Index ¶
- Constants
- Variables
- func EndpointChainName(prefix string, ifaceName string) string
- func PolicyChainName(prefix PolicyChainNamePrefix, polID *proto.PolicyID) string
- func ProfileChainName(prefix ProfileChainNamePrefix, profID *proto.ProfileID) string
- func SplitPortList(ports []*proto.PortRange) (splits [][]*proto.PortRange)
- type Config
- type DefaultRuleRenderer
- func (r *DefaultRuleRenderer) CalculateActions(match iptables.MatchCriteria, pRule *proto.Rule, ipVersion uint8) (mark uint32, actions []iptables.Action)
- func (r *DefaultRuleRenderer) CalculateRuleMatch(pRule *proto.Rule, ipVersion uint8) (iptables.MatchCriteria, error)
- func (r *DefaultRuleRenderer) DNATsToIptablesChains(dnats map[string]string) []*iptables.Chain
- func (r *DefaultRuleRenderer) HostDispatchChains(endpoints map[string]proto.HostEndpointID) []*Chain
- func (r *DefaultRuleRenderer) HostEndpointToFilterChains(ifaceName string, policyNames []string, profileIDs []string) []*Chain
- func (r *DefaultRuleRenderer) HostEndpointToRawChains(ifaceName string, untrackedPolicyNames []string) []*Chain
- func (r *DefaultRuleRenderer) NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *iptables.Chain
- func (r *DefaultRuleRenderer) PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*iptables.Chain
- func (r *DefaultRuleRenderer) ProfileToIptablesChains(profileID *proto.ProfileID, profile *proto.Profile, ipVersion uint8) []*iptables.Chain
- func (r *DefaultRuleRenderer) ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []iptables.Rule
- func (r *DefaultRuleRenderer) ProtoRulesToIptablesRules(protoRules []*proto.Rule, ipVersion uint8) []iptables.Rule
- func (r *DefaultRuleRenderer) SNATsToIptablesChains(snats map[string]string) []*iptables.Chain
- func (r *DefaultRuleRenderer) StaticFilterForwardChains() []*Chain
- func (r *DefaultRuleRenderer) StaticFilterInputChains(ipVersion uint8) []*Chain
- func (r *DefaultRuleRenderer) StaticFilterOutputChains() []*Chain
- func (r *DefaultRuleRenderer) StaticFilterTableChains(ipVersion uint8) (chains []*Chain)
- func (r *DefaultRuleRenderer) StaticNATOutputChains(ipVersion uint8) []*Chain
- func (r *DefaultRuleRenderer) StaticNATPostroutingChains(ipVersion uint8) []*Chain
- func (r *DefaultRuleRenderer) StaticNATPreroutingChains(ipVersion uint8) []*Chain
- func (r *DefaultRuleRenderer) StaticNATTableChains(ipVersion uint8) (chains []*Chain)
- func (r *DefaultRuleRenderer) StaticRawOutputChain() *Chain
- func (r *DefaultRuleRenderer) StaticRawPreroutingChain(ipVersion uint8) *Chain
- func (r *DefaultRuleRenderer) StaticRawTableChains(ipVersion uint8) []*Chain
- func (r *DefaultRuleRenderer) WorkloadDispatchChains(endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*Chain
- func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains(ifaceName string, adminUp bool, policies []string, profileIDs []string) []*Chain
- type PolicyChainNamePrefix
- type ProfileChainNamePrefix
- type RuleRenderer
Constants ¶
const (
	// ChainNamePrefix is a prefix used for all our iptables chain names. We include a '-' at
	// the end to reduce clashes with other apps. Our OpenStack DHCP agent uses prefix
	// 'calico-dhcp-', for example.
	ChainNamePrefix = "cali-"
	// IPSetNamePrefix: similarly for IP sets, we use the following prefix; the IP sets layer
	// adds its own "-" so it isn't included here.
	IPSetNamePrefix = "cali"

	// Top-level chains in the filter table. iptables chain names are scoped per table, so
	// "cali-OUTPUT" below may legitimately be reused by the raw and nat tables.
	ChainFilterInput   = ChainNamePrefix + "INPUT"
	ChainFilterForward = ChainNamePrefix + "FORWARD"
	ChainFilterOutput  = ChainNamePrefix + "OUTPUT"

	// Top-level chains in the raw table.
	ChainRawPrerouting = ChainNamePrefix + "PREROUTING"
	ChainRawOutput     = ChainNamePrefix + "OUTPUT"

	// Failsafe chains; presumably hold the always-allowed host ports from
	// Config.FailsafeInboundHostPorts / FailsafeOutboundHostPorts — confirm against the renderer.
	ChainFailsafeIn  = ChainNamePrefix + "failsafe-in"
	ChainFailsafeOut = ChainNamePrefix + "failsafe-out"

	// Top-level chains in the nat table, plus the outgoing-NAT (masquerade) chain.
	ChainNATPrerouting  = ChainNamePrefix + "PREROUTING"
	ChainNATPostrouting = ChainNamePrefix + "POSTROUTING"
	ChainNATOutput      = ChainNamePrefix + "OUTPUT"
	ChainNATOutgoing    = ChainNamePrefix + "nat-outgoing"

	// IP set IDs (not final names; the IP sets layer adds the prefix and version).
	IPSetIDNATOutgoingAllPools  = "all-ipam-pools"
	IPSetIDNATOutgoingMasqPools = "masq-ipam-pools"
	IPSetIDAllHostIPs           = "all-hosts"

	// Floating-IP DNAT/SNAT chains.
	ChainFIPDnat = ChainNamePrefix + "fip-dnat"
	ChainFIPSnat = ChainNamePrefix + "fip-snat"

	// Per-policy and per-profile chain prefixes. The distinct typedefs stop a policy prefix
	// being passed where a profile prefix is expected (and vice versa).
	PolicyInboundPfx   PolicyChainNamePrefix  = ChainNamePrefix + "pi-"
	PolicyOutboundPfx  PolicyChainNamePrefix  = ChainNamePrefix + "po-"
	ProfileInboundPfx  ProfileChainNamePrefix = ChainNamePrefix + "pri-"
	ProfileOutboundPfx ProfileChainNamePrefix = ChainNamePrefix + "pro-"

	// Dispatch chains and per-endpoint chain prefixes ("tw"/"fw" = to/from workload,
	// "th"/"fh" = to/from host endpoint).
	ChainWorkloadToHost           = ChainNamePrefix + "wl-to-host"
	ChainFromWorkloadDispatch     = ChainNamePrefix + "from-wl-dispatch"
	ChainToWorkloadDispatch       = ChainNamePrefix + "to-wl-dispatch"
	ChainDispatchToHostEndpoint   = ChainNamePrefix + "to-host-endpoint"
	ChainDispatchFromHostEndpoint = ChainNamePrefix + "from-host-endpoint"
	WorkloadToEndpointPfx         = ChainNamePrefix + "tw-"
	WorkloadFromEndpointPfx       = ChainNamePrefix + "fw-"
	HostToEndpointPfx             = ChainNamePrefix + "th-"
	HostFromEndpointPfx           = ChainNamePrefix + "fh-"

	// RuleHashPrefix is prepended to the per-rule hash comment used to recognise our own rules.
	RuleHashPrefix = "cali:"

	// HistoricInsertedNATRuleRegex is a regex pattern that matches special-case rules
	// inserted by old versions of felix. Specifically, Python felix used to insert a
	// masquerade rule directly into the POSTROUTING chain.
	//
	// Note: this regex depends on the output format of iptables-save so, where possible,
	// it's best to match only on the part of the rule that we're sure can't change (such as
	// the ipset name in the masquerade rule). The ".*" wildcards are deliberately loose;
	// anything matched here is treated as a legacy rule to be cleaned up, so keep the
	// anchoring tokens specific enough not to catch rules belonging to other tools.
	HistoricInsertedNATRuleRegex = `-A POSTROUTING .* felix-masq-ipam-pools .*|` +
		`-A POSTROUTING -o tunl0 -m addrtype ! --src-type LOCAL --limit-iface-out -m addrtype --src-type LOCAL -j MASQUERADE`
)
// IANA IP protocol numbers used when building protocol matches.
const (
	ProtoIPIP   = 4  // IP-in-IP encapsulation
	ProtoICMPv6 = 58 // ICMP for IPv6
)
Variables ¶
var (
	// AllHistoricChainNamePrefixes lists all the prefixes that we've used for chains. Keeping
	// track of the old names lets us clean them up. Any chain whose name starts with one of
	// these is considered ours, so a new prefix must be added here when it is introduced and
	// must not be so generic that it captures chains owned by other software.
	AllHistoricChainNamePrefixes = []string{
		"cali-", "califw-", "calitw-", "califh-", "calith-", "calipi-", "calipo-",
		"felix-",
	}
	// AllHistoricIPSetNamePrefixes, similarly contains all the prefixes we've ever used for IP
	// sets.
	AllHistoricIPSetNamePrefixes = []string{"felix-", "cali"}
	// LegacyV4IPSetNames contains some extra IP set names that were used in older versions of
	// Felix and don't fit our versioned pattern.
	LegacyV4IPSetNames = []string{"felix-masq-ipam-pools", "felix-all-ipam-pools"}
)
// SkipRule is a sentinel error value signalling that a rule should be skipped rather than
// rendered. Presumably returned by CalculateRuleMatch when a rule doesn't apply to the
// requested IP version — confirm against callers. Compare with errors.Is, not ==.
var SkipRule = errors.New("Rule skipped")
Functions ¶
func EndpointChainName ¶
func PolicyChainName ¶
func PolicyChainName(prefix PolicyChainNamePrefix, polID *proto.PolicyID) string
func ProfileChainName ¶
func ProfileChainName(prefix ProfileChainNamePrefix, profID *proto.ProfileID) string
func SplitPortList ¶
SplitPortList splits the input list of ports into groups containing up to 15 port numbers. It always returns at least one (possibly empty) split.
The requirement to split into groups of 15 comes from iptables' limit on the number of port "slots" in a multiport match. A single port takes up one slot; a range of ports requires two.
Types ¶
type Config ¶
// Config carries the static configuration the rule renderer needs to generate iptables
// chains. It is embedded in DefaultRuleRenderer.
type Config struct {
	// Per-IP-version IP set configuration; presumably used to derive the concrete IP set
	// names referenced from rendered rules — confirm against the renderer.
	IPSetConfigV4 *ipsets.IPVersionConfig
	IPSetConfigV6 *ipsets.IPVersionConfig

	// Interface-name prefixes that identify workload interfaces (assumption from the name —
	// TODO confirm).
	WorkloadIfacePrefixes []string

	// Packet mark bits. CalculateActions returns a mark value, so these are what rendered
	// rules set/test. NOTE(review): they should be distinct, non-overlapping bits that do not
	// collide with marks used by other components on the host — verify where Config is built.
	IptablesMarkAccept       uint32
	IptablesMarkPass         uint32
	IptablesMarkFromWorkload uint32

	// OpenStack metadata-service special cases (only relevant when
	// OpenStackSpecialCasesEnabled is set — presumably; confirm).
	OpenStackMetadataIP          net.IP
	OpenStackMetadataPort        uint16
	OpenStackSpecialCasesEnabled bool

	// IP-in-IP tunnel settings (see ProtoIPIP).
	IPIPEnabled       bool
	IPIPTunnelAddress net.IP

	// Prefix for iptables LOG rules. This string ends up in rendered rule text, so it is
	// expected to be a short, already-validated value — confirm where it is parsed.
	IptablesLogPrefix string

	// Action applied to traffic from workloads to the host (see ChainWorkloadToHost).
	// Presumably one of a fixed set of iptables actions; validated upstream — confirm.
	EndpointToHostAction string

	// Host ports that bypass policy via the failsafe chains (ChainFailsafeIn/Out). Because
	// these are allowed regardless of policy, the lists should be kept as small as possible.
	FailsafeInboundHostPorts  []config.ProtoPort
	FailsafeOutboundHostPorts []config.ProtoPort

	// When set, presumably suppresses the rule that drops packets in conntrack state INVALID
	// — confirm; leaving that rule in place is the safer default.
	DisableConntrackInvalid bool
}
type DefaultRuleRenderer ¶
// DefaultRuleRenderer is the standard RuleRenderer implementation. It embeds Config so the
// renderer's methods can read the configuration fields directly.
type DefaultRuleRenderer struct {
	Config
	// contains filtered or unexported fields (elided by the documentation renderer)
}
func (*DefaultRuleRenderer) CalculateActions ¶
func (r *DefaultRuleRenderer) CalculateActions(match iptables.MatchCriteria, pRule *proto.Rule, ipVersion uint8) (mark uint32, actions []iptables.Action)
func (*DefaultRuleRenderer) CalculateRuleMatch ¶
func (r *DefaultRuleRenderer) CalculateRuleMatch(pRule *proto.Rule, ipVersion uint8) (iptables.MatchCriteria, error)
func (*DefaultRuleRenderer) DNATsToIptablesChains ¶
func (r *DefaultRuleRenderer) DNATsToIptablesChains(dnats map[string]string) []*iptables.Chain
func (*DefaultRuleRenderer) HostDispatchChains ¶
func (r *DefaultRuleRenderer) HostDispatchChains( endpoints map[string]proto.HostEndpointID, ) []*Chain
func (*DefaultRuleRenderer) HostEndpointToFilterChains ¶
func (r *DefaultRuleRenderer) HostEndpointToFilterChains( ifaceName string, policyNames []string, profileIDs []string, ) []*Chain
func (*DefaultRuleRenderer) HostEndpointToRawChains ¶
func (r *DefaultRuleRenderer) HostEndpointToRawChains( ifaceName string, untrackedPolicyNames []string, ) []*Chain
func (*DefaultRuleRenderer) NATOutgoingChain ¶
func (r *DefaultRuleRenderer) NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *iptables.Chain
func (*DefaultRuleRenderer) PolicyToIptablesChains ¶
func (*DefaultRuleRenderer) ProfileToIptablesChains ¶
func (*DefaultRuleRenderer) ProtoRuleToIptablesRules ¶
func (*DefaultRuleRenderer) ProtoRulesToIptablesRules ¶
func (*DefaultRuleRenderer) SNATsToIptablesChains ¶
func (r *DefaultRuleRenderer) SNATsToIptablesChains(snats map[string]string) []*iptables.Chain
func (*DefaultRuleRenderer) StaticFilterForwardChains ¶
func (r *DefaultRuleRenderer) StaticFilterForwardChains() []*Chain
func (*DefaultRuleRenderer) StaticFilterInputChains ¶
func (r *DefaultRuleRenderer) StaticFilterInputChains(ipVersion uint8) []*Chain
func (*DefaultRuleRenderer) StaticFilterOutputChains ¶
func (r *DefaultRuleRenderer) StaticFilterOutputChains() []*Chain
func (*DefaultRuleRenderer) StaticFilterTableChains ¶
func (r *DefaultRuleRenderer) StaticFilterTableChains(ipVersion uint8) (chains []*Chain)
func (*DefaultRuleRenderer) StaticNATOutputChains ¶
func (r *DefaultRuleRenderer) StaticNATOutputChains(ipVersion uint8) []*Chain
func (*DefaultRuleRenderer) StaticNATPostroutingChains ¶
func (r *DefaultRuleRenderer) StaticNATPostroutingChains(ipVersion uint8) []*Chain
func (*DefaultRuleRenderer) StaticNATPreroutingChains ¶
func (r *DefaultRuleRenderer) StaticNATPreroutingChains(ipVersion uint8) []*Chain
func (*DefaultRuleRenderer) StaticNATTableChains ¶
func (r *DefaultRuleRenderer) StaticNATTableChains(ipVersion uint8) (chains []*Chain)
func (*DefaultRuleRenderer) StaticRawOutputChain ¶
func (r *DefaultRuleRenderer) StaticRawOutputChain() *Chain
func (*DefaultRuleRenderer) StaticRawPreroutingChain ¶
func (r *DefaultRuleRenderer) StaticRawPreroutingChain(ipVersion uint8) *Chain
func (*DefaultRuleRenderer) StaticRawTableChains ¶
func (r *DefaultRuleRenderer) StaticRawTableChains(ipVersion uint8) []*Chain
func (*DefaultRuleRenderer) WorkloadDispatchChains ¶
func (r *DefaultRuleRenderer) WorkloadDispatchChains( endpoints map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint, ) []*Chain
func (*DefaultRuleRenderer) WorkloadEndpointToIptablesChains ¶
func (r *DefaultRuleRenderer) WorkloadEndpointToIptablesChains( ifaceName string, adminUp bool, policies []string, profileIDs []string, ) []*Chain
type PolicyChainNamePrefix ¶
// PolicyChainNamePrefix is a distinct string type for policy chain prefixes so that a
// profile prefix cannot accidentally be passed to PolicyChainName().
type PolicyChainNamePrefix string
Typedefs that prevent accidentally passing the wrong prefix to PolicyChainName()/ProfileChainName().
type ProfileChainNamePrefix ¶
// ProfileChainNamePrefix is a distinct string type for profile chain prefixes so that a
// policy prefix cannot accidentally be passed to ProfileChainName().
type ProfileChainNamePrefix string
type RuleRenderer ¶
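// RuleRenderer converts the datamodel (policies, profiles, endpoints, NAT mappings) into
// iptables chains. DefaultRuleRenderer is the implementation; see NewRenderer.
//
// Parameter names here are documentation only (Go ignores them in interface method sets);
// they are kept in step with DefaultRuleRenderer's method signatures.
type RuleRenderer interface {
	// Static chains for the filter/nat/raw tables; these do not depend on endpoints or policy.
	StaticFilterTableChains(ipVersion uint8) []*iptables.Chain
	StaticNATTableChains(ipVersion uint8) []*iptables.Chain
	StaticRawTableChains(ipVersion uint8) []*iptables.Chain

	// Workload endpoint dispatch and per-endpoint chains.
	WorkloadDispatchChains(map[proto.WorkloadEndpointID]*proto.WorkloadEndpoint) []*iptables.Chain
	WorkloadEndpointToIptablesChains(
		ifaceName string,
		adminUp bool,
		policies []string,
		profileIDs []string,
	) []*iptables.Chain

	// Host endpoint dispatch and per-endpoint chains (filter table, and raw table for
	// untracked policy).
	HostDispatchChains(map[string]proto.HostEndpointID) []*iptables.Chain
	HostEndpointToFilterChains(
		ifaceName string,
		policyNames []string,
		profileIDs []string,
	) []*iptables.Chain
	HostEndpointToRawChains(
		ifaceName string,
		untrackedPolicyNames []string,
	) []*iptables.Chain

	// Policy, profile and rule rendering for the given IP version.
	PolicyToIptablesChains(policyID *proto.PolicyID, policy *proto.Policy, ipVersion uint8) []*iptables.Chain
	// Parameter renamed from "policy" to "profile" to match the argument type and the
	// DefaultRuleRenderer method.
	ProfileToIptablesChains(profileID *proto.ProfileID, profile *proto.Profile, ipVersion uint8) []*iptables.Chain
	ProtoRuleToIptablesRules(pRule *proto.Rule, ipVersion uint8) []iptables.Rule

	// NAT: outgoing masquerade chain and floating-IP DNAT/SNAT chains.
	NATOutgoingChain(natOutgoingActive bool, ipVersion uint8) *iptables.Chain
	DNATsToIptablesChains(dnats map[string]string) []*iptables.Chain
	SNATsToIptablesChains(snats map[string]string) []*iptables.Chain
}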
func NewRenderer ¶
func NewRenderer(config Config) RuleRenderer