Documentation
Index
- Constants
- type ACLInfo
- type IPImpl
- type Instance
- func (i *Instance) ACLProvider() []provider.IptablesProvider
- func (i *Instance) AddPortToPortSet(contextID string, port string) error
- func (i *Instance) CleanUp() error
- func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error
- func (i *Instance) DeletePortFromPortSet(contextID string, port string) error
- func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, ...) error
- func (i *Instance) Run(ctx context.Context) error
- func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error
- func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, ...) error
Constants
const (
	// TriremeInput represents the chain that contains pu input rules.
	TriremeInput = chainPrefix + "Pid-Net"
	// TriremeOutput represents the chain that contains pu output rules.
	TriremeOutput = chainPrefix + "Pid-App"
	// NetworkSvcInput represents the chain that contains NetworkSvc input rules.
	NetworkSvcInput = chainPrefix + "Svc-Net"
	// NetworkSvcOutput represents the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = chainPrefix + "Svc-App"
	// HostModeInput represents the chain that contains Hostmode input rules.
	HostModeInput = chainPrefix + "Hst-Net"
	// HostModeOutput represents the chain that contains Hostmode output rules.
	HostModeOutput = chainPrefix + "Hst-App"
)
const (
// IPv4DefaultIP is the default ip address of ipv4 subnets
IPv4DefaultIP = "0.0.0.0/0"
)
const (
// IPv6DefaultIP is the default IP subnet of ipv6
IPv6DefaultIP = "::/0"
)
Types
type ACLInfo
type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	BPFPath             string
	HostInput           string
	HostOutput          string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	UIDInput            string
	UIDOutput           string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string
	AppChain            string
	NetChain            string
	AppSection          string
	NetSection          string

	// common info
	DefaultConnmark         string
	DefaultExternalConnmark string
	QueueBalanceAppSyn      string
	QueueBalanceAppSynAck   string
	QueueBalanceAppAck      string
	QueueBalanceNetSyn      string
	QueueBalanceNetSynAck   string
	QueueBalanceNetAck      string
	InitialMarkVal          string
	RawSocketMark           string
	TargetTCPNetSet         string
	TargetUDPNetSet         string
	ExclusionsSet           string
	IpsetPrefix             string
	NetSynQueues            []uint32
	NetAckQueues            []uint32
	NetSynAckQueues         []uint32
	AppSynQueues            []uint32
	AppSynAckQueues         []uint32
	AppAckQueues            []uint32
	QueueMask               string
	MarkMask                string
	HMarkRandomSeed         string

	// IPv4 IPv6
	DefaultIP      string
	IsLegacyKernel bool

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet     string
	SrvIPSet      string
	ProxyPort     string
	DNSProxyPort  string
	DNSServerIP   string
	CgroupMark    string
	ProxyMark     string
	AuthPhaseMark string
	ProxySetName  string

	// UID PUs
	PacketMark             string
	Mark                   string
	UID                    string
	PortSet                string
	NFLOGPrefix            string
	NFLOGAcceptPrefix      string
	DefaultNFLOGDropPrefix string

	// icmpv6 allow bytecode
	ICMPv6Allow string
	// contains filtered or unexported fields
}
ACLInfo keeps track of all the information needed to create ACLs.
type IPImpl
type IPImpl interface {
	provider.IptablesProvider
	GetIPSetPrefix() string
	IPsetVersion() int
	GetIPSetParam() *ipset.Params
	ProtocolAllowed(proto string) bool
	IPFilter() func(net.IP) bool
	GetDefaultIP() string
	NeedICMP() bool
}
The IPImpl interface is to be used by the iptables implementors, such as ipv4 and ipv6.
func GetIPv4Impl
GetIPv4Impl creates the instance of the ipv4 struct, which implements the IPImpl interface.
func GetIPv6Impl
GetIPv6Impl creates the instance of the ipv6 struct, which implements the IPImpl interface.
type Instance
type Instance struct {
// contains filtered or unexported fields
}
Instance is the structure holding the ipv4 and ipv6 handles.
func GetInstance
func GetInstance() *Instance
GetInstance returns the singleton instance of the iptables object.
func NewInstance
func NewInstance(fqc *fqconfig.FilterQueue, mode constants.ModeType, aclmanager ipsetmanager.ACLManager, ipv6Enabled bool, ebpf ebpf.BPFModule) (*Instance, error)
NewInstance creates a new iptables controller instance.
func (*Instance) ACLProvider
func (i *Instance) ACLProvider() []provider.IptablesProvider
ACLProvider returns the current ACL providers so that they can be reused by other entities.
func (*Instance) AddPortToPortSet
func (i *Instance) AddPortToPortSet(contextID string, port string) error
AddPortToPortSet adds a port to the port set of the given processing unit.
func (*Instance) CleanUp
func (i *Instance) CleanUp() error
CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.
func (*Instance) ConfigureRules
func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error
ConfigureRules implements the ConfigureRules interface. It creates the port sets and then calls install rules to create all the ACLs for the given chains. Port sets are only created here; updates use the exact same logic.
func (*Instance) DeletePortFromPortSet
func (i *Instance) DeletePortFromPortSet(contextID string, port string) error
DeletePortFromPortSet deletes a port from the port set of the given processing unit.
func (*Instance) DeleteRules
func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error
DeleteRules implements the DeleteRules interface. It is responsible for cleaning up all ACLs and associated chains, as well as all the sets that we have created. Note that this only clears the state for a given processing unit.
func (*Instance) SetTargetNetworks
func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error
SetTargetNetworks updates the target networks. There are three different types of target networks:
- TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
- UDPTargetNetworks for UDP traffic (by default empty)
- ExcludedNetworks that are always ignored (by default empty)
func (*Instance) UpdateRules
func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error
UpdateRules implements the update part of the interface. Update calls install rules to install the new rules and then deletes the old rules. For installations that do not have the latest iptables-restore, we sequence the operations so that the switch is almost atomic, by creating the new rules first. For the latest kernel versions, iptables-restore updates all the rules in one shot.
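The make-before-break ordering that UpdateRules describes, as an added example that is not the package's own code: it builds an iptables-restore batch that creates and wires in the new version of a PU's "Pid-App" chain before detaching and deleting the old one, and checks that ordering property. The chainPrefix value, the version suffix on chain names and the mark match used for the jump are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed for illustration only: the real package's chainPrefix is
// unexported, and it does not version chain names exactly like this.
const chainPrefix = "TRI-"

// versionedChain suffixes a base name such as "Pid-App" with the rule
// version so two generations of a PU's chain can coexist briefly.
func versionedChain(base string, version int) string {
	return fmt.Sprintf("%s%s-v%d", chainPrefix, base, version)
}

// UpdateBatch builds an iptables-restore batch (mangle table) that creates
// and wires in the new version's app chain before it detaches, flushes and
// deletes the old one, so a single COMMIT applies the whole switch.
func UpdateBatch(oldVersion, newVersion int, mark string, newRules []string) []string {
	oldApp, newApp := versionedChain("Pid-App", oldVersion), versionedChain("Pid-App", newVersion)
	batch := []string{"*mangle", ":" + newApp + " - [0:0]"}
	for _, r := range newRules {
		batch = append(batch, "-A "+newApp+" "+r)
	}
	batch = append(batch, fmt.Sprintf("-I OUTPUT -m mark --mark %s -j %s", mark, newApp)) // new jump first
	batch = append(batch, fmt.Sprintf("-D OUTPUT -m mark --mark %s -j %s", mark, oldApp)) // then old jump
	return append(batch, "-F "+oldApp, "-X "+oldApp, "COMMIT")
}

// names reports whether line refers to chain as a whole token ("-v1" must not match "-v12").
func names(line, chain string) bool { return strings.Contains(line+" ", chain+" ") }

// MakeBeforeBreak checks the ordering property: every line that sets up the
// new chain precedes the first line that tears down the old one.
func MakeBeforeBreak(batch []string, oldVersion, newVersion int) bool {
	oldApp, newApp := versionedChain("Pid-App", oldVersion), versionedChain("Pid-App", newVersion)
	lastNew, firstTeardown := -1, len(batch)
	for i, l := range batch {
		if names(l, newApp) {
			lastNew = i
		}
		teardown := strings.HasPrefix(l, "-D ") || strings.HasPrefix(l, "-F ") || strings.HasPrefix(l, "-X ")
		if teardown && names(l, oldApp) && i < firstTeardown {
			firstTeardown = i
		}
	}
	return lastNew >= 0 && lastNew < firstTeardown
}
```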