// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package cmd

import (
	"istio.io/istio/tools/istio-clean-iptables/pkg/config"
	"istio.io/istio/tools/istio-iptables/pkg/builder"
	common "istio.io/istio/tools/istio-iptables/pkg/capture"
	types "istio.io/istio/tools/istio-iptables/pkg/config"
	"istio.io/istio/tools/istio-iptables/pkg/constants"
	dep "istio.io/istio/tools/istio-iptables/pkg/dependencies"
)

// NewDependencies selects the command runner the cleaner drives iptables
// through: the stub when cfg.DryRun is set, the real implementation otherwise.
func NewDependencies(cfg *config.Config) dep.Dependencies {
	switch {
	case cfg.DryRun:
		return &dep.DependenciesStub{}
	default:
		return &dep.RealDependencies{}
	}
}

// IptablesCleaner removes the chains and rules installed by istio-iptables.
// A single instance covers both address families; each pass is addressed
// through its own iptables version descriptor.
type IptablesCleaner struct {
	ext   dep.Dependencies     // command runner (real or dry-run stub)
	cfg   *config.Config       // cleanup configuration
	iptV  *dep.IptablesVersion // iptables binary used for the v4 pass
	ipt6V *dep.IptablesVersion // iptables binary used for the v6 pass
}

// NewIptablesCleaner wires a cleaner to its configuration, the v4/v6 iptables
// descriptors and the command runner.
func NewIptablesCleaner(cfg *config.Config, iptV, ipt6V *dep.IptablesVersion, ext dep.Dependencies) *IptablesCleaner {
	c := &IptablesCleaner{}
	c.cfg = cfg
	c.ext = ext
	c.iptV = iptV
	c.ipt6V = ipt6V
	return c
}

// TODO BML why are these not on the type?
// flushAndDeleteChains empties (-F) and then removes (-X) each named chain
// from table, using the iptables binary described by iptV.
func flushAndDeleteChains(ext dep.Dependencies, iptV *dep.IptablesVersion, table string, chains []string) {
	for _, ch := range chains {
		// Flush before delete: iptables will not remove a chain that still
		// holds rules. Both calls go through RunQuietlyAndIgnore so a chain
		// that is already gone does not stop the rest of the cleanup.
		ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", table, "-F", ch)
		ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, "-t", table, "-X", ch)
	}
}

// DeleteRule removes one rule (-D) from chain in table. rulespec is the
// rule's match/target arguments, given exactly as when the rule was added;
// the call is quiet and its result is not checked.
func DeleteRule(ext dep.Dependencies, iptV *dep.IptablesVersion, table string, chain string, rulespec ...string) {
	args := make([]string, 0, 4+len(rulespec))
	args = append(args, "-t", table, "-D", chain)
	args = append(args, rulespec...)
	ext.RunQuietlyAndIgnore(constants.IPTables, iptV, nil, args...)
}

// removeOldChains detaches the TCP jumps into the istio chains from the
// built-in NAT/MANGLE chains, then flushes and deletes the istio chains
// themselves, for the single iptables binary described by iptV.
func removeOldChains(cfg *config.Config, ext dep.Dependencies, iptV *dep.IptablesVersion) {
	// Jumps first: a chain cannot be deleted while something still refers to it.
	for _, table := range []string{constants.NAT, constants.MANGLE} {
		DeleteRule(ext, iptV, table, constants.PREROUTING, "-p", constants.TCP, "-j", constants.ISTIOINBOUND)
	}
	DeleteRule(ext, iptV, constants.NAT, constants.OUTPUT, "-p", constants.TCP, "-j", constants.ISTIOOUTPUT)

	// Istio chains in the NAT table, then in the MANGLE table.
	flushAndDeleteChains(ext, iptV, constants.NAT, []string{constants.ISTIOOUTPUT, constants.ISTIOINBOUND})
	flushAndDeleteChains(ext, iptV, constants.MANGLE, []string{constants.ISTIOINBOUND, constants.ISTIODIVERT, constants.ISTIOTPROXY})

	// TPROXY mode installs connmark save/restore rules directly in the
	// built-in MANGLE chains, so they are not covered by the chain deletes
	// above and need explicit -D calls.
	if cfg.InboundInterceptionMode == constants.TPROXY {
		mark := cfg.InboundTProxyMark
		DeleteRule(ext, iptV, constants.MANGLE, constants.PREROUTING,
			"-p", constants.TCP, "-m", "mark", "--mark", mark, "-j", "CONNMARK", "--save-mark")
		DeleteRule(ext, iptV, constants.MANGLE, constants.OUTPUT,
			"-p", constants.TCP, "-m", "connmark", "--mark", mark, "-j", "CONNMARK", "--restore-mark")
	}

	// ISTIOREDIRECT / ISTIOINREDIRECT are referenced by the chains removed
	// above, so they have to go last.
	flushAndDeleteChains(ext, iptV, constants.NAT, []string{constants.ISTIOREDIRECT, constants.ISTIOINREDIRECT})
}

// cleanupDNSUDP removes any IPv4/v6 UDP rules: the UDP jumps from OUTPUT into
// ISTIOOUTPUT for both binaries, and, when DNS redirection is configured, the
// DNS rules themselves.
// TODO BML drop `HandleDSNUDP` and friends, no real need to tread UDP rules specially
// or create unique abstractions for them
func cleanupDNSUDP(cfg *config.Config, ext dep.Dependencies, iptV, ipt6V *dep.IptablesVersion) {
	// UDP jumps OUTPUT -> ISTIOOUTPUT live in both the NAT and RAW tables;
	// remove them for the v4 binary and then for the v6 binary.
	for _, v := range []*dep.IptablesVersion{iptV, ipt6V} {
		for _, table := range []string{constants.NAT, constants.RAW} {
			DeleteRule(ext, v, table, constants.OUTPUT, "-p", constants.UDP, "-j", constants.ISTIOOUTPUT)
		}
	}

	if !cfg.RedirectDNS {
		return
	}
	// Remove the old DNS UDP rules (HandleDNSUDP in DeleteOps mode, with a
	// fresh rule builder and the same owner-group filter the config describes).
	ownerGroupsFilter := types.ParseInterceptFilter(cfg.OwnerGroupsInclude, cfg.OwnerGroupsExclude)
	common.HandleDNSUDP(common.DeleteOps, builder.NewIptablesRuleBuilder(nil), ext, iptV, ipt6V,
		cfg.ProxyUID, cfg.ProxyGID, cfg.DNSServersV4, cfg.DNSServersV6, cfg.CaptureAllDNS, ownerGroupsFilter)
}

// Run performs the complete cleanup for both address families and, whatever
// the outcome, finishes by running iptables-save for each binary.
func (c *IptablesCleaner) Run() {
	defer c.saveState()

	// Chains and jumps are per-binary: one pass for v4, one for v6.
	for _, v := range []*dep.IptablesVersion{c.iptV, c.ipt6V} {
		removeOldChains(c.cfg, c.ext, v)
	}

	// The DNS/UDP cleanup takes both binaries in a single call.
	cleanupDNSUDP(c.cfg, c.ext, c.iptV, c.ipt6V)
}

// saveState runs iptables-save for the v4 and then the v6 binary. The results
// are deliberately discarded: a failing save does not alter the outcome of a
// cleanup that has already executed.
func (c *IptablesCleaner) saveState() {
	_ = c.ext.Run(constants.IPTablesSave, c.iptV, nil)
	_ = c.ext.Run(constants.IPTablesSave, c.ipt6V, nil)
}