istio.io/istio@v0.0.0-20240520182934-d79c90f27776/cni/pkg/plugin/sidecar_iptables_linux.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
// This is a sample chained plugin that supports multiple CNI versions. It
// parses prevResult according to the cniVersion.
    17  package plugin
    18  
    19  import (
    20  	"fmt"
    21  
    22  	"github.com/containernetworking/plugins/pkg/ns"
    23  
    24  	"istio.io/istio/pkg/log"
    25  	"istio.io/istio/tools/istio-iptables/pkg/cmd"
    26  	"istio.io/istio/tools/istio-iptables/pkg/config"
    27  	"istio.io/istio/tools/istio-iptables/pkg/dependencies"
    28  )
    29  
// getNs opens a network namespace by path. It defaults to ns.GetNS and is a
// package-level variable so unit tests can substitute a fake namespace opener.
var getNs = ns.GetNS
    32  
    33  // Program defines a method which programs iptables based on the parameters
    34  // provided in Redirect.
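// Program defines a method which programs iptables based on the parameters
// provided in Redirect.
//
// The Redirect values (ports, UID/GID, CIDR lists, interface lists, DNS and
// dual-stack flags) are copied into an istio-iptables config, the config is
// completed from the environment, and istio-iptables is then run inside the
// network namespace at netns so the rules are installed there rather than in
// the caller's namespace.
//
// podName is used only for log output. netns is the path of the namespace to
// program. A nil rdrct is rejected with an error instead of being
// dereferenced.
//
// It returns an error if the environment-derived config cannot be filled, if
// the namespace cannot be opened (the cause is wrapped so callers can use
// errors.Is/errors.As), or if rule programming fails.
func (ipt *iptables) Program(podName, netns string, rdrct *Redirect) error {
	if rdrct == nil {
		return fmt.Errorf("programming iptables for %q: nil redirect", podName)
	}

	cfg := config.DefaultConfig()
	cfg.CNIMode = true
	cfg.NetworkNamespace = netns
	cfg.ProxyPort = rdrct.targetPort
	cfg.ProxyUID = rdrct.noRedirectUID
	cfg.ProxyGID = rdrct.noRedirectGID
	cfg.InboundInterceptionMode = rdrct.redirectMode
	cfg.OutboundIPRangesInclude = rdrct.includeIPCidrs
	cfg.InboundPortsExclude = rdrct.excludeInboundPorts
	cfg.InboundPortsInclude = rdrct.includeInboundPorts
	cfg.ExcludeInterfaces = rdrct.excludeInterfaces
	cfg.OutboundPortsExclude = rdrct.excludeOutboundPorts
	cfg.OutboundPortsInclude = rdrct.includeOutboundPorts
	cfg.OutboundIPRangesExclude = rdrct.excludeIPCidrs
	cfg.KubeVirtInterfaces = rdrct.kubevirtInterfaces
	// DryRun is taken from the dependencies package's dry-run file path, not
	// from Redirect: a non-empty path means rules are recorded, not applied.
	cfg.DryRun = dependencies.DryRunFilePath.Get() != ""
	// Both DNS settings are driven by the single dnsRedirect flag.
	cfg.RedirectDNS = rdrct.dnsRedirect
	cfg.CaptureAllDNS = rdrct.dnsRedirect
	cfg.DropInvalid = rdrct.invalidDrop
	cfg.DualStack = rdrct.dualStack
	if err := cfg.FillConfigFromEnvironment(); err != nil {
		return err
	}

	netNs, err := getNs(netns)
	if err != nil {
		// %w (not %s) keeps the underlying error in the chain for callers.
		return fmt.Errorf("failed to open netns %q: %w", netns, err)
	}
	defer netNs.Close()

	// Execute inside the target namespace so the rules land in the pod's
	// network stack rather than the node's.
	return netNs.Do(func(_ ns.NetNS) error {
		log.Infof("============= Start iptables configuration for %v =============", podName)
		defer log.Infof("============= End iptables configuration for %v =============", podName)
		return cmd.ProgramIptables(cfg)
	})
}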