
     1  // +build !windows,!rhel6
     2  
     3  package iptablesctrl
     4  
     5  import (
     6  	"strconv"
     7  
     8  	markconstants "go.aporeto.io/enforcerd/trireme-lib/utils/constants"
     9  )
    10  
// enforcerCgroupMark is the enforcer's own cgroup mark, rendered once as a
// decimal string so it can be spliced into the raw-string templates below
// as the value of "-m cgroup --cgroup".
var enforcerCgroupMark = strconv.FormatInt(int64(markconstants.EnforcerCgroupMark), 10)
    12  
// triremChains lists the chains that must be created (-N) before any of the
// rule templates in this file are applied. In the mangle table: the host,
// network-service and Trireme input/output chains (only when the
// isLocalServer template func reports true), the nfqueue input/output chains,
// the mangle proxy app/net chains and the main app/net chains; in the nat
// table: the nat proxy app/net chains; and the Istio chain only when
// isIstioEnabled reports true. Each line is one iptables argument string in
// Go template syntax; isLocalServer and isIstioEnabled are template funcs
// expected to be registered by the code that executes the template.
var triremChains = `
{{if isLocalServer}}
-t {{.MangleTable}} -N {{.HostInput}}
-t {{.MangleTable}} -N {{.HostOutput}}
-t {{.MangleTable}} -N {{.NetworkSvcInput}}
-t {{.MangleTable}} -N {{.NetworkSvcOutput}}
-t {{.MangleTable}} -N {{.TriremeInput}}
-t {{.MangleTable}} -N {{.TriremeOutput}}
{{end}}
-t {{.MangleTable}} -N {{.NfqueueOutput}}
-t {{.MangleTable}} -N {{.NfqueueInput}}
-t {{.MangleTable}} -N {{.MangleProxyAppChain}}
-t {{.MangleTable}} -N {{.MainAppChain}}
-t {{.MangleTable}} -N {{.MainNetChain}}
-t {{.MangleTable}} -N {{.MangleProxyNetChain}}
-t {{.NatTable}} -N {{.NatProxyAppChain}}
-t {{.NatTable}} -N {{.NatProxyNetChain}}
{{if isIstioEnabled}}
-t {{.MangleTable}} -N {{.IstioChain}}
{{end}}
`
    34  
// globalRules are the table-wide rules installed once into the chains created
// by triremChains. Reading the template top to bottom:
//
//   - NfqueueInput/NfqueueOutput: HMARK spreads packets over NumNFQueues
//     queues (offset DefaultInputMark inbound, 0 outbound) using the fixed
//     seed 0xdeadbeef, so the packet-to-queue mapping is deterministic; one
//     NFQUEUE rule per queue then matches the resulting mark. Every NFQUEUE
//     rule carries --queue-bypass, which makes the hook fail open: if no
//     user-space process is bound to the queue the packet is accepted instead
//     of dropped.
//   - mangle INPUT/OUTPUT jump to MainNetChain/MainAppChain for traffic not in
//     ExclusionsSet (globalHooks at the end of this file repeats these two
//     rules).
//   - TCP inbound: packets marked PacketMarkToSetConnmark get
//     DefaultExternalConnmark and are accepted; packets on connections already
//     marked DefaultExternalConnmark are accepted unless they are SYN/ACK, and
//     SYN/ACK from TargetTCPNetSet goes to NfqueueInput.
//   - UDP inbound: packets whose payload contains UDPSignature anywhere in the
//     first 65535 bytes go to NfqueueInput; DefaultDropConnmark drops,
//     DefaultConnmark accepts.
//   - Outbound (MainAppChain): the "enforcer rules" mark UDP port-53 traffic
//     carrying packet mark 0x40 (a literal here, not taken from markconstants)
//     as external. NOTE(review): the second of those two rules matches the
//     same packets as the first minus the cgroup condition, so the
//     cgroup-restricted rule appears redundant - confirm intent. After the
//     proxy chain, externally-marked connections are accepted, DefaultConnmark
//     TCP (non SYN/ACK) and UDP are accepted, RawSocketMark is accepted, and
//     any remaining SYN/ACK goes to NfqueueOutput.
//   - Proxy: ProxyMark traffic is accepted in both mangle proxy chains; in nat
//     the app chain uses RETURN rather than ACCEPT (see the inline template
//     comment) while the net chain uses ACCEPT.
//
// isLocalServer, isIstioEnabled, getInputMark, getOutputMark and
// IstioRedirPort are template funcs expected to be registered by the code
// that executes the template.
var globalRules = `

