Documentation ¶
Index ¶
- Variables
- type Dependencies
- type DependenciesStub
- func (s *DependenciesStub) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)
- func (s *DependenciesStub) Run(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, ...) error
- func (s *DependenciesStub) RunQuietlyAndIgnore(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, ...)
- func (s *DependenciesStub) RunWithOutput(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, ...) (*bytes.Buffer, error)
- type IptablesVersion
- type RealDependencies
- func (r *RealDependencies) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)
- func (r *RealDependencies) Run(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, ...) error
- func (r *RealDependencies) RunQuietlyAndIgnore(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, ...)
- func (r *RealDependencies) RunWithOutput(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, ...) (*bytes.Buffer, error)
- type XTablesExittype
Constants ¶
This section is empty.
Variables ¶
var (
	// IptablesRestoreLocking is the version in which locking (-w) was added to iptables-restore
	IptablesRestoreLocking = utilversion.MustParseGeneric("1.6.2")
	// IptablesLockfileEnv is the version in which XTABLES_LOCKFILE was added to iptables.
	IptablesLockfileEnv = utilversion.MustParseGeneric("1.8.6")
)
var DryRunFilePath = env.Register("DRY_RUN_FILE_PATH", "", "If provided, StdoutStubDependencies will write the input from stdin to the given file.")
Functions ¶
This section is empty.
Types ¶
type Dependencies ¶
type Dependencies interface {
	// Run runs a command
	Run(log *istiolog.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) error
	// RunWithOutput runs a command and returns its output
	RunWithOutput(log *istiolog.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) (*bytes.Buffer, error)
	// RunQuietlyAndIgnore runs a command quietly and ignores errors
	RunQuietlyAndIgnore(log *istiolog.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string)
	// DetectIptablesVersion consults the available binaries and in-use tables to determine
	// which iptables variant (legacy, nft, v6, v4) we should use in the current context.
	DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)
}
Dependencies is the abstraction over the operating-system commands this package invokes.
type DependenciesStub ¶
type DependenciesStub struct {
	ExecutedNormally []string
	ExecutedQuietly  []string
	ExecutedStdin    []string
	ExecutedAll      []string
}
TODO BML replace DIY mocks/state with something better
func (*DependenciesStub) DetectIptablesVersion ¶
func (s *DependenciesStub) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)
func (*DependenciesStub) Run ¶
func (s *DependenciesStub) Run(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) error
func (*DependenciesStub) RunQuietlyAndIgnore ¶
func (s *DependenciesStub) RunQuietlyAndIgnore(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
)
func (*DependenciesStub) RunWithOutput ¶
func (s *DependenciesStub) RunWithOutput(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
) (*bytes.Buffer, error)
type IptablesVersion ¶
type IptablesVersion struct {
	DetectedBinary        string
	DetectedSaveBinary    string
	DetectedRestoreBinary string
	// the actual version
	Version *utilversion.Version
	// true if legacy mode, false if nf_tables
	Legacy bool
	// true if we detected that existing rules are present for this variant (legacy, nft, v6)
	ExistingRules bool
}
func (IptablesVersion) CmdToString ¶
func (v IptablesVersion) CmdToString(cmd constants.IptablesCmd) string
func (IptablesVersion) IsWriteCmd ¶
func (v IptablesVersion) IsWriteCmd(cmd constants.IptablesCmd) bool
IsWriteCmd returns true for all command types that do write actions (and thus need a lock)
func (IptablesVersion) NoLocks ¶
func (v IptablesVersion) NoLocks() bool
NoLocks returns true if this version does not use or support locks
type RealDependencies ¶
type RealDependencies struct {
	NetworkNamespace string
	// Should generally be set to true anytime we are "jumping" from a shared iptables
	// context (the node, an agent container) into a pod to do iptables stuff,
	// as it's faster and reduces contention for legacy iptables versions that use file-based locking.
	UsePodScopedXtablesLock bool
}
RealDependencies is the implementation of the Dependencies interface that is used in production.
func (*RealDependencies) DetectIptablesVersion ¶
func (r *RealDependencies) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)
It is not sufficient to check for the presence of one binary or the other in $PATH - we must choose a binary that:
1. Is available in our $PATH
2. Matches where rules are actually defined in the netns we're operating in (legacy or nft, with a preference for the latter if both are present)
This is designed to handle situations where, for instance, the host has nft-defined rules, and our default container binary is `legacy`, or vice-versa - we must match the binaries we have in our $PATH to what rules are actually defined in our current netns context.
Q: Why not simply "use the host default binary" at $PATH/iptables? A: Because we are running in our own container and do not have access to the host default binary. We are using our local binaries to update host rules, and we must pick the right match.
Basic selection logic is as follows:
1. See if we have the `nft` binary set in our $PATH
2. See if we have existing rules in `nft` in our netns
3. If so, use the `nft` binary set
4. Otherwise, see if we have the `legacy` binary set, and use that
5. Otherwise, see if we have the `iptables` binary set, and use that (detecting whether it's nft or legacy)
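The selection steps above, together with the IptablesRestoreLocking version gate from the Variables section, as an added stand-alone example; this is not the package's own code. It assumes the variant binaries appear in $PATH as `iptables-nft`, `iptables-legacy` and `iptables`, and that the `--version` banner supplied in the constructed Probe belongs to the binary that ends up chosen.

```go
package main

import (
	"fmt"
	"strings"
)

// Probe is a constructed stand-in (assumption) for the real $PATH lookups,
// netns rule checks and "--version" banner read.
type Probe struct {
	InPath      map[string]bool
	NftRules    bool   // nft-defined rules already present in this netns
	LegacyRules bool   // legacy-defined rules already present in this netns
	VersionLine string // e.g. "iptables v1.8.7 (nf_tables)"
}

type Selection struct {
	Binary        string
	Version       [3]int // major, minor, patch parsed from the banner
	Legacy        bool
	ExistingRules bool
}

// selectBinary applies the documented five steps literally: nft only when both
// the binary and nft rules exist, then legacy, then plain iptables, whose
// variant is read from its banner.
func selectBinary(p Probe) (Selection, error) {
	var ver [3]int
	fmt.Sscanf(p.VersionLine, "iptables v%d.%d.%d", &ver[0], &ver[1], &ver[2])
	switch {
	case p.InPath["iptables-nft"] && p.NftRules:
		return Selection{"iptables-nft", ver, false, true}, nil
	case p.InPath["iptables-legacy"]:
		return Selection{"iptables-legacy", ver, true, p.LegacyRules}, nil
	case p.InPath["iptables"]:
		legacy := !strings.Contains(p.VersionLine, "nf_tables")
		return Selection{"iptables", ver, legacy, legacy && p.LegacyRules || !legacy && p.NftRules}, nil
	}
	return Selection{}, fmt.Errorf("no usable iptables binary in $PATH")
}

// restoreArgs mirrors the IptablesRestoreLocking gate (1.6.2): iptables-restore
// only accepts the -w lock flag from that version on, so older binaries get none.
func restoreArgs(s Selection) []string {
	args := []string{"--noflush"}
	if v := s.Version; v[0] > 1 || v[0] == 1 && (v[1] > 6 || v[1] == 6 && v[2] >= 2) {
		args = append(args, "-w")
	}
	return args
}
```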
func (*RealDependencies) Run ¶
func (r *RealDependencies) Run(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
) error
Run runs a command
func (*RealDependencies) RunQuietlyAndIgnore ¶
func (r *RealDependencies) RunQuietlyAndIgnore(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
)
RunQuietlyAndIgnore runs a command quietly and ignores errors
func (*RealDependencies) RunWithOutput ¶
func (r *RealDependencies) RunWithOutput(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
) (*bytes.Buffer, error)
RunWithOutput runs a command and returns its stdout
type XTablesExittype ¶
type XTablesExittype int
XTablesExittype is the exit type of xtables commands.
const (
	// XTablesOtherProblem indicates a problem of other type in xtables
	XTablesOtherProblem XTablesExittype = iota + 1
	// XTablesParameterProblem indicates a parameter problem in xtables
	XTablesParameterProblem
	// XTablesVersionProblem indicates a version problem in xtables
	XTablesVersionProblem
	// XTablesResourceProblem indicates a resource problem in xtables
	XTablesResourceProblem
)
Learned from `xtables_exittype` in iptables. `XTF_ONLY_ONCE`, `XTF_NO_INVERT`, `XTF_BAD_VALUE` and `XTF_ONE_ACTION` all eventually turn out to be a parameter problem with an explicit error message, so we do not need to support them here.