iptables

package
v0.0.0-...-0200fd0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 21, 2025 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// INPOD marks/masks
	InpodTProxyMark      = 0x111
	InpodTProxyMask      = 0xfff
	InpodMark            = 1337 // this needs to match the inpod config mark in ztunnel.
	InpodMask            = 0xfff
	InpodRestoreMask     = 0xffffffff
	ChainInpodOutput     = "ISTIO_OUTPUT"
	ChainInpodPrerouting = "ISTIO_PRERT"
	ChainHostPostrouting = "ISTIO_POSTRT"
	RouteTableInbound    = 100

	DNSCapturePort              = 15053
	ZtunnelInboundPort          = 15008
	ZtunnelOutboundPort         = 15001
	ZtunnelInboundPlaintextPort = 15006
	ProbeIPSet                  = "istio-inpod-probes"
)

Variables

This section is empty.

Functions

func AddInpodMarkIPRule

func AddInpodMarkIPRule(cfg *IptablesConfig) error

func AddLoopbackRoutes

func AddLoopbackRoutes(cfg *IptablesConfig) error

func DelInpodMarkIPRule

func DelInpodMarkIPRule(cfg *IptablesConfig) error

func DelLoopbackRoutes

func DelLoopbackRoutes(cfg *IptablesConfig) error

func NewIptablesConfigurator

func NewIptablesConfigurator(
	hostCfg *IptablesConfig,
	podCfg *IptablesConfig,
	hostDeps dep.Dependencies,
	podDeps dep.Dependencies,
	nlDeps NetlinkDependencies,
) (*IptablesConfigurator, *IptablesConfigurator, error)

func ReadSysctl

func ReadSysctl(key string) (string, error)

Types

type IptablesConfig

type IptablesConfig struct {
	TraceLogging           bool       `json:"IPTABLES_TRACE_LOGGING"`
	EnableIPv6             bool       `json:"ENABLE_INBOUND_IPV6"`
	RedirectDNS            bool       `json:"REDIRECT_DNS"`
	HostProbeSNATAddress   netip.Addr `json:"HOST_PROBE_SNAT_ADDRESS"`
	HostProbeV6SNATAddress netip.Addr `json:"HOST_PROBE_V6_SNAT_ADDRESS"`
	Reconcile              bool       `json:"RECONCILE"`
	CleanupOnly            bool       `json:"CLEANUP_ONLY"`
	ForceApply             bool       `json:"FORCE_APPLY"`
}

"global"/per-instance IptablesConfig

type IptablesConfigurator

type IptablesConfigurator struct {
	// contains filtered or unexported fields
}

func (*IptablesConfigurator) AppendHostRules

func (cfg *IptablesConfigurator) AppendHostRules() *builder.IptablesRuleBuilder

func (*IptablesConfigurator) AppendInpodRules

func (cfg *IptablesConfigurator) AppendInpodRules(podOverrides PodLevelOverrides) *builder.IptablesRuleBuilder

func (*IptablesConfigurator) CreateHostRulesForHealthChecks

func (cfg *IptablesConfigurator) CreateHostRulesForHealthChecks() error

Setup iptables rules for HOST netnamespace. Ideally this should be an idempotent function. NOTE that this expects to be run from within the HOST network namespace!

We need to do this specifically to be able to distinguish between traffic coming from different node-level processes via the nodeIP - kubelet (node-local healthchecks, which we do not capture) - kube-proxy (fowarded/proxied traffic from LoadBalancer-backed services, potentially with public IPs, which we must capture)

func (*IptablesConfigurator) CreateInpodRules

func (cfg *IptablesConfigurator) CreateInpodRules(log *istiolog.Scope, podOverrides PodLevelOverrides) error

Setup iptables rules for in-pod mode. Ideally this should be an idempotent function. NOTE that this expects to be run from within the pod network namespace!

func (*IptablesConfigurator) DeleteHostRules

func (cfg *IptablesConfigurator) DeleteHostRules()

func (*IptablesConfigurator) DeleteInpodRules

func (cfg *IptablesConfigurator) DeleteInpodRules(log *istiolog.Scope) error

type NetlinkDependencies

type NetlinkDependencies interface {
	AddInpodMarkIPRule(cfg *IptablesConfig) error
	DelInpodMarkIPRule(cfg *IptablesConfig) error
	AddLoopbackRoutes(cfg *IptablesConfig) error
	DelLoopbackRoutes(cfg *IptablesConfig) error
}

func EmptyNlDeps

func EmptyNlDeps() NetlinkDependencies

func RealNlDeps

func RealNlDeps() NetlinkDependencies

type PodLevelOverrides

type PodLevelOverrides struct {
	VirtualInterfaces []string
	IngressMode       bool
}

For inpod rules, any runtime/dynamic pod-level config overrides that may need to be taken into account when injecting pod rules

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL