iptables

package
Published: May 4, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Index

Constants

// Packet marks and masks used by the in-pod redirection rules.
// Each mark is always applied and matched together with its mask.
const (
	// InpodTProxyMark / InpodTProxyMask: mark pair for the TPROXY path
	// (presumably set by the in-pod rules and matched by the ip rule — confirm).
	InpodTProxyMark = 0x111
	InpodTProxyMask = 0xfff
	// InpodMark / InpodMask: mark pair for in-pod redirection. The mark value
	// must match the inpod config mark in ztunnel; changing one without the
	// other silently breaks redirection.
	InpodMark = 1337
	InpodMask = 0xfff
	// InpodRestoreMask covers the full 32-bit mark (presumably used when the
	// mark is restored from/saved to connmark — confirm against callers).
	InpodRestoreMask = 0xffffffff
)

// Chain names and routing table used by the rules this package installs.
const (
	ChainInpodOutput     = "ISTIO_OUTPUT"
	ChainInpodPrerouting = "ISTIO_PRERT"
	ChainHostPostrouting = "ISTIO_POSTRT"
	// RouteTableInbound is the policy-routing table number used for the
	// inbound/loopback routes (see AddLoopbackRoutes).
	RouteTableInbound = 100
)

// Ports and the ipset name referenced by the generated rules.
// Port semantics are inferred from their names — confirm against ztunnel's config.
const (
	DNSCapturePort              = 15053
	ZtunnelInboundPort          = 15008
	ZtunnelOutboundPort         = 15001
	ZtunnelInboundPlaintextPort = 15006
	ProbeIPSet                  = "istio-inpod-probes"
)

Variables

This section is empty.

Functions

func AddInpodMarkIPRule

func AddInpodMarkIPRule(cfg *Config) error

func AddLoopbackRoutes

func AddLoopbackRoutes(cfg *Config) error

func DelInpodMarkIPRule

func DelInpodMarkIPRule(cfg *Config) error

func DelLoopbackRoutes

func DelLoopbackRoutes(cfg *Config) error

Types

type Config

// Config holds the switches that select how the iptables rules are generated.
// The JSON tags are ALL_CAPS, environment-variable style names, so the struct
// is presumably populated from the CNI/agent configuration — confirm at the
// call site. Field meanings below are inferred from the names and tags.
type Config struct {
	// RestoreFormat: emit rules in iptables-restore format rather than one
	// iptables invocation per rule (inferred from name — confirm).
	RestoreFormat bool `json:"RESTORE_FORMAT"`
	// TraceLogging: add trace/logging rules for debugging (inferred — confirm).
	TraceLogging  bool `json:"IPTABLES_TRACE_LOGGING"`
	// EnableIPv6: also generate the IPv6 variants of the rules. Note the tag
	// is ENABLE_INBOUND_IPV6 while the field name is the more general EnableIPv6.
	EnableIPv6    bool `json:"ENABLE_INBOUND_IPV6"`
	// RedirectDNS: presumably also capture DNS traffic (see DNSCapturePort)
	// in addition to application traffic — confirm.
	RedirectDNS   bool `json:"REDIRECT_DNS"`
}

type IptablesConfigurator

type IptablesConfigurator struct {
	// contains filtered or unexported fields
}

func NewIptablesConfigurator

func NewIptablesConfigurator(cfg *Config, ext dep.Dependencies, nlDeps NetlinkDependencies) (*IptablesConfigurator, error)

func (*IptablesConfigurator) CreateHostRulesForHealthChecks

func (cfg *IptablesConfigurator) CreateHostRulesForHealthChecks(hostSNATIP, hostSNATIPV6 *netip.Addr) error

Sets up the iptables rules for the HOST network namespace. It is intended to be idempotent, so repeated calls should not install duplicate rules. NOTE that the caller is responsible for entering the HOST network namespace before calling this; it does not switch namespaces itself.

These rules are needed to distinguish between traffic that reaches the pod from different node-level processes via the node IP: (1) kubelet traffic (node-local health checks, which we deliberately do not capture, so probes keep working without going through the proxy), and (2) kube-proxy traffic (forwarded/proxied traffic from LoadBalancer-backed services, potentially originating from public IPs, which we must capture so that it cannot bypass ztunnel). The hostSNATIP/hostSNATIPV6 arguments supply the addresses the host-side rules SNAT to; they presumably need to agree with the hostProbeSNAT value passed to CreateInpodRules, and whether a nil IPv6 address is accepted is not shown here — confirm against the implementation.

func (*IptablesConfigurator) CreateInpodRules

func (cfg *IptablesConfigurator) CreateInpodRules(hostProbeSNAT *netip.Addr) error

Sets up the iptables rules for in-pod mode. It is intended to be idempotent, so repeated calls should not install duplicate rules. NOTE that the caller is responsible for entering the pod's network namespace before calling this; it does not switch namespaces itself. hostProbeSNAT is presumably the address that host-originated probe traffic is SNATed to (matching the value given to CreateHostRulesForHealthChecks) — confirm against the implementation.

func (*IptablesConfigurator) DeleteHostRules

func (cfg *IptablesConfigurator) DeleteHostRules()

func (*IptablesConfigurator) DeleteInpodRules

func (cfg *IptablesConfigurator) DeleteInpodRules() error

type NetlinkDependencies

// NetlinkDependencies abstracts the netlink (ip rule / ip route) operations
// that accompany the iptables rules so they can be substituted in tests.
// RealNlDeps presumably returns the production implementation and EmptyNlDeps
// a no-op one — confirm. The package-level functions of the same names
// provide the real implementations.
type NetlinkDependencies interface {
	// AddInpodMarkIPRule installs the policy-routing rule for marked packets
	// (presumably keyed on InpodMark/InpodMask — confirm).
	AddInpodMarkIPRule(cfg *Config) error
	// DelInpodMarkIPRule removes the rule installed by AddInpodMarkIPRule.
	DelInpodMarkIPRule(cfg *Config) error
	// AddLoopbackRoutes adds the loopback routes (presumably in RouteTableInbound — confirm).
	AddLoopbackRoutes(cfg *Config) error
	// DelLoopbackRoutes removes the routes added by AddLoopbackRoutes.
	DelLoopbackRoutes(cfg *Config) error
}

func EmptyNlDeps

func EmptyNlDeps() NetlinkDependencies

func RealNlDeps

func RealNlDeps() NetlinkDependencies
