package plugin
import (
"fmt"
"sync"
"time"
"github.com/golang/glog"
utilwait "k8s.io/apimachinery/pkg/util/wait"
utildbus "k8s.io/kubernetes/pkg/util/dbus"
kexec "k8s.io/kubernetes/pkg/util/exec"
"k8s.io/kubernetes/pkg/util/iptables"
)
// FirewallRule describes one iptables rule this node keeps installed: the
// table and chain it lives in, plus the rule-specification tokens that are
// passed verbatim to iptables after the chain name (e.g. "-s", cidr, "-j", "ACCEPT").
type FirewallRule struct {
	table string   // iptables table, e.g. "nat" or "filter"
	chain string   // chain inside that table, e.g. "POSTROUTING", "INPUT", "FORWARD"
	args  []string // match/target arguments in iptables command-line order
}
// NodeIPTables installs the static iptables rules a node needs for the cluster
// network (see getStaticNodeIPTablesRules), re-asserts them periodically and
// re-applies them after a firewalld reload. It only ever adds rules; nothing
// here removes a rule, so stale rules survive a CIDR change until a reboot or
// manual cleanup.
type NodeIPTables struct {
	ipt                iptables.Interface // iptables wrapper; IPv4 only (see newNodeIPTables)
	clusterNetworkCIDR string             // pod network CIDR substituted into the NAT/FORWARD rules
	syncPeriod         time.Duration      // interval between periodic re-syncs in syncLoop; must be > 0
	mu                 sync.Mutex         // Protects concurrent access to syncIPTableRules()
}
// newNodeIPTables builds a NodeIPTables that drives the real iptables binary
// (through kexec and dbus) for IPv4 only; no IPv6 rules are ever installed.
//
// clusterNetworkCIDR is the pod network CIDR used by the MASQUERADE and
// FORWARD rules; syncPeriod is how often syncLoop re-asserts the rules.
// Nothing is written to iptables until Setup is called.
func newNodeIPTables(clusterNetworkCIDR string, syncPeriod time.Duration) *NodeIPTables {
	runner := iptables.New(kexec.New(), utildbus.New(), iptables.ProtocolIpv4)

	node := &NodeIPTables{}
	node.ipt = runner
	node.clusterNetworkCIDR = clusterNetworkCIDR
	node.syncPeriod = syncPeriod
	return node
}
// Setup applies the node rules once, registers a firewalld reload hook that
// re-applies them, and then starts the periodic re-sync goroutine.
//
// It returns the error of the initial sync, in which case neither the hook
// nor the goroutine is installed. Errors from the reload hook and from the
// periodic loop are only logged. The goroutine started here has no stop
// mechanism and runs for the life of the process, so Setup is meant to be
// called exactly once.
func (n *NodeIPTables) Setup() error {
	// Fail fast: if the rules cannot be installed now, do not schedule
	// retries behind the caller's back.
	err := n.syncIPTableRules()
	if err != nil {
		return err
	}

	// If firewalld is running, its reload invokes this hook; re-install the
	// rules then, since the reload may have dropped them.
	onReload := func() {
		if rerr := n.syncIPTableRules(); rerr != nil {
			glog.Errorf("Reloading openshift iptables failed: %v", rerr)
		}
	}
	n.ipt.AddReloadFunc(onReload)

	// syncLoop never returns, so Forever's period argument is irrelevant.
	go utilwait.Forever(n.syncLoop, 0)
	return nil
}
// syncLoop re-asserts the iptables rules every n.syncPeriod, forever.
//
// It is expected to run as a goroutine (Setup starts it) or as a main loop
// and never returns. A failed sync is logged and retried on the next tick.
// n.syncPeriod must be positive: time.NewTicker panics on a zero or negative
// duration.
func (n *NodeIPTables) syncLoop() {
	ticker := time.NewTicker(n.syncPeriod)
	defer ticker.Stop() // never reached in practice; kept for hygiene

