trireme-lib: Index | Files

package iptablesctrl

import ""


Package Files

acls.go comparators.go instance.go ipsets.go iptables.go ipv4.go ipv6.go legacyacls.go portset.go rules.go templates.go


const (

    // TriremeInput represent the chain that contains pu input rules.
    TriremeInput = chainPrefix + "Pid-Net"
    // TriremeOutput represent the chain that contains pu output rules.
    TriremeOutput = chainPrefix + "Pid-App"

    // NetworkSvcInput represent the chain that contains NetworkSvc input rules.
    NetworkSvcInput = chainPrefix + "Svc-Net"

    // NetworkSvcOutput represent the chain that contains NetworkSvc output rules.
    NetworkSvcOutput = chainPrefix + "Svc-App"

    // HostModeInput represent the chain that contains Hostmode input rules.
    HostModeInput = chainPrefix + "Hst-Net"

    // HostModeOutput represent the chain that contains Hostmode output rules.
    HostModeOutput = chainPrefix + "Hst-App"
const (

    // IPv4DefaultIP is the default ip address of ipv4 subnets
    IPv4DefaultIP = ""
const (

    // IPv6DefaultIP is the default IP subnet of ipv6
    IPv6DefaultIP = "::/0"

type ACLInfo Uses

type ACLInfo struct {
    ContextID string
    PUType    common.PUType

    // Tables
    MangleTable string
    NatTable    string

    // Chains
    MainAppChain        string
    MainNetChain        string
    HostInput           string
    HostOutput          string
    NetworkSvcInput     string
    NetworkSvcOutput    string
    TriremeInput        string
    TriremeOutput       string
    UIDInput            string
    UIDOutput           string
    NatProxyNetChain    string
    NatProxyAppChain    string
    MangleProxyNetChain string
    MangleProxyAppChain string
    PreRouting          string

    AppChain   string
    NetChain   string
    AppSection string
    NetSection string

    // common info
    DefaultConnmark       string
    QueueBalanceAppSyn    string
    QueueBalanceAppSynAck string
    QueueBalanceAppAck    string
    QueueBalanceNetSyn    string
    QueueBalanceNetSynAck string
    QueueBalanceNetAck    string
    InitialMarkVal        string
    RawSocketMark         string
    TargetTCPNetSet       string
    TargetUDPNetSet       string
    ExclusionsSet         string

    // IPv4 IPv6
    DefaultIP string

    // UDP rules
    Numpackets   string
    InitialCount string
    UDPSignature string

    // Linux PUs
    TCPPorts   string
    UDPPorts   string
    TCPPortSet string

    // ProxyRules
    DestIPSet    string
    SrvIPSet     string
    ProxyPort    string
    DNSProxyPort string
    DNSServerIP  string
    CgroupMark   string
    ProxyMark    string
    ProxySetName string

    // UID PUs
    Mark    string
    UID     string
    PortSet string

    NFLOGPrefix            string
    NFLOGAcceptPrefix      string
    DefaultNFLOGDropPrefix string
    // contains filtered or unexported fields

ACLInfo keeps track of all information to create ACLs

type IPImpl Uses

type IPImpl interface {
    GetIPSetPrefix() string
    GetIPSetParam() *ipset.Params
    ProtocolAllowed(proto string) bool
    IPFilter() func(net.IP) bool
    GetDefaultIP() string
    NeedICMP() bool

IPImpl interface is to be used by the iptable implentors like ipv4 and ipv6.

func GetIPv4Impl Uses

func GetIPv4Impl() (IPImpl, error)

GetIPv4Impl creates the instance of ipv4 struct which implements the interface ipImpl

func GetIPv6Impl Uses

func GetIPv6Impl() (IPImpl, error)

GetIPv6Impl creates the instance of ipv6 struct which implements the interface ipImpl

type Instance Uses

type Instance struct {
    // contains filtered or unexported fields

Instance is the structure holding the ipv4 and ipv6 handles

func GetInstance Uses

func GetInstance() *Instance

GetInstance returns the instance of the iptables object.

func NewInstance Uses

func NewInstance(fqc *fqconfig.FilterQueue, mode constants.ModeType) (*Instance, error)

NewInstance creates a new iptables controller instance

func (*Instance) ACLProvider Uses

func (i *Instance) ACLProvider() []provider.IptablesProvider

ACLProvider returns the current ACL provider that can be re-used by other entities.

func (*Instance) AddPortToPortSet Uses

func (i *Instance) AddPortToPortSet(contextID string, port string) error

AddPortToPortSet adds ports to the portsets

func (*Instance) CleanUp Uses

func (i *Instance) CleanUp() error

CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.

func (*Instance) ConfigureRules Uses

func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error

ConfigureRules implments the ConfigureRules interface. It will create the port sets and then it will call install rules to create all the ACLs for the given chains. PortSets are only created here. Updates will use the exact same logic.

func (*Instance) DeletePortFromPortSet Uses

func (i *Instance) DeletePortFromPortSet(contextID string, port string) error

DeletePortFromPortSet deletes ports from port sets

func (*Instance) DeleteRules Uses

func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, proxyPort string, dnsProxyPort string, puType common.PUType) error

DeleteRules implements the DeleteRules interface. This is responsible for cleaning all ACLs and associated chains, as well as ll the sets that we have created. Note, that this only clears up the state for a given processing unit.

func (*Instance) Run Uses

func (i *Instance) Run(ctx context.Context) error

Run starts the iptables controller

func (*Instance) SetTargetNetworks Uses

func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error

SetTargetNetworks updates ths target networks. There are three different types of target networks:

- TCPTargetNetworks for TCP traffic (by default
- UDPTargetNetworks for UDP traffic (by default empty)
- ExcludedNetworks that are always ignored (by default empty)

func (*Instance) UpdateRules Uses

func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error

UpdateRules implements the update part of the interface. Update will call installrules to install the new rules and then it will delete the old rules. For installations that do not have latests iptables-restore we time the operations so that the switch is almost atomic, by creating the new rules first. For latest kernel versions iptables-restorce will update all the rules in one shot.

Package iptablesctrl imports 28 packages (graph) and is imported by 6 packages. Updated 2019-09-21. Refresh now. Tools for package owners.