rules

package
v1.11.0-cni-plu...-0883212 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 19, 2024 License: Apache-2.0, Apache-2.0 Imports: 25 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// ChainNamePrefix is a prefix used for all our iptables chain names.  We include a '-' at
	// the end to reduce clashes with other apps.  Our OpenStack DHCP agent uses prefix
	// 'calico-dhcp-', for example.
	ChainNamePrefix = "cali-"

	// IPSetNamePrefix: similarly for IP sets, we use the following prefix; the IP sets layer
	// adds its own "-" so it isn't included here.
	IPSetNamePrefix = ipsets.IPSetNamePrefix

	ChainFilterInput   = ChainNamePrefix + "INPUT"
	ChainFilterForward = ChainNamePrefix + "FORWARD"
	ChainFilterOutput  = ChainNamePrefix + "OUTPUT"

	ChainRawPrerouting         = ChainNamePrefix + "PREROUTING"
	ChainRawOutput             = ChainNamePrefix + "OUTPUT"
	ChainRawUntrackedFlows     = ChainNamePrefix + "untracked-flows"
	ChainRawBPFUntrackedPolicy = ChainNamePrefix + "untracked-policy"

	ChainFailsafeIn  = ChainNamePrefix + "failsafe-in"
	ChainFailsafeOut = ChainNamePrefix + "failsafe-out"

	ChainNATPrerouting  = ChainNamePrefix + "PREROUTING"
	ChainNATPostrouting = ChainNamePrefix + "POSTROUTING"
	ChainNATOutput      = ChainNamePrefix + "OUTPUT"
	ChainNATOutgoing    = ChainNamePrefix + "nat-outgoing"

	ChainManglePrerouting  = ChainNamePrefix + "PREROUTING"
	ChainManglePostrouting = ChainNamePrefix + "POSTROUTING"

	IPSetIDNATOutgoingAllPools  = "all-ipam-pools"
	IPSetIDNATOutgoingMasqPools = "masq-ipam-pools"

	IPSetIDAllHostNets        = "all-hosts-net"
	IPSetIDAllVXLANSourceNets = "all-vxlan-net"
	IPSetIDThisHostIPs        = "this-host"

	ChainFIPDnat = ChainNamePrefix + "fip-dnat"
	ChainFIPSnat = ChainNamePrefix + "fip-snat"

	ChainCIDRBlock = ChainNamePrefix + "cidr-block"

	PolicyInboundPfx   PolicyChainNamePrefix  = ChainNamePrefix + "pi-"
	PolicyOutboundPfx  PolicyChainNamePrefix  = ChainNamePrefix + "po-"
	ProfileInboundPfx  ProfileChainNamePrefix = ChainNamePrefix + "pri-"
	ProfileOutboundPfx ProfileChainNamePrefix = ChainNamePrefix + "pro-"

	PolicyGroupInboundPrefix  string = ChainNamePrefix + "gi-"
	PolicyGroupOutboundPrefix string = ChainNamePrefix + "go-"

	ChainWorkloadToHost       = ChainNamePrefix + "wl-to-host"
	ChainFromWorkloadDispatch = ChainNamePrefix + "from-wl-dispatch"
	ChainToWorkloadDispatch   = ChainNamePrefix + "to-wl-dispatch"

	ChainDispatchToHostEndpoint          = ChainNamePrefix + "to-host-endpoint"
	ChainDispatchFromHostEndpoint        = ChainNamePrefix + "from-host-endpoint"
	ChainDispatchToHostEndpointForward   = ChainNamePrefix + "to-hep-forward"
	ChainDispatchFromHostEndPointForward = ChainNamePrefix + "from-hep-forward"
	ChainDispatchSetEndPointMark         = ChainNamePrefix + "set-endpoint-mark"
	ChainDispatchFromEndPointMark        = ChainNamePrefix + "from-endpoint-mark"

	ChainForwardCheck        = ChainNamePrefix + "forward-check"
	ChainForwardEndpointMark = ChainNamePrefix + "forward-endpoint-mark"

	ChainSetWireguardIncomingMark = ChainNamePrefix + "wireguard-incoming-mark"

	ChainRpfSkip = ChainNamePrefix + "rpf-skip"

	WorkloadToEndpointPfx   = ChainNamePrefix + "tw-"
	WorkloadPfxSpecialAllow = "ALLOW"
	WorkloadFromEndpointPfx = ChainNamePrefix + "fw-"

	SetEndPointMarkPfx = ChainNamePrefix + "sm-"

	HostToEndpointPfx          = ChainNamePrefix + "th-"
	HostFromEndpointPfx        = ChainNamePrefix + "fh-"
	HostToEndpointForwardPfx   = ChainNamePrefix + "thfw-"
	HostFromEndpointForwardPfx = ChainNamePrefix + "fhfw-"

	RPFChain = ChainNamePrefix + "rpf"

	RuleHashPrefix = "cali:"

	// HistoricNATRuleInsertRegex is a regex pattern to match to match
	// special-case rules inserted by old versions of felix.  Specifically,
	// Python felix used to insert a masquerade rule directly into the
	// POSTROUTING chain.
	//
	// Note: this regex depends on the output format of iptables-save so,
	// where possible, it's best to match only on part of the rule that
	// we're sure can't change (such as the ipset name in the masquerade
	// rule).
	HistoricInsertedNATRuleRegex = `-A POSTROUTING .* felix-masq-ipam-pools .*|` +
		`-A POSTROUTING -o tunl0 -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE`

	KubeProxyInsertRuleRegex = `-j KUBE-[a-zA-Z0-9-]*SERVICES|-j KUBE-FORWARD`
)
View Source
const (
	ProtoIPIP   = 4
	ProtoTCP    = 6
	ProtoUDP    = 17
	ProtoICMPv6 = 58
)

MaxPolicyGroupUIDLength is sized for UIDs to fit into their chain names.

Variables

View Source
var (
	// AllHistoricChainNamePrefixes lists all the prefixes that we've used for chains.  Keeping
	// track of the old names lets us clean them up.
	AllHistoricChainNamePrefixes = []string{

		"cali-",

		"califw-",
		"calitw-",
		"califh-",
		"calith-",
		"calipi-",
		"calipo-",

		"felix-",
	}
	// AllHistoricIPSetNamePrefixes, similarly contains all the prefixes we've ever used for IP
	// sets.
	AllHistoricIPSetNamePrefixes = []string{"felix-", "cali"}
	// LegacyV4IPSetNames contains some extra IP set names that were used in older versions of
	// Felix and don't fit our versioned pattern.
	LegacyV4IPSetNames = []string{"felix-masq-ipam-pools", "felix-all-ipam-pools"}

	// Rule previxes used by kube-proxy.  Note: we exclude the so-called utility chains KUBE-MARK-MASQ and co because
	// they are jointly owned by kube-proxy and kubelet.
	KubeProxyChainPrefixes = []string{
		"KUBE-FORWARD",
		"KUBE-SERVICES",
		"KUBE-EXTERNAL-SERVICES",
		"KUBE-NODEPORTS",
		"KUBE-SVC-",
		"KUBE-SEP-",
		"KUBE-FW-",
		"KUBE-XLB-",
	}
)

Functions

func EndpointChainName

func EndpointChainName(prefix string, ifaceName string, maxLen int) string

func FilterRuleToIPVersion

func FilterRuleToIPVersion(ipVersion uint8, pRule *proto.Rule) *proto.Rule

FilterRuleToIPVersion: If the rule applies to the given IP version, returns a copy of the rule excluding the CIDRs that are not of the given IP version. If the rule does not apply to the given IP version at all, returns nil.

func PolicyChainName

func PolicyChainName(prefix PolicyChainNamePrefix, polID *proto.PolicyID) string

func ProfileChainName

func ProfileChainName(prefix ProfileChainNamePrefix, profID *proto.ProfileID) string

func SplitPortList

func SplitPortList(ports []*proto.PortRange) (splits [][]*proto.PortRange)

SplitPortList splits the input list of ports into groups containing up to 15 port numbers. If the input list is empty, it returns an empty slice.

The requirement to split into groups of 15, comes from iptables' limit on the number of ports "slots" in a multiport match. A single port takes up one slot, a range of ports requires 2.

Types

type Config

type Config struct {
	IPSetConfigV4 *ipsets.IPVersionConfig
	IPSetConfigV6 *ipsets.IPVersionConfig

	WorkloadIfacePrefixes []string

	MarkAccept   uint32
	MarkPass     uint32
	MarkScratch0 uint32
	MarkScratch1 uint32
	MarkEndpoint uint32
	// MarkNonCaliEndpoint is an endpoint mark which is reserved
	// to mark non-calico (workload or host) endpoint.
	MarkNonCaliEndpoint uint32

	KubeNodePortRanges     []numorstring.Port
	KubeIPVSSupportEnabled bool

	OpenStackMetadataIP          net.IP
	OpenStackMetadataPort        uint16
	OpenStackSpecialCasesEnabled bool

	VXLANEnabled   bool
	VXLANEnabledV6 bool
	VXLANPort      int
	VXLANVNI       int

	IPIPEnabled            bool
	FelixConfigIPIPEnabled *bool
	// IPIPTunnelAddress is an address chosen from an IPAM pool, used as a source address
	// by the host when sending traffic to a workload over IPIP.
	IPIPTunnelAddress net.IP
	// Same for VXLAN.
	VXLANTunnelAddress   net.IP
	VXLANTunnelAddressV6 net.IP

	AllowVXLANPacketsFromWorkloads bool
	AllowIPIPPacketsFromWorkloads  bool

	WireguardEnabled            bool
	WireguardEnabledV6          bool
	WireguardInterfaceName      string
	WireguardInterfaceNameV6    string
	WireguardMark               uint32
	WireguardListeningPort      int
	WireguardListeningPortV6    int
	WireguardEncryptHostTraffic bool
	RouteSource                 string

	LogPrefix            string
	EndpointToHostAction string
	FilterAllowAction    string
	MangleAllowAction    string
	FilterDenyAction     string

	FailsafeInboundHostPorts  []config.ProtoPort
	FailsafeOutboundHostPorts []config.ProtoPort

	DisableConntrackInvalid bool

	NATPortRange                       numorstring.Port
	IptablesNATOutgoingInterfaceFilter string

	NATOutgoingAddress             net.IP
	BPFEnabled                     bool
	BPFForceTrackPacketsFromIfaces []string
	ServiceLoopPrevention          string

	NFTables bool
}

type DefaultEPMarkManager

type DefaultEPMarkManager struct {
	// contains filtered or unexported fields
}

func (*DefaultEPMarkManager) GetEndpointMark

func (epmm *DefaultEPMarkManager) GetEndpointMark(ep string) (uint32, error)

func (*DefaultEPMarkManager) GetMask

func (epmm *DefaultEPMarkManager) GetMask() uint32

func (*DefaultEPMarkManager) ReleaseEndpointMark

func (epmm *DefaultEPMarkManager) ReleaseEndpointMark(ep string)

func (*DefaultEPMarkManager) SetEndpointMark

func (epmm *DefaultEPMarkManager) SetEndpointMark(ep string, mark uint32) error

This is used to set a mark for an endpoint from previous allocated mark. The endpoint should not have a mark already.

type DefaultRuleRenderer

type DefaultRuleRenderer struct {
	generictables.ActionFactory

	Config

	NewMatch func() generictables.MatchCriteria
	// contains filtered or unexported fields
}

func (*DefaultRuleRenderer) BlockedCIDRsToIptablesChains

func (r *DefaultRuleRenderer) BlockedCIDRsToIptablesChains(cidrs []string, ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) CalculateActions

func (r *DefaultRuleRenderer) CalculateActions(pRule *proto.Rule, ipVersion uint8) (mark uint32, actions []generictables.Action)

func (*DefaultRuleRenderer) CalculateRuleMatch

func (r *DefaultRuleRenderer) CalculateRuleMatch(pRule *proto.Rule, ipVersion uint8) generictables.MatchCriteria

func (*DefaultRuleRenderer) DNATsToIptablesChains

func (r *DefaultRuleRenderer) DNATsToIptablesChains(dnats map[string]string) []*Chain

func (*DefaultRuleRenderer) EndpointMarkDispatchChains

func (r *DefaultRuleRenderer) EndpointMarkDispatchChains(
	epMarkMapper EndpointMarkMapper,
	wlEndpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint,
	hepEndpoints map[string]proto.HostEndpointID,
) []*generictables.Chain

In some scenario, e.g. packet goes to an kubernetes ipvs service ip. Traffic goes through input/output filter chain instead of forward filter chain. It is not feasible to match on an incoming workload/host interface with service ips. Assemble a set-endpoint-mark chain to set the endpoint mark matching on the incoming workload/host interface and a from-endpoint-mark chain to jump to a corresponding endpoint chain matching on its endpoint mark.

func (*DefaultRuleRenderer) FilterInputChainAllowWG

func (r *DefaultRuleRenderer) FilterInputChainAllowWG(ipVersion uint8, c Config, allowAction generictables.Action) []generictables.Rule

func (*DefaultRuleRenderer) FromHostDispatchChains

func (r *DefaultRuleRenderer) FromHostDispatchChains(
	endpoints map[string]proto.HostEndpointID,
	defaultIfaceName string,
) []*generictables.Chain

For pre-DNAT policy, which only applies on ingress from a host endpoint.

func (*DefaultRuleRenderer) HostDispatchChains

func (r *DefaultRuleRenderer) HostDispatchChains(
	endpoints map[string]proto.HostEndpointID,
	defaultIfaceName string,
	applyOnForward bool,
) []*generictables.Chain

func (*DefaultRuleRenderer) HostEndpointToFilterChains

func (r *DefaultRuleRenderer) HostEndpointToFilterChains(
	ifaceName string,
	tiers []TierPolicyGroups,
	forwardTiers []TierPolicyGroups,
	epMarkMapper EndpointMarkMapper,
	profileIDs []string,
) []*generictables.Chain

func (*DefaultRuleRenderer) HostEndpointToMangleEgressChains

func (r *DefaultRuleRenderer) HostEndpointToMangleEgressChains(
	ifaceName string,
	tiers []TierPolicyGroups,
	profileIDs []string,
) []*generictables.Chain

func (*DefaultRuleRenderer) HostEndpointToMangleIngressChains

func (r *DefaultRuleRenderer) HostEndpointToMangleIngressChains(
	ifaceName string,
	preDNATTiers []TierPolicyGroups,
) []*generictables.Chain

func (*DefaultRuleRenderer) HostEndpointToRawChains

func (r *DefaultRuleRenderer) HostEndpointToRawChains(
	ifaceName string,
	untrackedTiers []TierPolicyGroups,
) []*generictables.Chain

func (*DefaultRuleRenderer) HostEndpointToRawEgressChain

func (r *DefaultRuleRenderer) HostEndpointToRawEgressChain(
	ifaceName string,
	untrackedTiers []TierPolicyGroups,
) *generictables.Chain

func (*DefaultRuleRenderer) ICMPv6Filter

func (r *DefaultRuleRenderer) ICMPv6Filter(action generictables.Action) []generictables.Rule

func (*DefaultRuleRenderer) IptablesFilterDenyAction

func (r *DefaultRuleRenderer) IptablesFilterDenyAction() generictables.Action

func (*DefaultRuleRenderer) MakeNatOutgoingRule

func (r *DefaultRuleRenderer) MakeNatOutgoingRule(protocol string, action Action, ipVersion uint8) Rule

func (*DefaultRuleRenderer) NATOutgoingChain

func (r *DefaultRuleRenderer) NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *Chain

func (*DefaultRuleRenderer) PolicyGroupToIptablesChains

func (r *DefaultRuleRenderer) PolicyGroupToIptablesChains(group *PolicyGroup) []*generictables.Chain

func (*DefaultRuleRenderer) PolicyToIptablesChains

func (r *DefaultRuleRenderer) PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) ProfileToIptablesChains

func (r *DefaultRuleRenderer) ProfileToIptablesChains(profileID *proto.ProfileID, profile *proto.Profile, ipVersion uint8) (inbound, outbound *generictables.Chain)

func (*DefaultRuleRenderer) ProtoRuleToIptablesRules

func (r *DefaultRuleRenderer) ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []generictables.Rule

func (*DefaultRuleRenderer) ProtoRulesToIptablesRules

func (r *DefaultRuleRenderer) ProtoRulesToIptablesRules(protoRules []*proto.Rule, ipVersion uint8, chainComments ...string) []generictables.Rule

func (*DefaultRuleRenderer) RPFilter

func (r *DefaultRuleRenderer) RPFilter(ipVersion uint8, mark, mask uint32, openStackSpecialCasesEnabled bool, dropActionOverride generictables.Action) []generictables.Rule

RPFilter returns rules that implement RPF

func (*DefaultRuleRenderer) SNATsToIptablesChains

func (r *DefaultRuleRenderer) SNATsToIptablesChains(snats map[string]string) []*Chain

func (*DefaultRuleRenderer) StaticBPFModeRawChains

func (r *DefaultRuleRenderer) StaticBPFModeRawChains(ipVersion uint8,
	wgEncryptHost, bypassHostConntrack bool,
) []*generictables.Chain

func (*DefaultRuleRenderer) StaticFilterForwardAppendRules

func (r *DefaultRuleRenderer) StaticFilterForwardAppendRules() []generictables.Rule

StaticFilterForwardAppendRules returns rules which should be statically appended to the end of the filter table's forward chain.

func (*DefaultRuleRenderer) StaticFilterForwardChains

func (r *DefaultRuleRenderer) StaticFilterForwardChains() []*generictables.Chain

func (*DefaultRuleRenderer) StaticFilterInputChains

func (r *DefaultRuleRenderer) StaticFilterInputChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) StaticFilterInputForwardCheckChain

func (r *DefaultRuleRenderer) StaticFilterInputForwardCheckChain(ipVersion uint8) *generictables.Chain

Forward check chain is to check if a packet belongs to a forwarded traffic or not. With kube-proxy running in ipvs mode, both local or forwarded traffic goes through INPUT filter chain.

func (*DefaultRuleRenderer) StaticFilterOutputChains

func (r *DefaultRuleRenderer) StaticFilterOutputChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) StaticFilterOutputForwardEndpointMarkChain

func (r *DefaultRuleRenderer) StaticFilterOutputForwardEndpointMarkChain() *generictables.Chain

With kube-proxy running in ipvs mode, we categorise traffic going through OUTPUT chain into three classes. Class 1. forwarded packet originated from a calico workload or host endpoint --> INPUT filter --> OUTPUT filter Class 2. forwarded packet originated from a non calico endpoint --> INPUT filter --> OUTPUT filter Class 3. local process originated packet --> OUTPUT filter This function handles traffic in Class 1 and Class 2.

func (*DefaultRuleRenderer) StaticFilterTableChains

func (r *DefaultRuleRenderer) StaticFilterTableChains(ipVersion uint8) (chains []*generictables.Chain)

func (*DefaultRuleRenderer) StaticManglePostroutingChain

func (r *DefaultRuleRenderer) StaticManglePostroutingChain(ipVersion uint8) *generictables.Chain

func (*DefaultRuleRenderer) StaticManglePreroutingChain

func (r *DefaultRuleRenderer) StaticManglePreroutingChain(ipVersion uint8) *generictables.Chain

func (*DefaultRuleRenderer) StaticMangleTableChains

func (r *DefaultRuleRenderer) StaticMangleTableChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) StaticNATOutputChains

func (r *DefaultRuleRenderer) StaticNATOutputChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) StaticNATPostroutingChains

func (r *DefaultRuleRenderer) StaticNATPostroutingChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) StaticNATPreroutingChains

func (r *DefaultRuleRenderer) StaticNATPreroutingChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) StaticNATTableChains

func (r *DefaultRuleRenderer) StaticNATTableChains(ipVersion uint8) (chains []*generictables.Chain)

func (*DefaultRuleRenderer) StaticRawOutputChain

func (r *DefaultRuleRenderer) StaticRawOutputChain(tcBypassMark uint32, ipVersion uint8) *generictables.Chain

func (*DefaultRuleRenderer) StaticRawPreroutingChain

func (r *DefaultRuleRenderer) StaticRawPreroutingChain(ipVersion uint8) *generictables.Chain

func (*DefaultRuleRenderer) StaticRawTableChains

func (r *DefaultRuleRenderer) StaticRawTableChains(ipVersion uint8) []*generictables.Chain

func (*DefaultRuleRenderer) ToHostDispatchChains

func (r *DefaultRuleRenderer) ToHostDispatchChains(
	endpoints map[string]proto.HostEndpointID,
	defaultIfaceName string,
) []*generictables.Chain

