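// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package constants holds the names, defaults and enum values shared by the
// istio-iptables tool: iptables table and chain names, the protocol and target
// strings used when rules are generated, cobra/viper flag names, and the
// environment variables that deliberately have no flag equivalent.
package constants

import (
	"time"

	"istio.io/istio/pkg/env"
)

// Names of the iptables tables the tool writes rules into.
const (
	MANGLE = "mangle"
	NAT    = "nat"
	FILTER = "filter"
	RAW    = "raw"
)

// Names of the built-in iptables chains. BuiltInChainsMap below is the set
// form of this list; keep the two in sync when adding a chain.
const (
	INPUT       = "INPUT"
	OUTPUT      = "OUTPUT"
	FORWARD     = "FORWARD"
	PREROUTING  = "PREROUTING"
	POSTROUTING = "POSTROUTING"
)

// BuiltInChainsMap is the set of built-in chain names, keyed for membership
// tests (`_, ok := BuiltInChainsMap[name]`).
//
// It is an exported, mutable package-level map. Treat it as read-only: a
// mutation by any caller is visible to every other user of this package, and
// would change which chains the tool classifies as built-in.
var BuiltInChainsMap = map[string]struct{}{
	INPUT:       {},
	OUTPUT:      {},
	FORWARD:     {},
	PREROUTING:  {},
	POSTROUTING: {},
}

// Protocol and target names used when generating iptables rules.
const (
	TCP = "tcp"
	UDP = "udp"

	TPROXY   = "TPROXY"
	RETURN   = "RETURN"
	ACCEPT   = "ACCEPT"
	REDIRECT = "REDIRECT"
	MARK     = "MARK"
	CT       = "CT"
	DROP     = "DROP"
)

const (
	// IPVersionSpecific is used as an input to rules that will be replaced with an ip version (v4/v6)
	// specific value. A rule string that still contains this literal has not had the
	// substitution applied.
	IPVersionSpecific = "PLACEHOLDER_IP_VERSION_SPECIFIC"
)

// Istio-specific iptables chain names, distinguished from the built-in chains
// above by the ISTIO_ prefix.
const (
	ISTIOOUTPUT     = "ISTIO_OUTPUT"
	ISTIOINBOUND    = "ISTIO_INBOUND"
	ISTIODIVERT     = "ISTIO_DIVERT"
	ISTIOTPROXY     = "ISTIO_TPROXY"
	ISTIOREDIRECT   = "ISTIO_REDIRECT"
	ISTIOINREDIRECT = "ISTIO_IN_REDIRECT"
)

// Flag names used in the cobra/viper CLI. The string is the long flag name
// as typed on the command line.
const (
	InboundInterceptionMode   = "istio-inbound-interception-mode"
	InboundTProxyMark         = "istio-inbound-tproxy-mark"
	InboundTProxyRouteTable   = "istio-inbound-tproxy-route-table"
	InboundPorts              = "istio-inbound-ports"
	LocalExcludePorts         = "istio-local-exclude-ports"
	ExcludeInterfaces         = "istio-exclude-interfaces"
	ServiceCidr               = "istio-service-cidr"
	ServiceExcludeCidr        = "istio-service-exclude-cidr"
	OutboundPorts             = "istio-outbound-ports"
	LocalOutboundPortsExclude = "istio-local-outbound-ports-exclude"
	EnvoyPort                 = "envoy-port"
	InboundCapturePort        = "inbound-capture-port"
	InboundTunnelPort         = "inbound-tunnel-port"
	ProxyUID                  = "proxy-uid"
	ProxyGID                  = "proxy-gid"
	KubeVirtInterfaces        = "kube-virt-interfaces"
	DryRun                    = "dry-run"
	TraceLogging              = "iptables-trace-logging"
	RestoreFormat             = "restore-format"
	SkipRuleApply             = "skip-rule-apply"
	RunValidation             = "run-validation"
	IptablesProbePort         = "iptables-probe-port"
	ProbeTimeout              = "probe-timeout"
	RedirectDNS               = "redirect-dns"
	DropInvalid               = "drop-invalid"
	DualStack                 = "dual-stack"
	CaptureAllDNS             = "capture-all-dns"
	NetworkNamespace          = "network-namespace"
	CNIMode                   = "cni-mode"
)

// Environment variables that deliberately have no equivalent command-line flags.
//
// The variables are defined as env.Var for documentation purposes.
//
// Use viper to resolve the value of the environment variable.
var (
	// HostIPv4LoopbackCidr defaults to the single address 127.0.0.1/32.
	HostIPv4LoopbackCidr = env.Register("ISTIO_OUTBOUND_IPV4_LOOPBACK_CIDR", "127.0.0.1/32",
		`IPv4 CIDR range used to identify outbound traffic on loopback interface intended for application container`)

	// OwnerGroupsInclude defaults to "*", i.e. traffic from all groups is
	// redirected unless OwnerGroupsExclude narrows it.
	OwnerGroupsInclude = env.Register("ISTIO_OUTBOUND_OWNER_GROUPS", "*",
		`Comma separated list of groups whose outgoing traffic is to be redirected to Envoy.
A group can be specified either by name or by a numeric GID.
The wildcard character "*" can be used to configure redirection of traffic from all groups.`)

	// OwnerGroupsExclude is only honoured when OwnerGroupsInclude is "*"
	// (see its description).
	OwnerGroupsExclude = env.Register("ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE", "",
		`Comma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy.
A group can be specified either by name or by a numeric GID.
Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.`)

	// IstioInboundInterceptionMode is the env-var counterpart of the
	// InboundInterceptionMode flag.
	IstioInboundInterceptionMode = env.Register("INBOUND_INTERCEPTION_MODE", "",
		`The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"`)

	// IstioInboundTproxyMark is the env-var counterpart of the
	// InboundTProxyMark flag.
	// NOTE(review): registered with an empty description, so the documentation
	// purpose stated above is not served for this variable; describe the mark
	// here once its semantics are confirmed against the rule generator.
	IstioInboundTproxyMark = env.Register("INBOUND_TPROXY_MARK", "",
		``)
)

// Default UID of the proxy, in the string form used for the ProxyUID flag and
// as an int64. Both spell the same value; keep them in sync.
const (
	DefaultProxyUID    = "1337"
	DefaultProxyUIDInt = int64(1337)
)

// Environment variable names.
const (
	EnvoyUser = "ENVOY_USER"
)

// Constants for syscall.
const (
	// SoOriginalDst is the SO_ORIGINAL_DST socket option number. On Linux it is
	// declared in linux/netfilter_ipv4.h (not sys/socket.h) as 80.
	SoOriginalDst = 80
)

// Defaults for the IptablesProbePort and ProbeTimeout flags.
const (
	// DefaultIptablesProbePortUint is an untyped constant despite its name;
	// it takes whatever integer type the use site requires.
	DefaultIptablesProbePortUint = 15002
	DefaultProbeTimeout          = 5 * time.Second
)

// Validation container name and the exit code used to report a validation
// error.
const (
	ValidationContainerName = "istio-validation"
	ValidationErrorCode     = 126
)

// DNS ports. The port is kept as a string because it is spliced into rule
// text.
const (
	IstioAgentDNSListenerPort = "15053"
)

// IptablesCmd is the type of iptables operation/command to run, as an enum.
// The implementation will choose the correct underlying binary, so callers
// should just use these enums to indicate what they want to do.
type IptablesCmd int

// IptablesCmd values. iota increments implicitly, so these are 0, 1 and 2 in
// declaration order; append new commands at the end to keep existing values
// stable.
const (
	IPTables IptablesCmd = iota
	IPTablesSave
	IPTablesRestore
)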