247 changes: 246 additions & 1 deletion npm/iptm/iptm.go
Expand Up @@ -4,6 +4,7 @@
package iptm

import (
"fmt"
"os"
"os/exec"
"strconv"
Expand Down Expand Up @@ -114,11 +115,65 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
}
}

// Insert a RETURN on MARK rule for INGRESS in in AZURE-NPM-INGRESS-PORT chain
entry.Chain = util.IptablesAzureIngressPortChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesReturn,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureIngressMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add default RETURN on INGRESS mark in AZURE-NPM-INGRESS-PORT chain.")
return err
}
}

// Create AZURE-NPM-INGRESS-FROM chain.
if err = iptMgr.AddChain(util.IptablesAzureIngressFromChain); err != nil {
return err
}

// Insert a RETURN on MARK rule for INGRESS in in AZURE-NPM-INGRESS-FROM chain
entry.Chain = util.IptablesAzureIngressFromChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesReturn,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureIngressMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add default RETURN on INGRESS mark in AZURE-NPM-INGRESS-FROM chain.")
return err
}
}

// Create AZURE-NPM-EGRESS-PORT chain.
if err := iptMgr.AddChain(util.IptablesAzureEgressPortChain); err != nil {
return err
Expand All @@ -135,7 +190,61 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
if !exists {
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain.")
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add AZURE-NPM-EGRESS-PORT chain to AZURE-NPM chain.")
return err
}
}

// Insert a RETURN on MARK rule for EGRESS in AZURE-NPM-EGRESS-PORT
entry.Chain = util.IptablesAzureEgressPortChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesReturn,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureEgressMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add default RETURN on EGRESS mark in AZURE-NPM-EGRESS-PORT chain.")
return err
}
}

// Insert a RETURN on MARK rule for EGRESS + INGRESS in AZURE-NPM-EGRESS-PORT
entry.Chain = util.IptablesAzureEgressPortChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesReturn,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureAcceptMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add default RETURN on EGRESS and INGRESS mark in AZURE-NPM-EGRESS-PORT chain.")
return err
}
}
Expand All @@ -150,6 +259,142 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
return err
}

// Insert a RETURN on MARK rule for EGRESS in AZURE-NPM-EGRESS-TO
entry.Chain = util.IptablesAzureEgressToChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesReturn,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureEgressMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add default RETURN on EGRESS mark in AZURE-NPM-EGRESS-TO chain.")
return err
}
}

// Insert a RETURN on MARK rule for EGRESS + INGRESS in AZURE-NPM-EGRESS-TO
entry.Chain = util.IptablesAzureEgressToChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesReturn,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureAcceptMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesInsertionFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add default RETURN on EGRESS and INGRESS mark in AZURE-NPM-EGRESS-TO chain.")
return err
}
}

// TODO move this in to a function for readability
// Insert a ACCEPT rule for INGRESS-and-EGRESS marked packets
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesAccept,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureAcceptMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("ACCEPT-on-INGRESS-and-EGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add marked ACCEPT rule to AZURE-NPM chain.")
return err
}
}

// Insert a ACCEPT rule for INGRESS marked packets
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesAccept,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureIngressMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("ACCEPT-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add marked ACCEPT rule for INGRESS mark to AZURE-NPM chain.")
return err
}
}

// Insert a ACCEPT rule for EGRESS marked packets
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{
util.IptablesJumpFlag,
util.IptablesAccept,
util.IptablesModuleFlag,
util.IptablesMarkVerb,
util.IptablesMarkFlag,
util.IptablesAzureEgressMarkHex,
util.IptablesModuleFlag,
util.IptablesCommentModuleFlag,
util.IptablesCommentFlag,
fmt.Sprintf("ACCEPT-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
}
exists, err = iptMgr.Exists(entry)
if err != nil {
return err
}

if !exists {
iptMgr.OperationFlag = util.IptablesAppendFlag
if _, err := iptMgr.Run(entry); err != nil {
metrics.SendErrorLogAndMetric(util.IptmID, "Error: failed to add marked ACCEPT rule for EGRESS mark to AZURE-NPM chain.")
return err
}
}

// Append AZURE-NPM-TARGET-SETS chain to AZURE-NPM chain.
entry.Chain = util.IptablesAzureChain
entry.Specs = []string{util.IptablesJumpFlag, util.IptablesAzureTargetSetsChain}
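Review bot: The nine Exists/Run sequences added here (RETURN-on-mark in the four policy chains, ACCEPT-on-mark in AZURE-NPM) are the same ten-element spec with only the chain, target, mark constant and comment varying, and the TODO above the first ACCEPT block already asks for a helper; a small closure over the existing `entry` would keep the copies from drifting, which is exactly the failure mode the corrected "AZURE-NPM-EGRESS-PORT" log message in this same diff shows. Two things such a helper should not hide: every `--mark` match is written without a `/mask`, so it is an exact compare of the whole mark word — if the marks are set elsewhere with `--set-xmark value/mask` on a word shared with other components (kube-proxy also uses mark bits), a packet carrying any unrelated bit misses both the RETURN and the ACCEPT and falls through, which is worth confirming against the marking rules, which are not in this hunk. Also, because each rule is appended only when absent, the position of the three ACCEPT-on-mark rules in AZURE-NPM depends on what the chain already holds: on a node whose AZURE-NPM chain was populated by an earlier version that already appended the AZURE-NPM-TARGET-SETS jump, the ACCEPT rules land after that jump rather than before it as on a fresh chain, unless the chain is flushed on init somewhere outside this hunk; inserting at an explicit position (or flushing first) would make the layout independent of history. InitNpmChains begins before this section and continues after it.
```go
// addIfMissing installs one rule in chain (insert or append per opFlag) unless an
// identical rule already exists; errMsg is what gets logged on a failed Run.
// Declared inside InitNpmChains so it can reuse the existing entry/iptMgr.
addIfMissing := func(chain string, specs []string, opFlag, errMsg string) error {
	entry.Chain = chain
	entry.Specs = specs
	exists, err := iptMgr.Exists(entry)
	if err != nil {
		return err
	}
	if exists {
		return nil
	}
	iptMgr.OperationFlag = opFlag
	if _, err := iptMgr.Run(entry); err != nil {
		metrics.SendErrorLogAndMetric(util.IptmID, errMsg)
		return err
	}
	return nil
}

// markRule builds "-j <target> -m mark --mark <markHex> -m comment --comment <comment>".
// NOTE: no /mask on --mark, so this is an exact match on the full mark word.
markRule := func(target, markHex, comment string) []string {
	return []string{
		util.IptablesJumpFlag, target,
		util.IptablesModuleFlag, util.IptablesMarkVerb, util.IptablesMarkFlag, markHex,
		util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, comment,
	}
}

// … unchanged: chain creation …

// One call replaces each 26-line block, e.g. the INGRESS-PORT RETURN:
if err := addIfMissing(
	util.IptablesAzureIngressPortChain,
	markRule(util.IptablesReturn, util.IptablesAzureIngressMarkHex,
		fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex)),
	util.IptablesInsertionFlag,
	"Error: failed to add default RETURN on INGRESS mark in AZURE-NPM-INGRESS-PORT chain.",
); err != nil {
	return err
}

// … unchanged: remaining RETURN/ACCEPT rules follow the same pattern …
```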