Documentation
Constants

const (
	// ProxyInboundChain is the chain to intercept inbound traffic.
	ProxyInboundChain = "CONSUL_PROXY_INBOUND"
	// ProxyInboundRedirectChain is the chain to redirect inbound traffic to the proxy.
	ProxyInboundRedirectChain = "CONSUL_PROXY_IN_REDIRECT"
	// ProxyOutputChain is the chain to intercept outbound traffic.
	ProxyOutputChain = "CONSUL_PROXY_OUTPUT"
	// ProxyOutputRedirectChain is the chain to redirect outbound traffic to the proxy.
	ProxyOutputRedirectChain = "CONSUL_PROXY_REDIRECT"
	// DNSChain is the chain to redirect outbound DNS traffic to Consul DNS.
	DNSChain = "CONSUL_DNS_REDIRECT"

	DefaultTProxyOutboundPort = 15001
)
Variables
This section is empty.
Functions

func Setup
Setup will set up iptables interception and redirection rules based on the configuration provided in cfg.
func SetupWithAdditionalRules (added in v0.16.0)
func SetupWithAdditionalRules(cfg Config, additionalRulesFn AdditionalRulesFn) error
SetupWithAdditionalRules will set up iptables interception and redirection rules based on the configuration provided in cfg. The additionalRulesFn will be applied after the normal set of rules. This implementation was inspired by https://github.com/openservicemesh/osm/blob/650a1a1dcf081ae90825f3b5dba6f30a0e532725/pkg/injector/iptables.go
Types

type AdditionalRulesFn (added in v0.16.0)
type AdditionalRulesFn func(iptablesProvider Provider)
AdditionalRulesFn can be implemented by the caller to add environment-specific rules (for example, for ECS) that need to be executed for traffic redirection to work properly.
It is called by the Setup function after all the first-class iptables rules have been added. The implemented function should only call the `AddRule` method and, optionally, the `Rules` method of the provider.
type Config

type Config struct {
	// ConsulDNSIP is the IP for Consul DNS to direct DNS queries to.
	ConsulDNSIP string
	// ConsulDNSPort is the port for Consul DNS to direct DNS queries to.
	ConsulDNSPort int
	// ProxyUserID is the user ID of the proxy process.
	ProxyUserID string
	// ProxyInboundPort is the port of the proxy's inbound listener.
	ProxyInboundPort int
	// ProxyOutboundPort is the port of the proxy's outbound listener.
	ProxyOutboundPort int
	// ExcludeInboundPorts is the list of ports that should be excluded
	// from inbound traffic redirection.
	ExcludeInboundPorts []string
	// ExcludeOutboundPorts is the list of ports that should be excluded
	// from outbound traffic redirection.
	ExcludeOutboundPorts []string
	// ExcludeOutboundCIDRs is the list of IP CIDRs that should be excluded
	// from outbound traffic redirection.
	ExcludeOutboundCIDRs []string
	// ExcludeUIDs is the list of additional user IDs to exclude
	// from traffic redirection.
	ExcludeUIDs []string
	// NetNS is the network namespace where the traffic redirection rules
	// should be applied. This must be a path to the network namespace,
	// e.g. /var/run/netns/foo.
	NetNS string
	// IptablesProvider is the Provider that will apply iptables rules.
	IptablesProvider Provider
}
Config is used to configure which traffic interception and redirection rules should be applied with the iptables commands.
type Provider

type Provider interface {
	// AddRule adds a rule without executing it.
	AddRule(name string, args ...string)
	// ApplyRules executes rules that have been added via AddRule.
	// This operation is currently not atomic, and if there's an error applying rules,
	// you may be left in a state where partial rules were applied.
	// ApplyRules should not be called twice on the same instance in order to avoid
	// duplicate rule application.
	ApplyRules() error
	// Rules returns the list of rules that have been added (including those not yet
	// applied).
	Rules() []string
}
Provider is an interface for executing iptables rules.
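An added example (not code from the consul SDK) showing how the AdditionalRulesFn and Provider types above fit together: a recording Provider that stands in for real iptables execution and enforces the "do not call ApplyRules twice" caveat, plus a hypothetical callback that uses only AddRule and Rules. The Provider and AdditionalRulesFn types are redefined here to match the page so the example compiles stand-alone; the base rules in setup are a constructed minimal subset, not the SDK's full rule set.

```go
package main

import (
	"errors"
	"strings"
)

// Provider and AdditionalRulesFn mirror the types documented on this page, redefined so this compiles stand-alone.
type Provider interface {
	AddRule(name string, args ...string)
	ApplyRules() error
	Rules() []string
}
type AdditionalRulesFn func(iptablesProvider Provider)
// recordingProvider is a constructed test double: it records rules instead of running iptables and rejects a second ApplyRules (the duplicate application the docs warn about).
type recordingProvider struct {
	rules   []string
	applied bool
}
func (p *recordingProvider) AddRule(name string, args ...string) { p.rules = append(p.rules, name+" "+strings.Join(args, " ")) }
func (p *recordingProvider) ApplyRules() error {
	if p.applied {
		return errors.New("ApplyRules called twice on the same provider")
	}
	p.applied = true
	return nil
}
func (p *recordingProvider) Rules() []string { return append([]string(nil), p.rules...) }

// excludeUID is a hypothetical AdditionalRulesFn (not from the SDK): it exempts one more UID from outbound redirection using only AddRule and Rules, and skips an exemption that is already present.
func excludeUID(uid string) AdditionalRulesFn {
	return func(p Provider) {
		for _, r := range p.Rules() {
			if strings.Contains(r, "--uid-owner "+uid+" ") {
				return
			}
		}
		p.AddRule("iptables", "-t", "nat", "-A", "CONSUL_PROXY_OUTPUT", "-m", "owner", "--uid-owner", uid, "-j", "RETURN")
	}
}
// setup follows the documented order (first-class rules, then the callback, then ApplyRules); its two base rules are a constructed subset, not the SDK's.
func setup(p Provider, proxyUID string, fn AdditionalRulesFn) ([]string, error) {
	p.AddRule("iptables", "-t", "nat", "-N", "CONSUL_PROXY_OUTPUT")
	p.AddRule("iptables", "-t", "nat", "-A", "CONSUL_PROXY_OUTPUT", "-m", "owner", "--uid-owner", proxyUID, "-j", "RETURN")
	fn(p)
	if err := p.ApplyRules(); err != nil {
		return nil, err
	}
	return p.Rules(), nil
}
```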