Constants ¶
const (
	// Names of the base chains in the filter table (named after the
	// input/output/forward hooks; the hook binding itself is not visible here).
	FilterInput   = "filter-input"
	FilterOutput  = "filter-output"
	FilterForward = "filter-forward"

	// Names of the proxy-owned chains in the filter table.
	K8sFilterFirewall = "k8s-filter-firewall"
	K8sFilterServices = "k8s-filter-services"
	K8sFilterForward  = "k8s-filter-forward"
	K8sFilterDoReject = "k8s-filter-do-reject"

	// Names of the base chains in the nat table.
	NatPrerouting  = "nat-prerouting"
	NatOutput      = "nat-output"
	NatPostrouting = "nat-postrouting"

	// Names of the proxy-owned chains in the nat table.
	K8sNATMarkDrop     = "k8s-nat-mark-drop"
	K8sNATDoMarkMasq   = "k8s-nat-do-mark-masq"
	K8sNATMarkMasq     = "k8s-nat-mark-masq"
	K8sNATDoMasquerade = "k8s-nat-do-masquerade"
	K8sNATServices     = "k8s-nat-services"
	K8sNATNodeports    = "k8s-nat-nodeports"
	K8sNATPostrouting  = "k8s-nat-postrouting"

	// Names of the sets that service addresses/ports are added to
	// (see AddToSet, AddToNodeportSet and their Remove counterparts).
	K8sNoEndpointsSet    = "no-endpoints"
	K8sNodeportSet       = "nodeports"
	K8sMarkMasqSet       = "do-mark-masq"
	K8sClusterIPSet      = "cluster-ip"
	K8sExternalIPSet     = "external-ip"
	K8sLoadbalancerIPSet = "loadbalancer-ip"

	// Prefixes for the per-service chains; the service's unique ID is appended
	// to form the chain name (see SVCChain and AddServiceChains).
	// NOTE(review): nftables enforces a maximum object-name length, so the
	// svcID appended here must be length-bounded by the caller — confirm.
	K8sSvcPrefix = "k8s-nfproxy-svc-"
	K8sFwPrefix  = "k8s-nfproxy-fw-"
	K8sXlbPrefix = "k8s-nfproxy-xlb-"

	// Prefix for the per-service affinity map name (see AddServiceAffinityMap).
	K8sAffinityMap = "affinity-map-"
)
Functions ¶
func AddEndpointRules ¶
func AddEndpointRules(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, ipaddr string, proto v1.Protocol, port int32, serviceID string) ([]uint64, error)
AddEndpointRules creates a new nftables chain and rule for the endpoint (ipaddr/proto/port) and, on success, returns the IDs of the rules it programmed.
func AddEndpointUpdateRule ¶
func AddEndpointUpdateRule(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, index int, svcID string, timeout int) ([]uint64, error)
AddEndpointUpdateRule creates an endpoint chain and programs the Update rule; this rule updates (refreshes) the endpoint's entry in the Service Affinity map so that it does not age out while traffic is flowing. index is the endpoint's position (see EPRule.EpIndex) and timeout is the entry's age-out time in seconds.
func AddServiceAffinityMap ¶
func AddServiceAffinityMap(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string, timeout int) error
AddServiceAffinityMap creates the map used for the service's Session Affinity implementation, with entries aging out after timeout seconds. When service affinity is enabled, each available endpoint has an Update rule that refreshes its entry in this map to keep it from aging out. Because the map is keyed by packet source (see AddServiceMatchActRule), its size grows with the number of distinct clients; confirm whether the map is created with a size limit, since an unbounded map can be grown by a large number of sources.
func AddServiceChains ¶
func AddServiceChains(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string) error
AddServiceChains adds the chains specific to a service port: k8s-nfproxy-svc-{svcID}, k8s-nfproxy-fw-{svcID} and k8s-nfproxy-xlb-{svcID}.
func AddServiceMatchActRule ¶
func AddServiceMatchActRule(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string, epchains []*EPRule, ruleID uint64) ([]uint64, error)
AddServiceMatchActRule programs the Service Port's MatchAct rule. This rule is inserted as the second rule (after the counter rule) so that packets are processed based on the contents of the Service Port's Affinity map: if the map has an entry for a specific source, traffic is sent to the same endpoint chain instead of being round-robin load balanced across the available endpoints.
func AddToNodeportSet ¶
func AddToNodeportSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, port uint16, chain string) error
AddToNodeportSet adds service's port to the nodeport set
func AddToSet ¶
func AddToSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, addr string, port uint16, set string, chain string) error
AddToSet adds service's proto.ip.port to a set specified by set parameter
func DeleteChain ¶
func DeleteChain(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string) error
DeleteChain deletes chain associated with a service or an endpoint
func DeleteEndpointRules ¶
func DeleteEndpointRules(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, ruleID []uint64) error
DeleteEndpointRules deletes the nftables rules (identified by ruleID) associated with an endpoint and then deletes the endpoint's chain.
func DeleteEndpointUpdateRule ¶
func DeleteEndpointUpdateRule(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, updateRuleID int) error
DeleteEndpointUpdateRule removes the Update rule when the Service Port's Session Affinity configuration is removed. Note that updateRuleID is an int here, whereas the other rule-ID parameters in this package are uint64 or []uint64.
func DeleteServiceAffinityMap ¶
func DeleteServiceAffinityMap(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string) error
DeleteServiceAffinityMap removes service's affinity map
func DeleteServiceChains ¶
func DeleteServiceChains(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string) error
DeleteServiceChains removes the chains specific to a service port: k8s-nfproxy-svc-{svcID}, k8s-nfproxy-fw-{svcID} and k8s-nfproxy-xlb-{svcID}.
func DeleteServiceRules ¶
func DeleteServiceRules(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, ruleID []uint64) error
DeleteServiceRules deletes nftables rules associated with a service
func GetSvcChain ¶
func GetSvcChain(tableFamily nftables.TableFamily, svcID string) map[nftables.TableFamily]SVCChain
GetSvcChain builds a chain map used by a specific service
func ProgramServiceEndpoints ¶
func ProgramServiceEndpoints(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string, epchains []*EPRule, ruleID []uint64, withAffinity bool, svcPortName string) ([]uint64, error)
ProgramServiceEndpoints programs the endpoints (epchains) into the service chain; if multiple endpoints exist, the endpoint rules are programmed for load balancing. When withAffinity is set, the rules are programmed for Session Affinity as well.
func RemoveFromNodeportSet ¶
func RemoveFromNodeportSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, port uint16, chain string) error
RemoveFromNodeportSet removes the service's proto/port from the nodeport set; it is the counterpart of AddToNodeportSet (there is no addr or set parameter here).
func RemoveFromSet ¶
func RemoveFromSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, addr string, port uint16, set string, chain string) error
RemoveFromSet removes the service's proto/addr/port from the set named by the set parameter.
Types ¶
type EPRule ¶
type EPRule struct {
	// Rule carries the fields common to all rules (chain name, rule, RuleID).
	Rule

	// EpIndex defines an endpoint index for a specific service port. If the service port
	// has multiple endpoints, each endpoint has a unique index. It is used for Service Affinity
	// implementation as endpoint's "update" rule must update only its own index.
	EpIndex int
	// WithAffinity is set when the owning service port has Session Affinity enabled.
	WithAffinity bool
	// MaxAgeSeconds is presumably the affinity-entry timeout passed to the
	// Update rule / affinity map (see AddEndpointUpdateRule) — confirm.
	MaxAgeSeconds int
	// ServiceID is the unique ID of the service port this endpoint belongs to.
	ServiceID string
}
EPRule defines Endpoint specific nftables rule, it carries endpoint specific variables in addition to common ones found in Rule struct
type EPnft ¶
type EPnft struct {
	// Interface gives access to the ipv4/ipv6 chains and sets the endpoint's
	// rules are programmed into.
	Interface *NFTInterface
	// Rule holds the endpoint's rule for each table family (ipv4 and ipv6).
	Rule map[nftables.TableFamily]*EPRule
}
EPnft defines per endpoint nftables info. This information allows manipulating rules, sets in ipv4 and ipv6 tables and chains.
type NFTInterface ¶
type NFTInterface struct {
	// ClusterCidrIpv4 and ClusterCidrIpv6 are the cluster CIDRs given to InitNFTables.
	ClusterCidrIpv4 string
	ClusterCidrIpv6 string
	// CIv4 and CIv6 are the chains interfaces for the ipv4 and ipv6 tables.
	CIv4 nftableslib.ChainsInterface
	CIv6 nftableslib.ChainsInterface
	// SIv4 and SIv6 are the sets interfaces for the ipv4 and ipv6 tables.
	SIv4 nftableslib.SetsInterface
	SIv6 nftableslib.SetsInterface
	// NOTE(review): programming netfilter from here needs elevated privileges
	// (typically CAP_NET_ADMIN); confirm how the owning process is granted them.
	// contains filtered or unexported fields
}
NFTInterface provides interfaces to access ipv4/6 chains and ipv4/6 sets
func InitNFTables ¶
func InitNFTables(clusterCIDRIPv4, clusterCIDRIPv6 string) (*NFTInterface, error)
InitNFTables initializes connection to netfilter and instantiates nftables table interface
type Rule ¶
Rule defines nftables chain name, rule and once programmed, rule id is stored in RuleID slice.
type SVCChain ¶
SVCChain defines a map of the chains a service uses for its rules. The keys are chain names, each formed by combining a chain prefix ("k8s-nfproxy-svc-", "k8s-nfproxy-fw-"; AddServiceChains also creates a "k8s-nfproxy-xlb-" chain) with the service's unique ID.
type SVCnft ¶
type SVCnft struct {
	// Interface gives access to the ipv4/ipv6 chains and sets the service's
	// rules are programmed into.
	Interface *NFTInterface
	// Chains maps each table family to the chains (svc/fw/xlb) used by the service.
	Chains map[nftables.TableFamily]SVCChain
	// WithEndpoints presumably records whether endpoints have been programmed
	// for the service (see ProgramServiceEndpoints) — confirm.
	WithEndpoints bool
	// WithAffinity is set when the service has Session Affinity enabled.
	WithAffinity bool
	// MaxAgeSeconds is presumably the affinity-map entry timeout
	// (see AddServiceAffinityMap) — confirm.
	MaxAgeSeconds int
	// ServiceID is the service's unique ID, appended to the chain/map prefixes.
	ServiceID string
}
SVCnft defines per IP Family nftables chains used by individual service.