages the iptables-related configuration for Cilium.

func (*Manager) GetProxyPorts added in v1.15.11

func (m *Manager) GetProxyPorts() map[string]uint16

GetProxyPorts enumerates all existing TPROXY rules in the datapath installed earlier with InstallProxyRules and returns all proxy ports found.

func (*Manager) InstallNoTrackRules added in v1.15.0

func (m *Manager) InstallNoTrackRules(ip netip.Addr, port uint16)

InstallNoTrackRules is explicitly called when a pod has valid "policy.cilium.io/no-track-port" annotation. When InstallNoConntrackIptRules flag is set, a super set of v4 NOTRACK rules will be automatically installed upon agent bootstrap (via function addNoTrackPodTrafficRules) and this function will be skipped. When InstallNoConntrackIptRules is not set, this function will be executed to install NOTRACK rules. The rules installed by this function is very specific, for now, the only user is node-local-dns pods.

func (*Manager) InstallProxyRules added in v1.15.0

func (m *Manager) InstallProxyRules(proxyPort uint16, name string)

func (*Manager) RemoveNoTrackRules added in v1.15.0

func (m *Manager) RemoveNoTrackRules(ip netip.Addr, port uint16)

See comments for InstallNoTrackRules.

func (*Manager) Start added in v1.15.0

func (m *Manager) Start(ctx cell.HookContext) error

Start initializes the iptables manager and checks for iptables kernel modules availability.

func (*Manager) Stop added in v1.15.0

func (m *Manager) Stop(ctx cell.HookContext) error

func (*Manager) SupportsOriginalSourceAddr added in v1.15.0

func (m *Manager) SupportsOriginalSourceAddr() bool

SupportsOriginalSourceAddr tells if an L7 proxy can use POD's original source address and port in the upstream connection to allow the destination to properly derive the source security ID from the source IP address.

type SharedConfig added in v1.15.0

type SharedConfig struct {
	TunnelingEnabled                bool
	NodeIpsetNeeded                 bool
	IptablesMasqueradingIPv4Enabled bool
	IptablesMasqueradingIPv6Enabled bool

	EnableIPv4                  bool
	EnableIPv6                  bool
	EnableXTSocketFallback      bool
	EnableBPFTProxy             bool
	InstallNoConntrackIptRules  bool
	EnableEndpointRoutes        bool
	IPAM                        string
	EnableIPSec                 bool
	MasqueradeInterfaces        []string
	EnableMasqueradeRouteSource bool
	EnableL7Proxy               bool
	InstallIptRules             bool
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL