rules

package
v3.0.12+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 19, 2019 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// ChainNamePrefix is a prefix used for all our iptables chain names.  We include a '-' at
	// the end to reduce clashes with other apps.  Our OpenStack DHCP agent uses prefix
	// 'calico-dhcp-', for example.
	ChainNamePrefix = "cali-"
	// IPSetNamePrefix: similarly for IP sets, we use the following prefix; the IP sets layer
	// adds its own "-" so it isn't included here.
	IPSetNamePrefix = "cali"

	ChainFilterInput   = ChainNamePrefix + "INPUT"
	ChainFilterForward = ChainNamePrefix + "FORWARD"
	ChainFilterOutput  = ChainNamePrefix + "OUTPUT"

	ChainRawPrerouting = ChainNamePrefix + "PREROUTING"
	ChainRawOutput     = ChainNamePrefix + "OUTPUT"

	ChainFailsafeIn  = ChainNamePrefix + "failsafe-in"
	ChainFailsafeOut = ChainNamePrefix + "failsafe-out"

	ChainNATPrerouting  = ChainNamePrefix + "PREROUTING"
	ChainNATPostrouting = ChainNamePrefix + "POSTROUTING"
	ChainNATOutput      = ChainNamePrefix + "OUTPUT"
	ChainNATOutgoing    = ChainNamePrefix + "nat-outgoing"

	ChainManglePrerouting = ChainNamePrefix + "PREROUTING"

	IPSetIDNATOutgoingAllPools  = "all-ipam-pools"
	IPSetIDNATOutgoingMasqPools = "masq-ipam-pools"

	IPSetIDAllHostIPs = "all-hosts"

	ChainFIPDnat = ChainNamePrefix + "fip-dnat"
	ChainFIPSnat = ChainNamePrefix + "fip-snat"

	PolicyInboundPfx   PolicyChainNamePrefix  = ChainNamePrefix + "pi-"
	PolicyOutboundPfx  PolicyChainNamePrefix  = ChainNamePrefix + "po-"
	ProfileInboundPfx  ProfileChainNamePrefix = ChainNamePrefix + "pri-"
	ProfileOutboundPfx ProfileChainNamePrefix = ChainNamePrefix + "pro-"

	ChainWorkloadToHost       = ChainNamePrefix + "wl-to-host"
	ChainFromWorkloadDispatch = ChainNamePrefix + "from-wl-dispatch"
	ChainToWorkloadDispatch   = ChainNamePrefix + "to-wl-dispatch"

	ChainDispatchToHostEndpoint          = ChainNamePrefix + "to-host-endpoint"
	ChainDispatchFromHostEndpoint        = ChainNamePrefix + "from-host-endpoint"
	ChainDispatchToHostEndpointForward   = ChainNamePrefix + "to-hep-forward"
	ChainDispatchFromHostEndPointForward = ChainNamePrefix + "from-hep-forward"

	WorkloadToEndpointPfx   = ChainNamePrefix + "tw-"
	WorkloadFromEndpointPfx = ChainNamePrefix + "fw-"

	HostToEndpointPfx          = ChainNamePrefix + "th-"
	HostFromEndpointPfx        = ChainNamePrefix + "fh-"
	HostToEndpointForwardPfx   = ChainNamePrefix + "thfw-"
	HostFromEndpointForwardPfx = ChainNamePrefix + "fhfw-"

	RuleHashPrefix = "cali:"

	// HistoricNATRuleInsertRegex is a regex pattern to match to match
	// special-case rules inserted by old versions of felix.  Specifically,
	// Python felix used to insert a masquerade rule directly into the
	// POSTROUTING chain.
	//
	// Note: this regex depends on the output format of iptables-save so,
	// where possible, it's best to match only on part of the rule that
	// we're sure can't change (such as the ipset name in the masquerade
	// rule).
	HistoricInsertedNATRuleRegex = `-A POSTROUTING .* felix-masq-ipam-pools .*|` +
		`-A POSTROUTING -o tunl0 -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE`
)
View Source
const (
	ProtoIPIP   = 4
	ProtoICMPv6 = 58
)

Variables

View Source
var (
	// AllHistoricChainNamePrefixes lists all the prefixes that we've used for chains.  Keeping
	// track of the old names lets us clean them up.
	AllHistoricChainNamePrefixes = []string{

		"cali-",

		"califw-",
		"calitw-",
		"califh-",
		"calith-",
		"calipi-",
		"calipo-",

		"felix-",
	}
	// AllHistoricIPSetNamePrefixes, similarly contains all the prefixes we've ever used for IP
	// sets.
	AllHistoricIPSetNamePrefixes = []string{"felix-", "cali"}
	// LegacyV4IPSetNames contains some extra IP set names that were used in older versions of
	// Felix and don't fit our versioned pattern.
	LegacyV4IPSetNames = []string{"felix-masq-ipam-pools", "felix-all-ipam-pools"}
)
View Source
var SkipRule = errors.New("Rule skipped")

Functions

func EndpointChainName

func EndpointChainName(prefix string, ifaceName string) string

func PolicyChainName

func PolicyChainName(prefix PolicyChainNamePrefix, polID *proto.PolicyID) string

func ProfileChainName

func ProfileChainName(prefix ProfileChainNamePrefix, profID *proto.ProfileID) string

func SplitPortList

func SplitPortList(ports []*proto.PortRange) (splits [][]*proto.PortRange)

SplitPortList splits the input list of ports into groups containing up to 15 port numbers. If the input list is empty, it returns an empty slice.

The requirement to split into groups of 15, comes from iptables' limit on the number of ports "slots" in a multiport match. A single port takes up one slot, a range of ports requires 2.

Types

type Config

type Config struct {
	IPSetConfigV4 *ipsets.IPVersionConfig
	IPSetConfigV6 *ipsets.IPVersionConfig

	WorkloadIfacePrefixes []string

	IptablesMarkAccept   uint32
	IptablesMarkPass     uint32
	IptablesMarkScratch0 uint32
	IptablesMarkScratch1 uint32

	OpenStackMetadataIP          net.IP
	OpenStackMetadataPort        uint16
	OpenStackSpecialCasesEnabled bool

	IPIPEnabled bool
	// IPIPTunnelAddress is an address chosen from an IPAM pool, used as a source address
	// by the host when sending traffic to a workload over IPIP.
	IPIPTunnelAddress net.IP

	IptablesLogPrefix         string
	EndpointToHostAction      string
	IptablesFilterAllowAction string
	IptablesMangleAllowAction string

	FailsafeInboundHostPorts  []config.ProtoPort
	FailsafeOutboundHostPorts []config.ProtoPort

	DisableConntrackInvalid            bool
	IptablesNATOutgoingInterfaceFilter string
}

type DefaultRuleRenderer

type DefaultRuleRenderer struct {
	Config
	// contains filtered or unexported fields
}

func (*DefaultRuleRenderer) CalculateActions

func (r *DefaultRuleRenderer) CalculateActions(pRule *proto.Rule, ipVersion uint8) (mark uint32, actions []iptables.Action)

func (*DefaultRuleRenderer) CalculateRuleMatch

func (r *DefaultRuleRenderer) CalculateRuleMatch(pRule *proto.Rule, ipVersion uint8) (iptables.MatchCriteria, error)

func (*DefaultRuleRenderer) DNATsToIptablesChains

func (r *DefaultRuleRenderer) DNATsToIptablesChains(dnats map[string]string) []*iptables.Chain

func (*DefaultRuleRenderer) FromHostDispatchChains

func (r *DefaultRuleRenderer) FromHostDispatchChains(
	endpoints map[string]proto.HostEndpointID,
) []*Chain

func (*DefaultRuleRenderer) HostDispatchChains

func (r *DefaultRuleRenderer) HostDispatchChains(
	endpoints map[string]proto.HostEndpointID,
	applyOnForward bool,
) []*Chain

func (*DefaultRuleRenderer) HostEndpointToFilterChains

func (r *DefaultRuleRenderer) HostEndpointToFilterChains(
	ifaceName string,
	ingressPolicyNames []string,
	egressPolicyNames []string,
	ingressForwardPolicyNames []string,
	egressForwardPolicyNames []string,
	profileIDs []string,
) []*Chain

func (*DefaultRuleRenderer) HostEndpointToMangleChains

func (r *DefaultRuleRenderer) HostEndpointToMangleChains(
	ifaceName string,
	preDNATPolicyNames []string,
) []*Chain

func (*DefaultRuleRenderer) HostEndpointToRawChains

func (r *DefaultRuleRenderer) HostEndpointToRawChains(
	ifaceName string,
	ingressPolicyNames []string,
	egressPolicyNames []string,
) []*Chain

func (*DefaultRuleRenderer) MakeNatOutgoingRule

func (r *DefaultRuleRenderer) MakeNatOutgoingRule(protocol string, action iptables.Action, ipVersion uint8) iptables.Rule

func (*DefaultRuleRenderer) NATOutgoingChain

func (r *DefaultRuleRenderer) NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *iptables.Chain

func (*DefaultRuleRenderer) PolicyToIptablesChains

func (r *DefaultRuleRenderer) PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*iptables.Chain

func (*DefaultRuleRenderer) ProfileToIptablesChains

func (r *DefaultRuleRenderer) ProfileToIptablesChains(profileID *proto.ProfileID, profile *proto.Profile, ipVersion uint8) []*iptables.Chain

func (*DefaultRuleRenderer) ProtoRuleToIptablesRules

func (r *DefaultRuleRenderer) ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []iptables.Rule

func (*DefaultRuleRenderer) ProtoRulesToIptablesRules

func (r *DefaultRuleRenderer) ProtoRulesToIptablesRules(protoRules []*proto.Rule, ipVersion uint8) []iptables.Rule

func (*DefaultRuleRenderer) SNATsToIptablesChains

func (r *DefaultRuleRenderer) SNATsToIptablesChains(snats map[string]string) []*iptables.Chain

func (*DefaultRuleRenderer) StaticFilterForwardChains

func (r *DefaultRuleRenderer) StaticFilterForwardChains() []*Chain

func (*DefaultRuleRenderer) StaticFilterInputChains

func (r *DefaultRuleRenderer) StaticFilterInputChains(ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) StaticFilterOutputChains

func (r *DefaultRuleRenderer) StaticFilterOutputChains(ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) StaticFilterTableChains

func (r *DefaultRuleRenderer) StaticFilterTableChains(ipVersion uint8) (chains []*Chain)

func (*DefaultRuleRenderer) StaticManglePreroutingChain

func (r *DefaultRuleRenderer) StaticManglePreroutingChain(ipVersion uint8) *Chain

func (*DefaultRuleRenderer) StaticMangleTableChains

func (r *DefaultRuleRenderer) StaticMangleTableChains(ipVersion uint8) (chains []*Chain)

func (*DefaultRuleRenderer) StaticNATOutputChains

func (r *DefaultRuleRenderer) StaticNATOutputChains(ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) StaticNATPostroutingChains

func (r *DefaultRuleRenderer) StaticNATPostroutingChains(ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) StaticNATPreroutingChains

func (r *DefaultRuleRenderer) StaticNATPreroutingChains(ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) StaticNATTableChains

func (r *DefaultRuleRenderer) StaticNATTableChains(ipVersion uint8) (chains []*Chain)

func (*DefaultRuleRenderer) StaticRawOutputChain

func (r *DefaultRuleRenderer) StaticRawOutputChain() *Chain

func (*DefaultRuleRenderer) StaticRawPreroutingChain

func (r *DefaultRuleRenderer) StaticRawPreroutingChain(ipVersion uint8) *Chain

func (*DefaultRuleRenderer) StaticRawTableChains

func (r *DefaultRuleRenderer) StaticRawTableChains(ipVersion uint8) []*Chain

func (*DefaultRuleRenderer) WorkloadDispatchChains

func (r *DefaultRuleRenderer) WorkloadDispatchChains(
	endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint,
) []*Chain

func (*DefaultRuleRenderer) WorkloadEndpointToIptablesChains

func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(
	ifaceName string,
	adminUp bool,
	ingressPolicies []string,
	egressPolicies []string,
	profileIDs []string,
) []*Chain

type PolicyChainNamePrefix

type PolicyChainNamePrefix string

Typedefs to prevent accidentally passing the wrong prefix to the Policy/ProfileChainName()

type ProfileChainNamePrefix

type ProfileChainNamePrefix string

type RuleRenderer

type RuleRenderer interface {
	StaticFilterTableChains(ipVersion uint8) []*iptables.Chain
	StaticNATTableChains(ipVersion uint8) []*iptables.Chain
	StaticRawTableChains(ipVersion uint8) []*iptables.Chain
	StaticMangleTableChains(ipVersion uint8) []*iptables.Chain

	WorkloadDispatchChains(map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*iptables.Chain
	WorkloadEndpointToIptablesChains(
		ifaceName string,
		adminUp bool,
		ingressPolicies []string,
		egressPolicies []string,
		profileIDs []string,
	) []*iptables.Chain

	HostDispatchChains(map[string]proto.HostEndpointID, bool) []*iptables.Chain
	FromHostDispatchChains(map[string]proto.HostEndpointID) []*iptables.Chain
	HostEndpointToFilterChains(
		ifaceName string,
		ingressPolicyNames []string,
		egressPolicyNames []string,
		ingressForwardPolicyNames []string,
		egressForwardPolicyNames []string,
		profileIDs []string,
	) []*iptables.Chain
	HostEndpointToRawChains(
		ifaceName string,
		ingressPolicyNames []string,
		egressPolicyNames []string,
	) []*iptables.Chain
	HostEndpointToMangleChains(
		ifaceName string,
		preDNATPolicyNames []string,
	) []*iptables.Chain

	PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*iptables.Chain
	ProfileToIptablesChains(profileID *proto.ProfileID, policy *proto.Profile, ipVersion uint8) []*iptables.Chain
	ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []iptables.Rule

	MakeNatOutgoingRule(protocol string, action iptables.Action, ipVersion uint8) iptables.Rule
	NATOutgoingChain(active bool, ipVersion uint8) *iptables.Chain

	DNATsToIptablesChains(dnats map[string]string) []*iptables.Chain
	SNATsToIptablesChains(snats map[string]string) []*iptables.Chain
}

func NewRenderer

func NewRenderer(config Config) RuleRenderer

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL