nftables

Published: Jan 12, 2021 License: Apache-2.0 Imports: 10 Imported by: 1

Constants

// Names of the filter-family chains this package programs.
const (
	FilterInput       = "filter-input"
	FilterOutput      = "filter-output"
	FilterForward     = "filter-forward"
	K8sFilterFirewall = "k8s-filter-firewall"
	K8sFilterServices = "k8s-filter-services"
	K8sFilterForward  = "k8s-filter-forward"
	K8sFilterDoReject = "k8s-filter-do-reject"
)

// Names of the nat-family chains this package programs.
const (
	NatPrerouting      = "nat-prerouting"
	NatOutput          = "nat-output"
	NatPostrouting     = "nat-postrouting"
	K8sNATMarkDrop     = "k8s-nat-mark-drop"
	K8sNATDoMarkMasq   = "k8s-nat-do-mark-masq"
	K8sNATMarkMasq     = "k8s-nat-mark-masq"
	K8sNATDoMasquerade = "k8s-nat-do-masquerade"
	K8sNATServices     = "k8s-nat-services"
	K8sNATNodeports    = "k8s-nat-nodeports"
	K8sNATPostrouting  = "k8s-nat-postrouting"
)

// Names of the nftables sets used by the service rules.
const (
	K8sNoEndpointsSet    = "no-endpoints"
	K8sNodeportSet       = "nodeports"
	K8sMarkMasqSet       = "do-mark-masq"
	K8sClusterIPSet      = "cluster-ip"
	K8sExternalIPSet     = "external-ip"
	K8sLoadbalancerIPSet = "loadbalancer-ip"
)

// Prefixes of the per-service chain names; the service's unique ID is
// appended to form the full chain name.
const (
	K8sSvcPrefix = "k8s-nfproxy-svc-"
	K8sFwPrefix  = "k8s-nfproxy-fw-"
	K8sXlbPrefix = "k8s-nfproxy-xlb-"
)

// K8sAffinityMap is the name prefix of a service's affinity map
// (the trailing hyphen suggests the service ID is appended; confirm in AddServiceAffinityMap).
const K8sAffinityMap = "affinity-map-"

Variables

This section is empty.

Functions

func AddEndpointRules

func AddEndpointRules(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string,
	ipaddr string, proto v1.Protocol, port int32, serviceID string) ([]uint64, error)

AddEndpointRules creates a new nftables chain and rule and, if successful, returns the resulting rule IDs.

func AddEndpointUpdateRule

func AddEndpointUpdateRule(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, index int, svcID string, timeout int) ([]uint64, error)

AddEndpointUpdateRule creates an endpoint chain and programs an Update rule; this rule updates (refreshes) the endpoint's entry in the Service Affinity map.

func AddServiceAffinityMap

func AddServiceAffinityMap(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string, timeout int) error

AddServiceAffinityMap creates the map used for the Service's Affinity implementation. When service affinity is enabled, entries in this map are refreshed (kept from aging out) by the update rule of each available endpoint.

func AddServiceChains

func AddServiceChains(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string) error

AddServiceChains adds the service-port-specific chains k8s-nfproxy-svc-{svcID}, k8s-nfproxy-fw-{svcID} and k8s-nfproxy-xlb-{svcID}.

func AddServiceMatchActRule

func AddServiceMatchActRule(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string, epchains []*EPRule, ruleID uint64) ([]uint64, error)

AddServiceMatchActRule programs the Service Port's MatchAct rule. This rule is inserted as the second rule (after the counter rule) so that packets are processed based on the content of the Service Port's Affinity map. If the map has an entry for a specific source, traffic is sent to the same endpoint chain instead of being round-robin load balanced between the available endpoints.

func AddToNodeportSet

func AddToNodeportSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, port uint16, chain string) error

AddToNodeportSet adds service's port to the nodeport set

func AddToSet

func AddToSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, addr string, port uint16,
	set string, chain string) error

AddToSet adds the service's proto.ip.port to the set specified by the set parameter.

func DeleteChain

func DeleteChain(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string) error

DeleteChain deletes chain associated with a service or an endpoint

func DeleteEndpointRules

func DeleteEndpointRules(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, ruleID []uint64) error

DeleteEndpointRules deletes the nftables rules associated with an endpoint and then deletes the endpoint's chain.

func DeleteEndpointUpdateRule

func DeleteEndpointUpdateRule(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, updateRuleID int) error

DeleteEndpointUpdateRule removes the Update rule when the Service Port's Session Affinity configuration is removed.

func DeleteServiceAffinityMap

func DeleteServiceAffinityMap(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string) error

DeleteServiceAffinityMap removes service's affinity map

func DeleteServiceChains

func DeleteServiceChains(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string) error

DeleteServiceChains removes the service-port-specific chains k8s-nfproxy-svc-{svcID}, k8s-nfproxy-fw-{svcID} and k8s-nfproxy-xlb-{svcID}.

func DeleteServiceRules

func DeleteServiceRules(nfti *NFTInterface, tableFamily nftables.TableFamily, chain string, ruleID []uint64) error

DeleteServiceRules deletes nftables rules associated with a service

func GetSvcChain

func GetSvcChain(tableFamily nftables.TableFamily, svcID string) map[nftables.TableFamily]SVCChain

GetSvcChain builds a chain map used by a specific service

func ProgramServiceEndpoints

func ProgramServiceEndpoints(nfti *NFTInterface, tableFamily nftables.TableFamily, svcID string, epchains []*EPRule, ruleID []uint64,
	withAffinity bool, svcPortName string) ([]uint64, error)

ProgramServiceEndpoints programs endpoints into the service chain; if multiple endpoints exist, the endpoint rules are programmed for load balancing.

func RemoveFromNodeportSet

func RemoveFromNodeportSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, port uint16, chain string) error

RemoveFromNodeportSet removes the service's port from the nodeport set (the counterpart of AddToNodeportSet; the signature takes no set parameter).

func RemoveFromSet

func RemoveFromSet(nfti *NFTInterface, tableFamily nftables.TableFamily, proto v1.Protocol, addr string, port uint16,
	set string, chain string) error

RemoveFromSet removes the service's proto.ip.port from the set specified by the set parameter.

Types

type EPRule

type EPRule struct {
	// Rule carries the chain name and programmed rule IDs shared with service rules.
	Rule
	// EpIndex defines an endpoint index for a specific service port. If the service port
	// has multiple endpoints, each endpoint has a unique index. It is used for Service Affinity
	// implementation as endpoint's "update" rule must update only its own index.
	EpIndex int
	// WithAffinity reports whether the owning service port has Session Affinity enabled
	// (presumably mirrors SVCnft.WithAffinity; confirm against the caller that fills it).
	WithAffinity bool
	// MaxAgeSeconds is the affinity entry age limit — NOTE(review): likely the timeout passed
	// to AddServiceAffinityMap/AddEndpointUpdateRule; confirm.
	MaxAgeSeconds int
	// ServiceID identifies the service this endpoint belongs to (the svcID used in chain and map names).
	ServiceID string
}

EPRule defines an endpoint-specific nftables rule; it carries endpoint-specific variables in addition to the common ones found in the Rule struct.

type EPnft

type EPnft struct {
	// Interface gives access to the ipv4/ipv6 chains and sets the endpoint's rules live in.
	Interface *NFTInterface
	// Rule holds the endpoint's rule per table family (ipv4 and ipv6 tables).
	Rule map[nftables.TableFamily]*EPRule
}

EPnft defines per-endpoint nftables info. This information allows manipulating rules and sets in the ipv4 and ipv6 tables and chains.

type NFTInterface

type NFTInterface struct {
	// ClusterCidrIpv4 and ClusterCidrIpv6 are the cluster CIDRs passed to InitNFTables.
	ClusterCidrIpv4 string
	ClusterCidrIpv6 string
	// CIv4 and CIv6 access the chains of the ipv4 and ipv6 tables respectively.
	CIv4 nftableslib.ChainsInterface
	CIv6 nftableslib.ChainsInterface
	// SIv4 and SIv6 access the sets of the ipv4 and ipv6 tables respectively.
	SIv4 nftableslib.SetsInterface
	SIv6 nftableslib.SetsInterface
	// contains filtered or unexported fields
}

NFTInterface provides interfaces to access the ipv4/ipv6 chains and ipv4/ipv6 sets.

func InitNFTables

func InitNFTables(clusterCIDRIPv4, clusterCIDRIPv6 string) (*NFTInterface, error)

InitNFTables initializes the connection to netfilter and instantiates the nftables table interface.

type Rule

type Rule struct {
	// Chain is the name of the nftables chain the rule is programmed into.
	Chain string
	// RuleID receives the IDs of the rules once they are programmed.
	RuleID []uint64
}

Rule defines an nftables chain name and rule; once programmed, the rule IDs are stored in the RuleID slice.

type SVCChain

type SVCChain struct {
	// Chain maps a chain name (prefix such as "k8s-nfproxy-svc-" or "k8s-nfproxy-fw-"
	// followed by the service's unique ID) to the rule programmed in that chain.
	Chain map[string]*Rule
}

SVCChain defines the map of chains a service uses for its rules. It is keyed by chain name, which is formed from a chain prefix ("k8s-nfproxy-svc-" or "k8s-nfproxy-fw-") followed by the service's unique ID.

type SVCnft

type SVCnft struct {
	// Interface gives access to the ipv4/ipv6 chains and sets the service's rules live in.
	Interface *NFTInterface
	// Chains holds the service's chains per table family (ipv4 and ipv6).
	Chains map[nftables.TableFamily]SVCChain
	// WithEndpoints reports whether the service currently has endpoints programmed
	// (presumably; confirm against the code that sets it).
	WithEndpoints bool
	// WithAffinity reports whether Session Affinity is enabled for the service.
	WithAffinity bool
	// MaxAgeSeconds is the affinity entry age limit — NOTE(review): likely the timeout passed
	// to AddServiceAffinityMap; confirm.
	MaxAgeSeconds int
	// ServiceID is the service's unique ID used to build chain and map names.
	ServiceID string
}

SVCnft defines the per-IP-family nftables chains used by an individual service.