{{.MangleTable}} {{.NfqueueInput}} -j HMARK --hmark-tuple dport,sport --hmark-mod {{.NumNFQueues}} --hmark-offset {{.DefaultInputMark}} --hmark-rnd 0xdeadbeef

{{range $index,$queuenum := .NFQueues}}
{{$.MangleTable}} {{$.NfqueueInput}} -m mark --mark {{getInputMark}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}

{{.MangleTable}} {{.NfqueueOutput}} -j HMARK --hmark-tuple sport,dport --hmark-mod {{.NumNFQueues}} --hmark-offset 0 --hmark-rnd 0xdeadbeef

{{range $index,$queuenum := .NFQueues}}
{{$.MangleTable}} {{$.NfqueueOutput}} -m mark --mark {{getOutputMark}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}

{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} {{.MainNetChain}} -j {{ .MangleProxyNetChain }}

{{/* tcp rules */}}

{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainNetChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultExternalConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j ACCEPT
{{.MangleTable}} {{$.MainNetChain}} -m set --match-set {{$.TargetTCPNetSet}} src -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueInput}}

{{/* tcp rules ends */}}

{{/* udp rules */}}

{{.MangleTable}} {{$.MainNetChain}} -p udp -m string --string {{$.UDPSignature}} --algo bm --to 65535 -j {{.NfqueueInput}}
{{.MangleTable}} {{.MainNetChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP 
{{.MangleTable}} {{.MainNetChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT

{{/* udp rules ends */}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainNetChain}} -j {{.TriremeInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.NetworkSvcInput}}
{{.MangleTable}} {{.MainNetChain}} -j {{.HostInput}}
{{end}}

{{if isIstioEnabled}}
{{.MangleTable}} OUTPUT -j {{.IstioChain}}
{{.MangleTable}} {{.MainNetChain}} -p tcp --dport {{IstioRedirPort}} -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j ACCEPT
{{end}}
{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}

{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.PacketMarkToSetConnmark}} -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainAppChain}} -p tcp -m mark --mark {{.PacketMarkToSetConnmark}} -j ACCEPT

{{/* enforcer rules */}}
{{.MangleTable}} {{.MainAppChain}}  -p udp --dport 53 -m mark --mark 0x40 -m cgroup --cgroup ` + enforcerCgroupMark + ` -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.MainAppChain}}  -p udp --dport 53 -m mark --mark 0x40 -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{/* enforcer rules ends */}}


{{.MangleTable}} {{.MainAppChain}} -j {{.MangleProxyAppChain}}
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultExternalConnmark}} -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -p udp -m connmark --mark {{.DefaultDropConnmark}} -m comment --comment "Drop UDP ACL" -j DROP
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p tcp ! --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK  -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m connmark --mark {{.DefaultConnmark}} -p udp -j ACCEPT
{{.MangleTable}} {{.MainAppChain}} -m mark --mark {{.RawSocketMark}} -j ACCEPT
{{$.MangleTable}} {{$.MainAppChain}} -p tcp -m tcp --tcp-flags FIN,RST,URG,PSH,SYN,ACK SYN,ACK -j {{.NfqueueOutput}}

{{if isLocalServer}}
{{.MangleTable}} {{.MainAppChain}} -j {{.TriremeOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.NetworkSvcOutput}}
{{.MangleTable}} {{.MainAppChain}} -j {{.HostOutput}}
{{end}}

{{.MangleTable}} {{.MangleProxyAppChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT

{{/* Using RETURN instead of ACCEPT because ACCEPT skips k8s DNS NAT rules */}}
{{.NatTable}} {{.NatProxyAppChain}} -m mark --mark {{.ProxyMark}} -j RETURN
{{.NatTable}} {{.NatProxyNetChain}} -m mark --mark {{.ProxyMark}} -j ACCEPT
`
   111  
// cgroupCaptureTemplate are the list of iptables commands that will hook traffic and send it to a PU specific
// chain. The hook method depends on the type of PU.
//
// Network side (NetSection): TCP is matched either by an explicit multiport
// list (isTCPPorts) or by the TCPPortSet ipset; UDP is matched by multiport
// only when isUDPPorts. A host PU additionally accepts established UDP
// replies whose connection does not carry DefaultHandShakeMark, accepts all
// UDP to port 53 (local resolver, per the inline comment) and then sends
// everything else in NetSection to NetChain.
//
// Application side (AppSection): a host PU sets Mark on every packet that does
// not originate from the enforcer's own cgroup (enforcerCgroupMark); any other
// PU sets Mark on packets from the cgroup identified by Mark itself. Packets
// carrying Mark are then jumped to AppChain, and for a host PU ICMP (ICMPv6
// when isIPV6Enabled) is jumped to AppChain without any mark check.
//
// isTCPPorts, isUDPPorts, isHostPU and isIPV6Enabled are template funcs
// expected to be registered by the code that executes the template.
var cgroupCaptureTemplate = `

{{if isTCPPorts}}
{{.MangleTable}} {{.NetSection}} -p tcp -m multiport --destination-ports {{.TCPPorts}} -m comment --comment PU-Chain -j {{.NetChain}}
{{else}}
{{.MangleTable}} {{.NetSection}} -p tcp -m set --match-set {{.TCPPortSet}} dst -m comment --comment PU-Chain -j {{.NetChain}}
{{end}}

{{if isHostPU}}
{{/* UDP response traffic needs to be accepted */}}
{{.MangleTable}} {{.NetSection}} -p udp -m udp -m state --state ESTABLISHED -m connmark ! --mark {{.DefaultHandShakeMark}} -j ACCEPT
{{/* Traffic to systemd resolver/dnsmasq gets accepted */}}
{{.MangleTable}} {{.NetSection}} -p udp -m udp --dport 53 -j ACCEPT
{{.MangleTable}} {{.NetSection}} -m comment --comment PU-Chain -j {{.NetChain}}
{{end}}

{{if isUDPPorts}}
{{.MangleTable}} {{.NetSection}} -p udp -m multiport --destination-ports {{.UDPPorts}} -m comment --comment PU-Chain -j {{.NetChain}}
{{end}}

{{if isHostPU}}
{{.MangleTable}} {{.AppSection}} -m cgroup ! --cgroup ` + enforcerCgroupMark + ` -m comment --comment PU-Chain -j MARK --set-mark {{.Mark}}
{{.MangleTable}} {{.AppSection}} -m mark --mark {{.Mark}} -m comment --comment PU-Chain -j {{.AppChain}}
{{else}}
{{.MangleTable}} {{.AppSection}} -m cgroup --cgroup {{.Mark}} -m comment --comment PU-Chain -j MARK --set-mark {{.Mark}}
{{.MangleTable}} {{.AppSection}} -m mark --mark {{.Mark}} -m comment --comment PU-Chain -j {{.AppChain}}
{{end}}

{{if isHostPU}}
{{if isIPV6Enabled}}
{{.MangleTable}} {{.AppSection}} -p icmpv6 -j {{.AppChain}}
{{else}}
{{.MangleTable}} {{.AppSection}} -p icmp -j {{.AppChain}}
{{end}}
{{end}}
`
   150  
// containerChainTemplate will hook traffic towards the container specific chains.
// Unlike cgroupCaptureTemplate it applies no protocol, port, mark or cgroup
// match: every packet reaching AppSection/NetSection is jumped to
// AppChain/NetChain, so the per-container chains see all of that traffic.
var containerChainTemplate = `
{{.MangleTable}} {{.AppSection}} -m comment --comment Container-specific-chain -j {{.AppChain}}
{{.MangleTable}} {{.NetSection}} -m comment --comment Container-specific-chain -j {{.NetChain}}`
   155  
// istioChainTemplate populates IstioChain (created by triremChains and hooked
// from mangle OUTPUT by globalRules when isIstioEnabled). TCP not owned by
// IstioUID is accepted immediately; TCP owned by IstioUID between two local
// addresses is marked with DefaultExternalConnmark; and TCP owned by IstioUID
// to any local address is then accepted. IstioUID is a template func expected
// to be registered by the code that executes the template.
var istioChainTemplate = `
{{.MangleTable}} {{.IstioChain}} -p tcp -m owner ! --uid-owner {{IstioUID}} -j ACCEPT
{{.MangleTable}} {{.IstioChain}} -p tcp -m owner --uid-owner {{IstioUID}} -m addrtype --dst-type LOCAL -m addrtype --src-type LOCAL -j CONNMARK --set-mark {{.DefaultExternalConnmark}}
{{.MangleTable}} {{.IstioChain}} -p tcp -m owner --uid-owner {{IstioUID}} -m addrtype --dst-type LOCAL -j ACCEPT`
   160  
// acls renders the per-PU ACL rule groups in evaluation order: the reject
// groups first (observe-continue, not-observed, observe-apply), then the
// accept groups in the same three variants, then ReverseRules. Each element
// is handed to the joinRule template func, which is expected to be registered
// by the code that executes the template; the template adds no match or
// target of its own, so the ordering of the groups is the only semantics it
// contributes.
var acls = `
{{range .RejectObserveContinue}}
{{joinRule .}}
{{end}}

{{range .RejectNotObserved}}
{{joinRule .}}
{{end}}

{{range .RejectObserveApply}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveContinue}}
{{joinRule .}}
{{end}}

{{range .AcceptNotObserved}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveApply}}
{{joinRule .}}
{{end}}

{{range .ReverseRules}}
{{joinRule .}}
{{end}}
`
   190  
// preNetworkACLRuleTemplate is a single NetChain rule, named for being applied
// ahead of the network ACLs, that sends TCP packets carrying TCP option 34
// and none of FIN, RST, URG or PSH to NfqueueInput. The inline template
// comment describes these as the SYN and ACK packets; note the rule does not
// test the SYN or ACK bits themselves, only that the other four are clear.
var preNetworkACLRuleTemplate = `
{{/* matches syn and ack packets */}}
{{$.MangleTable}} {{$.NetChain}} -p tcp -m tcp --tcp-option 34 -m tcp --tcp-flags FIN,RST,URG,PSH NONE -j {{.NfqueueInput}}
`
   195  
// packetCaptureTemplate are the rules that trap traffic towards the user space.
//
// AppChain (outbound): an optional ICMPv6 BPF allow rule (needICMP); TCP FIN
// to TargetTCPNetSet is accepted; TCP to TargetTCPNetSet and UDP to
// TargetUDPNetSet are queued - a non-container PU fans out via HMARK (offset
// packetMark, fixed seed 0xdeadbeef) over NumNFQueues NFQUEUE rules, every one
// with --queue-bypass (fail open: accepted when no process is bound to the
// queue), while a container PU jumps straight to NfqueueOutput. Established
// TCP and UDP are accepted, appAnyRules are rendered through joinRule, and
// traffic to DefaultIP is logged to NFLOG group 10 (NEW state; also non-NEW
// when isAppDrop) before AppDefaultAction is applied.
//
// NetChain (inbound): an optional ICMPv6 allow rule; TCP from TargetTCPNetSet
// with SYN clear, and UDP from TargetUDPNetSet rate-limited to 1000/s
// (packets over the limit do not match and fall through to the later rules),
// go to NfqueueInput; established TCP only is accepted (there is no UDP
// counterpart on this side); netAnyRules; then NFLOG group 11 and
// NetDefaultAction for DefaultIP, mirroring the app side.
//
// needICMP, isNotContainerPU, packetMark, getOutputMark, appAnyRules,
// netAnyRules, joinRule, isAppDrop and isNetDrop are template funcs expected
// to be registered by the code that executes the template.
var packetCaptureTemplate = `
{{if needICMP}}
{{.MangleTable}} {{.AppChain}} -p icmpv6 -m bpf --bytecode "{{.ICMPv6Allow}}" -j ACCEPT
{{end}}