	// ticker.C is never closed, so this loop blocks on each tick indefinitely.
	for range ticker.C {
		glog.V(6).Infof("Periodic openshift iptables sync")
		if err := n.syncIPTableRules(); err != nil {
			glog.Errorf("Syncing openshift iptables failed: %v", err)
		}
	}
}
// syncIPTableRules makes sure every rule returned by getStaticNodeIPTablesRules
// is present, prepending any that are missing. It is called from syncLoop and
// from the firewalld reload hook registered in Setup; n.mu serialises those
// callers.
//
// Operational notes:
//   - Missing rules are inserted at the top of their chain, so these ACCEPT /
//     MASQUERADE rules take precedence over anything an administrator placed
//     in INPUT, FORWARD or POSTROUTING beforehand.
//   - EnsureRule (k8s iptables wrapper) is expected to leave an already
//     present rule where it is — NOTE(review): confirm against the wrapper;
//     if so, chain order is only well-defined right after a clean install.
//   - The first EnsureRule failure aborts the sync; rules later in the list
//     are not attempted again until the next call.
//   - Nothing is ever deleted here.
func (n *NodeIPTables) syncIPTableRules() error {
	n.mu.Lock()
	defer n.mu.Unlock()

	started := time.Now()
	defer func() {
		glog.V(4).Infof("syncIPTableRules took %v", time.Since(started))
	}()
	glog.V(3).Infof("Syncing openshift iptables rules")

	for _, r := range n.getStaticNodeIPTablesRules() {
		table, chain := iptables.Table(r.table), iptables.Chain(r.chain)
		if _, err := n.ipt.EnsureRule(iptables.Prepend, table, chain, r.args...); err != nil {
			return fmt.Errorf("failed to ensure rule %v exists: %v", r, err)
		}
	}
	return nil
}
// VXLAN_PORT is the UDP port on which this node receives overlay (VXLAN)
// traffic from other nodes; the INPUT rule below opens it.
const VXLAN_PORT = "4789"

// getStaticNodeIPTablesRules returns the rules this node needs for the
// cluster network, in the order they are handed to syncIPTableRules (which
// prepends each one, so after a clean install the last entry sits first in
// its chain).
//
// Security notes for operators:
//   - The VXLAN INPUT rule has no source match: UDP/4789 is accepted from any
//     address, and plain VXLAN carries no authentication. Restricting 4789 to
//     the node network has to be done outside this file (host firewall in
//     front of these rules will not help, since they are prepended; use an
//     external firewall or cloud security groups).
//   - Everything arriving on the TUN and docker0 interfaces is accepted
//     unconditionally in INPUT, and anything to or from the cluster CIDR is
//     accepted in FORWARD.
//   - The MASQUERADE rule matches every packet sourced from the cluster CIDR
//     with no destination exclusion; whether pod-to-pod traffic can reach this
//     chain depends on the SDN datapath — NOTE(review): confirm.
//   - "docker0" is hard-coded; nodes whose container runtime uses a different
//     bridge name get no INPUT rule for it.
func (n *NodeIPTables) getStaticNodeIPTablesRules() []FirewallRule {
	cidr := n.clusterNetworkCIDR

	return []FirewallRule{
		// Source-NAT pod traffic leaving the node to the node's own address.
		{table: "nat", chain: "POSTROUTING", args: []string{"-s", cidr, "-j", "MASQUERADE"}},
		// Overlay: VXLAN from other nodes (no source restriction, see above).
		{table: "filter", chain: "INPUT", args: []string{"-p", "udp", "-m", "multiport", "--dports", VXLAN_PORT, "-m", "comment", "--comment", "001 vxlan incoming", "-j", "ACCEPT"}},
		// Host-bound traffic from the SDN interface and from docker's bridge.
		{table: "filter", chain: "INPUT", args: []string{"-i", TUN, "-m", "comment", "--comment", "traffic from SDN", "-j", "ACCEPT"}},
		{table: "filter", chain: "INPUT", args: []string{"-i", "docker0", "-m", "comment", "--comment", "traffic from docker", "-j", "ACCEPT"}},
		// Routed pod traffic in either direction.
		{table: "filter", chain: "FORWARD", args: []string{"-d", cidr, "-j", "ACCEPT"}},
		{table: "filter", chain: "FORWARD", args: []string{"-s", cidr, "-j", "ACCEPT"}},
	}
}