/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package util

import (
	netutils "k8s.io/utils/net"
)

// LocalTrafficDetector generates iptables or nftables rules to detect traffic from local pods.
//
// Every method hands back a list of match arguments that the caller splices
// into a rule. The detector performs no validation or quoting of the values it
// was constructed with; that is the caller's responsibility.
type LocalTrafficDetector interface {
	// IsImplemented returns true if the implementation does something, false
	// otherwise. You should not call the other methods if IsImplemented() returns
	// false.
	IsImplemented() bool

	// IfLocal returns iptables arguments that will match traffic from a local pod.
	IfLocal() []string

	// IfNotLocal returns iptables arguments that will match traffic that is not from
	// a local pod.
	IfNotLocal() []string

	// IfLocalNFT returns nftables arguments that will match traffic from a local pod.
	IfLocalNFT() []string

	// IfNotLocalNFT returns nftables arguments that will match traffic that is not
	// from a local pod.
	IfNotLocalNFT() []string
}

// detectLocal is the sole LocalTrafficDetector implementation. Each constructor
// precomputes all four argument lists up front and the accessors simply return
// them. A zero detectLocal (every list nil) is the no-op detector.
type detectLocal struct {
	ifLocal       []string
	ifNotLocal    []string
	ifLocalNFT    []string
	ifNotLocalNFT []string
}

// IsImplemented reports whether this detector carries any match arguments.
// Only ifLocal is inspected; the constructors in this file always populate all
// four lists together, so it stands in for the rest.
func (d *detectLocal) IsImplemented() bool {
	return len(d.ifLocal) != 0
}

// IfLocal returns the precomputed iptables match for local traffic. The slice
// is the detector's own, not a copy.
func (d *detectLocal) IfLocal() []string {
	return d.ifLocal
}

// IfNotLocal returns the precomputed iptables match for non-local traffic. The
// slice is the detector's own, not a copy.
func (d *detectLocal) IfNotLocal() []string {
	return d.ifNotLocal
}

// IfLocalNFT returns the precomputed nftables match for local traffic. The
// slice is the detector's own, not a copy.
func (d *detectLocal) IfLocalNFT() []string {
	return d.ifLocalNFT
}

// IfNotLocalNFT returns the precomputed nftables match for non-local traffic.
// The slice is the detector's own, not a copy.
func (d *detectLocal) IfNotLocalNFT() []string {
	return d.ifNotLocalNFT
}

// NewNoOpLocalDetector returns a no-op implementation of LocalTrafficDetector:
// IsImplemented reports false and every accessor returns nil.
func NewNoOpLocalDetector() LocalTrafficDetector {
	return new(detectLocal)
}

// NewDetectLocalByCIDR returns a LocalTrafficDetector that considers traffic from the
// provided cidr to be from a local pod, and other traffic to be non-local. cidr is
// assumed to be valid.
//
// Nothing here checks cidr beyond the IPv6 family test: whatever string is
// passed is emitted verbatim into the rule arguments, so callers must validate
// it first.
func NewDetectLocalByCIDR(cidr string) LocalTrafficDetector {
	// The nftables form names the address family explicitly; the iptables
	// form does not. Anything IsIPv6CIDRString does not recognise as IPv6
	// is emitted with the "ip" family.
	family := "ip"
	if netutils.IsIPv6CIDRString(cidr) {
		family = "ip6"
	}

	d := &detectLocal{
		ifLocal:    []string{"-s", cidr},
		ifNotLocal: []string{"!", "-s", cidr},
	}
	d.ifLocalNFT = []string{family, "saddr", cidr}
	d.ifNotLocalNFT = []string{family, "saddr", "!=", cidr}
	return d
}

// NewDetectLocalByBridgeInterface returns a LocalTrafficDetector that considers traffic
// from interfaceName to be from a local pod, and traffic from other interfaces to be
// non-local.
func NewDetectLocalByBridgeInterface(interfaceName string) LocalTrafficDetector {
	// A plain interface name is used as-is on both backends.
	return newInterfaceDetector(interfaceName, interfaceName)
}

// NewDetectLocalByInterfaceNamePrefix returns a LocalTrafficDetector that considers
// traffic from interfaces starting with interfacePrefix to be from a local pod, and
// traffic from other interfaces to be non-local.
func NewDetectLocalByInterfaceNamePrefix(interfacePrefix string) LocalTrafficDetector {
	// The two backends spell the trailing wildcard differently: "+" for
	// iptables, "*" for nftables.
	iptPattern := interfacePrefix + "+"
	nftPattern := interfacePrefix + "*"
	return newInterfaceDetector(iptPattern, nftPattern)
}

// newInterfaceDetector builds a detector that matches on the ingress interface,
// using iptMatch for the iptables arguments and nftMatch for the nftables ones.
//
// Both values are emitted verbatim into the rule arguments; nothing here
// validates or quotes them, so callers are expected to pass an interface name
// or prefix they have already checked.
func newInterfaceDetector(iptMatch, nftMatch string) *detectLocal {
	return &detectLocal{
		ifLocal:       []string{"-i", iptMatch},
		ifNotLocal:    []string{"!", "-i", iptMatch},
		ifLocalNFT:    []string{"iif", nftMatch},
		ifNotLocalNFT: []string{"iif", "!=", nftMatch},
	}
}