
package iptablesctrl

import "go.aporeto.io/trireme-lib/controller/internal/supervisor/iptablesctrl"


Package Files

acls.go acls_nonwindows.go comparators.go constants_nonwindows.go instance.go ipsets.go iptables.go ipv4.go ipv6.go ipv6_nonwindows.go legacyacls.go portset.go rules.go templates.go

Constants

const (

    // TriremeInput represents the chain that contains PU (processing unit) input rules.
    TriremeInput = chainPrefix + "Pid-Net"
    // TriremeOutput represents the chain that contains PU (processing unit) output rules.
    TriremeOutput = chainPrefix + "Pid-App"

    // NetworkSvcInput represents the chain that contains NetworkSvc input rules.
    NetworkSvcInput = chainPrefix + "Svc-Net"

    // NetworkSvcOutput represents the chain that contains NetworkSvc output rules.
    NetworkSvcOutput = chainPrefix + "Svc-App"

    // HostModeInput represents the chain that contains Hostmode input rules.
    HostModeInput = chainPrefix + "Hst-Net"

    // HostModeOutput represents the chain that contains Hostmode output rules.
    HostModeOutput = chainPrefix + "Hst-App"
)
const (

    // IPv4DefaultIP is the catch-all IPv4 subnet ("0.0.0.0/0"), i.e. the
    // prefix that matches every IPv4 address.
    IPv4DefaultIP = "0.0.0.0/0"
)
const (

    // IPv6DefaultIP is the catch-all IPv6 subnet ("::/0"), i.e. the prefix
    // that matches every IPv6 address.
    IPv6DefaultIP = "::/0"
)

type ACLInfo

// ACLInfo keeps track of all the information needed to create the ACLs of
// one processing unit (PU): the tables and chains to program, the marks,
// queues and ipsets referenced by the rules, and per-PU-type details.
// NOTE(review): these fields look like the values substituted into the
// iptables rule templates (templates.go) — confirm against that file.
type ACLInfo struct {
    ContextID string
    PUType    common.PUType

    // Tables
    MangleTable string
    NatTable    string

    // Chains
    MainAppChain        string
    MainNetChain        string
    BPFPath             string
    HostInput           string
    HostOutput          string
    NetworkSvcInput     string
    NetworkSvcOutput    string
    TriremeInput        string
    TriremeOutput       string
    UIDInput            string
    UIDOutput           string
    NatProxyNetChain    string
    NatProxyAppChain    string
    MangleProxyNetChain string
    MangleProxyAppChain string
    PreRouting          string

    AppChain   string
    NetChain   string
    AppSection string
    NetSection string

    // common info: connmarks, NFQUEUE balancing ranges and marks shared by
    // every rule set.
    DefaultConnmark         string
    DefaultExternalConnmark string
    QueueBalanceAppSyn      string
    QueueBalanceAppSynAck   string
    QueueBalanceAppAck      string
    QueueBalanceNetSyn      string
    QueueBalanceNetSynAck   string
    QueueBalanceNetAck      string

    InitialMarkVal  string
    RawSocketMark   string
    TargetTCPNetSet string
    TargetUDPNetSet string
    ExclusionsSet   string
    IpsetPrefix     string
    NetSynQueues    []uint32
    NetAckQueues    []uint32
    NetSynAckQueues []uint32
    AppSynQueues    []uint32
    AppSynAckQueues []uint32
    AppAckQueues    []uint32
    QueueMask       string
    MarkMask        string
    HMarkRandomSeed string
    // DefaultIP is the catch-all subnet of the address family being
    // programmed (presumably IPv4DefaultIP or IPv6DefaultIP — confirm).
    DefaultIP string

    IsLegacyKernel bool

    // UDP rules
    Numpackets   string
    InitialCount string
    UDPSignature string

    // Linux PUs
    TCPPorts   string
    UDPPorts   string
    TCPPortSet string

    // ProxyRules
    DestIPSet     string
    SrvIPSet      string
    ProxyPort     string
    DNSProxyPort  string
    DNSServerIP   string
    CgroupMark    string
    ProxyMark     string
    AuthPhaseMark string
    ProxySetName  string

    // UID PUs
    PacketMark             string
    Mark                   string
    UID                    string
    PortSet                string
    NFLOGPrefix            string
    NFLOGAcceptPrefix      string
    DefaultNFLOGDropPrefix string
    // contains filtered or unexported fields
}

ACLInfo keeps track of all the information needed to create ACLs.

