// +build windows

// This file holds the Windows variants of the rule templates used by the
// iptablesctrl supervisor. The rule syntax is iptables-like, but several
// targets and match keywords (ACCEPT_ONCE, NFQUEUE_FORCE, srcIP/dstIP on
// ipset matches, --pid-owner/--pid-children) are Windows-specific; bare
// identifiers inside {{...}} (isIPv4, EnforcerPID, joinRule, ...) are
// template functions supplied by the renderer, which lives elsewhere.

package iptablesctrl

// triremChains lists the chains created on Windows, one "-t <table> -N <chain>"
// line per chain. Each group (GlobalRules, ProcessRules, HostSvcRules, HostPU)
// has an OUTPUT and an INPUT chain; the other templates in this file append
// rules to these chains or to the per-PU app/net chains.
var triremChains = `
-t OUTPUT -N GlobalRules-OUTPUT
-t INPUT -N GlobalRules-INPUT
-t OUTPUT -N ProcessRules-OUTPUT
-t INPUT -N ProcessRules-INPUT
-t OUTPUT -N HostSvcRules-OUTPUT
-t INPUT -N HostSvcRules-INPUT
-t OUTPUT -N HostPU-OUTPUT
-t INPUT -N HostPU-INPUT
`

// When enforcerd is managed by cns-agent, its parent is mgr and its grandparent is boot
// -cns-agent-boot
//    |----cns-agent-mgr
//           |----enforcerd
// However, when mgr is updated, it will be respawned with a new pid and enforcerd will no longer
// have a parent
// -cns-agent-boot
//    |----cns-agent-mgr
// -enforcerd
// We need to allow this new mgr to communicate with the API server too, so we can allow
// cns-agent-boot and its children, in order to satisfy this.
// Note also that any currently active mgr pid needs to be explicitly added as its own rule here.

// globalRules are the rules not tied to a PU chain. They are rendered into
// GlobalRules-INPUT / GlobalRules-OUTPUT and consist of:
//   - an ACCEPT_ONCE rule for traffic whose source (INPUT) or destination
//     (OUTPUT) is in the {{.ExclusionsSet}} ipset;
//   - IPv4 only (isIPv4): owner-based ACCEPT rules for the enforcer's own pid
//     and, when isManagedByCnsAgentManager holds, for cns-agent-boot together
//     with all of its children (--pid-children) and for the current
//     cns-agent-mgr pid;
//   - IPv4 only, when enableDNSProxy holds: UDP replies from source port 53
//     whose source is in the {{windowsDNSServerName}} set go to NFQUEUE_FORCE
//     with mark 83;
//   - when needICMP holds: ACCEPT in both directions for ICMPv6 types 133-136,
//     141 and 142 (the neighbor-discovery message types).
// The owner rules exempt every process under cns-agent-boot from the policy
// applied by the PU chains, so the pid values rendered here are
// trust-sensitive: they decide which processes bypass enforcement.
var globalRules = `
INPUT GlobalRules-INPUT -m set --match-set {{.ExclusionsSet}} srcIP -j ACCEPT_ONCE
OUTPUT GlobalRules-OUTPUT -m set --match-set {{.ExclusionsSet}} dstIP -j ACCEPT_ONCE
{{if isIPv4}}
INPUT GlobalRules-INPUT -m owner --pid-owner {{EnforcerPID}} -j ACCEPT
OUTPUT GlobalRules-OUTPUT -m owner --pid-owner {{EnforcerPID}} -j ACCEPT
{{if isManagedByCnsAgentManager}}
INPUT GlobalRules-INPUT -m owner --pid-owner {{CnsAgentBootPID}} --pid-children -j ACCEPT
OUTPUT GlobalRules-OUTPUT -m owner --pid-owner {{CnsAgentBootPID}} --pid-children -j ACCEPT
INPUT GlobalRules-INPUT -m owner --pid-owner {{CnsAgentMgrPID}} -j ACCEPT
OUTPUT GlobalRules-OUTPUT -m owner --pid-owner {{CnsAgentMgrPID}} -j ACCEPT
{{end}}
{{if enableDNSProxy}}
INPUT GlobalRules-INPUT -p udp --sports 53 -m set --match-set {{windowsDNSServerName}} srcIP -j NFQUEUE_FORCE -j MARK 83
{{end}}
{{end}}
{{if needICMP}}
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 133/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 134/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 135/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 136/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 141/0 -j ACCEPT
OUTPUT GlobalRules-OUTPUT -p icmpv6 --icmp-type 142/0 -j ACCEPT
INPUT GlobalRules-INPUT -p icmpv6 --icmp-type 133/0 -j ACCEPT
INPUT GlobalRules-INPUT -p icmpv6 --icmp-type 134/0 -j ACCEPT
INPUT GlobalRules-INPUT -p icmpv6 --icmp-type 135/0 -j ACCEPT
INPUT GlobalRules-INPUT -p icmpv6 --icmp-type 136/0 -j ACCEPT
INPUT GlobalRules-INPUT -p icmpv6 --icmp-type 141/0 -j ACCEPT
INPUT GlobalRules-INPUT -p icmpv6 --icmp-type 142/0 -j ACCEPT
{{end}}

`

// istioChainTemplate is empty on Windows: no istio-specific chain rules are rendered.
var istioChainTemplate = ``

// proxyDNSChainTemplate is empty on Windows: no DNS-proxy chain rules are rendered
// here (the DNS proxy rule lives in globalRules under enableDNSProxy).
var proxyDNSChainTemplate = ``

// cgroupCaptureTemplate are the list of iptables commands that will hook traffic and send it to a PU specific
// chain. The hook method depends on the type of PU:
//   - host PU (isHostPU): HostPU-OUTPUT/HostPU-INPUT REDIRECT TCP matching the
//     target net set plus {{.DestIPSet}} (outbound) or {{.SrvIPSet}} by
//     destination port (inbound) to {{.ProxyPort}}, then jump to the PU's
//     {{.AppChain}} / {{.NetChain}};
//   - process PU (isProcessPU): ProcessRules-OUTPUT/INPUT jump to the PU chains
//     for packets owned by {{.ContextID}} with --pid-childrenonly (presumably
//     the children of that pid rather than the pid itself — confirm against
//     the Windows owner match);
//   - otherwise (host service): HostSvcRules-OUTPUT/INPUT jump by destination
//     (outbound) or source (inbound) port list, TCP when isTCPPorts holds and
//     UDP when isUDPPorts holds.
// Independently of the PU type, the first four rules send to NFQUEUE with
// {{.PacketMark}}: inbound UDP carrying {{.UDPSignature}} at offset 4 or 6,
// outbound TCP with SYN+ACK set (--tcp-flags 18,18 read as iptables mask,comp)
// and inbound SYN+ACK from {{.TargetTCPNetSet}}.
var cgroupCaptureTemplate = `

INPUT {{.NetChain}} -p udp -m string --string {{.UDPSignature}} --offset 4 -j NFQUEUE -j MARK {{.PacketMark}}
INPUT {{.NetChain}} -p udp -m string --string {{.UDPSignature}} --offset 6 -j NFQUEUE -j MARK {{.PacketMark}}
OUTPUT {{.AppChain}} -p tcp --tcp-flags 18,18 -j NFQUEUE -j MARK {{.PacketMark}}
INPUT {{.NetChain}} -p tcp --tcp-flags 18,18 -m set --match-set {{.TargetTCPNetSet}} srcIP -j NFQUEUE -j MARK {{.PacketMark}}
{{if isHostPU}}
OUTPUT HostPU-OUTPUT -p tcp -m set --match-set {{.TargetTCPNetSet}} dstIP -m set --match-set {{.DestIPSet}} dstIP,dstPort -j REDIRECT --to-ports {{.ProxyPort}}
INPUT HostPU-INPUT -p tcp -m set --match-set {{.SrvIPSet}} dstPort -j REDIRECT --to-ports {{.ProxyPort}}
OUTPUT HostPU-OUTPUT -j {{.AppChain}}
INPUT HostPU-INPUT -j {{.NetChain}}
{{else}}
{{if isProcessPU}}
OUTPUT ProcessRules-OUTPUT -j {{.AppChain}} -m owner --pid-owner {{.ContextID}} --pid-childrenonly
INPUT ProcessRules-INPUT -j {{.NetChain}} -m owner --pid-owner {{.ContextID}} --pid-childrenonly
{{else}}
{{if isTCPPorts}}
OUTPUT HostSvcRules-OUTPUT -p tcp --dports {{.TCPPorts}} -j {{.AppChain}}
INPUT HostSvcRules-INPUT -p tcp --sports {{.TCPPorts}} -j {{.NetChain}}
{{end}}
{{if isUDPPorts}}
OUTPUT HostSvcRules-OUTPUT -p udp --dports {{.UDPPorts}} -j {{.AppChain}}
INPUT HostSvcRules-INPUT -p udp --sports {{.UDPPorts}} -j {{.NetChain}}
{{end}}
{{end}}
{{end}}
`

// containerChainTemplate will hook traffic towards the container specific chains.
// It is empty on Windows: no container hook rules are rendered, the PU-type
// dispatch in cgroupCaptureTemplate is the only hook used here.
var containerChainTemplate = ``

