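// +build !windows

package iptablesctrl

import (
	"fmt"
	"strconv"

	"go.aporeto.io/enforcerd/trireme-lib/controller/pkg/packet"
	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
	"go.uber.org/zap"
)

// discoverCnsAgentBootPID is only consulted by the Windows rule set. The
// non-Windows build has no agent boot PID to discover and always reports -1.
var discoverCnsAgentBootPID = func() int {
	return -1
}

// addContainerChain creates the two per-PU chains named in cfg: cfg.AppChain
// in the application-side table (appPacketIPTableContext) and cfg.NetChain in
// the network-side table (netPacketIPTableContext). Keeping every rule that
// belongs to one PU inside its own pair of chains keeps the rule set readable
// and lets deletePUChains tear the whole PU down as a unit.
//
// Creation is not atomic across the two tables. If the net chain cannot be
// created after the app chain already was, the app chain is removed again on a
// best-effort basis so a failed call does not leave an orphaned, unreferenced
// chain behind. A rollback failure is only logged: the net-chain error is the
// one the caller needs to see.
//
// NOTE(review): the rollback assumes the provider's NewChain only reports
// success for a chain it created (so the rollback never removes a pre-existing
// chain that may hold rules) — confirm against the provider implementation.
//
// Returns a non-nil error, wrapping the provider's error, if either chain
// cannot be created.
func (i *iptables) addContainerChain(cfg *ACLInfo) error {

	appChain := cfg.AppChain
	netChain := cfg.NetChain

	if err := i.impl.NewChain(appPacketIPTableContext, appChain); err != nil {
		return fmt.Errorf("unable to add chain %s of context %s: %s", appChain, appPacketIPTableContext, err)
	}

	if err := i.impl.NewChain(netPacketIPTableContext, netChain); err != nil {
		// Best-effort rollback of the chain created above; the caller gets
		// the net-chain error, so a rollback failure only surfaces in the log.
		if rbErr := i.impl.DeleteChain(appPacketIPTableContext, appChain); rbErr != nil {
			zap.L().Warn("Failed to roll back app chain after net chain creation failed",
				zap.String("appChain", appChain),
				zap.String("context", appPacketIPTableContext),
				zap.Error(rbErr),
			)
		}
		return fmt.Errorf("unable to add netchain %s of context %s: %s", netChain, netPacketIPTableContext, err)
	}

	return nil
}

// deletePUChains removes the per-PU chains created by addContainerChain. Each
// chain is flushed (ClearChain) before it is deleted (DeleteChain), since a
// non-empty chain cannot be removed.
//
// Teardown is best-effort: every failure is logged at Warn level and the
// remaining steps still run, so one stuck chain does not prevent the others
// from being cleaned up. The function therefore always returns nil; the error
// return exists only to satisfy the caller's interface. Callers that need to
// know whether stale chains remain must rely on the logs.
func (i *iptables) deletePUChains(cfg *ACLInfo) error {

	if err := i.impl.ClearChain(appPacketIPTableContext, cfg.AppChain); err != nil {
		zap.L().Warn("Failed to clear the container ack packets chain",
			zap.String("appChain", cfg.AppChain),
			zap.String("context", appPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.DeleteChain(appPacketIPTableContext, cfg.AppChain); err != nil {
		zap.L().Warn("Failed to delete the container ack packets chain",
			zap.String("appChain", cfg.AppChain),
			zap.String("context", appPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.ClearChain(netPacketIPTableContext, cfg.NetChain); err != nil {
		zap.L().Warn("Failed to clear the container net packets chain",
			zap.String("netChain", cfg.NetChain),
			zap.String("context", netPacketIPTableContext),
			zap.Error(err),
		)
	}

	if err := i.impl.DeleteChain(netPacketIPTableContext, cfg.NetChain); err != nil {
		zap.L().Warn("Failed to delete the container net packets chain",
			zap.String("netChain", cfg.NetChain),
			zap.String("context", netPacketIPTableContext),
			zap.Error(err),
		)
	}

	return nil
}

// transformACLRules is the platform hook that lets a build rewrite generated
// ACL rules before they are installed. On Linux no rewriting is needed, so the
// rules are returned unchanged; cfg, rulesBucket and isAppAcls are accepted
// only to keep the signature identical to the Windows implementation.
func transformACLRules(aclRules [][]string, cfg *ACLInfo, rulesBucket *rulesInfo, isAppAcls bool) [][]string {
	// pass through on linux
	return aclRules
}

// platformInit performs platform-specific setup before any rules are
// installed. Linux needs none, so it always succeeds.
func (i *iptables) platformInit() error {
	return nil
}

// cleanACLs removes everything this controller installed: the global NAT/proxy
// hooks, then every rule and chain whose name carries the "TRI-" prefix. The
// global hooks are addressed through a zero-value ACLInfo (no PU, no mark).
//
// The cleanup is best-effort. Failures after ACLInfo construction are logged
// and nil is still returned, so a partial cleanup never blocks the shutdown or
// re-initialisation path that called it. Only a failure to build the ACLInfo
// itself is returned, because nothing can be addressed without it.
func (i *iptables) cleanACLs() error {
	cfg, err := i.newACLInfo(0, "", nil, 0)
	if err != nil {
		return err
	}

	// First clear the nat rules
	if err := i.removeGlobalHooks(cfg); err != nil {
		zap.L().Error("unable to remove nat proxy rules", zap.Error(err))
	}

	// Clean all rules with TRI- sub. A failure here means stale enforcement
	// rules may remain in the kernel; log it so an operator can see it, even
	// though the cleanup itself is not allowed to fail.
	if err := i.impl.ResetRules("TRI-"); err != nil {
		zap.L().Warn("unable to reset TRI- rules", zap.Error(err))
	}

	// Always return nil here. No reason to block anything if cleans fail.
	return nil
}

// generateUDPACLRule returns the iptables match clause selecting UDP packets
// whose payload does NOT contain packet.UDPAuthMarker. The search uses the
// Boyer-Moore algorithm ("--algo bm") and is limited to the first 128 bytes of
// the packet ("--to 128"), so a marker that sits deeper in the payload is not
// seen by this rule — presumably the marker is always placed at the front of
// the datagram; confirm against the UDP handshake code.
//
// NOTE(review): the marker is a plaintext substring, so any sender can include
// or omit it at will. This clause classifies traffic, it does not authenticate
// it; the packets it diverts must still be verified by the enforcer before
// anything is trusted.
func generateUDPACLRule() []string {
	return []string{"-m", "string", "!", "--string", packet.UDPAuthMarker, "--algo", "bm", "--to", "128"}
}

// targetUDPNetworkClause returns the ipset match clause selecting packets whose
// address in the ipMatchDirection position ("src" or "dst" in iptables terms)
// is NOT a member of the set named targetUDPName. The rule parameter is unused
// on Linux and is kept only so the signature matches the Windows build.
func targetUDPNetworkClause(rule *aclIPset, targetUDPName string, ipMatchDirection string) []string {
	return []string{"-m", "set", "!", "--match-set", targetUDPName, ipMatchDirection}
}

// connmarkUDPConnmarkClause returns the target clause that stamps the
// connection-tracking mark with markconstants.DefaultExternalConnMark, so that
// later packets of the same flow can be recognised by their connmark instead
// of being re-classified.
func connmarkUDPConnmarkClause() []string {
	return []string{"-j", "CONNMARK", "--set-mark", strconv.Itoa(int(markconstants.DefaultExternalConnMark))}
}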