iptablesctrl

package
v10.267.34+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Nov 26, 2020 License: Apache-2.0 Imports: 34 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// TriremeInput represent the chain that contains pu input rules.
	TriremeInput = chainPrefix + "Pid-Net"
	// TriremeOutput represent the chain that contains pu output rules.
	TriremeOutput = chainPrefix + "Pid-App"

	// NetworkSvcInput represent the chain that contains NetworkSvc input rules.
	NetworkSvcInput = chainPrefix + "Svc-Net"

	// NetworkSvcOutput represent the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = chainPrefix + "Svc-App"

	// HostModeInput represent the chain that contains Hostmode input rules.
	HostModeInput = chainPrefix + "Hst-Net"

	// HostModeOutput represent the chain that contains Hostmode output rules.
	HostModeOutput = chainPrefix + "Hst-App"
)
View Source
const (

	// IPv4DefaultIP is the default ip address of ipv4 subnets
	IPv4DefaultIP = "0.0.0.0/0"
)
View Source
const (

	// IPv6DefaultIP is the default IP subnet of ipv6
	IPv6DefaultIP = "::/0"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ACLInfo

type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	BPFPath             string
	HostInput           string
	HostOutput          string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	UIDInput            string
	UIDOutput           string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string

	AppChain   string
	NetChain   string
	AppSection string
	NetSection string

	// common info
	DefaultConnmark         string
	DefaultExternalConnmark string
	QueueBalanceAppSyn      string
	QueueBalanceAppSynAck   string
	QueueBalanceAppAck      string
	QueueBalanceNetSyn      string
	QueueBalanceNetSynAck   string
	QueueBalanceNetAck      string

	InitialMarkVal  string
	RawSocketMark   string
	TargetTCPNetSet string
	TargetUDPNetSet string
	ExclusionsSet   string
	IpsetPrefix     string
	NetSynQueues    []uint32
	NetAckQueues    []uint32
	NetSynAckQueues []uint32
	AppSynQueues    []uint32
	AppSynAckQueues []uint32
	AppAckQueues    []uint32
	QueueMask       string
	MarkMask        string
	HMarkRandomSeed string
	// IPv4 IPv6
	DefaultIP string

	IsLegacyKernel bool

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet     string
	SrvIPSet      string
	ProxyPort     string
	DNSProxyPort  string
	DNSServerIP   string
	CgroupMark    string
	ProxyMark     string
	AuthPhaseMark string
	ProxySetName  string

	// UID PUs
	PacketMark             string
	Mark                   string
	UID                    string
	PortSet                string
	NFLOGPrefix            string
	NFLOGAcceptPrefix      string
	DefaultNFLOGDropPrefix string
	// icmpv6 allow bytecode
	ICMPv6Allow string
	// contains filtered or unexported fields
}

ACLInfo keeps track of all information to create ACLs

type IPImpl

type IPImpl interface {
	provider.IptablesProvider
	GetIPSetPrefix() string
	IPsetVersion() int
	GetIPSetParam() *ipset.Params
	ProtocolAllowed(proto string) bool
	IPFilter() func(net.IP) bool
	GetDefaultIP() string
	NeedICMP() bool
}

IPImpl interface is to be used by the iptable implentors like ipv4 and ipv6.

func GetIPv4Impl

func GetIPv4Impl() (IPImpl, error)

GetIPv4Impl creates the instance of ipv4 struct which implements the interface ipImpl

func GetIPv6Impl

func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error)

GetIPv6Impl creates the instance of ipv6 struct which implements the interface ipImpl

type Instance

type Instance struct {
	// contains filtered or unexported fields
}

Instance is the structure holding the ipv4 and ipv6 handles

func GetInstance

func GetInstance() *Instance

GetInstance returns the instance of the iptables object.

func NewInstance

func NewInstance(fqc *fqconfig.FilterQueue, mode constants.ModeType, aclmanager ipsetmanager.ACLManager, ipv6Enabled bool, ebpf ebpf.BPFModule) (*Instance, error)

NewInstance creates a new iptables controller instance

func (*Instance) ACLProvider

func (i *Instance) ACLProvider() []provider.IptablesProvider

ACLProvider returns the current ACL provider that can be re-used by other entities.

func (*Instance) AddPortToPortSet

func (i *Instance) AddPortToPortSet(contextID string, port string) error

AddPortToPortSet adds ports to the portsets

func (*Instance) CleanUp

func (i *Instance) CleanUp() error

CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.

func (*Instance) ConfigureRules

func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error

ConfigureRules implments the ConfigureRules interface. It will create the port sets and then it will call install rules to create all the ACLs for the given chains. PortSets are only created here. Updates will use the exact same logic.

func (*Instance) DeletePortFromPortSet

func (i *Instance) DeletePortFromPortSet(contextID string, port string) error

DeletePortFromPortSet deletes ports from port sets

func (*Instance) DeleteRules

func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error

DeleteRules implements the DeleteRules interface. This is responsible for cleaning all ACLs and associated chains, as well as ll the sets that we have created. Note, that this only clears up the state for a given processing unit.

func (*Instance) Run

func (i *Instance) Run(ctx context.Context) error

Run starts the iptables controller

func (*Instance) SetTargetNetworks

func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error

SetTargetNetworks updates ths target networks. There are three different types of target networks:

  • TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
  • UDPTargetNetworks for UDP traffic (by default empty)
  • ExcludedNetworks that are always ignored (by default empty)

func (*Instance) UpdateRules

func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error

UpdateRules implements the update part of the interface. Update will call installrules to install the new rules and then it will delete the old rules. For installations that do not have latests iptables-restore we time the operations so that the switch is almost atomic, by creating the new rules first. For latest kernel versions iptables-restorce will update all the rules in one shot.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL