iptables

package
v0.10.0 (not the latest version of this module)
Published: Oct 31, 2023 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package iptables contains the necessary data structures and functions to interact with iptables and therefore insert/delete filter and NAT rules.

Constants

const (

	// MASQUERADE action constant.
	MASQUERADE = "MASQUERADE"
	// SNAT action constant.
	SNAT = "SNAT"
	// DNAT action constant.
	DNAT = "DNAT"
	// NETMAP action constant.
	NETMAP = "NETMAP"
	// ACCEPT action constant.
	ACCEPT = "ACCEPT"
	// DROP action constant.
	DROP = "DROP"

	// ESTABLISHED state: the packet is associated with a connection which has seen packets in both directions.
	ESTABLISHED = "ESTABLISHED"
	// RELATED state: the packet is associated with a connection which is related to another already ESTABLISHED connection.
	RELATED = "RELATED"

	// IPSetNameMaxLength is the maximum number of characters accepted for the name of an IPSet.
	IPSetNameMaxLength = 31
)

Variables

This section is empty.

Functions

This section is empty.

Types

type EndpointInfo added in v0.10.0

type EndpointInfo struct {
	Address       string
	SrcClusterIDs []string
	Deleting      bool
}

EndpointInfo contains the information needed to create rules allowing traffic towards service endpoints.

type IPTHandler

type IPTHandler struct {
	Ipt iptables.IPTables
}

IPTHandler is a handler that exposes all the functions needed to configure the iptables chains and rules.

func NewIPTHandler

func NewIPTHandler() (IPTHandler, error)

NewIPTHandler returns the iptables handler used to configure the iptables rules.

func (IPTHandler) EnsureChainRulesPerCluster

func (h IPTHandler) EnsureChainRulesPerCluster(tep *netv1alpha1.TunnelEndpoint) error

EnsureChainRulesPerCluster reads a TunnelEndpoint resource and makes sure that the chain rules for the given cluster exist.

func (IPTHandler) EnsureChainsPerCluster

func (h IPTHandler) EnsureChainsPerCluster(clusterID string) error

EnsureChainsPerCluster makes sure that the input, output, postrouting and prerouting chains for a given cluster are present in the NAT table and the filter table.

func (IPTHandler) EnsureClusterForwardRules added in v0.10.0

func (h IPTHandler) EnsureClusterForwardRules(tep *netv1alpha1.TunnelEndpoint) error

EnsureClusterForwardRules ensures the starting DROP rule used by the IntraClusterTrafficSegregation security mode.

func (IPTHandler) EnsureForwardExtRules added in v0.6.0

func (h IPTHandler) EnsureForwardExtRules(tep *netv1alpha1.TunnelEndpoint) error

EnsureForwardExtRules makes sure that the forwarding rules for a given cluster are in place and updated.

func (IPTHandler) EnsurePostroutingRules

func (h IPTHandler) EnsurePostroutingRules(tep *netv1alpha1.TunnelEndpoint) error

EnsurePostroutingRules makes sure that the postrouting rules for a given cluster are in place and updated.

func (IPTHandler) EnsurePreroutingRulesPerNatMapping

func (h IPTHandler) EnsurePreroutingRulesPerNatMapping(nm *netv1alpha1.NatMapping) error

EnsurePreroutingRulesPerNatMapping makes sure that the prerouting rules extracted from a NatMapping resource are in place and updated.

func (IPTHandler) EnsurePreroutingRulesPerTunnelEndpoint

func (h IPTHandler) EnsurePreroutingRulesPerTunnelEndpoint(tep *netv1alpha1.TunnelEndpoint) error

EnsurePreroutingRulesPerTunnelEndpoint makes sure that the prerouting rules extracted from a TunnelEndpoint resource are in place and updated.

func (IPTHandler) EnsureRulesForClustersForwarding added in v0.10.0

func (h IPTHandler) EnsureRulesForClustersForwarding(podsInfo, endpointslicesInfo *sync.Map, ipSetHandler *liqoipset.IPSHandler) error

EnsureRulesForClustersForwarding ensures the forward rules for the traffic allowed by the IntraClusterTrafficSegregation security mode.

func (IPTHandler) Init

func (h IPTHandler) Init() error

Init is called at startup of the operator. It creates LIQONET-FORWARD in the filter table and inserts a jump to it in the FORWARD chain; creates LIQONET-INPUT in the filter table and inserts a jump to it in the INPUT chain; creates LIQONET-POSTROUTING in the nat table and inserts a jump to it in the POSTROUTING chain; and creates LIQONET-PREROUTING in the nat table and inserts a jump to it in the PREROUTING chain.

func (IPTHandler) ListRulesInChain

func (h IPTHandler) ListRulesInChain(chain string) ([]string, error)

ListRulesInChain normalizes the result returned by the List function of go-iptables, so that each entry is a rule specification for the given chain.

func (IPTHandler) RemoveIPTablesConfigurationPerCluster

func (h IPTHandler) RemoveIPTablesConfigurationPerCluster(tep *netv1alpha1.TunnelEndpoint) error

RemoveIPTablesConfigurationPerCluster clears and deletes the input, forward, prerouting and postrouting chains for a remote cluster. In order to remove them, the function first deletes the related rules in LIQO-POSTROUTING, LIQO-PREROUTING, LIQO-FORWARD and LIQO-INPUT.

func (IPTHandler) Terminate

func (h IPTHandler) Terminate() error

Terminate is the counterpart of Init. It removes the Liqo configuration from iptables.

type IPTableRule

type IPTableRule []string

IPTableRule is a slice of strings, one argument per element. This is the format used by the go-iptables module.

func ParseRule added in v0.6.0

func ParseRule(rule string) (IPTableRule, error)

ParseRule parses a string rule in the format used by go-iptables.

func (IPTableRule) String added in v0.6.0

func (itr IPTableRule) String() string

String returns the string representation of the rule.
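The following is an added example, not code from the Liqo package or from go-iptables. It shows the ParseRule/String round trip and the List normalization that ListRulesInChain performs, in a stand-alone Go program. It assumes that go-iptables List returns the lines of `iptables -S <chain>` (one `-N <chain>` declaration followed by `-A <chain> ...` lines); the parser is my own and honours double quotes, because a rule with a `--comment "..."` value splits into the wrong number of arguments under a naive whitespace split. The sample List output is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// IPTableRule mirrors the page's type: one argument per element, the form go-iptables expects.
type IPTableRule []string

// parseRule splits a rule string into arguments. It is an added implementation, not Liqo's ParseRule:
// it keeps a double-quoted value (e.g. a --comment) as a single argument and rejects an unterminated
// quote instead of silently producing a truncated rule.
func parseRule(rule string) (IPTableRule, error) {
	var out IPTableRule
	var cur strings.Builder
	inQuote, inTok := false, false
	for _, r := range rule {
		switch {
		case r == '"':
			inQuote = !inQuote
			inTok = true // an empty quoted string is still an argument
		case !inQuote && (r == ' ' || r == '\t'):
			if inTok {
				out = append(out, cur.String())
				cur.Reset()
				inTok = false
			}
		default:
			cur.WriteRune(r)
			inTok = true
		}
	}
	if inQuote {
		return nil, errors.New("unterminated quote in rule: " + rule)
	}
	if inTok {
		out = append(out, cur.String())
	}
	if len(out) == 0 {
		return nil, errors.New("empty rule")
	}
	return out, nil
}

// String re-quotes any argument containing whitespace so that the result parses back to the same slice.
func (itr IPTableRule) String() string {
	parts := make([]string, len(itr))
	for i, a := range itr {
		if a == "" || strings.ContainsAny(a, " \t") {
			parts[i] = `"` + a + `"`
		} else {
			parts[i] = a
		}
	}
	return strings.Join(parts, " ")
}

// listRulesInChain normalizes the lines that go-iptables List returns for one chain (assumed to be
// the output of `iptables -S <chain>`): the "-N <chain>" declaration is dropped and the "-A <chain> "
// prefix is stripped, so each entry is a bare rule specification. Any other line is an error.
func listRulesInChain(chain string, listOutput []string) ([]string, error) {
	prefix := "-A " + chain + " "
	var rules []string
	for _, line := range listOutput {
		switch {
		case line == "-N "+chain:
			continue
		case strings.HasPrefix(line, prefix):
			rules = append(rules, strings.TrimPrefix(line, prefix))
		default:
			return nil, fmt.Errorf("unexpected line for chain %s: %q", chain, line)
		}
	}
	return rules, nil
}

func main() {
	// Constructed sample of what List would return for a custom chain.
	sample := []string{
		"-N LIQONET-FORWARD",
		`-A LIQONET-FORWARD -s 10.1.0.0/16 -m comment --comment "liqo remote cluster" -j ACCEPT`,
		"-A LIQONET-FORWARD -j DROP",
	}
	rules, err := listRulesInChain("LIQONET-FORWARD", sample)
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		parsed, err := parseRule(r)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d args: %q\n", len(parsed), parsed)
		fmt.Println("round trip ok:", parsed.String() == r)
	}
}
```

The round trip matters operationally: the Ensure* functions decide whether a rule must be inserted by comparing what is already in the chain with what they intend to write, and a serialization that does not reproduce the listed form leads to duplicate rules accumulating on every reconciliation, which makes the live rule set harder to audit.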

type PodInfo added in v0.10.0

type PodInfo struct {
	PodIP           string
	RemoteClusterID string
	Deleting        bool
}

PodInfo contains the information needed to create rules allowing traffic towards offloaded pods.

type RuleInsertionStrategyType added in v0.10.0

type RuleInsertionStrategyType string

RuleInsertionStrategyType represents different insertion strategies for inserting an iptables rule in a table.

const (
	// Prepend indicates to insert the rule as first.
	Prepend RuleInsertionStrategyType = "Prepended"
	// Append indicates to insert the rule as last.
	Append RuleInsertionStrategyType = "Appended"
)
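The following is an added example, not Liqo's code. It ties together the chain-plus-jump pattern that Init and Terminate describe and the Prepend/Append strategies defined just above, and it shows why the strategy matters for the IntraClusterTrafficSegregation mode, where a per-cluster chain starts with a DROP rule and allow rules are added afterwards. A hypothetical in-memory table (`fakeTable`) stands in for go-iptables so the program runs without root or a kernel; the per-cluster chain name and pod IPs are constructed, and `verdict` evaluates only the toy rule form `[-s <ip>] -j <target>`.

```go
package main

import (
	"fmt"
	"strings"
)

// RuleInsertionStrategyType mirrors the page's type: Prepend puts a rule first, Append puts it last.
type RuleInsertionStrategyType string

const (
	Prepend RuleInsertionStrategyType = "Prepended"
	Append  RuleInsertionStrategyType = "Appended"
)

// fakeTable is a hypothetical in-memory stand-in for one iptables table, used here instead of
// go-iptables. Chains map to their rules in evaluation order.
type fakeTable struct {
	chains map[string][]string
}

func newFakeTable(builtin ...string) *fakeTable {
	t := &fakeTable{chains: map[string][]string{}}
	for _, c := range builtin {
		t.chains[c] = nil
	}
	return t
}

func (t *fakeTable) chainExists(chain string) bool { _, ok := t.chains[chain]; return ok }

func (t *fakeTable) ruleExists(chain, rule string) bool {
	for _, r := range t.chains[chain] {
		if r == rule {
			return true
		}
	}
	return false
}

// insert places a rule at position 1 (iptables -I) for Prepend, or last (iptables -A) for Append.
func (t *fakeTable) insert(chain, rule string, strategy RuleInsertionStrategyType) {
	if strategy == Prepend {
		t.chains[chain] = append([]string{rule}, t.chains[chain]...)
		return
	}
	t.chains[chain] = append(t.chains[chain], rule)
}

func (t *fakeTable) deleteRule(chain, rule string) {
	kept := t.chains[chain][:0]
	for _, r := range t.chains[chain] {
		if r != rule {
			kept = append(kept, r)
		}
	}
	t.chains[chain] = kept
}

// ensureChainWithJump is the per-chain step Init describes: create the custom chain if it is missing
// and insert a jump to it at the head of the parent chain, exactly once (calling it twice is a no-op).
func ensureChainWithJump(t *fakeTable, parent, chain string) {
	if !t.chainExists(chain) {
		t.chains[chain] = nil
	}
	if jump := "-j " + chain; !t.ruleExists(parent, jump) {
		t.insert(parent, jump, Prepend)
	}
}

// removeChainWithJump is the Terminate counterpart: delete the jump first, then the chain, so no
// packet is ever dispatched into a chain that is being torn down.
func removeChainWithJump(t *fakeTable, parent, chain string) {
	t.deleteRule(parent, "-j "+chain)
	delete(t.chains, chain)
}

// verdict walks a chain the way netfilter does: the first rule whose match fits wins.
func verdict(t *fakeTable, chain, srcIP string) string {
	for _, rule := range t.chains[chain] {
		f := strings.Fields(rule)
		src, target := "", ""
		for i := 0; i+1 < len(f); i++ {
			switch f[i] {
			case "-s":
				src = f[i+1]
			case "-j":
				target = f[i+1]
			}
		}
		if src == "" || src == srcIP {
			return target
		}
	}
	return "" // nothing matched; the chain policy would apply
}

// segregationVerdicts builds a per-cluster forward chain whose starting rule is a catch-all DROP,
// adds an ACCEPT for one allowed pod with the given strategy, and reports the verdicts for that pod
// and for an unrelated one.
func segregationVerdicts(strategy RuleInsertionStrategyType) (allowed, other string) {
	t := newFakeTable("FORWARD")
	ensureChainWithJump(t, "FORWARD", "LIQONET-FORWARD")
	const cls = "CLUSTER-FORWARD-example" // constructed chain name, not a Liqo identifier
	ensureChainWithJump(t, "LIQONET-FORWARD", cls)
	t.insert(cls, "-j DROP", Append)                 // the starting DROP rule
	t.insert(cls, "-s 10.1.0.5 -j ACCEPT", strategy) // allowed offloaded pod (constructed IP)
	return verdict(t, cls, "10.1.0.5"), verdict(t, cls, "10.1.0.6")
}

func main() {
	for _, s := range []RuleInsertionStrategyType{Prepend, Append} {
		a, o := segregationVerdicts(s)
		fmt.Printf("%-9s allowed=%-6s other=%s\n", s, a, o)
	}
}
```

With Prepend the allow rule sits ahead of the DROP and the chain behaves as an allow-list; with Append it lands behind the DROP and is never reached, so every forwarded packet for that cluster is dropped. The reverse mistake, prepending a broad rule ahead of a DROP that was meant to be final, widens what the chain lets through. Listing the chain after reconciliation (ListRulesInChain) and checking the relative position of the DROP is the practical verification.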