{{if isNotContainerPU}}

{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -j HMARK --hmark-tuple sport,dport --hmark-mod {{.NumNFQueues}} --hmark-offset {{packetMark}} --hmark-rnd 0xdeadbeef
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j HMARK --hmark-tuple sport,dport --hmark-mod {{.NumNFQueues}} --hmark-offset {{packetMark}} --hmark-rnd 0xdeadbeef

{{range $index,$queuenum := .NFQueues}}
{{$.MangleTable}} {{$.AppChain}} -m mark --mark {{getOutputMark}} -j NFQUEUE --queue-num {{$queuenum}} --queue-bypass
{{end}}

{{else}}
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -m tcp --tcp-flags FIN FIN -j ACCEPT
{{$.MangleTable}} {{$.AppChain}} -m set --match-set {{$.TargetTCPNetSet}} dst -p tcp -j {{.NfqueueOutput}}
{{$.MangleTable}} {{$.AppChain}} -p udp -m set --match-set {{$.TargetUDPNetSet}} dst -j {{.NfqueueOutput}}
{{end}}

{{.MangleTable}} {{.AppChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{.MangleTable}} {{.AppChain}} -p udp -m state --state ESTABLISHED -m comment --comment UDP-Established-Connections -j ACCEPT

{{range appAnyRules}}
{{joinRule .}}
{{end}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state --state NEW -j NFLOG  --nflog-group 10 --nflog-prefix {{.AppNFLOGPrefix}}
{{if isAppDrop}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.AppChain}} -d {{.DefaultIP}} -j {{.AppDefaultAction}}

{{if needICMP}}
{{.MangleTable}} {{.NetChain}} -p icmpv6 -m bpf --bytecode "{{.ICMPv6Allow}}" -j ACCEPT
{{end}}


{{.MangleTable}} {{.NetChain}} -p tcp -m set --match-set {{$.TargetTCPNetSet}} src -m tcp --tcp-flags SYN NONE -j {{.NfqueueInput}}
{{.MangleTable}} {{.NetChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} src --match limit --limit 1000/s -j {{.NfqueueInput}}

{{.MangleTable}} {{.NetChain}} -p tcp -m state --state ESTABLISHED -m comment --comment TCP-Established-Connections -j ACCEPT

