Documentation
Overview
Package iptables manages iptables-related configuration for Cilium.
Constants
This section is empty.
Variables
var Cell = cell.Module(
    "iptables",
    "Handle iptables-related configuration for Cilium",

    ipset.Cell,

    cell.Config(defaultConfig),
    cell.ProvidePrivate(func(
        cfg *option.DaemonConfig,
        tunnelCfg tunnel.Config,
        ipsecCfg ipsec.Config,
        wgConfig wgTypes.Config,
    ) SharedConfig {
        return SharedConfig{
            TunnelingEnabled:                cfg.TunnelingEnabled(),
            TunnelPort:                      tunnelCfg.Port(),
            NodeIpsetNeeded:                 cfg.NodeIpsetNeeded(),
            IptablesMasqueradingIPv4Enabled: cfg.IptablesMasqueradingIPv4Enabled(),
            IptablesMasqueradingIPv6Enabled: cfg.IptablesMasqueradingIPv6Enabled(),
            EnableIPv4:                      cfg.EnableIPv4,
            EnableIPv6:                      cfg.EnableIPv6,
            EnableBPFTProxy:                 cfg.EnableBPFTProxy,
            InstallNoConntrackIptRules:      cfg.InstallNoConntrackIptRules,
            EnableEndpointRoutes:            cfg.EnableEndpointRoutes,
            IPAM:                            cfg.IPAM,
            EnableIPSec:                     ipsecCfg.Enabled(),
            MasqueradeInterfaces:            cfg.MasqueradeInterfaces,
            EnableMasqueradeRouteSource:     cfg.EnableMasqueradeRouteSource,
            EnableL7Proxy:                   cfg.EnableL7Proxy,
            InstallIptRules:                 cfg.InstallIptRules,
            EnableWireguard:                 wgConfig.Enabled(),
        }
    }),
    cell.Provide(newManager),
)
Functions
This section is empty.
Types
type Config (added in v1.15.0)
type Config struct {
    // IPTablesLockTimeout defines the "-w" iptables option when the
    // iptables CLI is directly invoked from the Cilium agent.
    IPTablesLockTimeout time.Duration

    // DisableIptablesFeederRules specifies which chains will be excluded
    // when installing the feeder rules.
    DisableIptablesFeederRules []string

    // IPTablesRandomFully defines the "--random-fully" iptables option when the
    // iptables CLI is directly invoked from the Cilium agent.
    IPTablesRandomFully bool

    // PrependIptablesChains, when enabled, prepends custom iptables chains instead of appending them.
    PrependIptablesChains bool

    // EnableXTSocketFallback allows disabling the kernel's ip_early_demux
    // sysctl option if the `xt_socket` kernel module is not available.
    EnableXTSocketFallback bool
}
type Manager (added in v1.15.0)
type Manager interface {
    // InstallProxyRules creates the necessary datapath config (e.g., iptables
    // rules for redirecting host proxy traffic on a specific ProxyPort).
    InstallProxyRules(proxyPort uint16, name string)

    // SupportsOriginalSourceAddr tells whether the datapath supports the
    // use of original source addresses in proxy upstream connections.
    SupportsOriginalSourceAddr() bool

    // GetProxyPorts fetches the existing proxy ports configured in the
    // datapath. Used early in bootstrap to reopen proxy ports.
    GetProxyPorts() map[string]uint16

    // InstallNoTrackRules is explicitly called when a pod has a valid
    // "policy.cilium.io/no-track-port" annotation. When the
    // InstallNoConntrackIptRules flag is set, a superset of v4 NOTRACK
    // rules is automatically installed at agent bootstrap (via the
    // function addNoTrackPodTrafficRules) and this function is
    // skipped. When InstallNoConntrackIptRules is not set, this function
    // is executed to install NOTRACK rules. The rules installed by
    // this function are very specific; for now, the only user is
    // node-local-dns pods.
    InstallNoTrackRules(ip netip.Addr, port uint16)

    // See the comments for InstallNoTrackRules.
    RemoveNoTrackRules(ip netip.Addr, port uint16)

    // AddNoTrackHostPorts/RemoveNoTrackHostPorts are explicitly called when a pod has a valid
    // "no-track-host-ports" annotation. They cause iptables notrack rules to be added/removed
    // so that CT is skipped for pods using host networking on the requested ports.
    AddNoTrackHostPorts(namespace, name string, ports []string)
    RemoveNoTrackHostPorts(namespace, name string)
}
Manager manages iptables rules.
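To make the Config options and the InstallNoTrackRules contract above concrete, here is an added, stand-alone example (not Cilium's own code) that renders the iptables invocations such a manager would issue. The Config type, the render helper and the exact NOTRACK rule shape (raw-table CT --notrack on both PREROUTING and OUTPUT for TCP and UDP) are assumptions made for this example; the real implementation is not shown on this page.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Config stands in for this page's iptables.Config fields that shape CLI invocation (constructed, not Cilium's type).
type Config struct {
	IPTablesLockTimeout   time.Duration
	PrependIptablesChains bool
}

// render builds one invocation: "-w <seconds>" waits for the xtables lock instead of
// failing while another caller holds it; PrependIptablesChains selects -I over -A.
func render(cfg Config, bin, table, chain string, rule ...string) string {
	args := []string{bin, "-t", table}
	if cfg.IPTablesLockTimeout > 0 {
		args = append(args, "-w", fmt.Sprint(int(cfg.IPTablesLockTimeout/time.Second)))
	}
	op := "-A"
	if cfg.PrependIptablesChains {
		op = "-I"
	}
	return strings.Join(append(append(args, op, chain), rule...), " ")
}

// NoTrackRules renders the per-pod rules InstallNoTrackRules stands for (assumed
// shape: raw-table CT --notrack for TCP and UDP on the inbound and the reply
// path, so conntrack never sees the flow in either direction).
func NoTrackRules(cfg Config, ip netip.Addr, port uint16) []string {
	bin := "iptables"
	if ip.Is6() {
		bin = "ip6tables"
	}
	var rules []string
	for _, proto := range []string{"tcp", "udp"} {
		rules = append(rules,
			render(cfg, bin, "raw", "PREROUTING", "-d", ip.String(), "-p", proto, "--dport", fmt.Sprint(port), "-j", "CT", "--notrack"),
			render(cfg, bin, "raw", "OUTPUT", "-s", ip.String(), "-p", proto, "--sport", fmt.Sprint(port), "-j", "CT", "--notrack"))
	}
	return rules
}

func main() {
	// Constructed sample: a node-local-dns style pod IP listening on port 53.
	fmt.Println(strings.Join(NoTrackRules(Config{IPTablesLockTimeout: 5 * time.Second}, netip.MustParseAddr("169.254.20.10"), 53), "\n"))
}
```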
type SharedConfig (added in v1.15.0)
type SharedConfig struct {
}