// acls renders the per-PU ACL rules. Each range walks one list of the template
// data and joinRule turns every entry into a single rule line. The groups are
// rendered in the order reject-observe-continue, reject-not-observed,
// reject-observe-apply, then the three matching accept groups, then
// ReverseRules, so reject rules always precede accept rules in the output.
var acls = `
{{range .RejectObserveContinue}}
{{joinRule .}}
{{end}}

{{range .RejectNotObserved}}
{{joinRule .}}
{{end}}

{{range .RejectObserveApply}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveContinue}}
{{joinRule .}}
{{end}}

{{range .AcceptNotObserved}}
{{joinRule .}}
{{end}}

{{range .AcceptObserveApply}}
{{joinRule .}}
{{end}}

{{range .ReverseRules}}
{{joinRule .}}
{{end}}
`

// preNetworkACLRuleTemplate adds one rule to the PU's net chain; judging by its
// name it is rendered ahead of the network ACLs. Read as iptables "mask,comp",
// --tcp-flags 45,0 selects TCP packets with FIN, RST, PSH and URG all clear
// (the template's own comment calls these the syn and ack packets), restricted
// to packets carrying TCP option kind 34 (the TCP Fast Open option number),
// and queues them with {{.PacketMark}}.
// NOTE(review): this is the only rule in the file written "-j NFQUEUE MARK"
// instead of "-j NFQUEUE -j MARK"; confirm the Windows rule parser accepts the
// missing "-j", or align it with the other templates.
var preNetworkACLRuleTemplate = `
{{/* matches syn and ack packets FIN,RST,URG,PSH NONE */}}
INPUT {{.NetChain}} -p tcp --tcp-flags 45,0 --tcp-option 34 -j NFQUEUE MARK {{.PacketMark}}
`

// packetCaptureTemplate are the rules that trap traffic towards the user space.
// windows uses it as a final deny-all. In order:
//   - outbound FIN packets (--tcp-flags 1,1) to {{.TargetTCPNetSet}} are
//     accepted; other outbound TCP/UDP to the target net sets and inbound TCP
//     without SYN (--tcp-flags 2,0) go to NFQUEUE with {{.PacketMark}};
//   - the appAnyRules and netAnyRules lists are rendered via joinRule;
//   - the last OUTPUT/INPUT rules match everything in {{windowsAllIpsetName}}
//     and apply {{.AppDefaultAction}} / {{.NetDefaultAction}} with an NFLOG
//     record (groups 10 and 11, prefixes {{.AppNFLOGPrefix}} /
//     {{.NetNFLOGPrefix}}); when isAppDrop / isNetDrop hold, an NFLOG-only rule
//     with the drop-packet prefix is emitted just before it.
// NOTE(review): the appAnyRules and netAnyRules ranges appear twice in a row,
// so those rules are rendered twice; confirm whether the repetition is
// intended (it reads like a copy-paste) before changing it.
var packetCaptureTemplate = `
OUTPUT {{.AppChain}} -p tcp --tcp-flags 1,1 -m set --match-set {{.TargetTCPNetSet}} dstIP -j ACCEPT
OUTPUT {{.AppChain}} -p tcp -m set --match-set {{.TargetTCPNetSet}} dstIP -j NFQUEUE -j MARK {{.PacketMark}}
OUTPUT {{.AppChain}} -p udp -m set --match-set {{.TargetUDPNetSet}} dstIP -j NFQUEUE -j MARK {{.PacketMark}}
INPUT {{.NetChain}} -p tcp --tcp-flags 2,0 -j NFQUEUE -j MARK {{.PacketMark}}
{{range appAnyRules}}
{{joinRule .}}
{{end}}
{{range netAnyRules}}
{{joinRule .}}
{{end}}
{{range appAnyRules}}
{{joinRule .}}
{{end}}
{{range netAnyRules}}
{{joinRule .}}
{{end}}
{{if isAppDrop}}
OUTPUT {{.AppChain}} -m set --match-set {{windowsAllIpsetName}} dstIP -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGDropPacketLogPrefix}}
{{end}}
OUTPUT {{.AppChain}} -m set --match-set {{windowsAllIpsetName}} dstIP -j {{.AppDefaultAction}} -j NFLOG --nflog-group 10 --nflog-prefix {{.AppNFLOGPrefix}}
{{if isNetDrop}}
INPUT {{.NetChain}} -m set --match-set {{windowsAllIpsetName}} srcIP -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGDropPacketLogPrefix}}
{{end}}
INPUT {{.NetChain}} -m set --match-set {{windowsAllIpsetName}} srcIP -j {{.NetDefaultAction}} -j NFLOG --nflog-group 11 --nflog-prefix {{.NetNFLOGPrefix}}
`

// proxyChainTemplate is empty on Windows: no proxy chain rules are rendered here.
var proxyChainTemplate = ``

// globalHooks is empty on Windows: no extra global hook rules are rendered.
var globalHooks = ``