{{range netAnyRules}}
{{joinRule .}}
{{end}}

{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGPrefix}}
{{if isNetDrop}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -m state ! --state NEW -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGDropPacketLogPrefix}}
{{end}}
{{.MangleTable}} {{.NetChain}} -s {{.DefaultIP}} -j {{.NetDefaultAction}}
`
   251  
// proxyDNSChainTemplate installs the DNS-proxy rules, and only when the
// enableDNSProxy template func reports true. In the mangle proxy chains UDP
// from DNSProxyPort (app side) and to DNSProxyPort (net side) is accepted. In
// the nat app chain, UDP to DNSServerIP port 53 that does not carry ProxyMark
// is REDIRECTed to DNSProxyPort: restricted to the CgroupMark cgroup when
// isCgroupSet (in which case the connmark is saved first), otherwise for every
// originating process. enableDNSProxy and isCgroupSet are template funcs
// expected to be registered by the code that executes the template.
var proxyDNSChainTemplate = `
{{if enableDNSProxy}}
{{.MangleTable}} {{.MangleProxyAppChain}} -p udp -m udp --sport {{.DNSProxyPort}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p udp -m udp --dport {{.DNSProxyPort}} -j ACCEPT
{{if isCgroupSet}}
{{.NatTable}} {{.NatProxyAppChain}} -d {{.DNSServerIP}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -m cgroup --cgroup {{.CgroupMark}} -j CONNMARK --save-mark
{{.NatTable}} {{.NatProxyAppChain}} -d {{.DNSServerIP}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -m cgroup --cgroup {{.CgroupMark}} -j REDIRECT --to-ports {{.DNSProxyPort}}
{{else}}
{{.NatTable}} {{.NatProxyAppChain}} -d {{.DNSServerIP}} -p udp --dport 53 -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.DNSProxyPort}}
{{end}}
{{end}}
`
// proxyChainTemplate installs the TCP proxy rules. In the mangle proxy app
// chain, TCP from ProxyPort, from SrvIPSet, or to DestIPSet (dst,dst ipset
// match) without ProxyMark is accepted; the mangle proxy net chain accepts TCP
// from DestIPSet, from SrvIPSet when the source address is local, and to
// ProxyPort. In nat, TCP to DestIPSet without ProxyMark is REDIRECTed to
// ProxyPort from the app chain (restricted to the CgroupMark cgroup when
// isCgroupSet), and TCP to SrvIPSet without ProxyMark is redirected the same
// way from the net chain. isCgroupSet is a template func expected to be
// registered by the code that executes the template.
var proxyChainTemplate = `
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m tcp --sport {{.ProxyPort}} -j ACCEPT
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -j ACCEPT
{{.MangleTable}} {{.MangleProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j ACCEPT

{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.DestIPSet}} src,src -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} src -m addrtype --src-type LOCAL -j ACCEPT
{{.MangleTable}} {{.MangleProxyNetChain}} -p tcp -m tcp --dport {{.ProxyPort}} -j ACCEPT

{{if isCgroupSet}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -m cgroup --cgroup {{.CgroupMark}} -j REDIRECT --to-ports {{.ProxyPort}}
{{else}}
{{.NatTable}} {{.NatProxyAppChain}} -p tcp -m set --match-set {{.DestIPSet}} dst,dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}
{{end}}
{{.NatTable}} {{.NatProxyNetChain}} -p tcp -m set --match-set {{.SrvIPSet}} dst -m mark ! --mark {{.ProxyMark}} -j REDIRECT --to-ports {{.ProxyPort}}`
   279  
// globalHooks are the rules that attach the Trireme chains to the built-in
// chains, in every case skipping addresses in ExclusionsSet: mangle INPUT to
// MainNetChain, mangle OUTPUT to MainAppChain, nat PREROUTING (TCP to a local
// address) to NatProxyNetChain, and nat OUTPUT to NatProxyAppChain. The first
// two lines are the same INPUT/OUTPUT hook rules that also appear inside
// globalRules.
var globalHooks = `
{{.MangleTable}} INPUT -m set ! --match-set {{.ExclusionsSet}} src -j {{.MainNetChain}}
{{.MangleTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.MainAppChain}}
{{.NatTable}} PREROUTING -p tcp -m addrtype --dst-type LOCAL -m set ! --match-set {{.ExclusionsSet}} src -j {{.NatProxyNetChain}}
{{.NatTable}} OUTPUT -m set ! --match-set {{.ExclusionsSet}} dst -j {{.NatProxyAppChain}}
`