// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium
package iptables
import (
"github.com/spf13/pflag"
"github.com/cilium/cilium/pkg/cidr"
"github.com/cilium/cilium/pkg/hive/cell"
"github.com/cilium/cilium/pkg/option"
"github.com/cilium/cilium/pkg/time"
)
// Cell wires iptables handling into the hive: it registers this package's
// Config flags (seeded from defaultConfig), derives a module-private
// SharedConfig from the daemon-wide option.DaemonConfig, and provides the
// iptables manager via newIptablesManager.
var Cell = cell.Module(
	"iptables",
	"Handle iptables-related configuration for Cilium",

	cell.Config(defaultConfig),

	// SharedConfig is built once from DaemonConfig and is only visible inside
	// this module (ProvidePrivate). Scalar fields are copied; the slice and
	// pointer fields (Devices, MasqueradeInterfaces, IPv4NativeRoutingCIDR)
	// alias the DaemonConfig values rather than being cloned.
	cell.ProvidePrivate(func(cfg *option.DaemonConfig) SharedConfig {
		shared := SharedConfig{
			TunnelingEnabled:                cfg.TunnelingEnabled(),
			NodeIpsetNeeded:                 cfg.NodeIpsetNeeded(),
			Devices:                         cfg.GetDevices(),
			IptablesMasqueradingIPv4Enabled: cfg.IptablesMasqueradingIPv4Enabled(),
			IptablesMasqueradingIPv6Enabled: cfg.IptablesMasqueradingIPv6Enabled(),
			IPv4NativeRoutingCIDR:           cfg.GetIPv4NativeRoutingCIDR(),
			EnableIPv4:                      cfg.EnableIPv4,
			EnableIPv6:                      cfg.EnableIPv6,
			EnableXTSocketFallback:          cfg.EnableXTSocketFallback,
			EnableBPFTProxy:                 cfg.EnableBPFTProxy,
			InstallNoConntrackIptRules:      cfg.InstallNoConntrackIptRules,
			EnableEndpointRoutes:            cfg.EnableEndpointRoutes,
			IPAM:                            cfg.IPAM,
			EnableIPSec:                     cfg.EnableIPSec,
			MasqueradeInterfaces:            cfg.MasqueradeInterfaces,
			EnableMasqueradeRouteSource:     cfg.EnableMasqueradeRouteSource,
			EnableL7Proxy:                   cfg.EnableL7Proxy,
		}
		return shared
	}),

	cell.Provide(newIptablesManager),
)
// Config holds the iptables-specific settings of this module. Each field is
// exposed as a command-line flag by Flags and seeded from defaultConfig.
type Config struct {
	// IPTablesLockTimeout defines the "-w" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent.
	// Registered as --iptables-lock-timeout.
	IPTablesLockTimeout time.Duration

	// DisableIptablesFeederRules specifies which chains will be excluded
	// when installing the feeder rules.
	// Registered as --disable-iptables-feeder-rules.
	DisableIptablesFeederRules []string

	// IPTablesRandomFully defines the "--random-fully" iptables option when the
	// iptables CLI is directly invoked from the Cilium agent; Flags describes it
	// as applying to the masquerading rules.
	// Registered as --iptables-random-fully.
	IPTablesRandomFully bool

	// PrependIptablesChains, when enabled, prepends custom iptables chains
	// instead of appending. Enabled in defaultConfig.
	// Registered as --prepend-iptables-chains.
	PrependIptablesChains bool
}
// defaultConfig is the Config passed to cell.Config and used as the default
// value of every flag registered by Flags. Fields not listed keep their zero
// value; they are spelled out here so the defaults are visible in one place.
var defaultConfig = Config{
	// Wait up to five seconds for the xtables lock on each iptables call.
	IPTablesLockTimeout: 5 * time.Second,
	// No feeder-rule chains are excluded by default.
	DisableIptablesFeederRules: nil,
	// --random-fully is off unless requested.
	IPTablesRandomFully: false,
	// Custom chains are prepended by default.
	PrependIptablesChains: true,
}
// Flags registers the command-line flags backing Config on flags. The
// receiver supplies each flag's default value, so callers pass defaultConfig
// (via cell.Config) to obtain the documented defaults.
func (def Config) Flags(flags *pflag.FlagSet) {
	const (
		lockTimeoutFlag   = "iptables-lock-timeout"
		feederRulesFlag   = "disable-iptables-feeder-rules"
		randomFullyFlag   = "iptables-random-fully"
		prependChainsFlag = "prepend-iptables-chains"
	)

	flags.Duration(lockTimeoutFlag, def.IPTablesLockTimeout,
		"Time to pass to each iptables invocation to wait for xtables lock acquisition")
	flags.StringSlice(feederRulesFlag, def.DisableIptablesFeederRules,
		"Chains to ignore when installing feeder rules.")
	flags.Bool(randomFullyFlag, def.IPTablesRandomFully,
		"Set iptables flag random-fully on masquerading rules")
	flags.Bool(prependChainsFlag, def.PrependIptablesChains,
		"Prepend custom iptables chains instead of appending")
}
// SharedConfig is the subset of option.DaemonConfig that the iptables manager
// consumes. It is populated by the private provider in Cell, one field per
// DaemonConfig field or accessor, and has no flags of its own.
type SharedConfig struct {
	// TunnelingEnabled is taken from cfg.TunnelingEnabled().
	TunnelingEnabled bool
	// NodeIpsetNeeded is taken from cfg.NodeIpsetNeeded().
	NodeIpsetNeeded bool
	// Devices is taken from cfg.GetDevices(); the slice is not cloned, so it
	// shares its backing array with whatever DaemonConfig returns.
	Devices []string
	// IptablesMasqueradingIPv4Enabled is taken from cfg.IptablesMasqueradingIPv4Enabled().
	IptablesMasqueradingIPv4Enabled bool
	// IptablesMasqueradingIPv6Enabled is taken from cfg.IptablesMasqueradingIPv6Enabled().
	IptablesMasqueradingIPv6Enabled bool
	// IPv4NativeRoutingCIDR is taken from cfg.GetIPv4NativeRoutingCIDR().
	// NOTE(review): it is a pointer and may be nil when no CIDR is configured — confirm consumers check for nil.
	IPv4NativeRoutingCIDR *cidr.CIDR
	// EnableIPv4 is copied from cfg.EnableIPv4.
	EnableIPv4 bool
	// EnableIPv6 is copied from cfg.EnableIPv6.
	EnableIPv6 bool
	// EnableXTSocketFallback is copied from cfg.EnableXTSocketFallback.
	EnableXTSocketFallback bool
	// EnableBPFTProxy is copied from cfg.EnableBPFTProxy.
	EnableBPFTProxy bool
	// InstallNoConntrackIptRules is copied from cfg.InstallNoConntrackIptRules.
	InstallNoConntrackIptRules bool
	// EnableEndpointRoutes is copied from cfg.EnableEndpointRoutes.
	EnableEndpointRoutes bool
	// IPAM is copied from cfg.IPAM.
	IPAM string
	// EnableIPSec is copied from cfg.EnableIPSec.
	EnableIPSec bool
	// MasqueradeInterfaces is copied from cfg.MasqueradeInterfaces; like
	// Devices, the slice aliases the DaemonConfig value.
	MasqueradeInterfaces []string
	// EnableMasqueradeRouteSource is copied from cfg.EnableMasqueradeRouteSource.
	EnableMasqueradeRouteSource bool
	// EnableL7Proxy is copied from cfg.EnableL7Proxy.
	EnableL7Proxy bool
}