// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

// Package iptables provides the hive cell that holds the iptables-related
// configuration for the Cilium agent.
package iptables

import (
	"github.com/cilium/hive/cell"
	"github.com/spf13/pflag"

	"github.com/cilium/cilium/pkg/datapath/iptables/ipset"
	"github.com/cilium/cilium/pkg/option"
	"github.com/cilium/cilium/pkg/time"
)

// Cell handles iptables-related configuration for Cilium. It bundles the
// ipset cell, the iptables flag Config, a module-private SharedConfig derived
// from the daemon configuration, and the iptables manager constructor.
var Cell = cell.Module(
	"iptables",
	"Handle iptables-related configuration for Cilium",

	// Manage "cilium_node_set_v4" and "cilium_node_set_v6" kernel IP sets to
	// collect IPv4 and IPv6 node addresses (respectively) and exclude traffic to
	// those IPs from being masqueraded.
	ipset.Cell,

	cell.Config(defaultConfig),
	cell.ProvidePrivate(newSharedConfig),
	cell.Provide(newIptablesManager),
)

// newSharedConfig derives the SharedConfig used inside this module from the
// daemon-wide configuration. Only the fields the iptables code needs are
// copied, so the module does not have to read option.DaemonConfig directly.
func newSharedConfig(cfg *option.DaemonConfig) SharedConfig {
	// Values computed by DaemonConfig methods rather than read from fields.
	shared := SharedConfig{
		TunnelingEnabled:                cfg.TunnelingEnabled(),
		NodeIpsetNeeded:                 cfg.NodeIpsetNeeded(),
		IptablesMasqueradingIPv4Enabled: cfg.IptablesMasqueradingIPv4Enabled(),
		IptablesMasqueradingIPv6Enabled: cfg.IptablesMasqueradingIPv6Enabled(),
	}

	// Plain fields copied verbatim from the daemon configuration.
	shared.EnableIPv4 = cfg.EnableIPv4
	shared.EnableIPv6 = cfg.EnableIPv6
	shared.EnableXTSocketFallback = cfg.EnableXTSocketFallback
	shared.EnableBPFTProxy = cfg.EnableBPFTProxy
	shared.InstallNoConntrackIptRules = cfg.InstallNoConntrackIptRules
	shared.EnableEndpointRoutes = cfg.EnableEndpointRoutes
	shared.IPAM = cfg.IPAM
	shared.EnableIPSec = cfg.EnableIPSec
	shared.MasqueradeInterfaces = cfg.MasqueradeInterfaces
	shared.EnableMasqueradeRouteSource = cfg.EnableMasqueradeRouteSource
	shared.EnableL7Proxy = cfg.EnableL7Proxy
	shared.InstallIptRules = cfg.InstallIptRules

	return shared
}

// Config holds the command-line configurable settings of the iptables module.
// Its fields are populated from the flags registered in Flags.
type Config struct {
	// IPTablesLockTimeout defines the "-w" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	IPTablesLockTimeout time.Duration

	// DisableIptablesFeederRules specifies which chains will be excluded
	// when installing the feeder rules.
	// NOTE(review): a chain listed here receives no Cilium feeder rule;
	// confirm each exclusion is intentional when this is set.
	DisableIptablesFeederRules []string

	// IPTablesRandomFully defines the "--random-fully" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	IPTablesRandomFully bool

	// PrependIptablesChains, when enabled, prepends custom iptables chains instead of appending.
	PrependIptablesChains bool
}

// defaultConfig supplies the flag defaults: a 5s xtables lock wait and
// prepending of Cilium's custom chains.
var defaultConfig = Config{
	IPTablesLockTimeout:   5 * time.Second,
	PrependIptablesChains: true,
}

// Flags registers the iptables module's command-line flags on flags, using the
// receiver's field values as defaults.
func (c Config) Flags(flags *pflag.FlagSet) {
	flags.Duration("iptables-lock-timeout", c.IPTablesLockTimeout,
		"Time to pass to each iptables invocation to wait for xtables lock acquisition")
	flags.StringSlice("disable-iptables-feeder-rules", c.DisableIptablesFeederRules,
		"Chains to ignore when installing feeder rules.")
	flags.Bool("iptables-random-fully", c.IPTablesRandomFully,
		"Set iptables flag random-fully on masquerading rules")
	flags.Bool("prepend-iptables-chains", c.PrependIptablesChains,
		"Prepend custom iptables chains instead of appending")
}

// SharedConfig is the subset of the daemon configuration that the iptables
// module depends on. It is provided privately to the module by Cell and
// built from option.DaemonConfig by newSharedConfig.
type SharedConfig struct {
	// Derived via DaemonConfig methods.
	TunnelingEnabled                bool
	NodeIpsetNeeded                 bool
	IptablesMasqueradingIPv4Enabled bool
	IptablesMasqueradingIPv6Enabled bool

	// Copied directly from DaemonConfig fields.
	EnableIPv4                  bool
	EnableIPv6                  bool
	EnableXTSocketFallback      bool
	EnableBPFTProxy             bool
	InstallNoConntrackIptRules  bool
	EnableEndpointRoutes        bool
	IPAM                        string
	EnableIPSec                 bool
	MasqueradeInterfaces        []string
	EnableMasqueradeRouteSource bool
	EnableL7Proxy               bool
	InstallIptRules             bool
}