proxy

package
v0.3.0

This package is not in the latest version of its module.
Published: Apr 28, 2026 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type DummyProxyProcessor

type DummyProxyProcessor struct{}

func (*DummyProxyProcessor) CleanupICMPAllow added in v0.3.0

func (d *DummyProxyProcessor) CleanupICMPAllow(keep map[string]string) error

func (*DummyProxyProcessor) CleanupPortFilters added in v0.3.0

func (d *DummyProxyProcessor) CleanupPortFilters(keep map[string]PortFilterEntry) error

func (*DummyProxyProcessor) CleanupRules

func (d *DummyProxyProcessor) CleanupRules(KeepMap map[string]string) error

func (*DummyProxyProcessor) DeleteICMPAllow added in v0.3.0

func (d *DummyProxyProcessor) DeleteICMPAllow(SvcIP, PodIP string) error

func (*DummyProxyProcessor) DeletePortFilter added in v0.3.0

func (d *DummyProxyProcessor) DeletePortFilter(SvcIP, PodIP string) error

func (*DummyProxyProcessor) DeleteRules

func (d *DummyProxyProcessor) DeleteRules(SvcIP, PodIP string) error

func (*DummyProxyProcessor) EnsureICMPAllow added in v0.3.0

func (d *DummyProxyProcessor) EnsureICMPAllow(SvcIP, PodIP string) error

func (*DummyProxyProcessor) EnsurePortFilter added in v0.3.0

func (d *DummyProxyProcessor) EnsurePortFilter(SvcIP, PodIP string, Ports []corev1.ServicePort) error

func (*DummyProxyProcessor) EnsureRules

func (d *DummyProxyProcessor) EnsureRules(SvcIP, PodIP string) error

func (*DummyProxyProcessor) InitRules

func (d *DummyProxyProcessor) InitRules() error

type NFTProxyProcessor

type NFTProxyProcessor struct {
	// contains filtered or unexported fields
}

NFTProxyProcessor implements a NATProcessor using nftables.

func (*NFTProxyProcessor) CleanupICMPAllow added in v0.3.0

func (p *NFTProxyProcessor) CleanupICMPAllow(keep map[string]string) error

CleanupICMPAllow reconciles icmp_allowed_pods with the desired snapshot. keep is keyed by svcIP (caller convenience); the value is the podIP that must remain in the set. Single-pass diff with one Flush, mirroring CleanupPortFilters.

func (*NFTProxyProcessor) CleanupPortFilters added in v0.3.0

func (p *NFTProxyProcessor) CleanupPortFilters(keep map[string]PortFilterEntry) error

CleanupPortFilters reconciles port_filter state with the desired snapshot. The keep map is keyed by svcIP (for caller convenience) but the on-disk nft set keys are pod IPs. The implementation is a single-pass diff: it fetches current state once, computes additions and removals in memory, batches SetAddElements / SetDeleteElements per set, and Flushes exactly once.

func (*NFTProxyProcessor) CleanupRules

func (p *NFTProxyProcessor) CleanupRules(keepMap map[string]string) error

CleanupRules receives a keepMap (keys: svcIP, values: podIP) representing the desired state. It recovers from an inconsistent state by:
1. Removing any mappings in the pod_svc and svc_pod maps that do not match keepMap.
2. Adding any missing mappings from keepMap into both maps.
3. Cleaning up the raw sets (pod and svc) so that only the desired IPs remain.
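The single-pass diff that CleanupRules, CleanupPortFilters and CleanupICMPAllow describe (fetch state once, compute additions and removals in memory, batch per set, Flush once) can be shown without a kernel: the example below is added here and is not the project's code; the Change and CurrentState types, the diffMap helper and the sample IPs are constructed for it, and the raw svc and pod sets are modelled as maps with empty values.

```go
package main

import "fmt"

// Change is one batched element operation (constructed type; Value is "" for raw-set elements).
type Change struct {
	Set, Key, Value string // svc_pod / pod_svc maps or svc / pod raw sets
	Delete          bool   // true -> SetDeleteElements, false -> SetAddElements
}

// CurrentState is the nft state fetched once before diffing (constructed; raw sets are maps with "" values).
type CurrentState struct {
	SvcPod, PodSvc map[string]string // svcIP -> podIP and podIP -> svcIP
	SvcSet, PodSet map[string]string // raw sets of IPs
}

// diffMap emits deletes for cur entries that disagree with want, then adds for want entries missing from cur.
func diffMap(set string, cur, want map[string]string) []Change {
	var out []Change
	for k, v := range cur {
		if w, ok := want[k]; !ok || w != v {
			out = append(out, Change{set, k, v, true})
		}
	}
	for k, v := range want {
		if c, ok := cur[k]; !ok || c != v {
			out = append(out, Change{set, k, v, false})
		}
	}
	return out
}

// PlanCleanupRules derives in memory the changes that bring cur in line with keep (svcIP -> podIP):
// stale map entries go, missing ones are added, raw sets are pruned; the caller then Flushes once.
func PlanCleanupRules(cur CurrentState, keep map[string]string) []Change {
	podSvc, svcSet, podSet := map[string]string{}, map[string]string{}, map[string]string{}
	for svc, pod := range keep {
		podSvc[pod], svcSet[svc], podSet[pod] = svc, "", ""
	}
	plan := diffMap("svc_pod", cur.SvcPod, keep)
	plan = append(plan, diffMap("pod_svc", cur.PodSvc, podSvc)...)
	plan = append(plan, diffMap("svc", cur.SvcSet, svcSet)...)
	return append(plan, diffMap("pod", cur.PodSet, podSet)...)
}

func main() { // constructed state: svc 10.0.0.1 still maps to a replaced pod 10.1.0.5
	cur := CurrentState{SvcPod: map[string]string{"10.0.0.1": "10.1.0.5"}, PodSvc: map[string]string{"10.1.0.5": "10.0.0.1"},
		SvcSet: map[string]string{"10.0.0.1": ""}, PodSet: map[string]string{"10.1.0.5": ""}}
	fmt.Println(PlanCleanupRules(cur, map[string]string{"10.0.0.1": "10.1.0.9"}))
}
```

Deletes are emitted before adds for each set, so a service whose pod changed is replaced in the same batch rather than leaving a window with two mappings.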

func (*NFTProxyProcessor) DeleteICMPAllow added in v0.3.0

func (p *NFTProxyProcessor) DeleteICMPAllow(svcIP, podIP string) error

DeleteICMPAllow removes podIP from icmp_allowed_pods. Tolerates ENOENT for clean idempotency. svcIP is used only for logging context.

func (*NFTProxyProcessor) DeletePortFilter added in v0.3.0

func (p *NFTProxyProcessor) DeletePortFilter(svcIP, podIP string) error

DeletePortFilter removes podIP from filtered_pods and clears any allowed port entries for it. svcIP is used only for logging context. Tolerates ENOENT for clean idempotency.

func (*NFTProxyProcessor) DeleteRules

func (p *NFTProxyProcessor) DeleteRules(svcIP, podIP string) error

DeleteRules removes the mapping for the given svcIP and podIP from both maps and commits the removal from NAT translation maps.

func (*NFTProxyProcessor) EnsureICMPAllow added in v0.3.0

func (p *NFTProxyProcessor) EnsureICMPAllow(svcIP, podIP string) error

EnsureICMPAllow adds podIP to the icmp_allowed_pods set so that ICMP traffic to that pod IP bypasses the port_filter drop rule. svcIP is used only for logging context. Idempotent.

func (*NFTProxyProcessor) EnsurePortFilter added in v0.3.0

func (p *NFTProxyProcessor) EnsurePortFilter(svcIP, podIP string, ports []corev1.ServicePort) error

EnsurePortFilter installs ingress port filtering rules for the given (svcIP, podIP) pair. The actual nft set keys are pod IPs, because the port_filter chain runs at priority filter (0), after ingress_dnat has rewritten daddr from svcIP to podIP. The given ports are the only ones permitted on the post-DNAT pod IP; all other traffic destined to that pod IP is dropped. Idempotent.

func (*NFTProxyProcessor) EnsureRules

func (p *NFTProxyProcessor) EnsureRules(svcIP, podIP string) error

EnsureRules ensures that a one-to-one mapping exists between svcIP and podIP. If a mapping already exists for svcIP with a different podIP, the old mapping is removed (from svc_pod, pod_svc, and from the raw pod set) before the new mapping is added.

func (*NFTProxyProcessor) InitRules

func (p *NFTProxyProcessor) InitRules() error

InitRules initializes the nftables configuration in a single table "cozy_proxy". It flushes the entire ruleset, then re-creates the table with the desired sets, maps, and chains.

type PortFilterEntry added in v0.3.0

type PortFilterEntry struct {
	PodIP string
	Ports []corev1.ServicePort
}

PortFilterEntry describes a port-filter desired state in the controller's reconciliation snapshot. Keyed by service IP in the caller map.

type ProxyProcessor

type ProxyProcessor interface {
	InitRules() error
	EnsureRules(SvcIP, PodIP string) error
	DeleteRules(SvcIP, PodIP string) error
	CleanupRules(KeepMap map[string]string) error

	// EnsurePortFilter installs (or replaces) ingress port-filtering rules
	// for the given pod IP. Only TCP/UDP traffic destined to one of the
	// listed ports (in the post-DNAT pod IP) will be accepted; any other
	// port is dropped after the ingress_dnat rewrite. Pass an empty ports
	// slice to disable filtering for the (svcIP, podIP) pair (equivalent
	// to DeletePortFilter).
	EnsurePortFilter(SvcIP, PodIP string, Ports []corev1.ServicePort) error

	// DeletePortFilter removes any port-filtering rules previously installed
	// for the (svcIP, podIP) pair. No-op if none exist.
	DeletePortFilter(SvcIP, PodIP string) error

	// CleanupPortFilters keeps only the port-filter entries listed in
	// keepFilters. Any stale entries are removed. The PortFilterEntry struct
	// carries both the pod IP (used as the actual nft key) and the ports.
	CleanupPortFilters(keepFilters map[string]PortFilterEntry) error

	// EnsureICMPAllow adds the pod IP to the ICMP allowlist consulted by the
	// port_filter chain. With this in place, ICMP traffic to a pod that is
	// otherwise port-filtered is accepted instead of dropped (preserves ping,
	// PMTU discovery, ICMP unreachable signalling). Idempotent.
	EnsureICMPAllow(SvcIP, PodIP string) error

	// DeleteICMPAllow removes the pod IP from the ICMP allowlist. No-op if
	// not present.
	DeleteICMPAllow(SvcIP, PodIP string) error

	// CleanupICMPAllow keeps only the entries listed in keepICMP (svcIP →
	// podIP) in the ICMP allowlist; everything else is removed.
	CleanupICMPAllow(keepICMP map[string]string) error
}
