dependencies

package
v0.0.0-...-0851711 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 9, 2025 License: Apache-2.0 Imports: 16 Imported by: 12

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// IptablesRestoreLocking is the version where locking and -w is added to iptables-restore
	IptablesRestoreLocking = utilversion.MustParseGeneric("1.6.2")
	// IptablesLockfileEnv is the version where XTABLES_LOCKFILE is added to iptables.
	IptablesLockfileEnv = utilversion.MustParseGeneric("1.8.6")
)
View Source
var DryRunFilePath = env.Register("DRY_RUN_FILE_PATH", "", "If provided, StdoutStubDependencies will write the input from stdin to the given file.")

Functions

This section is empty.

Types

type Dependencies

type Dependencies interface {
	// Run runs a command
	Run(log *istiolog.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) error

	// Run runs a command and get the output
	RunWithOutput(log *istiolog.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) (*bytes.Buffer, error)

	// RunQuietlyAndIgnore runs a command quietly and ignores errors
	RunQuietlyAndIgnore(log *istiolog.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string)

	// DetectIptablesVersion consults the available binaries and in-use tables to determine
	// which iptables variant (legacy, nft, v6, v4) we should use in the current context.
	DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)
}

Dependencies is used as abstraction for the commands used from the operating system

type DependenciesStub

type DependenciesStub struct {
	ExecutedNormally []string
	ExecutedQuietly  []string
	ExecutedStdin    []string
	ExecutedAll      []string
}

TODO BML replace DIY mocks/state with something better

func (*DependenciesStub) DetectIptablesVersion

func (s *DependenciesStub) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)

func (*DependenciesStub) Run

func (s *DependenciesStub) Run(logger *log.Scope, cmd constants.IptablesCmd, iptVer *IptablesVersion, stdin io.ReadSeeker, args ...string) error

func (*DependenciesStub) RunQuietlyAndIgnore

func (s *DependenciesStub) RunQuietlyAndIgnore(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
)

func (*DependenciesStub) RunWithOutput

func (s *DependenciesStub) RunWithOutput(
	ogger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
) (*bytes.Buffer, error)

type IptablesVersion

type IptablesVersion struct {
	DetectedBinary        string
	DetectedSaveBinary    string
	DetectedRestoreBinary string
	// the actual version
	Version *utilversion.Version
	// true if legacy mode, false if nf_tables
	Legacy bool
	// true if we detected that existing rules are present for this variant (legacy, nft, v6)
	ExistingRules bool
}

func (IptablesVersion) CmdToString

func (v IptablesVersion) CmdToString(cmd constants.IptablesCmd) string

func (IptablesVersion) IsWriteCmd

func (v IptablesVersion) IsWriteCmd(cmd constants.IptablesCmd) bool

IsWriteCmd returns true for all command types that do write actions (and thus need a lock)

func (IptablesVersion) NoLocks

func (v IptablesVersion) NoLocks() bool

NoLocks returns true if this version does not use or support locks

type RealDependencies

type RealDependencies struct {
	NetworkNamespace string
	// Should generally be set to true anytime we are "jumping" from a shared iptables
	// context (the node, an agent container) into a pod to do iptables stuff,
	// as it's faster and reduces contention for legacy iptables versions that use file-based locking.
	UsePodScopedXtablesLock bool
}

RealDependencies implementation of interface Dependencies, which is used in production

func (*RealDependencies) DetectIptablesVersion

func (r *RealDependencies) DetectIptablesVersion(ipV6 bool) (IptablesVersion, error)

It is not sufficient to check for the presence of one binary or the other in $PATH - we must choose a binary that is 1. Available in our $PATH 2. Matches where rules are actually defined in the netns we're operating in (legacy or nft, with a preference for the latter if both present)

This is designed to handle situations where, for instance, the host has nft-defined rules, and our default container binary is `legacy`, or vice-versa - we must match the binaries we have in our $PATH to what rules are actually defined in our current netns context.

Q: Why not simply "use the host default binary" at $PATH/iptables? A: Because we are running in our own container and do not have access to the host default binary. We are using our local binaries to update host rules, and we must pick the right match.

Basic selection logic is as follows: 1. see if we have `nft` binary set in our $PATH 2. see if we have existing rules in `nft` in our netns 3. If so, use `nft` binary set 4. Otherwise, see if we have `legacy` binary set, and use that. 5. Otherwise, see if we have `iptables` binary set, and use that (detecting whether it's nft or legacy).

func (*RealDependencies) Run

func (r *RealDependencies) Run(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
) error

Run runs a command

func (*RealDependencies) RunQuietlyAndIgnore

func (r *RealDependencies) RunQuietlyAndIgnore(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
)

RunQuietlyAndIgnore runs a command quietly and ignores errors

func (*RealDependencies) RunWithOutput

func (r *RealDependencies) RunWithOutput(
	logger *log.Scope,
	cmd constants.IptablesCmd,
	iptVer *IptablesVersion,
	stdin io.ReadSeeker,
	args ...string,
) (*bytes.Buffer, error)

Run runs a command and returns stdout

type XTablesExittype

type XTablesExittype int

XTablesExittype is the exit type of xtables commands.

const (
	// XTablesOtherProblem indicates a problem of other type in xtables
	XTablesOtherProblem XTablesExittype = iota + 1
	// XTablesParameterProblem indicates a parameter problem in xtables
	XTablesParameterProblem
	// XTablesVersionProblem indicates a version problem in xtables
	XTablesVersionProblem
	// XTablesResourceProblem indicates a resource problem in xtables
	XTablesResourceProblem
)

Learn from `xtables_exittype` of iptables. `XTF_ONLY_ONCE`, `XTF_NO_INVERT`, `XTF_BAD_VALUE`, `XTF_ONE_ACTION` will eventually turned out to be a parameter problem with explicit error message. Thus, we do not need to support them here.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL