github.com/aporeto-inc/trireme-lib@v10.358.0+incompatible/controller/internal/supervisor/iptablesctrl/acls_rhel6.go (about) 1 // +build rhel6 2 3 package iptablesctrl 4 5 import ( 6 "strings" 7 "text/template" 8 9 "go.aporeto.io/enforcerd/trireme-lib/common" 10 "go.aporeto.io/enforcerd/trireme-lib/controller/constants" 11 "go.aporeto.io/enforcerd/trireme-lib/policy" 12 "go.aporeto.io/gaia/protocols" 13 "go.uber.org/zap" 14 ) 15 16 const ( 17 tcpProto = "tcp" 18 icmpProto = "icmp" 19 udpProto = "udp" 20 ) 21 22 func (i *iptables) aclSkipProto(proto string) bool { 23 if splits := strings.Split(proto, "/"); strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP || strings.ToUpper(splits[0]) == protocols.L4ProtocolICMP6 { 24 return true 25 } 26 return false 27 } 28 29 // This refers to the pu chain rules for pus in older distros like RH 6.9/Ubuntu 14.04. The rules 30 // consider source ports to identify packets from the process. 31 func (i *iptables) legacyPuChainRules(cfg *ACLInfo) ([][]string, bool) { 32 if !(cfg.PUType == common.HostNetworkPU || cfg.PUType == common.HostPU) { 33 return nil, false 34 } 35 36 iptableCgroupSection := cfg.AppSection 37 iptableNetSection := cfg.NetSection 38 rules := [][]string{} 39 if cfg.TCPPorts != "0" { 40 rules = append(rules, [][]string{ 41 { 42 appPacketIPTableContext, 43 iptableCgroupSection, 44 "-p", icmpProto, 45 "-m", "comment", "--comment", "Server-specific-chain", 46 "-j", "MARK", "--set-mark", cfg.PacketMark, 47 }, 48 { 49 appPacketIPTableContext, 50 iptableCgroupSection, 51 "-p", tcpProto, 52 "-m", "multiport", 53 "--source-ports", cfg.TCPPorts, 54 "-m", "comment", "--comment", "Server-specific-chain", 55 "-j", "MARK", "--set-mark", cfg.PacketMark, 56 }, 57 { 58 appPacketIPTableContext, 59 iptableCgroupSection, 60 "-p", tcpProto, 61 "-m", "multiport", 62 "--source-ports", cfg.TCPPorts, 63 "-m", "comment", "--comment", "Server-specific-chain", 64 "-j", cfg.AppChain, 65 }, 66 { 67 netPacketIPTableContext, 68 iptableNetSection, 69 "-p", tcpProto, 70 "-m", "multiport", 71 "--destination-ports", cfg.TCPPorts, 72 "-m", "comment", "--comment", "Container-specific-chain", 73 "-j", cfg.NetChain, 74 }}...) 75 } 76 77 if cfg.UDPPorts != "0" { 78 rules = append(rules, [][]string{ 79 { 80 appPacketIPTableContext, 81 iptableCgroupSection, 82 "-p", udpProto, 83 "-m", "multiport", 84 "--source-ports", cfg.UDPPorts, 85 "-m", "comment", "--comment", "Server-specific-chain", 86 "-j", "MARK", "--set-mark", cfg.PacketMark, 87 }, 88 { 89 appPacketIPTableContext, 90 iptableCgroupSection, 91 "-p", udpProto, "-m", "mark", "--mark", cfg.PacketMark, 92 "-m", "addrtype", "--src-type", "LOCAL", 93 "-m", "addrtype", "--dst-type", "LOCAL", 94 "-m", "state", "--state", "NEW", 95 "-j", "NFLOG", "--nflog-group", "10", 96 "--nflog-prefix", policy.DefaultLogPrefix(cfg.ContextID, policy.Accept), 97 }, 98 { 99 appPacketIPTableContext, 100 iptableCgroupSection, 101 "-m", "comment", "--comment", "traffic-same-pu", 102 "-p", udpProto, "-m", "mark", "--mark", cfg.PacketMark, 103 "-m", "addrtype", "--src-type", "LOCAL", 104 "-m", "addrtype", "--dst-type", "LOCAL", 105 "-j", "ACCEPT", 106 }, 107 { 108 appPacketIPTableContext, 109 iptableCgroupSection, 110 "-p", udpProto, 111 "-m", "multiport", 112 "--source-ports", cfg.UDPPorts, 113 "-m", "comment", "--comment", "Server-specific-chain", 114 "-j", cfg.AppChain, 115 }, 116 { 117 netPacketIPTableContext, 118 iptableNetSection, 119 "-m", "comment", "--comment", "traffic-same-pu", 120 "-p", udpProto, "-m", "mark", "--mark", cfg.PacketMark, 121 "-m", "addrtype", "--src-type", "LOCAL", 122 "-m", "addrtype", "--dst-type", "LOCAL", 123 "-j", "ACCEPT", 124 }, 125 { 126 netPacketIPTableContext, 127 iptableNetSection, 128 "-p", udpProto, 129 "-m", "multiport", 130 "--destination-ports", cfg.UDPPorts, 131 "-m", "comment", "--comment", "Container-specific-chain", 132 "-j", cfg.NetChain, 133 }}...) 134 } 135 136 if cfg.PUType == common.HostPU { 137 // Add a capture all traffic rule for host pu. This traps all traffic going out 138 // of the box. 139 140 rules = append(rules, []string{ 141 appPacketIPTableContext, 142 iptableCgroupSection, 143 "-m", "comment", "--comment", "capture all outgoing traffic", 144 "-j", cfg.AppChain, 145 }) 146 rules = append(rules, []string{ 147 netPacketIPTableContext, 148 iptableNetSection, 149 "-m", "comment", "--comment", "capture all outgoing traffic", 150 "-j", cfg.NetChain, 151 }) 152 } 153 154 return append(rules, i.legacyProxyRules(cfg.TCPPorts, cfg.ProxyPort, cfg.DestIPSet, cfg.SrvIPSet, cfg.PacketMark, cfg.DNSProxyPort, cfg.DNSServerIP)...), true 155 } 156 157 func (i *iptables) legacyProxyRules(tcpPorts, proxyPort, destSetName, srvSetName, cgroupMark, dnsProxyPort, dnsServerIP string) [][]string { 158 159 aclInfo := ACLInfo{ 160 MangleTable: appPacketIPTableContext, 161 NatTable: appProxyIPTableContext, 162 MangleProxyAppChain: proxyOutputChain, 163 MangleProxyNetChain: proxyInputChain, 164 NatProxyNetChain: natProxyInputChain, 165 NatProxyAppChain: natProxyOutputChain, 166 CgroupMark: cgroupMark, 167 DestIPSet: destSetName, 168 SrvIPSet: srvSetName, 169 ProxyPort: proxyPort, 170 ProxyMark: constants.ProxyMark, 171 TCPPorts: tcpPorts, 172 DNSProxyPort: dnsProxyPort, 173 DNSServerIP: dnsServerIP, 174 } 175 176 tmpl := template.Must(template.New(legacyProxyRules).Funcs(template.FuncMap{ 177 "isCgroupSet": func() bool { 178 return cgroupMark != "" 179 }, 180 "enableDNSProxy": func() bool { 181 return dnsServerIP != "" 182 }, 183 }).Parse(legacyProxyRules)) 184 185 rules, err := extractRulesFromTemplate(tmpl, aclInfo) 186 if err != nil { 187 zap.L().Warn("unable to extract rules", zap.Error(err)) 188 } 189 return rules 190 }