iptablesctrl

package v10.322.0+incompatible
Published: Apr 23, 2021 License: Apache-2.0 Imports: 37 Imported by: 0


Constants

const (
	// IPV4 is the version constant for IPv4
	IPV4 = iota
	// IPV6 is the version constant for IPv6
	IPV6
)
const (

	// TriremeInput represents the chain that contains pu input rules.
	TriremeInput = constants.ChainPrefix + "Pid-Net"
	// TriremeOutput represents the chain that contains pu output rules.
	TriremeOutput = constants.ChainPrefix + "Pid-App"

	// NetworkSvcInput represents the chain that contains NetworkSvc input rules.
	NetworkSvcInput = constants.ChainPrefix + "Svc-Net"

	// NetworkSvcOutput represents the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = constants.ChainPrefix + "Svc-App"

	// HostModeInput represents the chain that contains Hostmode input rules.
	HostModeInput = constants.ChainPrefix + "Hst-Net"

	// HostModeOutput represents the chain that contains Hostmode output rules.
	HostModeOutput = constants.ChainPrefix + "Hst-App"
	// NfqueueOutput represents the chain that contains the nfqueue output rules
	NfqueueOutput = constants.ChainPrefix + "Nfq-OUT"
	// NfqueueInput represents the chain that contains the nfqueue input rules
	NfqueueInput = constants.ChainPrefix + "Nfq-IN"
	// IstioUID is the UID of the istio-proxy (envoy) that is used in the iptables rules to identify
	// envoy-generated traffic
	IstioUID = "1337"
	// IstioRedirPort is the port where the App traffic from the output chain
	// is redirected into istio-proxy; we need to accept this traffic as we don't want to come between
	// the APP --> Envoy traffic.
	IstioRedirPort = "15001"
)
const (

	// CustomQOSChain is the name of the chain where users can install custom QOS rules
	CustomQOSChain = "POST-CUSTOM-QOS"
)
const (
	// IPv4DefaultIP is the default ip address of ipv4 subnets
	IPv4DefaultIP = "0.0.0.0/0"
)
const (
	// IPv6DefaultIP is the default IP subnet of ipv6
	IPv6DefaultIP = "::/0"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ACLInfo

type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	BPFPath             string
	HostInput           string
	HostOutput          string
	NfqueueOutput       string
	NfqueueInput        string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string

	AppChain   string
	NetChain   string
	AppSection string
	NetSection string

	// serviceMesh chains
	IstioChain string

	// common info
	DefaultConnmark         string
	DefaultDropConnmark     string
	DefaultExternalConnmark string
	PacketMarkToSetConnmark string
	DefaultInputMark        string
	DefaultHandShakeMark    string

	RawSocketMark   string
	TargetTCPNetSet string
	TargetUDPNetSet string
	ExclusionsSet   string
	IpsetPrefix     string
	// IPv4 IPv6
	DefaultIP string

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet     string
	SrvIPSet      string
	ProxyPort     string
	DNSProxyPort  string
	DNSServerIP   string
	CgroupMark    string
	ProxyMark     string
	AuthPhaseMark string

	PacketMark string
	Mark       string
	PortSet    string

	AppNFLOGPrefix              string
	AppNFLOGDropPacketLogPrefix string
	AppDefaultAction            string

	NetNFLOGPrefix              string
	NetNFLOGDropPacketLogPrefix string
	NetDefaultAction            string

	NFQueues    []int
	NumNFQueues int
	// icmpv6 allow bytecode
	ICMPv6Allow string

	// Istio Iptable rules
	IstioEnabled bool
	// contains filtered or unexported fields
}

ACLInfo keeps track of all the information needed to create ACLs

type IPImpl

type IPImpl interface {
	provider.IptablesProvider
	IPVersion() int
	ProtocolAllowed(proto string) bool
	IPFilter() func(net.IP) bool
	GetDefaultIP() string
	NeedICMP() bool
}

IPImpl is the interface to be implemented by the iptables implementors, such as ipv4 and ipv6.

func GetIPv4Impl

func GetIPv4Impl() (IPImpl, error)

GetIPv4Impl creates an instance of the ipv4 struct, which implements the IPImpl interface

func GetIPv6Impl

func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error)

GetIPv6Impl creates an instance of the ipv6 struct, which implements the IPImpl interface

type Instance

type Instance struct {
	// contains filtered or unexported fields
}

Instance is the structure holding the ipv4 and ipv6 handles

func NewInstance

func NewInstance(fqc fqconfig.FilterQueue, mode constants.ModeType, ipv6Enabled bool, ebpf ebpf.BPFModule, iptablesLockfile string, serviceMeshType policy.ServiceMesh) (*Instance, error)

NewInstance creates a new iptables controller instance

func (*Instance) ACLProvider

func (i *Instance) ACLProvider() []provider.IptablesProvider

ACLProvider returns the current ACL provider that can be re-used by other entities.

func (*Instance) AddPortToPortSet

func (i *Instance) AddPortToPortSet(contextID string, port string) error

AddPortToPortSet adds ports to the portsets

func (*Instance) CleanUp

func (i *Instance) CleanUp() error

CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.

func (*Instance) ConfigureRules

func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error

ConfigureRules implements the ConfigureRules interface. It creates the port sets and then calls install rules to create all the ACLs for the given chains. Port sets are only created here; updates use the exact same logic.

func (*Instance) CreateCustomRulesChain

func (i *Instance) CreateCustomRulesChain() error

CreateCustomRulesChain creates the custom rules chain if it doesn't exist

func (*Instance) DeletePortFromPortSet

func (i *Instance) DeletePortFromPortSet(contextID string, port string) error

DeletePortFromPortSet deletes ports from port sets

func (*Instance) DeleteRules

func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error

DeleteRules implements the DeleteRules interface. It is responsible for cleaning up all ACLs and associated chains, as well as all the sets that we have created. Note that this only clears the state for a given processing unit.

func (*Instance) Run

func (i *Instance) Run(ctx context.Context) error

Run starts the iptables controller

func (*Instance) SetTargetNetworks

func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error

SetTargetNetworks updates the target networks. There are three different types of target networks:

  • TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
  • UDPTargetNetworks for UDP traffic (by default empty)
  • ExcludedNetworks that are always ignored (by default empty)
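The three target-network lists above, as an added Go example that is not part of iptablesctrl: it applies the documented defaults (TCP falls back to 0.0.0.0/0, UDP and Excluded stay empty), rejects malformed CIDRs instead of silently skipping them, and checks exclusions before either protocol list so they always win. TargetNetworks, NewTargetNetworks, contains and IsTarget are hypothetical names chosen for this example.

```go
package main

import "net"

// TargetNetworks models the three lists SetTargetNetworks describes
// (type and field names are assumptions made for this example).
type TargetNetworks struct {
	TCP      []*net.IPNet // targeted for TCP (default 0.0.0.0/0)
	UDP      []*net.IPNet // targeted for UDP (default empty)
	Excluded []*net.IPNet // always ignored, whatever the protocol
}

// NewTargetNetworks applies the documented defaults: an empty TCP list
// falls back to 0.0.0.0/0; UDP and Excluded stay empty when unset.
func NewTargetNetworks(tcp, udp, excluded []string) (*TargetNetworks, error) {
	if len(tcp) == 0 {
		tcp = []string{"0.0.0.0/0"} // documented TCP default
	}
	var lists [3][]*net.IPNet
	for i, cidrs := range [][]string{tcp, udp, excluded} {
		for _, c := range cidrs {
			_, n, err := net.ParseCIDR(c) // malformed entries are rejected outright
			if err != nil {
				return nil, err
			}
			lists[i] = append(lists[i], n)
		}
	}
	return &TargetNetworks{TCP: lists[0], UDP: lists[1], Excluded: lists[2]}, nil
}

func contains(nets []*net.IPNet, ip net.IP) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// IsTarget reports whether proto ("tcp" or "udp") traffic to ip is target
// traffic. Exclusions are checked first, so they always win.
func (t *TargetNetworks) IsTarget(proto string, ip net.IP) bool {
	if ip == nil || contains(t.Excluded, ip) {
		return false
	}
	// Unknown protocols look up nil and are therefore never targets.
	nets := map[string][]*net.IPNet{"tcp": t.TCP, "udp": t.UDP}[proto]
	return contains(nets, ip)
}
```

Note that an IPv6 address never matches the IPv4 default 0.0.0.0/0, which is why GetIPv6Impl carries its own default of ::/0.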

func (*Instance) UpdateRules

func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error

UpdateRules implements the update part of the interface. Update calls installrules to install the new rules and then deletes the old rules. For installations that do not have the latest iptables-restore, we order the operations so that the switch is almost atomic, by creating the new rules first. For the latest kernel versions, iptables-restore updates all the rules in one shot.
