enforcer

package
v1.5.0 Latest
Published: Jul 12, 2017 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package enforcer translates Romana policies into iptables rules.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ApplyIPtables

func ApplyIPtables(iptables *iptsave.IPtables, exec utilexec.Executable, restoreFlags ...string) error

ApplyIPtables calls iptables-restore to apply the given iptables rule set.

func EnsureChainExists

func EnsureChainExists(table *iptsave.IPtable, chainName string) *iptsave.IPchain

EnsureChainExists ensures that IPchain exists in IPtable.

func InsertNormalRule

func InsertNormalRule(chain *iptsave.IPchain, rule *iptsave.IPrule)

InsertNormalRule finds the position in a chain just above all DROP and RETURN rules and inserts the rule there. Useful for rules other than default drops and chain terminators.

func LoadIPtables

func LoadIPtables(exec utilexec.Executable) (*iptsave.IPtables, error)

LoadIPtables calls iptables-save and parses the result into an iptsave.IPtables.

func MakeBaseRules

func MakeBaseRules() []*iptsave.IPchain

func MakeConntrackEstablishedRule

func MakeConntrackEstablishedRule() *iptsave.IPrule

MakeConntrackEstablishedRule returns a rule that usually sits at the top of a chain and accepts TCP packets known to the iptables conntrack module.

func MakeIngressTenantJumpRule

func MakeIngressTenantJumpRule(tenant common.Tenant, netConfig firewall.NetConfig) *iptsave.IPrule

MakeIngressTenantJumpRule makes a rule to send traffic from the Romana ingress chain into a tenant-specific chain, e.g.

-A ROMANA-FORWARD-IN -m u32 --u32 "0x10&0xff00f000=0xa002000" -j ROMANA-FW-T2

func MakeOperatorPolicyChainName

func MakeOperatorPolicyChainName() string

MakeOperatorPolicyChainName returns the name of the iptables chain that hosts policies applied to all tenants.

func MakeOperatorPolicyIngressChainName

func MakeOperatorPolicyIngressChainName() string

func MakePolicyChainFooterRule

func MakePolicyChainFooterRule() *iptsave.IPrule

MakePolicyChainFooterRule returns an iptsave rule that sits at the bottom of a chain which hosts jumps to the Romana policies. The rule is redundant in many cases, since the default chain policy is also RETURN, but it makes the flow explicit.

func MakePolicyIngressJump

func MakePolicyIngressJump(peer common.Endpoint, targetChain string, netConfig firewall.NetConfig) *iptsave.IPrule

MakePolicyIngressJump makes a jump rule from a policy chain into the policy ingress chain.

func MakePolicyRule

func MakePolicyRule(rule common.Rule) []*iptsave.IPrule

MakePolicyRule translates common.Rule into iptsave.IPrule.

func MakeRomanaPolicyIngressName

func MakeRomanaPolicyIngressName(policy common.Policy, idx int) string

MakeRomanaPolicyIngressName returns the name of the iptables chain that hosts one ingress field of a policy.

func MakeRomanaPolicyName

func MakeRomanaPolicyName(policy common.Policy) string

MakeRomanaPolicyName returns the name of the iptables chain that hosts policy-related rules.

func MakeRuleDefaultWithBody

func MakeRuleDefaultWithBody(body string, target string) *iptsave.IPrule

MakeRuleDefaultWithBody is a convenience function that returns a simple iptsave.IPrule with one match and one default action (e.g. ACCEPT, DROP, RETURN).

func MakeRuleWithBody

func MakeRuleWithBody(body string, target string) *iptsave.IPrule

MakeRuleWithBody is a convenience function that returns a simple iptsave.IPrule with one match and one action.

func MakeSegmentPolicyChainName

func MakeSegmentPolicyChainName(tenantID uint64, segmentID uint64) string

MakeSegmentPolicyChainName returns the name of the iptables chain that holds policies for a specific tenant's segment.

func MakeSegmentPolicyJumpRule

func MakeSegmentPolicyJumpRule(tenant common.Tenant, segment common.Segment, netConfig firewall.NetConfig) *iptsave.IPrule

MakeSegmentPolicyJumpRule makes a rule to send traffic from a tenant-specific chain into a segment-specific chain, e.g.

-A ROMANA-FW-T2 -m u32 --u32 "0x10&0xff00ff00=0xa002000" -j ROMANA-T2-S0
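The two u32 matches quoted in the MakeIngressTenantJumpRule and MakeSegmentPolicyJumpRule doc comments are the whole dispatch path from the ingress chain to a segment chain. As an added example (not code from the enforcer package), this small Go model parses that restricted "OFFSET&MASK=VALUE" u32 form, evaluates it the way the kernel does against a constructed 20-byte IPv4 header, and reports which of the chains named in the comments a packet to a given destination ends up in. It assumes only those two rules and those chain names; the ParseU32, Matches and ChainFor names are the example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// U32Match is one "OFFSET&MASK=VALUE" test, the only u32 form the jump rules above use.
type U32Match struct{ Offset, Mask, Value uint32 }

// ParseU32 parses e.g. "0x10&0xff00f000=0xa002000" (offset 0x10 of an IPv4 header
// is the destination address). %v accepts the 0x prefix; other u32 operators
// (ranges, "@", ">>", "&&") are deliberately not handled.
func ParseU32(expr string) (U32Match, error) {
	var m U32Match
	n, err := fmt.Sscanf(expr, "%v&%v=%v", &m.Offset, &m.Mask, &m.Value)
	if err != nil || n != 3 {
		return U32Match{}, fmt.Errorf("u32 %q: want OFFSET&MASK=VALUE (%v)", expr, err)
	}
	return m, nil
}

// Matches does what the kernel u32 module does: load 4 bytes big-endian at Offset,
// AND with Mask, compare with Value. A load past the end of the packet never matches.
func (m U32Match) Matches(pkt []byte) bool {
	if uint64(m.Offset)+4 > uint64(len(pkt)) {
		return false
	}
	return binary.BigEndian.Uint32(pkt[m.Offset:])&m.Mask == m.Value
}

// ChainFor replays the two-level dispatch from the doc comments above for a packet
// to dst: the tenant rule (mask 0xff00f000) first, then the segment rule (0xff00ff00).
func ChainFor(dst string) string {
	pkt := make([]byte, 20) // constructed minimal IPv4 header; only bytes 16..19 matter
	copy(pkt[16:], net.ParseIP(dst).To4())
	tenant, _ := ParseU32("0x10&0xff00f000=0xa002000")  // -j ROMANA-FW-T2
	segment, _ := ParseU32("0x10&0xff00ff00=0xa002000") // -j ROMANA-T2-S0
	if !tenant.Matches(pkt) {
		return "ROMANA-FORWARD-IN" // not tenant 2: stays in the ingress chain
	}
	if !segment.Matches(pkt) {
		return "ROMANA-FW-T2" // tenant 2, but not segment 0
	}
	return "ROMANA-T2-S0"
}
```

With the masks above, 10.0.32.5 reaches ROMANA-T2-S0, 10.0.33.5 stops in ROMANA-FW-T2 (tenant 2, segment 1), and 10.0.48.1 never leaves ROMANA-FORWARD-IN.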

func MakeSimpleJumpRule

func MakeSimpleJumpRule(target string) *iptsave.IPrule

MakeSimpleJumpRule is a convenience function that returns an iptsave.IPrule with no match field and a single action field, e.g. `-j TARGET`.

func MakeTenantIngressChainName

func MakeTenantIngressChainName(tenant common.Tenant) string

MakeTenantIngressChainName returns the name of the iptables chain that holds ingress rules for a specific Romana tenant.

func MakeTenantWideIngressChainName

func MakeTenantWideIngressChainName(tenantID uint64) string

MakeTenantWideIngressChainName returns the name of the iptables chain that hosts policies applied to the entire tenant.

func MakeTenantWidePolicyJumpRule

func MakeTenantWidePolicyJumpRule(tenant common.Tenant) *iptsave.IPrule

MakeTenantWidePolicyJumpRule returns a rule that jumps into the iptables chain that hosts policies for the entire tenant.

func ValidateIPtables

func ValidateIPtables(iptables *iptsave.IPtables, exec utilexec.Executable) bool

ValidateIPtables calls iptables-restore in test mode to validate the given iptables rule set without applying it.

Types

type Enforcer

type Enforcer struct {
	// contains filtered or unexported fields
}

Enforcer implements Interface.

func (*Enforcer) Continue

func (a *Enforcer) Continue()

Continue resumes the main loop.

func (*Enforcer) Pause

func (a *Enforcer) Pause()

Pause pauses the main loop.

func (*Enforcer) Run

func (a *Enforcer) Run(stop <-chan struct{})

Run implements Interface. It reads notifications from the policy cache and from the tenant cache, and re-renders all iptables rules whenever either cache changes.

type Interface

type Interface interface {
	// Run starts the internal loop that handles updates from policies.
	Run(<-chan struct{})
}

Interface defines policy enforcer behavior.

func New

func New(tenantCache tenantCache.Interface, policyCache policyCache.Interface, network firewall.NetConfig, exec utilexec.Executable, refreshSeconds int) Interface

New returns a new policy enforcer.

type PolicyTargetType

type PolicyTargetType string

PolicyTargetType represents the type of common.Policy.AppliedTo.

const (
	// OperatorPolicyTarget represents a policy
	// that is applied to all traffic going towards pods,
	// including traffic from the host.
	OperatorPolicyTarget PolicyTargetType = "operator"

	// OperatorPolicyIngressTarget represents a policy
	// that is applied to traffic traveling from pods to the host.
	OperatorPolicyIngressTarget PolicyTargetType = "operator-ingress"

	// TenantWidePolicyTarget represents a policy that targets an entire tenant.
	TenantWidePolicyTarget PolicyTargetType = "tenant-wide"

	// TenantSegmentPolicyTarget represents a policy that targets
	// a specific segment within a tenant.
	TenantSegmentPolicyTarget PolicyTargetType = "tenant-segment"

	// UnknownPolicyTarget marks a target that is none of the above.
	UnknownPolicyTarget PolicyTargetType = "unknown"
)

func DetectPolicyTargetType

func DetectPolicyTargetType(target common.Endpoint) PolicyTargetType

DetectPolicyTargetType identifies the given endpoint as one of the valid policy target types.
