Documentation ¶
Index ¶
- Constants
- type ACLInfo
- type IPImpl
- type Instance
- func (i *Instance) ACLProvider() []provider.IptablesProvider
- func (i *Instance) AddPortToPortSet(contextID string, port string) error
- func (i *Instance) CleanUp() error
- func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error
- func (i *Instance) CreateCustomRulesChain() error
- func (i *Instance) DeletePortFromPortSet(contextID string, port string) error
- func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, ...) error
- func (i *Instance) Run(ctx context.Context) error
- func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error
- func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, ...) error
Constants ¶
const (
	// IPV4 version for ipv4
	IPV4 = iota
	// IPV6 version for ipv6
	IPV6
)
const (
	// TriremeInput represents the chain that contains pu input rules.
	TriremeInput = constants.ChainPrefix + "Pid-Net"
	// TriremeOutput represents the chain that contains pu output rules.
	TriremeOutput = constants.ChainPrefix + "Pid-App"
	// NetworkSvcInput represents the chain that contains NetworkSvc input rules.
	NetworkSvcInput = constants.ChainPrefix + "Svc-Net"
	// NetworkSvcOutput represents the chain that contains NetworkSvc output rules.
	NetworkSvcOutput = constants.ChainPrefix + "Svc-App"
	// HostModeInput represents the chain that contains Hostmode input rules.
	HostModeInput = constants.ChainPrefix + "Hst-Net"
	// HostModeOutput represents the chain that contains Hostmode output rules.
	HostModeOutput = constants.ChainPrefix + "Hst-App"
	// NfqueueOutput represents the chain that contains the nfqueue output rules.
	NfqueueOutput = constants.ChainPrefix + "Nfq-OUT"
	// NfqueueInput represents the chain that contains the nfqueue input rules.
	NfqueueInput = constants.ChainPrefix + "Nfq-IN"
	// IstioUID is the UID of the istio-proxy (envoy) that is used in the iptables rules to identify
	// the envoy-generated traffic.
	IstioUID = "1337"
	// IstioRedirPort is the port where the App traffic from the output chain
	// is redirected into the Istio proxy. We need to accept this traffic, as we don't want to
	// come in between the APP --> Envoy traffic.
	IstioRedirPort = "15001"
)
const (
// CustomQOSChain is the name of the chain where users can install custom QOS rules
CustomQOSChain = "POST-CUSTOM-QOS"
)
const (
// IPv4DefaultIP is the default ip address of ipv4 subnets
IPv4DefaultIP = "0.0.0.0/0"
)
const (
// IPv6DefaultIP is the default IP subnet of ipv6
IPv6DefaultIP = "::/0"
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type ACLInfo ¶
type ACLInfo struct {
	ContextID string
	PUType    common.PUType

	// Tables
	MangleTable string
	NatTable    string

	// Chains
	MainAppChain        string
	MainNetChain        string
	BPFPath             string
	HostInput           string
	HostOutput          string
	NfqueueOutput       string
	NfqueueInput        string
	NetworkSvcInput     string
	NetworkSvcOutput    string
	TriremeInput        string
	TriremeOutput       string
	NatProxyNetChain    string
	NatProxyAppChain    string
	MangleProxyNetChain string
	MangleProxyAppChain string
	PreRouting          string
	AppChain            string
	NetChain            string
	AppSection          string
	NetSection          string

	// serviceMesh chains
	IstioChain string

	// common info
	DefaultConnmark         string
	DefaultDropConnmark     string
	DefaultExternalConnmark string
	PacketMarkToSetConnmark string
	DefaultInputMark        string
	DefaultHandShakeMark    string
	RawSocketMark           string
	TargetTCPNetSet         string
	TargetUDPNetSet         string
	ExclusionsSet           string
	IpsetPrefix             string

	// IPv4 IPv6
	DefaultIP string

	// UDP rules
	Numpackets   string
	InitialCount string
	UDPSignature string

	// Linux PUs
	TCPPorts   string
	UDPPorts   string
	TCPPortSet string

	// ProxyRules
	DestIPSet                   string
	SrvIPSet                    string
	ProxyPort                   string
	DNSProxyPort                string
	DNSServerIP                 string
	CgroupMark                  string
	ProxyMark                   string
	AuthPhaseMark               string
	PacketMark                  string
	Mark                        string
	PortSet                     string
	AppNFLOGPrefix              string
	AppNFLOGDropPacketLogPrefix string
	AppDefaultAction            string
	NetNFLOGPrefix              string
	NetNFLOGDropPacketLogPrefix string
	NetDefaultAction            string
	NFQueues                    []int
	NumNFQueues                 int

	// icmpv6 allow bytecode
	ICMPv6Allow string

	// Istio Iptable rules
	IstioEnabled bool
	// contains filtered or unexported fields
}
ACLInfo keeps track of all the information needed to create ACLs.
type IPImpl ¶
type IPImpl interface {
	provider.IptablesProvider
	IPVersion() int
	ProtocolAllowed(proto string) bool
	IPFilter() func(net.IP) bool
	GetDefaultIP() string
	NeedICMP() bool
}
IPImpl is the interface to be used by the iptables implementors, such as ipv4 and ipv6.
func GetIPv4Impl ¶
GetIPv4Impl creates the instance of the ipv4 struct, which implements the interface IPImpl.
func GetIPv6Impl ¶
GetIPv6Impl creates the instance of the ipv6 struct, which implements the interface IPImpl.
type Instance ¶
type Instance struct {
// contains filtered or unexported fields
}
Instance is the structure holding the ipv4 and ipv6 handles.
func NewInstance ¶
func NewInstance(fqc fqconfig.FilterQueue, mode constants.ModeType, ipv6Enabled bool, ebpf ebpf.BPFModule, iptablesLockfile string, serviceMeshType policy.ServiceMesh) (*Instance, error)
NewInstance creates a new iptables controller instance.
func (*Instance) ACLProvider ¶
func (i *Instance) ACLProvider() []provider.IptablesProvider
ACLProvider returns the current ACL provider that can be re-used by other entities.
func (*Instance) AddPortToPortSet ¶
AddPortToPortSet adds ports to the port sets.
func (*Instance) CleanUp ¶
CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.
func (*Instance) ConfigureRules ¶
ConfigureRules implements the ConfigureRules interface. It will create the port sets and then call install rules to create all the ACLs for the given chains. Port sets are only created here; updates use the exact same logic.
func (*Instance) CreateCustomRulesChain ¶
CreateCustomRulesChain creates a custom rules chain if it doesn't exist.
func (*Instance) DeletePortFromPortSet ¶
DeletePortFromPortSet deletes ports from the port sets.
func (*Instance) DeleteRules ¶
func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error
DeleteRules implements the DeleteRules interface. It is responsible for cleaning up all ACLs and associated chains, as well as all the sets that we have created. Note that this only clears the state for a given processing unit.
func (*Instance) SetTargetNetworks ¶
func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error
SetTargetNetworks updates the target networks. There are three different types of target networks:
- TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
- UDPTargetNetworks for UDP traffic (by default empty)
- ExcludedNetworks that are always ignored (by default empty)
func (*Instance) UpdateRules ¶
func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error
UpdateRules implements the update part of the interface. Update calls install rules to install the new rules and then deletes the old rules. For installations that do not have the latest iptables-restore, we order the operations so that the switch is almost atomic, by creating the new rules first. For the latest kernel versions, iptables-restore updates all the rules in one shot.