-
Notifications
You must be signed in to change notification settings - Fork 229
/
const.go
251 lines (218 loc) · 9.37 KB
/
const.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
// Copyright 2018 Microsoft. All rights reserved.
// MIT License
package util
// kubernetes related constants.
const (
KubeSystemFlag string = "kube-system"
KubePodTemplateHashFlag string = "pod-template-hash"
KubeAllPodsFlag string = "all-pod"
KubeAllNamespacesFlag string = "all-namespaces"
KubeAppFlag string = "k8s-app"
KubeProxyFlag string = "kube-proxy"
KubePodStatusFailedFlag string = "Failed"
KubePodStatusSucceededFlag string = "Succeeded"
KubePodStatusUnknownFlag string = "Unknown"
// The version of k8s that accept "AND" between namespaceSelector and podSelector is "1.11"
k8sMajorVerForNewPolicyDef string = "1"
k8sMinorVerForNewPolicyDef string = "11"
)
// iptables related constants.
const (
PlaceAzureChainAfterKubeServices = false
PlaceAzureChainFirst = true
Iptables string = "iptables"
Ip6tables string = "ip6tables" //nolint (avoid warning to capitalize this p)
IptablesSave string = "iptables-save"
IptablesRestore string = "iptables-restore"
IptablesRestoreNoFlushFlag string = "--noflush"
IptablesRestoreTableFlag string = "-T"
IptablesRestoreCommit string = "COMMIT"
IptablesConfigFile string = "/var/log/iptables.conf"
IptablesTestConfigFile string = "/var/log/iptables-test.conf"
IptablesLockFile string = "/run/xtables.lock"
IptablesChainCreationFlag string = "-N"
IptablesInsertionFlag string = "-I"
IptablesAppendFlag string = "-A"
IptablesDeletionFlag string = "-D"
IptablesFlushFlag string = "-F"
IptablesCheckFlag string = "-C"
IptablesDestroyFlag string = "-X"
IptablesJumpFlag string = "-j"
IptablesWaitFlag string = "-w"
IptablesDefaultWaitTime string = "60"
IptablesAccept string = "ACCEPT"
IptablesReject string = "REJECT"
IptablesDrop string = "DROP"
IptablesReturn string = "RETURN"
IptablesMark string = "MARK"
IptablesSrcFlag string = "src"
IptablesDstFlag string = "dst"
IptablesNamedPortFlag string = "dst,dst"
IptablesNotFlag string = "!"
IptablesProtFlag string = "-p"
IptablesSFlag string = "-s"
IptablesDFlag string = "-d"
IptablesDstPortFlag string = "--dport"
IptablesSrcPortFlag string = "--sport"
IptablesModuleFlag string = "-m"
IptablesSetModuleFlag string = "set"
IptablesMatchSetFlag string = "--match-set"
IptablesSetMarkFlag string = "--set-mark"
IptablesMarkFlag string = "--mark"
IptablesMarkVerb string = "mark"
IptablesStateModuleFlag string = "state"
IptablesStateFlag string = "--state"
IptablesCtstateModuleFlag string = "conntrack" // state module is obsolete: https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state
IptablesCtstateFlag string = "--ctstate"
IptablesMultiportFlag string = "multiport"
IptablesRelatedState string = "RELATED"
IptablesEstablishedState string = "ESTABLISHED"
IptablesNewState string = "NEW"
IptablesFilterTable string = "filter"
IptablesCommentModuleFlag string = "comment"
IptablesCommentFlag string = "--comment"
IptablesAddCommentFlag
IptablesTableFlag string = "-t"
IptablesListFlag string = "-L"
IptablesNumericFlag string = "-n"
IptablesLineNumbersFlag string = "--line-numbers"
IptablesKubeServicesChain string = "KUBE-SERVICES"
IptablesForwardChain string = "FORWARD"
IptablesInputChain string = "INPUT"
IptablesAzureChain string = "AZURE-NPM"
IptablesAzureAcceptChain string = "AZURE-NPM-ACCEPT"
IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
IptablesAzureIngressChain string = "AZURE-NPM-INGRESS"
IptablesAzureIngressAllowMarkChain string = "AZURE-NPM-INGRESS-ALLOW-MARK"
IptablesAzureEgressChain string = "AZURE-NPM-EGRESS"
// Chains used in NPM v1
IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
IptablesAzureIngressDropsChain string = "AZURE-NPM-INGRESS-DROPS"
IptablesAzureEgressDropsChain string = "AZURE-NPM-EGRESS-DROPS"
// NPM v2 Chains
IptablesAzureIngressPolicyChainPrefix string = "AZURE-NPM-INGRESS"
IptablesAzureEgressPolicyChainPrefix string = "AZURE-NPM-EGRESS"
// Below chain exists only in NPM before v1.2.6
IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
// Below chain existing only in NPM before v1.2.7
IptablesAzureIngressWrongDropsChain string = "AZURE-NPM-INRGESS-DROPS"
// Below chains exists only for before Azure-NPM:v1.0.27
// and should be removed after a baking period.
IptablesAzureIngressFromNsChain string = "AZURE-NPM-INGRESS-FROM-NS"
IptablesAzureIngressFromPodChain string = "AZURE-NPM-INGRESS-FROM-POD"
IptablesAzureEgressToNsChain string = "AZURE-NPM-EGRESS-TO-NS"
IptablesAzureEgressToPodChain string = "AZURE-NPM-EGRESS-TO-POD"
// Below are the skb->mark NPM will use for different criteria
// for V1
IptablesAzureClearMarkHex string = "0x0"
// for v2, deprecated
IptablesAzureClearMarkHexV2 string = "0x0/0xE00"
// marks in NPM v2
// NPM uses the 3rd word of the 32-bit mark for the purpose of
// identifying the traffic direction and decision making.
// NPM uses 9th, 10th and 11th bit for marking
IptablesAzureIngressAllowMarkHex string = "0x200/0x200"
IptablesAzureIngressDropMarkHex string = "0x400/0x400"
IptablesAzureEgressDropMarkHex string = "0x800/0x800"
// marks in NPM v1
IptablesAzureIngressMarkHex string = "0x2000"
// IptablesAzureEgressXMarkHex is used for us to not override but append to the existing MARK
// https://unix.stackexchange.com/a/283455 comment contains the explanation on
// MARK manipulations with offset.
IptablesAzureEgressXMarkHex string = "0x1000/0x1000"
// IptablesAzureEgressMarkHex is for checking the absolute value of the mark
IptablesAzureEgressMarkHex string = "0x1000"
IptablesAzureAcceptMarkHex string = "0x3000"
)
// ipset related constants.
const (
Ipset string = "ipset"
IpsetSaveFlag string = "save"
IpsetRestoreFlag string = "restore"
IpsetConfigFile string = "/var/log/ipset.conf"
IpsetTestConfigFile string = "/var/log/ipset-test.conf"
IpsetCreationFlag string = "-N"
IpsetAppendFlag string = "-A"
IpsetDeletionFlag string = "-D"
IpsetFlushFlag string = "-F"
IpsetDestroyFlag string = "-X"
IpsetExistFlag string = "-exist"
IpsetFileFlag string = "-file"
IPsetCheckListFlag string = "list"
IpsetTestFlag string = "test"
IpsetSetGenericFlag string = "setgeneric" // not used in ipset commands, used as an internal identifier for nethash/hash:ip,port
IpsetSetListFlag string = "setlist"
IpsetNetHashFlag string = "nethash"
IpsetIPPortHashFlag string = "hash:ip,port"
IpsetUDPFlag string = "udp:"
IpsetSCTPFlag string = "sctp:"
IpsetTCPFlag string = "tcp:"
IpsetLabelDelimter string = ":"
AzureNpmFlag string = "azure-npm"
AzureNpmPrefix string = "azure-npm-"
IpsetMaxelemName string = "maxelem" // todo, what's using this?
IpsetMaxelemNum string = "4294967295"
IpsetNomatch string = "nomatch"
// Prefixes for ipsets
NamedPortIPSetPrefix string = "namedport:"
NamespacePrefix string = "ns-"
NamespaceLabelPrefix string = "nslabel-"
PodLabelPrefix string = "podlabel-"
CIDRPrefix string = "cidr-"
NestedLabelPrefix string = "nestedlabel-"
EmptySetPrefix string = "empty-"
NegationPrefix string = "not-"
SetPolicyDelimiter string = ","
)
const (
BashCommand string = "bash"
BashCommandFlag string = "-c"
)
// NPM telemetry constants.
const (
AddNamespaceEvent string = "Add Namespace"
UpdateNamespaceEvent string = "Update Namespace"
DeleteNamespaceEvent string = "Delete Namespace"
AddPodEvent string = "Add Pod"
UpdatePodEvent string = "Update Pod"
DeletePodEvent string = "Delete Pod"
AddNetworkPolicyEvent string = "Add network policy"
UpdateNetworkPolicyEvent string = "Update network policy"
DeleteNetworkPolicyEvent string = "Delete network policy"
ErrorMetric string = "ErrorMetric"
PackageName string = "PackageName"
FunctionName string = "FunctionName"
ErrorCode string = "ErrorCode"
// Default batch size in AI telemetry
// Defined here https://docs.microsoft.com/en-us/azure/azure-monitor/app/pricing
BatchSizeInBytes int = 32768
BatchIntervalInSecs int = 30
RefreshTimeoutInSecs int = 15
GetEnvRetryCount int = 5
GetEnvRetryWaitTimeInSecs int = 3
AiInitializeRetryCount int = 3
AiInitializeRetryInMin int = 1
DebugMode bool = true
ErrorValue float64 = 1
)
// AzureNetworkName is the default network Azure CNI creates
const AzureNetworkName = "azure"
// These ID represents where did the error log generate from.
// It's for better query purpose. In Kusto these value are used in
// OperationID column
const (
NpmID int = iota + 1
IpsmID // ipsetmanager in v2
IptmID // policymanager in v2
NSID
PodID
NetpolID
UtilID
DaemonID
ControllerID
DaemonDataplaneID // for v2
FanOutServerID // for v2
)