Overview ¶
Policy enforcer package translates romana policies into iptables rules.
Index ¶
- func ApplyIPtables(iptables *iptsave.IPtables, exec utilexec.Executable, restoreFlags ...string) error
- func EnsureChainExists(table *iptsave.IPtable, chainName string) *iptsave.IPchain
- func InsertNormalRule(chain *iptsave.IPchain, rule *iptsave.IPrule)
- func LoadIPtables(exec utilexec.Executable) (*iptsave.IPtables, error)
- func MakeBaseRules() []*iptsave.IPchain
- func MakeConntrackEstablishedRule() *iptsave.IPrule
- func MakeIngressTenantJumpRule(tenant common.Tenant, netConfig firewall.NetConfig) *iptsave.IPrule
- func MakeOperatorPolicyChainName() string
- func MakeOperatorPolicyIngressChainName() string
- func MakePolicyChainFooterRule() *iptsave.IPrule
- func MakePolicyIngressJump(peer common.Endpoint, targetChain string, netConfig firewall.NetConfig) *iptsave.IPrule
- func MakePolicyRule(rule common.Rule) []*iptsave.IPrule
- func MakeRomanaPolicyIngressName(policy common.Policy, idx int) string
- func MakeRomanaPolicyName(policy common.Policy) string
- func MakeRuleDefaultWithBody(body string, target string) *iptsave.IPrule
- func MakeRuleWithBody(body string, target string) *iptsave.IPrule
- func MakeSegmentPolicyChainName(tenantID uint64, segmentID uint64) string
- func MakeSegmentPolicyJumpRule(tenant common.Tenant, segment common.Segment, netConfig firewall.NetConfig) *iptsave.IPrule
- func MakeSimpleJumpRule(target string) *iptsave.IPrule
- func MakeTenantIngressChainName(tenant common.Tenant) string
- func MakeTenantWideIngressChainName(tenantID uint64) string
- func MakeTenantWidePolicyJumpRule(tenant common.Tenant) *iptsave.IPrule
- func ValidateIPtables(iptables *iptsave.IPtables, exec utilexec.Executable) bool
- type Enforcer
- type Interface
- type PolicyTargetType
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ApplyIPtables ¶
func ApplyIPtables(iptables *iptsave.IPtables, exec utilexec.Executable, restoreFlags ...string) error
ApplyIPtables calls iptables-restore to apply iptables.
func EnsureChainExists ¶
EnsureChainExists ensures that IPchain exists in IPtable.
func InsertNormalRule ¶
InsertNormalRule discovers the position in a chain just above all DROP and RETURN rules. Useful for rules other than the default drops and chain terminators.
func LoadIPtables ¶
func LoadIPtables(exec utilexec.Executable) (*iptsave.IPtables, error)
LoadIPtables calls iptables-save and parses the result into iptsave.IPtables.
func MakeBaseRules ¶
func MakeConntrackEstablishedRule ¶
MakeConntrackEstablishedRule returns a rule that usually sits on top of a certain chain and accepts TCP packets known to the iptables conntrack module.
func MakeIngressTenantJumpRule ¶
MakeIngressTenantJumpRule makes a rule to send traffic from romana ingress chain into a tenant specific chain. -A ROMANA-FORWARD-IN -m u32 --u32 "0x10&0xff00f000=0xa002000" -j ROMANA-FW-T2
func MakeOperatorPolicyChainName ¶
func MakeOperatorPolicyChainName() string
MakeOperatorPolicyChainName returns the name for iptables chain that hosts policies applied to all tenants.
func MakeOperatorPolicyIngressChainName ¶
func MakeOperatorPolicyIngressChainName() string
func MakePolicyChainFooterRule ¶
MakePolicyChainFooterRule returns an iptsave rule that sits at the bottom of a chain which hosts jumps to the romana policies. The rule is redundant in many cases, since the default chain policy is also RETURN, but it highlights the flow.
func MakePolicyIngressJump ¶
func MakePolicyIngressJump(peer common.Endpoint, targetChain string, netConfig firewall.NetConfig) *iptsave.IPrule
MakePolicyIngressJump makes jump rule from policy into policy ingress chain.
func MakePolicyRule ¶
MakePolicyRule translates common.Rule into iptsave.IPrule.
func MakeRomanaPolicyIngressName ¶
MakeRomanaPolicyIngressName returns the name of iptables chain that hosts one ingress field of a policy.
func MakeRomanaPolicyName ¶
MakeRomanaPolicyName returns the name of iptables chain that hosts policy related rules.
func MakeRuleDefaultWithBody ¶
MakeRuleDefaultWithBody is a convenience function that returns a simple iptsave.IPrule with one match and one default (e.g. ACCEPT, DROP, RETURN) action.
func MakeRuleWithBody ¶
MakeRuleWithBody is a convenience function that returns a simple iptsave.IPrule with one match and one action.
func MakeSegmentPolicyChainName ¶
MakeSegmentPolicyChainName returns the name of iptables chain that holds policies for specific tenant's segment.
func MakeSegmentPolicyJumpRule ¶
func MakeSegmentPolicyJumpRule(tenant common.Tenant, segment common.Segment, netConfig firewall.NetConfig) *iptsave.IPrule
MakeSegmentPolicyJumpRule makes a rule to send traffic from tenant specific chain into a segment specific chain. -A ROMANA-FW-T2 -m u32 --u32 "0x10&0xff00ff00=0xa002000" -j ROMANA-T2-S0
func MakeSimpleJumpRule ¶
MakeSimpleJumpRule is a convenience function that returns an iptsave.IPrule with no match field and a single action field, e.g. `-j TARGET`.
func MakeTenantIngressChainName ¶
MakeTenantIngressChainName returns the name of iptables chain that holds ingress rules for specific romana tenant.
func MakeTenantWideIngressChainName ¶
MakeTenantWideIngressChainName returns a name for iptables chain that hosts policies that are applied to entire tenant.
func MakeTenantWidePolicyJumpRule ¶
MakeTenantWidePolicyJumpRule returns a rule that jumps into the iptables chain that hosts policies for the entire tenant.
func ValidateIPtables ¶
func ValidateIPtables(iptables *iptsave.IPtables, exec utilexec.Executable) bool
ValidateIPtables calls iptables-restore to validate iptables.
Types ¶
type Enforcer ¶
// Enforcer is the policy enforcer type; presumably the concrete value behind
// the Interface returned by New — confirm against the package source.
type Enforcer struct {
	// contains filtered or unexported fields
}
Endpoint implements Interface.
type Interface ¶
// Interface defines policy enforcer behavior.
type Interface interface {
	// Run starts the internal loop that handles updates from policies.
	// The channel argument is presumably a stop signal (closed to shut the
	// loop down) — confirm against the implementation.
	Run(<-chan struct{})
}
Interface defines policy enforcer behavior.
func New ¶
func New(tenantCache tenantCache.Interface, policyCache policyCache.Interface, network firewall.NetConfig, exec utilexec.Executable, refreshSeconds int) Interface
New returns new policy enforcer.
type PolicyTargetType ¶
// PolicyTargetType represents the type of common.Policy.AppliedTo.
type PolicyTargetType string
PolicyTargetType represents type of common.Policy.AppliedTo.
const (
	// OperatorPolicyTarget represents a policy that is applied to all
	// traffic going towards pods, including traffic from the host.
	OperatorPolicyTarget PolicyTargetType = "operator"

	// OperatorPolicyIngressTarget represents a policy that is applied to
	// traffic traveling from pods to the host.
	OperatorPolicyIngressTarget PolicyTargetType = "operator-ingress"

	// TenantWidePolicyTarget represents a policy that targets an entire tenant.
	TenantWidePolicyTarget PolicyTargetType = "tenant-wide"

	// TenantSegmentPolicyTarget represents a policy that targets a
	// specific segment within a tenant.
	TenantSegmentPolicyTarget PolicyTargetType = "tenant-segment"

	// UnknownPolicyTarget is presumably the value DetectPolicyTargetType
	// returns for an endpoint that matches none of the above — confirm.
	UnknownPolicyTarget PolicyTargetType = "unknown"
)
func DetectPolicyTargetType ¶
func DetectPolicyTargetType(target common.Endpoint) PolicyTargetType
DetectPolicyTargetType identifies given endpoint as one of valid policy target types.