type IPImpl

// IPImpl is the interface satisfied by the per-address-family iptables
// implementors (ipv4 and ipv6); instances are obtained through GetIPv4Impl
// and GetIPv6Impl. It embeds provider.IptablesProvider and adds the
// family-specific knobs below.
type IPImpl interface {
    provider.IptablesProvider
    // GetIPSetPrefix returns the prefix string used for this family's ipsets
    // (presumably what ends up in ACLInfo.IpsetPrefix — confirm).
    GetIPSetPrefix() string
    // IPsetVersion returns the ipset version the implementation targets.
    IPsetVersion() int
    // GetIPSetParam returns the parameters used when creating ipsets.
    GetIPSetParam() *ipset.Params
    // ProtocolAllowed reports whether the named protocol is supported by
    // this family's rule set.
    ProtocolAllowed(proto string) bool
    // IPFilter returns a predicate over net.IP; presumably it selects the
    // addresses that belong to this family — confirm against ipv4.go/ipv6.go.
    IPFilter() func(net.IP) bool
    // GetDefaultIP returns the family's catch-all subnet (presumably
    // IPv4DefaultIP or IPv6DefaultIP — confirm).
    GetDefaultIP() string
    // NeedICMP reports whether ICMP rules must be installed for this family.
    NeedICMP() bool
}

IPImpl is the interface to be satisfied by the iptables implementors, such as ipv4 and ipv6.

func GetIPv4Impl

func GetIPv4Impl() (IPImpl, error)

GetIPv4Impl creates the instance of the ipv4 struct, which implements the IPImpl interface.

func GetIPv6Impl

func GetIPv6Impl(ipv6Enabled bool) (IPImpl, error)

GetIPv6Impl creates the instance of the ipv6 struct, which implements the IPImpl interface.

type Instance

// Instance is the structure holding the ipv4 and ipv6 handles of the
// iptables controller; create it with NewInstance and retrieve it with
// GetInstance.
type Instance struct {
    // contains filtered or unexported fields
}

Instance is the structure holding the ipv4 and ipv6 handles

func GetInstance

func GetInstance() *Instance

GetInstance returns the instance of the iptables object.

func NewInstance

func NewInstance(fqc *fqconfig.FilterQueue, mode constants.ModeType, aclmanager ipsetmanager.ACLManager, ipv6Enabled bool, ebpf ebpf.BPFModule) (*Instance, error)

NewInstance creates a new iptables controller instance

func (*Instance) ACLProvider

func (i *Instance) ACLProvider() []provider.IptablesProvider

ACLProvider returns the current ACL provider that can be re-used by other entities.

func (*Instance) AddPortToPortSet

func (i *Instance) AddPortToPortSet(contextID string, port string) error

AddPortToPortSet adds the given port to the port set of the given context.

func (*Instance) CleanUp

func (i *Instance) CleanUp() error

CleanUp requires the implementor to clean up all ACLs and destroy all the IP sets.

func (*Instance) ConfigureRules

func (i *Instance) ConfigureRules(version int, contextID string, pu *policy.PUInfo) error

ConfigureRules implements the ConfigureRules interface. It creates the port sets and then calls install rules to create all the ACLs for the given chains. Port sets are only created here; updates use the exact same logic.

func (*Instance) DeletePortFromPortSet

func (i *Instance) DeletePortFromPortSet(contextID string, port string) error

DeletePortFromPortSet deletes the given port from the port set of the given context.

func (*Instance) DeleteRules

func (i *Instance) DeleteRules(version int, contextID string, tcpPorts, udpPorts string, mark string, username string, containerInfo *policy.PUInfo) error

DeleteRules implements the DeleteRules interface. It is responsible for cleaning up all ACLs and associated chains, as well as all the sets that we have created. Note that this only clears the state for a given processing unit.

func (*Instance) Run

func (i *Instance) Run(ctx context.Context) error

Run starts the iptables controller

func (*Instance) SetTargetNetworks

func (i *Instance) SetTargetNetworks(c *runtime.Configuration) error

SetTargetNetworks updates the target networks. There are three different types of target networks:

- TCPTargetNetworks for TCP traffic (by default 0.0.0.0/0)
- UDPTargetNetworks for UDP traffic (by default empty)
- ExcludedNetworks, which are always excluded from enforcement (by default empty)

func (*Instance) UpdateRules

func (i *Instance) UpdateRules(version int, contextID string, containerInfo *policy.PUInfo, oldContainerInfo *policy.PUInfo) error

UpdateRules implements the update part of the interface. Update calls installrules to install the new rules and then deletes the old rules. For installations that do not have the latest iptables-restore, we order the operations so that the switch is almost atomic, by creating the new rules first. For the latest kernel versions, iptables-restore updates all the rules in one shot.
