firewall

package
v2.0.2+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 7, 2018 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	InputChainIndex      = 0
	OutputChainIndex     = 1
	ForwardInChainIndex  = 2
	ForwardOutChainIndex = 3

	ChainNameEndpointToHost  = "ROMANA-INPUT"
	ChainNameHostToEndpoint  = "ROMANA-FORWARD-IN"
	ChainNameEndpointEgress  = "ROMANA-FORWARD-OUT"
	ChainNameEndpointIngress = "ROMANA-FORWARD-IN"
)

Variables

This section is empty.

Functions

func MaskToInt 

func MaskToInt(mask net.IPMask) (uint64, error)

MaskToInt converts net.IPMask to integer. TODO Not strictly firewall method, maybe put in different place.

func RomanaNetNetmaskInt 

func RomanaNetNetmaskInt(nc NetConfig) (uint64, error)

RomanaNetNetmaskInt returns integer representation of pseudo net netmask.

Types

type Firewall 

type Firewall interface {
	// Init initializes firewall.
	Init(utilexec.Executable, FirewallStore, NetConfig) error

	// SetEndpoint prepares firewall instance for using ProvisionEndpoint method.
	SetEndpoint(FirewallEndpoint) error

	// SetDefaultRules allows to inject a set of rules to be installed during
	// ProvisionEndpoint run.
	SetDefaultRules([]FirewallRule) error

	// ProvisionEndpoint generates and applies rules for given endpoint.
	// Make sure to run SetEndpoint first.
	ProvisionEndpoint() error

	// EnsureRule checks if specified rule in desired state.
	EnsureRule(FirewallRule, RuleState) error

	// Metadata provides access to the metadata associated with current instance of firewall.
	// Access method, does not require Init.
	Metadata() map[string]interface{}

	// Provider is a name of current firewall implementation.
	// Allows package users to implement behaviour specific
	// for firewall type e.g. special rules format for iptables.
	// Access method, does not require Init.
	Provider() string

	// ListRules returns a list of firewall rules.
	// Access method, does not require Init.
	ListRules() ([]IPtablesRule, error)

	// Cleanup deletes DB records and uninstall rules associated with given endpoint.
	// Does not require Init.
	Cleanup(netif FirewallEndpoint) error
}

Firewall interface allows different implementations to be used with romana agent.

func NewFirewall 

func NewFirewall(provider Provider) (Firewall, error)

NewFirewall returns instance of Firewall backed by requested provider

type FirewallEndpoint 

type FirewallEndpoint interface {
	GetMac() string
	GetIP() net.IP
	GetName() string
}

FirewallEndpoint is an interface for agent to pass endpoint definition.

type FirewallRule 

type FirewallRule interface {
	GetBody() string
	SetBody(string)
	GetType() string
}

FirewallRule is an interface that represents abstract firewall rule. Firewall users should use it to inject rules into the firewall.

func NewFirewallRule 

func NewFirewallRule() FirewallRule

NewFirewallrule returns firewall rule of appropriate type.

type FirewallStore 

type FirewallStore interface {
	// GetDb Returns fully initialized DbStore object
	GetDb() *sql.DB

	// GetMutex return instance of mutex used guard firewall database.
	GetMutex() *sync.RWMutex
}

FirewallStore defines how database should be passed into firewall instance.

type IPTsaveFirewall 

type IPTsaveFirewall struct {
	CurrentState *iptsave.IPtables
	DesiredState *iptsave.IPtables
	Store        firewallStore
	// contains filtered or unexported fields
}

IPTsaveFirewall implements romana Firewall using iptables-save|iptables-restore.

func (*IPTsaveFirewall) Cleanup 

func (i *IPTsaveFirewall) Cleanup(netif FirewallEndpoint) error

Cleanup implements Firewall interface.

func (*IPTsaveFirewall) EnsureRule 

func (i *IPTsaveFirewall) EnsureRule(rule FirewallRule, opType RuleState) error

EnsureRule implements Firewall interface. It schedules given rule for transition in given state and stores it in firewall store.

func (*IPTsaveFirewall) Init 

func (i *IPTsaveFirewall) Init(utilexec utilexec.Executable, store FirewallStore, nc NetConfig) error

Init implements Firewall interface

func (*IPTsaveFirewall) ListRules 

func (i *IPTsaveFirewall) ListRules() ([]IPtablesRule, error)

ListRules implements Firewall interface.

func (*IPTsaveFirewall) Metadata 

func (i *IPTsaveFirewall) Metadata() map[string]interface{}

Metadata implements Firewall interface.

func (*IPTsaveFirewall) Provider 

func (i *IPTsaveFirewall) Provider() string

Provider implements Firewall interface.

func (*IPTsaveFirewall) ProvisionEndpoint 

func (i *IPTsaveFirewall) ProvisionEndpoint() error

ProvisionEndpoint implements Firewall interface.

func (*IPTsaveFirewall) SetDefaultRules 

func (i *IPTsaveFirewall) SetDefaultRules(rules []FirewallRule) error

SetDefaultRules implements Firewall interface. The implementation iterates over the provided rules and ensures that each of them is present.

func (*IPTsaveFirewall) SetEndpoint 

func (i *IPTsaveFirewall) SetEndpoint(netif FirewallEndpoint) error

SetEndpoint implements Firewall interface. It initializes endpoint dependend values of firewall.

type IPtables 

type IPtables struct {
	Store firewallStore
	// contains filtered or unexported fields
}

IPtables implements romana Firewall using iptables.

func (IPtables) Cleanup 

func (fw IPtables) Cleanup(netif FirewallEndpoint) error

Cleanup implements Firewall interface.

func (*IPtables) CreateChains 

func (fw *IPtables) CreateChains(chains []IPtablesChain) error

CreateChains creates IPtables chains such as ROMANA-T0S0-OUTPUT, ROMANA-T0S0-FORWARD, ROMANA-T0S0-INPUT.

func (*IPtables) CreateDefaultDropRule 

func (fw *IPtables) CreateDefaultDropRule(chain int) error

CreateDefaultDropRule creates iptables Rules to drop all unidentified traffic in the given chain

func (*IPtables) CreateDefaultRule 

func (fw *IPtables) CreateDefaultRule(chain int, target string) error

CreateDefaultRule creates iptables rule for a chain with the specified target

func (*IPtables) CreateRules 

func (fw *IPtables) CreateRules(chain int) error

CreateRules creates iptables Rules for the given Romana chain to allow a traffic to flow between the Host and Endpoint.

func (*IPtables) CreateU32Rules 

func (fw *IPtables) CreateU32Rules(chain int) error

CreateU32Rules creates wildcard iptables Rules for the given Romana chain. These Rules serve to restrict traffic between segments and tenants. * Deprecated, outdated *

func (*IPtables) DivertTrafficToRomanaIPtablesChain 

func (fw *IPtables) DivertTrafficToRomanaIPtablesChain(chain IPtablesChain, opType opDivertTrafficAction) error

DivertTrafficToRomanaIPtablesChain injects iptables Rules to send traffic into the ROMANA chain. We need to do this for each tenant/segment pair as each pair will have different chain name.

func (IPtables) EnsureRule 

func (fw IPtables) EnsureRule(rule FirewallRule, opType RuleState) error

EnsureRule verifies if given iptables rule exists and creates if it's not.

func (*IPtables) Init 

func (fw *IPtables) Init(utilexec utilexec.Executable, store FirewallStore, nc NetConfig) error

Init implements Firewall interface.

func (IPtables) ListRules 

func (fw IPtables) ListRules() ([]IPtablesRule, error)

ListRules implements Firewall interface

func (IPtables) Metadata 

func (fw IPtables) Metadata() map[string]interface{}

Metadata implements Firewall interface.

func (IPtables) Provider 

func (fw IPtables) Provider() string

Provider implements Firewall interface.

func (IPtables) ProvisionEndpoint 

func (fw IPtables) ProvisionEndpoint() error

ProvisionEndpoint creates iptables Rules for given endpoint in given environment

func (*IPtables) RomanaNetNetmaskInt 

func (fw *IPtables) RomanaNetNetmaskInt() (uint64, error)

RomanaNetNetmaskInt returns integer representation of pseudo net netmask.

func (*IPtables) SetDefaultRules 

func (fw *IPtables) SetDefaultRules(rules []FirewallRule) error

SetDefaultRules implements Firewall interface.

func (*IPtables) SetEndpoint 

func (fw *IPtables) SetEndpoint(netif FirewallEndpoint) error

SetEndpoint implements Firewall interface.

type IPtablesChain 

type IPtablesChain struct {
	BaseChain  string
	Directions []string
	Rules      []*IPtablesRule
	ChainName  string
}

IPtablesChain describes state of the particular firewall chain.

func NewIPtablesChain 

func NewIPtablesChain(baseChain string, direction []string, rules []*IPtablesRule, chainName string) *IPtablesChain

NewIPtablesChain initializes a new firewall chain.

type IPtablesRule 

type IPtablesRule struct {
	//	ID    uint64 `sql:"AUTO_INCREMENT"`
	Body  string
	State string
}

IPtablesRule represents a single iptables rule managed by the agent.

func (*IPtablesRule) GetBody 

func (r *IPtablesRule) GetBody() string

GetBody implements FirewallRule interface.

func (*IPtablesRule) GetType 

func (r *IPtablesRule) GetType() string

GetType implements FirewallRule interface.

func (*IPtablesRule) SetBody 

func (r *IPtablesRule) SetBody(body string)

SetBody implements FirewallRule interface

type NetConfig 

type NetConfig interface {

	// Returns romana network cidr.
	PNetCIDR() (cidr *net.IPNet, err error)

	// Returns prefix bits from romana network config.
	PrefixBits() uint

	// Returns port bits from romana network config.
	PortBits() uint

	// Returns tenant bits from romana network config.
	TenantBits() uint

	// Returns segment bits from romana network config.
	SegmentBits() uint

	// Returns endpoint bits from romana network config.
	EndpointBits() uint

	// Returns EndpointNetmaskSize bits from romana network config.
	EndpointNetmaskSize() uint64

	// Returns IP address of romana-gw interface on the host
	// where agent is running.
	RomanaGW() net.IP
}

NetConfig exposes agent runtime configuration to the consumers outside of the agent who can't have a dependency on the agent (e.g. pkg/utils/firewall).

type Provider 

type Provider int

Provider represents a type of firewall implementation. 

const (
	// shellex is a default firewall implementation
	// based on line-by-line firewall provisioning
	ShellexProvider Provider = iota

	// iptsave is an implementation of firewall
	// based on iptables-save/iptabels-restore
	IPTsaveProvider
)

type RuleState 

type RuleState int

RuleState is a parameter for ensureIPtablesRule function which describes desired state of firewall rule. 

const (
	// Indicates that rule should be placed at the
	// bottom of the chain/list.
	EnsureLast RuleState = iota

	// Indicates that rule should be placed at the
	// top of the chain/list.
	EnsureFirst

	// Indicates that rule must be removed.
	EnsureAbsent
)

func (RuleState) String 

func (i RuleState) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.