iptables

package

v1.15.4 Latest Latest Go to latest Published: Apr 11, 2024 License: Apache-2.0 Imports: 36 Imported by: 7

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Open Source Insights

Documentation ¶

Rendered for

Overview ¶

Package iptables manages iptables-related configuration for Cilium.

Index ¶

Constants
Variables
type Config
- func (def Config) Flags(flags *pflag.FlagSet)
type Manager
type SharedConfig

Constants ¶

View Source

const (
	CiliumNodeIpsetV4 = "cilium_node_set_v4"
	CiliumNodeIpsetV6 = "cilium_node_set_v6"
)

Variables ¶

View Source

var Cell = cell.Module(
	"iptables",
	"Handle iptables-related configuration for Cilium",

	cell.Config(defaultConfig),
	cell.ProvidePrivate(func(
		cfg *option.DaemonConfig,
	) SharedConfig {
		return SharedConfig{
			TunnelingEnabled:                cfg.TunnelingEnabled(),
			NodeIpsetNeeded:                 cfg.NodeIpsetNeeded(),
			Devices:                         cfg.GetDevices(),
			IptablesMasqueradingIPv4Enabled: cfg.IptablesMasqueradingIPv4Enabled(),
			IptablesMasqueradingIPv6Enabled: cfg.IptablesMasqueradingIPv6Enabled(),
			IPv4NativeRoutingCIDR:           cfg.GetIPv4NativeRoutingCIDR(),

			EnableIPv4:                  cfg.EnableIPv4,
			EnableIPv6:                  cfg.EnableIPv6,
			EnableXTSocketFallback:      cfg.EnableXTSocketFallback,
			EnableBPFTProxy:             cfg.EnableBPFTProxy,
			InstallNoConntrackIptRules:  cfg.InstallNoConntrackIptRules,
			EnableEndpointRoutes:        cfg.EnableEndpointRoutes,
			IPAM:                        cfg.IPAM,
			EnableIPSec:                 cfg.EnableIPSec,
			MasqueradeInterfaces:        cfg.MasqueradeInterfaces,
			EnableMasqueradeRouteSource: cfg.EnableMasqueradeRouteSource,
			EnableL7Proxy:               cfg.EnableL7Proxy,
		}
	}),
	cell.Provide(newIptablesManager),
)

Functions ¶

This section is empty.

Types ¶

type Config ¶ added in v1.15.0

type Config struct {
	// IPTablesLockTimeout defines the "-w" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	IPTablesLockTimeout time.Duration

	// DisableIptablesFeederRules specifies which chains will be excluded
	// when installing the feeder rules
	DisableIptablesFeederRules []string

	// IPTablesRandomFully defines the "--random-fully" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	IPTablesRandomFully bool

	// PrependIptablesChains, when enabled, prepends custom iptables chains instead of appending.
	PrependIptablesChains bool
}

func (Config) Flags ¶ added in v1.15.0

func (def Config) Flags(flags *pflag.FlagSet)

type Manager ¶ added in v1.15.0

type Manager struct {

	// This lock ensures there are no concurrent executions of the InstallRules() and
	// InstallProxyRules() methods, as otherwise we may end up with errors (as rules may have
	// been already removed or installed by a different execution of the method) or with an
	// inconsistent ruleset
	lock.Mutex
	// contains filtered or unexported fields
}

Manager manages the iptables-related configuration for Cilium.

func (*Manager) AddToNodeIpset ¶ added in v1.15.0

func (m *Manager) AddToNodeIpset(nodeIP net.IP)

AddToNodeIpset adds an IP address to the ipset for cluster nodes. It creates the ipset if it doesn't already exist and doesn't error if either the ipset or the IP already exist.

func (*Manager) DisableIPEarlyDemux ¶ added in v1.15.2

func (m *Manager) DisableIPEarlyDemux()

func (*Manager) GetProxyPort ¶ added in v1.15.0

func (m *Manager) GetProxyPort(name string) uint16

GetProxyPort finds a proxy port used for redirect 'name' installed earlier with InstallProxyRules. By convention "ingress" or "egress" is part of 'name' so it does not need to be specified explicitly. Returns 0 a TPROXY entry with 'name' can not be found.

func (*Manager) InstallNoTrackRules ¶ added in v1.15.0

func (m *Manager) InstallNoTrackRules(IP string, port uint16, ipv6 bool) error

InstallNoTrackRules is explicitly called when a pod has valid "policy.cilium.io/no-track-port" annotation. When InstallNoConntrackIptRules flag is set, a super set of v4 NOTRACK rules will be automatically installed upon agent bootstrap (via function addNoTrackPodTrafficRules) and this function will be skipped. When InstallNoConntrackIptRules is not set, this function will be executed to install NOTRACK rules. The rules installed by this function is very specific, for now, the only user is node-local-dns pods.

func (*Manager) InstallProxyRules ¶ added in v1.15.0

func (m *Manager) InstallProxyRules(ctx context.Context, proxyPort uint16, ingress, localOnly bool, name string) error

func (*Manager) InstallRules ¶ added in v1.15.0

func (m *Manager) InstallRules(ctx context.Context, ifName string, firstInitialization, install bool) error

InstallRules installs iptables rules for Cilium in specific use-cases (most specifically, interaction with kube-proxy).

func (*Manager) RemoveFromNodeIpset ¶ added in v1.15.0

func (m *Manager) RemoveFromNodeIpset(nodeIP net.IP)

RemoveFromBodeIpset removes an IP address from the ipset for cluster nodes.

func (*Manager) RemoveNoTrackRules ¶ added in v1.15.0

func (m *Manager) RemoveNoTrackRules(IP string, port uint16, ipv6 bool) error

See comments for InstallNoTrackRules.

func (*Manager) Start ¶ added in v1.15.0

func (m *Manager) Start(ctx cell.HookContext) error

Start initializes the iptables manager and checks for iptables kernel modules availability.

func (*Manager) Stop ¶ added in v1.15.0

func (m *Manager) Stop(ctx cell.HookContext) error

func (*Manager) SupportsOriginalSourceAddr ¶ added in v1.15.0

func (m *Manager) SupportsOriginalSourceAddr() bool

SupportsOriginalSourceAddr tells if an L7 proxy can use POD's original source address and port in the upstream connection to allow the destination to properly derive the source security ID from the source IP address.

type SharedConfig ¶ added in v1.15.0

type SharedConfig struct {
	TunnelingEnabled                bool
	NodeIpsetNeeded                 bool
	Devices                         []string
	IptablesMasqueradingIPv4Enabled bool
	IptablesMasqueradingIPv6Enabled bool
	IPv4NativeRoutingCIDR           *cidr.CIDR

	EnableIPv4                  bool
	EnableIPv6                  bool
	EnableXTSocketFallback      bool
	EnableBPFTProxy             bool
	InstallNoConntrackIptRules  bool
	EnableEndpointRoutes        bool
	IPAM                        string
	EnableIPSec                 bool
	MasqueradeInterfaces        []string
	EnableMasqueradeRouteSource bool
	EnableL7Proxy               bool
}

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL