-
Notifications
You must be signed in to change notification settings - Fork 241
/
policymanager_linux.go
337 lines (296 loc) · 13 KB
/
policymanager_linux.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
package policies
// This file contains code for the iptables implementation of adding/removing policies.
import (
"fmt"
"github.com/Azure/azure-container-networking/npm/metrics"
"github.com/Azure/azure-container-networking/npm/util"
"github.com/Azure/azure-container-networking/npm/util/ioutil"
"k8s.io/klog"
)
const (
maxTryCount = 2
// the error message doesn't describe the error if this pattern is within the message
// this could happen if syntax is off or AZURE-NPM-INGRESS doesn't exist for -A AZURE-NPM-INGRESS -j hash(NP1) ...
unknownLineErrorPattern = "line (\\d+) failed"
// the error message describes the error if this pattern is within the message
knownLineErrorPattern = "Error occurred at line: (\\d+)"
chainSectionPrefix = "chain"
)
/*
Error handling for iptables-restore:
Currently we retry on any error and will make two tries max.
The section IDs and line error patterns are pointless currently.
Although we can eventually use them to skip a section with an error and salvage the rest of the file.
Known errors that we should retry on:
- exit status 4
- iptables: Resource temporarily unavailable.
- fork/exec /usr/sbin/iptables: resource temporarily unavailable
- Another app is currently holding the xtables lock; still 51s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 41s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 31s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 21s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 11s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock; still 1s 0us time ahead to have a chance to grab the lock...
Another app is currently holding the xtables lock. Stopped waiting after 60s.
*/
func (pMgr *PolicyManager) addPolicies(networkPolicies []*NPMNetworkPolicy, _ map[string]string) error {
// 1. Add rules for the network policies and activate NPM (if necessary).
chainsToCreate := chainNames(networkPolicies)
creator := pMgr.creatorForNewNetworkPolicies(chainsToCreate, networkPolicies)
// Stop reconciling so we don't contend for iptables, and so reconcile doesn't delete chainsToCreate.
pMgr.reconcileManager.forceLock()
defer pMgr.reconcileManager.forceUnlock()
timer := metrics.StartNewTimer()
err := restore(creator)
metrics.RecordIPTablesRestoreLatency(timer, metrics.CreateOp)
if err != nil {
metrics.IncIPTablesRestoreFailures(metrics.CreateOp)
return fmt.Errorf("failed to restore iptables with updated policies. err: %w", err)
}
// 2. Make sure the new chains don't get deleted in the background
for _, chain := range chainsToCreate {
pMgr.staleChains.remove(chain)
}
return nil
}
func (pMgr *PolicyManager) removePolicy(networkPolicy *NPMNetworkPolicy, _ map[string]string) error {
chainsToDelete := chainNames([]*NPMNetworkPolicy{networkPolicy})
creator := pMgr.creatorForRemovingPolicies(chainsToDelete)
// Stop reconciling so we don't contend for iptables, and so we don't update the staleChains at the same time as reconcile()
pMgr.reconcileManager.forceLock()
defer pMgr.reconcileManager.forceUnlock()
// 1. Delete jump rules from ingress/egress chains to ingress/egress policy chains.
// We ought to delete these jump rules here in the foreground since if we add an NP back after deleting, iptables-restore --noflush can add duplicate jump rules.
deleteErr := pMgr.deleteOldJumpRulesOnRemove(networkPolicy)
if deleteErr != nil {
return fmt.Errorf("failed to delete jumps to policy chains. err: %w", deleteErr)
}
// 2. Flush the policy chains and deactivate NPM (if necessary).
timer := metrics.StartNewTimer()
restoreErr := restore(creator)
metrics.RecordIPTablesRestoreLatency(timer, metrics.DeleteOp)
if restoreErr != nil {
metrics.IncIPTablesRestoreFailures(metrics.DeleteOp)
return fmt.Errorf("failed to flush policies. err: %w", restoreErr)
}
// 3. Delete policy chains in the background.
for _, chain := range chainsToDelete {
pMgr.staleChains.add(chain)
}
return nil
}
func restore(creator *ioutil.FileCreator) error {
err := creator.RunCommandWithFile(util.IptablesRestore, util.IptablesWaitFlag, util.IptablesDefaultWaitTime, util.IptablesRestoreTableFlag, util.IptablesFilterTable, util.IptablesRestoreNoFlushFlag)
if err != nil {
return fmt.Errorf("failed to restore iptables file. err: %w", err)
}
return nil
}
// NOTE: if removing multiple policies, would need to add a isLastPolicy argument instead
func (pMgr *PolicyManager) creatorForRemovingPolicies(allChainNames []string) *ioutil.FileCreator {
creator := pMgr.newCreatorWithChains(nil)
// 1. Deactivate NPM (if necessary).
