From 6a9285ce21e5bb603bd345f39edd71b7bfdc2811 Mon Sep 17 00:00:00 2001 From: grampelberg Date: Thu, 14 Nov 2019 15:48:54 -0800 Subject: [PATCH 1/5] Remove chain jump rules as part of cleanup --- iptables/iptables.go | 186 ++++++++++++++++++++++++++----------------- 1 file changed, 115 insertions(+), 71 deletions(-) diff --git a/iptables/iptables.go b/iptables/iptables.go index 1841d544..7ee50fee 100644 --- a/iptables/iptables.go +++ b/iptables/iptables.go @@ -27,11 +27,15 @@ const ( // IptablesMultiportLimit specifies the maximum number of port references per single iptables command. IptablesMultiportLimit = 15 + outputChainName = "PROXY_INIT_OUTPUT" + redirectChainName = "PROXY_INIT_REDIRECT" ) var ( // ExecutionTraceID provides a unique identifier for this script's execution. ExecutionTraceID = strconv.Itoa(int(time.Now().Unix())) + + sectionDelimiter = strings.Repeat("-", 60) ) // FirewallConfiguration specifies how to configure a pod's iptables. @@ -53,32 +57,63 @@ type FirewallConfiguration struct { // https://github.com/istio/istio/blob/e83411e/pilot/docker/prepare_proxy.sh func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error { - log.Printf("Tracing this script execution as [%s]\n", ExecutionTraceID) + fmt.Printf("Tracing this script execution as [%s]\n", ExecutionTraceID) - log.Println("State of iptables rules before run:") - err := executeCommand(firewallConfiguration, makeShowAllRules()) - if err != nil { - log.Println("Aborting firewall configuration") + startSection("current state") + if err := executeCommand(firewallConfiguration, makeShowAllRules()); err != nil { + fmt.Println("Aborting firewall configuration") return err } + endSection() + + startSection("cleanup") + // cleanup rules before adding new ones in + _ = executeCommand( + firewallConfiguration, + makeJumpFromChainToAnotherForAllProtocols( + IptablesOutputChainName, + outputChainName, + "install-proxy-init-prerouting", + true)) + _ = executeCommand( + firewallConfiguration, + makeJumpFromChainToAnotherForAllProtocols( + IptablesPreroutingChainName, + redirectChainName, + "install-proxy-init-prerouting", + true)) + + for _, chain := range []string{outputChainName, redirectChainName} { + _ = executeCommand(firewallConfiguration, makeFlushChain(chain)) + _ = executeCommand(firewallConfiguration, makeDeleteChain(chain)) + } + endSection() commands := make([]*exec.Cmd, 0) + startSection("configuration") + commands = addIncomingTrafficRules(commands, firewallConfiguration) commands = addOutgoingTrafficRules(commands, firewallConfiguration) - commands = append(commands, makeShowAllRules()) + endSection() - log.Println("Executing commands:") + startSection("adding rules") for _, cmd := range commands { - err := executeCommand(firewallConfiguration, cmd) - if err != nil { - log.Println("Aborting firewall configuration") + if err := executeCommand(firewallConfiguration, cmd); err != nil { + fmt.Println("Aborting firewall configuration") return err } } + + endSection() + + startSection("end state") + _ = executeCommand(firewallConfiguration, makeShowAllRules()) + endSection() + return nil } @@ -88,29 +123,25 @@ func formatComment(text string) string { return fmt.Sprintf("proxy-init/%s/%s", text, ExecutionTraceID) } -func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { - outputChainName := "PROXY_INIT_OUTPUT" - redirectChainName := "PROXY_INIT_REDIRECT" - err := executeCommand(firewallConfiguration, makeFlushChain(outputChainName)) - if err != nil { - log.Printf("An error occurred while FLUSHING the chain in addOutgoingTrafficRules. Startup will continue, but there may be additional errors\n [error]: %v", err) - } +func startSection(text string) { + fmt.Printf("%s\n%s\n", text, sectionDelimiter) +} - err = executeCommand(firewallConfiguration, makeDeleteChain(outputChainName)) - if err != nil { - log.Printf("An error occurred while DELETING the chain in addOutgoingTrafficRules. Startup will continue, but there may be additional errors\n [error]: %v", err) - } +func endSection() { + fmt.Printf("\n\n") +} +func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { commands = append(commands, makeCreateNewChain(outputChainName, "redirect-common-chain")) // Ignore traffic from the proxy if firewallConfiguration.ProxyUID > 0 { - log.Printf("Ignoring uid %d", firewallConfiguration.ProxyUID) + fmt.Printf("Ignoring uid %d\n", firewallConfiguration.ProxyUID) // Redirect calls originating from the proxy destined for an app container e.g. app -> proxy(outbound) -> proxy(inbound) -> app commands = append(commands, makeRedirectChainForOutgoingTraffic(outputChainName, redirectChainName, firewallConfiguration.ProxyUID, "redirect-non-loopback-local-traffic")) commands = append(commands, makeIgnoreUserID(outputChainName, firewallConfiguration.ProxyUID, "ignore-proxy-user-id")) } else { - log.Println("Not ignoring any uid") + fmt.Println("Not ignoring any uid") } // Ignore loopback @@ -118,60 +149,66 @@ func addOutgoingTrafficRules(commands []*exec.Cmd, firewallConfiguration Firewal // Ignore ports commands = addRulesForIgnoredPorts(firewallConfiguration.OutboundPortsToIgnore, outputChainName, commands) - log.Printf("Redirecting all OUTPUT to %d", firewallConfiguration.ProxyOutgoingPort) + fmt.Printf("Redirecting all OUTPUT to %d\n", firewallConfiguration.ProxyOutgoingPort) commands = append(commands, makeRedirectChainToPort(outputChainName, firewallConfiguration.ProxyOutgoingPort, "redirect-all-outgoing-to-proxy-port")) //Redirect all remaining outbound traffic to the proxy. - commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesOutputChainName, outputChainName, "install-proxy-init-output")) + commands = append( + commands, + makeJumpFromChainToAnotherForAllProtocols( + IptablesOutputChainName, + outputChainName, + "install-proxy-init-output", + false)) + return commands } func addIncomingTrafficRules(commands []*exec.Cmd, firewallConfiguration FirewallConfiguration) []*exec.Cmd { - redirectChainName := "PROXY_INIT_REDIRECT" - err := executeCommand(firewallConfiguration, makeFlushChain(redirectChainName)) - if err != nil { - log.Printf("An error occurred while FLUSHING the chain in addIncomingTrafficRules. Startup will continue, but there may be additional errors\n [error]: %v", err) - } - - err = executeCommand(firewallConfiguration, makeDeleteChain(redirectChainName)) - if err != nil { - log.Printf("An error occurred while DELETING the chain in addIncomingTrafficRules. Startup will continue, but there may be additional errors\n [error]: %v", err) - } - commands = append(commands, makeCreateNewChain(redirectChainName, "redirect-common-chain")) commands = addRulesForIgnoredPorts(firewallConfiguration.InboundPortsToIgnore, redirectChainName, commands) commands = addRulesForInboundPortRedirect(firewallConfiguration, redirectChainName, commands) //Redirect all remaining inbound traffic to the proxy. - commands = append(commands, makeJumpFromChainToAnotherForAllProtocols(IptablesPreroutingChainName, redirectChainName, "install-proxy-init-prerouting")) + commands = append( + commands, + makeJumpFromChainToAnotherForAllProtocols( + IptablesPreroutingChainName, + redirectChainName, + "install-proxy-init-prerouting", + false)) return commands } func addRulesForInboundPortRedirect(firewallConfiguration FirewallConfiguration, chainName string, commands []*exec.Cmd) []*exec.Cmd { if firewallConfiguration.Mode == RedirectAllMode { - log.Print("Will redirect all INPUT ports to proxy") + fmt.Println("Will redirect all INPUT ports to proxy") //Create a new chain for redirecting inbound and outbound traffic to the proxy port. commands = append(commands, makeRedirectChainToPort(chainName, firewallConfiguration.ProxyInboundPort, "redirect-all-incoming-to-proxy-port")) } else if firewallConfiguration.Mode == RedirectListedMode { - log.Printf("Will redirect some INPUT ports to proxy: %v", firewallConfiguration.PortsToRedirectInbound) + fmt.Printf("Will redirect some INPUT ports to proxy: %v\n", firewallConfiguration.PortsToRedirectInbound) for _, port := range firewallConfiguration.PortsToRedirectInbound { - commands = append(commands, makeRedirectChainToPortBasedOnDestinationPort(chainName, - port, - firewallConfiguration.ProxyInboundPort, - fmt.Sprintf("redirect-port-%d-to-proxy-port", port))) + commands = append( + commands, + makeRedirectChainToPortBasedOnDestinationPort( + chainName, + port, + firewallConfiguration.ProxyInboundPort, + fmt.Sprintf("redirect-port-%d-to-proxy-port", port))) } } return commands } -func addRulesForIgnoredPorts(portsToIgnore []string, chainName string, commands []*exec.Cmd) []*exec.Cmd { - for _, destinations := range makeMultiportDestinations(portsToIgnore) { - log.Printf("Will ignore port(s) %s on chain %s", destinations, chainName) - commands = append(commands, makeIgnorePorts(chainName, destinations, fmt.Sprintf("ignore-port-%s", strings.Join(destinations, ",")))) +func addRulesForIgnoredPorts(portsToIgnore []int, chainName string, commands []*exec.Cmd) []*exec.Cmd { + for _, ignoredPort := range portsToIgnore { + fmt.Printf("Will ignore port %d on chain %s\n", ignoredPort, chainName) + + commands = append(commands, makeIgnorePort(chainName, ignoredPort, fmt.Sprintf("ignore-port-%d", ignoredPort))) } return commands } @@ -207,34 +244,35 @@ func makeMultiportDestinations(portsToIgnore []string) [][]string { } func executeCommand(firewallConfiguration FirewallConfiguration, cmd *exec.Cmd) error { - originalCmd := strings.Trim(fmt.Sprintf("%v", cmd.Args), "[]") - log.Printf("> %s", originalCmd) - if firewallConfiguration.UseWaitFlag { - log.Print("Setting UseWaitFlag: iptables will wait for xtables to become available") + fmt.Println("Setting UseWaitFlag: iptables will wait for xtables to become available") cmd.Args = append(cmd.Args, "-w") } - if !firewallConfiguration.SimulateOnly { - // wrap up the cmd with nsenter if we were givin a netns - if len(firewallConfiguration.NetNs) > 0 { - netnsArg := fmt.Sprintf("--net=%s", firewallConfiguration.NetNs) - originalCmdAsArgs := strings.Split(originalCmd, " ") - nsenterArgs := []string{ - netnsArg, - } - finalArgs := append(nsenterArgs, originalCmdAsArgs...) + if firewallConfiguration.SimulateOnly { + return nil + } - log.Printf(">> nsenter %v", finalArgs) - cmd = exec.Command("nsenter", finalArgs...) - } + // wrap up the cmd with nsenter if we were givin a netns + if len(firewallConfiguration.NetNs) > 0 { + cmd.Args = append([]string{ + "nsenter", + "--net", firewallConfiguration.NetNs, + }, cmd.Args...) + } - out, err := cmd.CombinedOutput() - log.Printf("< %s\n", string(out)) - if err != nil { - return err - } + fmt.Printf(":; %s\n", strings.Trim(fmt.Sprintf("%v", cmd.Args), "[]")) + + out, err := cmd.CombinedOutput() + + if len(out) > 0 { + fmt.Printf("%s\n", out) + } + + if err != nil { + return err } + return nil } @@ -314,10 +352,16 @@ func makeRedirectChainToPortBasedOnDestinationPort(chainName string, destination "--comment", formatComment(comment)) } -func makeJumpFromChainToAnotherForAllProtocols(chainName string, targetChain string, comment string) *exec.Cmd { +func makeJumpFromChainToAnotherForAllProtocols( + chainName string, targetChain string, comment string, delete bool) *exec.Cmd { + action := "-A" + if delete { + action = "-D" + } + return exec.Command("iptables", "-t", "nat", - "-A", chainName, + action, chainName, "-j", targetChain, "-m", "comment", "--comment", formatComment(comment)) @@ -337,7 +381,7 @@ func makeRedirectChainForOutgoingTraffic(chainName string, redirectChainName str } func makeShowAllRules() *exec.Cmd { - return exec.Command("iptables", "-t", "nat", "-vnL") + return exec.Command("iptables-save") } // asDestination formats the provided `PortRange` for output in commands. From b0bd9d41168d0915b17063ebf7e0f388a3668896 Mon Sep 17 00:00:00 2001 From: Charles Pretzer Date: Fri, 17 Jul 2020 09:34:44 -0700 Subject: [PATCH 2/5] rebase with HEAD Signed-off-by: Charles Pretzer --- iptables/iptables.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/iptables/iptables.go b/iptables/iptables.go index 7ee50fee..4d611ae2 100644 --- a/iptables/iptables.go +++ b/iptables/iptables.go @@ -204,11 +204,11 @@ func addRulesForInboundPortRedirect(firewallConfiguration FirewallConfiguration, return commands } -func addRulesForIgnoredPorts(portsToIgnore []int, chainName string, commands []*exec.Cmd) []*exec.Cmd { - for _, ignoredPort := range portsToIgnore { - fmt.Printf("Will ignore port %d on chain %s\n", ignoredPort, chainName) +func addRulesForIgnoredPorts(portsToIgnore []string, chainName string, commands []*exec.Cmd) []*exec.Cmd { + for _, destinations := range makeMultiportDestinations(portsToIgnore) { + fmt.Printf("Will ignore port %d on chain %s\n", destinations, chainName) - commands = append(commands, makeIgnorePort(chainName, ignoredPort, fmt.Sprintf("ignore-port-%d", ignoredPort))) + commands = append(commands, makeIgnorePorts(chainName, destinations, fmt.Sprintf("ignore-port-%d", strings.Join(destinations, ",")))) } return commands } From 82bb24caa1561200d89f9cacef4634da89bc0273 Mon Sep 17 00:00:00 2001 From: Charles Pretzer Date: Fri, 17 Jul 2020 09:58:50 -0700 Subject: [PATCH 3/5] fix lint Signed-off-by: Charles Pretzer --- iptables/iptables.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iptables/iptables.go b/iptables/iptables.go index 4d611ae2..7eba4338 100644 --- a/iptables/iptables.go +++ b/iptables/iptables.go @@ -206,9 +206,9 @@ func addRulesForInboundPortRedirect(firewallConfiguration FirewallConfiguration, func addRulesForIgnoredPorts(portsToIgnore []string, chainName string, commands []*exec.Cmd) []*exec.Cmd { for _, destinations := range makeMultiportDestinations(portsToIgnore) { - fmt.Printf("Will ignore port %d on chain %s\n", destinations, chainName) + fmt.Printf("Will ignore port %s on chain %s\n", destinations, chainName) - commands = append(commands, makeIgnorePorts(chainName, destinations, fmt.Sprintf("ignore-port-%d", strings.Join(destinations, ",")))) + commands = append(commands, makeIgnorePorts(chainName, destinations, fmt.Sprintf("ignore-port-%s", strings.Join(destinations, ",")))) } return commands } From 0541874aebc9ce31cb7e9233d84dcb035887b073 Mon Sep 17 00:00:00 2001 From: Charles Pretzer Date: Thu, 23 Jul 2020 11:09:13 -0700 Subject: [PATCH 4/5] Remove cleanup section, per PR feedback Signed-off-by: Charles Pretzer --- iptables/iptables.go | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/iptables/iptables.go b/iptables/iptables.go index 7eba4338..a6c9fdee 100644 --- a/iptables/iptables.go +++ b/iptables/iptables.go @@ -66,29 +66,6 @@ func ConfigureFirewall(firewallConfiguration FirewallConfiguration) error { } endSection() - startSection("cleanup") - // cleanup rules before adding new ones in - _ = executeCommand( - firewallConfiguration, - makeJumpFromChainToAnotherForAllProtocols( - IptablesOutputChainName, - outputChainName, - "install-proxy-init-prerouting", - true)) - _ = executeCommand( - firewallConfiguration, - makeJumpFromChainToAnotherForAllProtocols( - IptablesPreroutingChainName, - redirectChainName, - "install-proxy-init-prerouting", - true)) - - for _, chain := range []string{outputChainName, redirectChainName} { - _ = executeCommand(firewallConfiguration, makeFlushChain(chain)) - _ = executeCommand(firewallConfiguration, makeDeleteChain(chain)) - } - endSection() - commands := make([]*exec.Cmd, 0) startSection("configuration") From f93777735fee251af16834a783e0361bbf596137 Mon Sep 17 00:00:00 2001 From: Charles Pretzer Date: Thu, 23 Jul 2020 13:54:37 -0700 Subject: [PATCH 5/5] fixing lint Signed-off-by: Charles Pretzer --- iptables/iptables.go | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/iptables/iptables.go b/iptables/iptables.go index a6c9fdee..77b1adbb 100644 --- a/iptables/iptables.go +++ b/iptables/iptables.go @@ -272,18 +272,6 @@ func makeCreateNewChain(name string, comment string) *exec.Cmd { "--comment", formatComment(comment)) } -func makeFlushChain(name string) *exec.Cmd { - return exec.Command("iptables", - "-t", "nat", - "-F", name) -} - -func makeDeleteChain(name string) *exec.Cmd { - return exec.Command("iptables", - "-t", "nat", - "-X", name) -} - func makeRedirectChainToPort(chainName string, portToRedirect int, comment string) *exec.Cmd { return exec.Command("iptables", "-t", "nat",