package injector
import (
"fmt"
"strconv"
"strings"
"github.com/openservicemesh/osm/pkg/constants"
)
// iptablesRedirectionChains is the list of iptables chains created for traffic redirection via the proxy sidecar.
// Each entry creates ('-N') one chain in the nat table; the chains are, in order: PROXY_INBOUND (intercepts
// inbound traffic), PROXY_IN_REDIRECT (redirects inbound traffic to the proxy), PROXY_OUTPUT (intercepts
// outbound traffic) and PROXY_REDIRECT (redirects outbound traffic to the proxy).
var iptablesRedirectionChains = func() []string {
	chainNames := []string{
		"PROXY_INBOUND",     // intercept inbound traffic
		"PROXY_IN_REDIRECT", // redirect inbound traffic to the proxy
		"PROXY_OUTPUT",      // intercept outbound traffic
		"PROXY_REDIRECT",    // redirect outbound traffic to the proxy
	}
	createCmds := make([]string, 0, len(chainNames))
	for _, name := range chainNames {
		createCmds = append(createCmds, "iptables -t nat -N "+name)
	}
	return createCmds
}()
// iptablesOutboundStaticRules is the list of iptables rules related to outbound traffic interception and redirection.
// Every rule is appended ('-A') in list order, and iptables evaluates a chain's rules in that order, so the
// relative position of the rules within the same chain below is significant.
var iptablesOutboundStaticRules = []string{
	// Redirects outbound TCP traffic hitting PROXY_REDIRECT chain to Envoy's outbound listener port
	fmt.Sprintf("iptables -t nat -A PROXY_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyOutboundListenerPort),
	// Traffic to the Proxy Admin port flows to the Proxy -- not redirected
	// NOTE(review): this ACCEPT is appended after the catch-all '-p tcp -j REDIRECT' in the same chain, and
	// REDIRECT is a terminating target, so TCP traffic to the admin port appears to be redirected before this
	// rule can match. Moving it ahead of the REDIRECT would let traffic to that port leave unproxied, so the
	// current order is the more conservative one -- confirm the intent before reordering.
	fmt.Sprintf("iptables -t nat -A PROXY_REDIRECT -p tcp --dport %d -j ACCEPT", constants.EnvoyAdminPort),
	// For outbound TCP traffic jump from OUTPUT chain to PROXY_OUTPUT chain
	"iptables -t nat -A OUTPUT -p tcp -j PROXY_OUTPUT",
	// TODO(#1266): Redirect app back calls to itself using PROXY_UID
	// Don't redirect Envoy traffic back to itself, return it to the next chain for processing.
	// This owner match is what keeps Envoy's own upstream connections out of a redirect loop; it keys on the
	// UID alone, so any process running as constants.EnvoyUID also bypasses the proxy.
	fmt.Sprintf("iptables -t nat -A PROXY_OUTPUT -m owner --uid-owner %d -j RETURN", constants.EnvoyUID),
	// Skip localhost traffic, doesn't need to be routed via the proxy.
	// Only 127.0.0.1/32 is exempt; traffic to any other loopback address still falls through to PROXY_REDIRECT.
	"iptables -t nat -A PROXY_OUTPUT -d 127.0.0.1/32 -j RETURN",
	// Redirect remaining outbound traffic to Envoy
	"iptables -t nat -A PROXY_OUTPUT -j PROXY_REDIRECT",
}
// iptablesInboundStaticRules is the list of iptables rules related to inbound traffic interception and redirection.
// Rules are appended ('-A') in list order; the RETURN rules in PROXY_INBOUND must therefore come before the
// final jump to PROXY_IN_REDIRECT, since iptables evaluates a chain's rules in order.
var iptablesInboundStaticRules = []string{
	// Redirects inbound TCP traffic hitting the PROXY_IN_REDIRECT chain to Envoy's inbound listener port
	fmt.Sprintf("iptables -t nat -A PROXY_IN_REDIRECT -p tcp -j REDIRECT --to-port %d", constants.EnvoyInboundListenerPort),
	// For inbound traffic jump from PREROUTING chain to PROXY_INBOUND chain
	"iptables -t nat -A PREROUTING -p tcp -j PROXY_INBOUND",
	// Skip metrics query traffic being directed to Envoy's inbound prometheus listener port
	fmt.Sprintf("iptables -t nat -A PROXY_INBOUND -p tcp --dport %d -j RETURN", constants.EnvoyPrometheusInboundListenerPort),
	// Skip inbound health probes; These ports will be explicitly handled by listeners configured on the
	// Envoy proxy IF any health probes have been configured in the Pod Spec.
	// TODO(draychev): Do not add these if no health probes have been defined (https://github.com/openservicemesh/osm/issues/2243)
	// NOTE(review): inbound TCP traffic to these three ports never reaches PROXY_IN_REDIRECT, so whatever is
	// bound to them is reachable without the proxy's inbound policy -- presumably Envoy's own probe listeners
	// per the comment above; confirm that nothing else in the pod binds these ports.
	fmt.Sprintf("iptables -t nat -A PROXY_INBOUND -p tcp --dport %d -j RETURN", livenessProbePort),
	fmt.Sprintf("iptables -t nat -A PROXY_INBOUND -p tcp --dport %d -j RETURN", readinessProbePort),
	fmt.Sprintf("iptables -t nat -A PROXY_INBOUND -p tcp --dport %d -j RETURN", startupProbePort),
	// Redirect remaining inbound traffic to Envoy
	"iptables -t nat -A PROXY_INBOUND -p tcp -j PROXY_IN_REDIRECT",
}
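// generateIptablesCommands generates a list of iptables commands to set up sidecar interception and redirection.
//
// The returned commands are, in order: the redirection chain creations, the static outbound rules, the static
// inbound rules, and then the dynamic exclusion rules built from the three lists. Exclusion rules are inserted
// with '-I' rather than appended with '-A' so that they precede the static redirection rules of their chain;
// iptables evaluates rules in order, so this is what gives the exclusions precedence.
//
// outboundIPRangeExclusionList holds CIDRs whose outbound traffic bypasses the proxy (one rule per CIDR).
// outboundPortExclusionList and inboundPortExclusionList hold TCP destination ports that bypass the proxy in
// the outbound and inbound direction respectively; each list is rendered as '-m multiport --dports' rules of
// at most maxIptablesMultiportPorts ports, since iptables rejects a multiport match listing more than that.
// Empty or nil lists produce no exclusion rules.
//
// The arguments are interpolated verbatim into command strings, not passed as an argv; the caller is expected
// to have validated them (each CIDR parses, each port is in range) before calling this function. Only IPv4
// 'iptables' commands are produced here, so IPv6 traffic, if the pod has any, is not covered by these chains.
func generateIptablesCommands(outboundIPRangeExclusionList []string, outboundPortExclusionList []int, inboundPortExclusionList []int) []string {
	var cmd []string

	// 1. Create redirection chains
	cmd = append(cmd, iptablesRedirectionChains...)

	// 2. Create outbound rules
	cmd = append(cmd, iptablesOutboundStaticRules...)

	// 3. Create inbound rules
	cmd = append(cmd, iptablesInboundStaticRules...)

	// 4. Create dynamic outbound ip ranges exclusion rules
	for _, cidr := range outboundIPRangeExclusionList {
		// *Note: it is important to use the insert option '-I' instead of the append option '-A' to ensure the exclusion
		// rules take precedence over the static redirection rules. Iptables rules are evaluated in order.
		cmd = append(cmd, fmt.Sprintf("iptables -t nat -I PROXY_OUTPUT -d %s -j RETURN", cidr))
	}

	// 5. Create dynamic outbound ports exclusion rules
	cmd = append(cmd, iptablesPortExclusionRules("PROXY_OUTPUT", outboundPortExclusionList)...)

	// 6. Create dynamic inbound ports exclusion rules
	cmd = append(cmd, iptablesPortExclusionRules("PROXY_INBOUND", inboundPortExclusionList)...)

	return cmd
}

// maxIptablesMultiportPorts is the largest number of ports a single iptables '-m multiport --dports' match accepts.
const maxIptablesMultiportPorts = 15

// iptablesPortExclusionRules returns the '-I <chain> ... -j RETURN' rules that exempt the given TCP destination
// ports from redirection in chain. Ports are grouped into multiport matches of at most maxIptablesMultiportPorts
// entries each, in list order; an empty or nil list yields no rules. For lists of up to
// maxIptablesMultiportPorts ports this produces exactly one rule.
func iptablesPortExclusionRules(chain string, ports []int) []string {
	var rules []string
	for start := 0; start < len(ports); start += maxIptablesMultiportPorts {
		end := start + maxIptablesMultiportPorts
		if end > len(ports) {
			end = len(ports)
		}
		portStrs := make([]string, 0, end-start)
		for _, port := range ports[start:end] {
			portStrs = append(portStrs, strconv.Itoa(port))
		}
		// '-I' (insert) keeps these ahead of the static redirection rules in the chain; all chunks are RETURN
		// rules, so their order relative to each other does not matter.
		rules = append(rules, fmt.Sprintf("iptables -t nat -I %s -p tcp --match multiport --dports %s -j RETURN", chain, strings.Join(portStrs, ",")))
	}
	return rules
}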