For applying normal host endpoint egress policy to traffic from the host which has been DNAT'd.

func (*DefaultRuleRenderer) WireguardIncomingMarkChain

func (r *DefaultRuleRenderer) WireguardIncomingMarkChain() *generictables.Chain

func (*DefaultRuleRenderer) WorkloadDispatchChains

func (r *DefaultRuleRenderer) WorkloadDispatchChains(
	endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint,
) []*generictables.Chain

func (*DefaultRuleRenderer) WorkloadEndpointToIptablesChains

func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(
	ifaceName string,
	epMarkMapper EndpointMarkMapper,
	adminUp bool,
	tiers []TierPolicyGroups,
	profileIDs []string,
) []*generictables.Chain

func (*DefaultRuleRenderer) WorkloadInterfaceAllowChains

func (r *DefaultRuleRenderer) WorkloadInterfaceAllowChains(
	endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint,
) []*generictables.Chain

type EndpointMarkMapper

type EndpointMarkMapper interface {
	GetMask() uint32
	GetEndpointMark(ep string) (uint32, error)
	ReleaseEndpointMark(ep string)
	SetEndpointMark(ep string, mark uint32) error
}

Endpoint Mark Mapper (EPM) provides set of functions to manage allocation/free endpoint mark bit given a mark bit mask. Note: This is not thread safe.

func NewEndpointMarkMapper

func NewEndpointMarkMapper(markMask, nonCaliMark uint32) EndpointMarkMapper

func NewEndpointMarkMapperWithShim

func NewEndpointMarkMapperWithShim(markMask, nonCaliMark uint32, hash32 HashCalculator32) EndpointMarkMapper

type HashCalculator32

type HashCalculator32 interface {
	// Write (via the embedded io.Writer interface) adds more data to the running hash.
	// It never returns an error.
	io.Writer

	// Sum32 returns a hash result of uint32.
	// It does not change the underlying hash state.
	Sum32() uint32

	// Reset resets the Hash to its initial state.
	Reset()
}

This interface has subset of functions of built in hash32 interface.

type PolicyChainNamePrefix

type PolicyChainNamePrefix string

Typedefs to prevent accidentally passing the wrong prefix to the Policy/ProfileChainName()

type PolicyDirection

type PolicyDirection string
const (
	PolicyDirectionInbound  PolicyDirection = "inbound"  // AKA ingress
	PolicyDirectionOutbound PolicyDirection = "outbound" // AKA egress
)

type PolicyGroup

type PolicyGroup struct {
	// Tier is only used in enterprise.  There can be policies with the same
	// name in different tiers so we need to disambiguate.
	Tier string
	// Direction matches the policy model direction inbound/outbound. Each
	// group is either inbound or outbound since the set of active policy
	// can differ between the directions (a policy may have inbound rules
	// only, for example).
	Direction   PolicyDirection
	PolicyNames []string
	// Selector is the original selector used by the grouped policies.  By
	// grouping on selector, we ensure that if one policy in a group matches
	// an endpoint then all policies in that group must match the endpoint.
	// Thus, two endpoint that share any policy in the group must share the
	// whole group.
	Selector string
	// contains filtered or unexported fields
}

PolicyGroup represents a sequence of one or more policies extracted from a list of policies. If large enough (currently >1 entry) it will be programmed into its own chain.

func (*PolicyGroup) ChainName

func (g *PolicyGroup) ChainName() string

func (*PolicyGroup) ShouldBeInlined

func (g *PolicyGroup) ShouldBeInlined() bool

func (*PolicyGroup) UniqueID

func (g *PolicyGroup) UniqueID() string

type PolicyGroupSliceStringer

type PolicyGroupSliceStringer []*PolicyGroup

PolicyGroupSliceStringer provides a String() method for a slice of PolicyGroup pointers.

