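package iptablesctrl

import (
	"text/template"

	"go.aporeto.io/trireme-lib/common"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
)

// legacyPuChainRules builds the per-PU chain rules used on older distributions
// (e.g. RH 6.9 / Ubuntu 14.04) where packets cannot be attributed to a PU by
// cgroup. Application-side packets are classified by their TCP/UDP *source*
// ports and network-side packets by their *destination* ports, so every local
// socket bound to one of tcpPorts/udpPorts is treated as belonging to this PU
// (the classification is only as precise as the port lists).
//
// Parameters:
//   contextID         - PU identifier; only used to build the NFLOG prefix for
//                       accepted same-host UDP traffic.
//   appChain          - chain that application (outgoing) traffic is sent to.
//   netChain          - chain that network (incoming) traffic is sent to.
//   mark              - fwmark set on this PU's application-side packets.
//   tcpPorts, udpPorts - multiport lists; the literal "0" means "no ports" and
//                       skips the corresponding rule set entirely.
//   proxyPort, proxyPortSetName, dnsProxyPort, dnsServerIP - passed through
//                       unchanged to legacyProxyRules.
//   appSection, netSection - the chains the rules are inserted into on the
//                       application and network side respectively.
//   puType            - for common.HostPU one extra rule sends all remaining
//                       outgoing traffic to appChain.
//
// The slice is returned in installation order; the proxy rules produced by
// legacyProxyRules are always appended last. The result is never nil.
func (i *iptables) legacyPuChainRules(contextID, appChain string, netChain string, mark string, tcpPorts, udpPorts string, proxyPort string, proxyPortSetName string,
	appSection, netSection string, puType common.PUType, dnsProxyPort string, dnsServerIP string) [][]string {

	rules := [][]string{}

	if tcpPorts != "0" {
		rules = append(rules, [][]string{
			// Mark outgoing TCP packets originating from the PU's ports.
			{
				appPacketIPTableContext,
				appSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--source-ports", tcpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", mark,
			},
			// Hand the same packets to the PU's application chain.
			{
				appPacketIPTableContext,
				appSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--source-ports", tcpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", appChain,
			},
			// Incoming TCP destined to the PU's ports goes to its network chain.
			{
				netPacketIPTableContext,
				netSection,
				"-p", tcpProto,
				"-m", "multiport",
				"--destination-ports", tcpPorts,
				"-m", "comment", "--comment", "Container-specific-chain",
				"-j", netChain,
			}}...)
	}

	if udpPorts != "0" {
		rules = append(rules, [][]string{
			// Mark outgoing UDP packets originating from the PU's ports.
			{
				appPacketIPTableContext,
				appSection,
				"-p", udpProto,
				"-m", "multiport",
				"--source-ports", udpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", "MARK", "--set-mark", mark,
			},
			// Log (NFLOG group 10) the first packet of marked UDP flows whose
			// source and destination are both local, i.e. traffic that never
			// leaves the host.
			{
				appPacketIPTableContext,
				appSection,
				"-p", udpProto, "-m", "mark", "--mark", mark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-m", "state", "--state", "NEW",
				"-j", "NFLOG", "--nflog-group", "10",
				"--nflog-prefix", policy.DefaultAcceptLogPrefix(contextID),
			},
			// Accept marked local-to-local UDP on the application side without
			// further processing.
			{
				appPacketIPTableContext,
				appSection,
				"-m", "comment", "--comment", "traffic-same-pu",
				"-p", udpProto, "-m", "mark", "--mark", mark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-j", "ACCEPT",
			},
			// Remaining outgoing UDP from the PU's ports goes to its application chain.
			{
				appPacketIPTableContext,
				appSection,
				"-p", udpProto,
				"-m", "multiport",
				"--source-ports", udpPorts,
				"-m", "comment", "--comment", "Server-specific-chain",
				"-j", appChain,
			},
			// Mirror of the same-PU accept on the network side.
			{
				netPacketIPTableContext,
				netSection,
				"-m", "comment", "--comment", "traffic-same-pu",
				"-p", udpProto, "-m", "mark", "--mark", mark,
				"-m", "addrtype", "--src-type", "LOCAL",
				"-m", "addrtype", "--dst-type", "LOCAL",
				"-j", "ACCEPT",
			},
			// Incoming UDP destined to the PU's ports goes to its network chain.
			{
				netPacketIPTableContext,
				netSection,
				"-p", udpProto,
				"-m", "multiport",
				"--destination-ports", udpPorts,
				"-m", "comment", "--comment", "Container-specific-chain",
				"-j", netChain,
			}}...)
	}

	if puType == common.HostPU {
		// Host PU: this rule carries no match besides the comment, so every
		// packet reaching this point of appSection is sent to appChain. It is
		// deliberately appended after the port-specific rules above.
		rules = append(rules, []string{
			appPacketIPTableContext,
			appSection,
			"-m", "comment", "--comment", "capture all outgoing traffic",
			"-j", appChain,
		})
	}

	return append(rules, i.legacyProxyRules(tcpPorts, proxyPort, proxyPortSetName, mark, dnsProxyPort, dnsServerIP)...)
}

// legacyProxyRules creates all the proxy specific rules for a PU on a legacy
// distribution by rendering the legacyProxyRules template (declared elsewhere
// in this package) with an ACLInfo built from the arguments.
//
// Parameters:
//   tcpPorts         - the PU's TCP multiport list, exposed to the template as TCPPorts.
//   proxyPort        - port of the application proxy, exposed as ProxyPort.
//   proxyPortSetName - base name from which the destination and server ipset
//                      names are derived via getSetNames.
//   cgroupMark       - the PU's fwmark; the template function isCgroupSet
//                      reports whether it is non-empty.
//   dnsProxyPort     - port of the DNS proxy, exposed as DNSProxyPort.
//   dnsServerIP      - DNS server address; the template function enableDNSProxy
//                      reports whether it is non-empty.
//
// If the template cannot be rendered the problem is only logged and whatever
// extractRulesFromTemplate returned is passed back, so the caller receives a
// rule set that may be missing the proxy rules without any error indication.
// NOTE(review): consider whether that should be surfaced to the caller instead.
func (i *iptables) legacyProxyRules(tcpPorts string, proxyPort string, proxyPortSetName string, cgroupMark string, dnsProxyPort string, dnsServerIP string) [][]string {
	destSetName, srvSetName := i.getSetNames(proxyPortSetName)

	aclInfo := ACLInfo{
		MangleTable:         appPacketIPTableContext,
		NatTable:            appProxyIPTableContext,
		MangleProxyAppChain: proxyOutputChain,
		MangleProxyNetChain: proxyInputChain,
		NatProxyNetChain:    natProxyInputChain,
		NatProxyAppChain:    natProxyOutputChain,
		CgroupMark:          cgroupMark,
		DestIPSet:           destSetName,
		SrvIPSet:            srvSetName,
		ProxyPort:           proxyPort,
		ProxyMark:           proxyMark,
		TCPPorts:            tcpPorts,
		DNSProxyPort:        dnsProxyPort,
		DNSServerIP:         dnsServerIP,
	}

	// The template is parsed on every call because the FuncMap closures capture
	// this call's cgroupMark and dnsServerIP. template.Must is acceptable here:
	// the template text is a package-level constant, so a parse failure is a
	// programming error rather than a runtime condition.
	tmpl := template.Must(template.New(legacyProxyRules).Funcs(template.FuncMap{
		"isCgroupSet": func() bool {
			return cgroupMark != ""
		},
		"enableDNSProxy": func() bool {
			return dnsServerIP != ""
		},
	}).Parse(legacyProxyRules))

	rules, err := extractRulesFromTemplate(tmpl, aclInfo)
	if err != nil {
		// Best-effort: log and fall through with whatever was extracted.
		zap.L().Warn("unable to extract rules", zap.Error(err))
	}
	return rules
}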