if pMgr.isLastPolicy() {
creator.AddLine("", nil, util.IptablesFlushFlag, util.IptablesAzureChain)
}
// 2. Flush the policy chains.
for _, chainName := range allChainNames {
creator.AddLine("", nil, util.IptablesFlushFlag, chainName)
}
creator.AddLine("", nil, util.IptablesRestoreCommit)
return creator
}
// returns ingress and egress chain names for the policies
func chainNames(networkPolicies []*NPMNetworkPolicy) []string {
chainNames := make([]string, 0)
for _, networkPolicy := range networkPolicies {
hasIngress, hasEgress := networkPolicy.hasIngressAndEgress()
if hasIngress {
chainNames = append(chainNames, networkPolicy.ingressChainName())
}
if hasEgress {
chainNames = append(chainNames, networkPolicy.egressChainName())
}
}
return chainNames
}
func (pMgr *PolicyManager) newCreatorWithChains(chainNames []string) *ioutil.FileCreator {
creator := ioutil.NewFileCreator(pMgr.ioShim, maxTryCount, knownLineErrorPattern, unknownLineErrorPattern) // TODO pass an array instead of this ... thing
creator.AddLine("", nil, "*"+util.IptablesFilterTable) // specify the table
for _, chainName := range chainNames {
// add chain headers
sectionID := joinWithDash(chainSectionPrefix, chainName)
counters := "-"
creator.AddLine(sectionID, nil, ":"+chainName, "-", counters)
// TODO remove sections if we never use section-based error handling (e.g. remove the whole section)
}
return creator
}
// will make a similar func for on update eventually
func (pMgr *PolicyManager) deleteOldJumpRulesOnRemove(policy *NPMNetworkPolicy) error {
shouldDeleteIngress, shouldDeleteEgress := policy.hasIngressAndEgress()
if shouldDeleteIngress {
if err := pMgr.deleteJumpRule(policy, true); err != nil {
return err
}
}
if shouldDeleteEgress {
if err := pMgr.deleteJumpRule(policy, false); err != nil {
return err
}
}
return nil
}
func (pMgr *PolicyManager) deleteJumpRule(policy *NPMNetworkPolicy, direction UniqueDirection) error {
var specs []string
var baseChainName string
var chainName string
if direction == forIngress {
specs = ingressJumpSpecs(policy)
baseChainName = util.IptablesAzureIngressChain
chainName = policy.ingressChainName()
} else {
specs = egressJumpSpecs(policy)
baseChainName = util.IptablesAzureEgressChain
chainName = policy.egressChainName()
}
specs = append([]string{baseChainName}, specs...)
timer := metrics.StartNewTimer()
errCode, err := pMgr.runIPTablesCommand(util.IptablesDeletionFlag, specs...)
metrics.RecordIPTablesDeleteLatency(timer)
// if this actually happens (don't think it should), could use ignoreErrorsAndRunIPTablesCommand instead with: "Bad rule (does a matching rule exist in that chain?)"
if err != nil && errCode != doesNotExistErrorCode && errCode != couldntLoadTargetErrorCode {
errorString := fmt.Sprintf("failed to delete jump from %s chain to %s chain for policy %s with exit code %d", baseChainName, chainName, policy.PolicyKey, errCode)
klog.Errorf("%s. err: %s", errorString, err.Error())
return fmt.Errorf("%s. err: %w", errorString, err)
}
return nil
}
func ingressJumpSpecs(networkPolicy *NPMNetworkPolicy) []string {
chainName := networkPolicy.ingressChainName()
specs := []string{util.IptablesJumpFlag, chainName}
specs = append(specs, matchSetSpecsForNetworkPolicy(networkPolicy, DstMatch)...)
specs = append(specs, commentSpecs(networkPolicy.commentForJumpToIngress())...)
return specs
}
func egressJumpSpecs(networkPolicy *NPMNetworkPolicy) []string {
chainName := networkPolicy.egressChainName()
specs := []string{util.IptablesJumpFlag, chainName}
specs = append(specs, matchSetSpecsForNetworkPolicy(networkPolicy, SrcMatch)...)
specs = append(specs, commentSpecs(networkPolicy.commentForJumpToEgress())...)
return specs
}
func (pMgr *PolicyManager) creatorForNewNetworkPolicies(policyChains []string, networkPolicies []*NPMNetworkPolicy) *ioutil.FileCreator {
creator := pMgr.newCreatorWithChains(policyChains)
// 1. Activate NPM if necessary
if pMgr.isFirstPolicy() {
creator.AddLine("", nil, util.IptablesFlushFlag, util.IptablesAzureChain) // flush just in case there are old rules
creator.AddLine("", nil, util.IptablesAppendFlag, util.IptablesAzureChain, util.IptablesJumpFlag, util.IptablesAzureIngressChain)
creator.AddLine("", nil, util.IptablesAppendFlag, util.IptablesAzureChain, util.IptablesJumpFlag, util.IptablesAzureEgressChain)
creator.AddLine("", nil, util.IptablesAppendFlag, util.IptablesAzureChain, util.IptablesJumpFlag, util.IptablesAzureAcceptChain)
}
// 2. Add all rules for the network policies
ingressJumpLineNumber := 1
egressJumpLineNumber := 1
for _, networkPolicy := range networkPolicies {
// 2.1 add all rules for the policy chain(s)
writeNetworkPolicyRules(creator, networkPolicy)
// 2.2 add jump rule(s) to the policy chain(s)
hasIngress, hasEgress := networkPolicy.hasIngressAndEgress()
if hasIngress {
ingressJumpSpecs := insertSpecs(util.IptablesAzureIngressChain, ingressJumpLineNumber, ingressJumpSpecs(networkPolicy))
creator.AddLine("", nil, ingressJumpSpecs...) // TODO error handler
ingressJumpLineNumber++
}
if hasEgress {
egressJumpSpecs := insertSpecs(util.IptablesAzureEgressChain, egressJumpLineNumber, egressJumpSpecs(networkPolicy))
creator.AddLine("", nil, egressJumpSpecs...) // TODO error handler
egressJumpLineNumber++
}
}
creator.AddLine("", nil, util.IptablesRestoreCommit)
return creator
}
// write rules for the policy chain(s)
func writeNetworkPolicyRules(creator *ioutil.FileCreator, networkPolicy *NPMNetworkPolicy) {
for _, aclPolicy := range networkPolicy.ACLs {
var chainName string
var actionSpecs []string
if aclPolicy.hasIngress() {
chainName = networkPolicy.ingressChainName()
if aclPolicy.Target == Allowed {
actionSpecs = []string{util.IptablesJumpFlag, util.IptablesAzureIngressAllowMarkChain}
} else {
actionSpecs = setMarkSpecs(util.IptablesAzureIngressDropMarkHex)
}
} else {
chainName = networkPolicy.egressChainName()
if aclPolicy.Target == Allowed {
actionSpecs = []string{util.IptablesJumpFlag, util.IptablesAzureAcceptChain}
} else {
actionSpecs = setMarkSpecs(util.IptablesAzureEgressDropMarkHex)
}
}
line := []string{"-A", chainName}
line = append(line, actionSpecs...)
line = append(line, iptablesRuleSpecs(aclPolicy)...)
creator.AddLine("", nil, line...) // TODO add error handler
}
}
func iptablesRuleSpecs(aclPolicy *ACLPolicy) []string {
specs := make([]string, 0)
if aclPolicy.Protocol != UnspecifiedProtocol {
specs = append(specs, util.IptablesProtFlag, string(aclPolicy.Protocol))
}
specs = append(specs, dstPortSpecs(aclPolicy.DstPorts)...)
specs = append(specs, matchSetSpecsFromSetInfo(aclPolicy.SrcList)...)
specs = append(specs, matchSetSpecsFromSetInfo(aclPolicy.DstList)...)
specs = append(specs, commentSpecs(aclPolicy.comment())...)
return specs
}
func dstPortSpecs(portRange Ports) []string {
if portRange.Port == 0 && portRange.EndPort == 0 {
return []string{}
}
return []string{util.IptablesDstPortFlag, portRange.toIPTablesString()}
}
func matchSetSpecsForNetworkPolicy(networkPolicy *NPMNetworkPolicy, matchType MatchType) []string {
specs := make([]string, 0, maxLengthForMatchSetSpecs*len(networkPolicy.PodSelectorList))
matchString := matchType.toIPTablesString()
for _, setInfo := range networkPolicy.PodSelectorList {
specs = append(specs, setInfo.matchSetSpecs(matchString)...)
}
return specs
}
func matchSetSpecsFromSetInfo(setInfoList []SetInfo) []string {
specs := make([]string, 0, maxLengthForMatchSetSpecs*len(setInfoList))
for _, setInfo := range setInfoList {
matchString := setInfo.MatchType.toIPTablesString()
specs = append(specs, setInfo.matchSetSpecs(matchString)...)
}
return specs
}
func setMarkSpecs(mark string) []string {
return []string{
util.IptablesJumpFlag,
util.IptablesMark,
util.IptablesSetMarkFlag,
mark,
}
}
func commentSpecs(comment string) []string {
return []string{
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
comment,
}
}
func insertSpecs(chainName string, index int, specs []string) []string {
indexString := fmt.Sprint(index)
insertSpecs := []string{util.IptablesInsertionFlag, chainName, indexString}
return append(insertSpecs, specs...)
}
func joinWithDash(prefix, item string) string {
return fmt.Sprintf("%s-%s", prefix, item)
}