func (PolicyGroupSliceStringer) String

func (p PolicyGroupSliceStringer) String() string

type ProfileChainNamePrefix

type ProfileChainNamePrefix string

Typedefs to prevent accidentally passing the wrong prefix to the Policy/ProfileChainName()

type RuleRenderer

type RuleRenderer interface {
	StaticFilterTableChains(ipVersion uint8) []*generictables.Chain
	StaticNATTableChains(ipVersion uint8) []*generictables.Chain
	StaticNATPostroutingChains(ipVersion uint8) []*generictables.Chain
	StaticRawTableChains(ipVersion uint8) []*generictables.Chain
	StaticBPFModeRawChains(ipVersion uint8, wgEncryptHost, disableConntrack bool) []*generictables.Chain
	StaticMangleTableChains(ipVersion uint8) []*generictables.Chain
	StaticFilterForwardAppendRules() []generictables.Rule

	WorkloadDispatchChains(map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*generictables.Chain
	WorkloadEndpointToIptablesChains(
		ifaceName string,
		epMarkMapper EndpointMarkMapper,
		adminUp bool,
		tiers []TierPolicyGroups,
		profileIDs []string,
	) []*generictables.Chain
	PolicyGroupToIptablesChains(group *PolicyGroup) []*generictables.Chain

	WorkloadInterfaceAllowChains(endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*generictables.Chain

	EndpointMarkDispatchChains(
		epMarkMapper EndpointMarkMapper,
		wlEndpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint,
		hepEndpoints map[string]proto.HostEndpointID,
	) []*generictables.Chain

	HostDispatchChains(map[string]proto.HostEndpointID, string, bool) []*generictables.Chain
	FromHostDispatchChains(map[string]proto.HostEndpointID, string) []*generictables.Chain
	ToHostDispatchChains(map[string]proto.HostEndpointID, string) []*generictables.Chain
	HostEndpointToFilterChains(
		ifaceName string,
		tiers []TierPolicyGroups,
		forwardTiers []TierPolicyGroups,
		epMarkMapper EndpointMarkMapper,
		profileIDs []string,
	) []*generictables.Chain
	HostEndpointToMangleEgressChains(
		ifaceName string,
		tiers []TierPolicyGroups,
		profileIDs []string,
	) []*generictables.Chain
	HostEndpointToRawEgressChain(
		ifaceName string,
		untrackedTiers []TierPolicyGroups,
	) *generictables.Chain
	HostEndpointToRawChains(
		ifaceName string,
		untrackedTiers []TierPolicyGroups,
	) []*generictables.Chain
	HostEndpointToMangleIngressChains(
		ifaceName string,
		preDNATTiers []TierPolicyGroups,
	) []*generictables.Chain

	PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*generictables.Chain
	ProfileToIptablesChains(profileID *proto.ProfileID, policy *proto.Profile, ipVersion uint8) (inbound, outbound *generictables.Chain)
	ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []generictables.Rule

	MakeNatOutgoingRule(protocol string, action generictables.Action, ipVersion uint8) generictables.Rule
	NATOutgoingChain(active bool, ipVersion uint8) *generictables.Chain

	DNATsToIptablesChains(dnats map[string]string) []*generictables.Chain
	SNATsToIptablesChains(snats map[string]string) []*generictables.Chain
	BlockedCIDRsToIptablesChains(cidrs []string, ipVersion uint8) []*generictables.Chain

	WireguardIncomingMarkChain() *generictables.Chain

	IptablesFilterDenyAction() generictables.Action

	FilterInputChainAllowWG(ipVersion uint8, c Config, allowAction generictables.Action) []generictables.Rule
	ICMPv6Filter(action generictables.Action) []generictables.Rule
}

func NewRenderer

func NewRenderer(config Config) RuleRenderer

type TierPolicyGroups

type TierPolicyGroups struct {
	Name            string
	DefaultAction   string
	IngressPolicies []*PolicyGroup
	EgressPolicies  []*PolicyGroup
}

type TierPolicyGroupsStringer

type TierPolicyGroupsStringer []TierPolicyGroups

func (TierPolicyGroupsStringer) String

func (tiers TierPolicyGroupsStringer) String() string

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL