pkg/proxy/nftables: rename constant names for nftable objects

Signed-off-by: Daman Arora <aroradaman@gmail.com>
Daman Arora 2024-01-21 13:12:18 +05:30
parent 80ca91c90c
commit 01d7de5464
2 changed files with 77 additions and 77 deletions


@ -284,7 +284,7 @@ var sourceAddrLocalRegexp = regexp.MustCompile(`^fib saddr type local`)
var endpointVMAPRegexp = regexp.MustCompile(`^numgen random mod \d+ vmap \{(.*)\}$`) var endpointVMAPRegexp = regexp.MustCompile(`^numgen random mod \d+ vmap \{(.*)\}$`)
var endpointVMapEntryRegexp = regexp.MustCompile(`\d+ : goto (\S+)`) var endpointVMapEntryRegexp = regexp.MustCompile(`\d+ : goto (\S+)`)
var masqueradeRegexp = regexp.MustCompile(`^jump ` + kubeMarkMasqChain + `$`) var masqueradeRegexp = regexp.MustCompile(`^jump ` + markMasqChain + `$`)
var jumpRegexp = regexp.MustCompile(`^(jump|goto) (\S+)$`) var jumpRegexp = regexp.MustCompile(`^(jump|goto) (\S+)$`)
var returnRegexp = regexp.MustCompile(`^return$`) var returnRegexp = regexp.MustCompile(`^return$`)
var verdictRegexp = regexp.MustCompile(`^(drop|reject)$`) var verdictRegexp = regexp.MustCompile(`^(drop|reject)$`)


@ -64,26 +64,26 @@ const (
kubeProxyTable = "kube-proxy" kubeProxyTable = "kube-proxy"
// service dispatch // service dispatch
kubeServicesChain = "services" servicesChain = "services"
kubeServiceIPsMap = "service-ips" serviceIPsMap = "service-ips"
kubeServiceNodePortsMap = "service-nodeports" serviceNodePortsMap = "service-nodeports"
// set of IPs that accept NodePort traffic // set of IPs that accept NodePort traffic
kubeNodePortIPsSet = "nodeport-ips" nodePortIPsSet = "nodeport-ips"
// handling for services with no endpoints // handling for services with no endpoints
kubeEndpointsCheckChain = "endpoints-check" endpointsCheckChain = "endpoints-check"
kubeNoEndpointServicesMap = "no-endpoint-services" noEndpointServicesMap = "no-endpoint-services"
kubeNoEndpointNodePortsMap = "no-endpoint-nodeports" noEndpointNodePortsMap = "no-endpoint-nodeports"
kubeRejectChain = "reject-chain" rejectChain = "reject-chain"
// LoadBalancerSourceRanges handling // LoadBalancerSourceRanges handling
kubeFirewallIPsMap = "firewall-ips" firewallIPsMap = "firewall-ips"
kubeFirewallCheckChain = "firewall-check" firewallCheckChain = "firewall-check"
// masquerading // masquerading
kubeMarkMasqChain = "mark-for-masquerade" markMasqChain = "mark-for-masquerade"
kubeMasqueradingChain = "masquerading" masqueradingChain = "masquerading"
) )
// internal struct for string service information // internal struct for string service information
@ -328,19 +328,19 @@ type nftablesJumpChain struct {
} }
var nftablesJumpChains = []nftablesJumpChain{ var nftablesJumpChains = []nftablesJumpChain{
// We can't jump to kubeEndpointsCheckChain from filter-prerouting like // We can't jump to endpointsCheckChain from filter-prerouting like
// kubeFirewallCheckChain because reject action is only valid in chains using the // firewallCheckChain because reject action is only valid in chains using the
// input, forward or output hooks. // input, forward or output hooks.
{kubeEndpointsCheckChain, "filter-input", "ct state new"}, {endpointsCheckChain, "filter-input", "ct state new"},
{kubeEndpointsCheckChain, "filter-forward", "ct state new"}, {endpointsCheckChain, "filter-forward", "ct state new"},
{kubeEndpointsCheckChain, "filter-output", "ct state new"}, {endpointsCheckChain, "filter-output", "ct state new"},
{kubeFirewallCheckChain, "filter-prerouting", "ct state new"}, {firewallCheckChain, "filter-prerouting", "ct state new"},
{kubeFirewallCheckChain, "filter-output", "ct state new"}, {firewallCheckChain, "filter-output", "ct state new"},
{kubeServicesChain, "nat-output", ""}, {servicesChain, "nat-output", ""},
{kubeServicesChain, "nat-prerouting", ""}, {servicesChain, "nat-prerouting", ""},
{kubeMasqueradingChain, "nat-postrouting", ""}, {masqueradingChain, "nat-postrouting", ""},
} }
// ensureChain adds commands to tx to ensure that chain exists and doesn't contain // ensureChain adds commands to tx to ensure that chain exists and doesn't contain
@ -399,33 +399,33 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
} }
// Ensure all of our other "top-level" chains exist // Ensure all of our other "top-level" chains exist
for _, chain := range []string{kubeServicesChain, kubeMasqueradingChain, kubeMarkMasqChain} { for _, chain := range []string{servicesChain, masqueradingChain, markMasqChain} {
ensureChain(chain, tx, createdChains) ensureChain(chain, tx, createdChains)
} }
// Add the rules in the mark-for-masquerade and masquerading chains // Add the rules in the mark-for-masquerade and masquerading chains
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeMarkMasqChain, Chain: markMasqChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"mark", "set", "mark", "or", proxier.masqueradeMark, "mark", "set", "mark", "or", proxier.masqueradeMark,
), ),
}) })
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeMasqueradingChain, Chain: masqueradingChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"mark", "and", proxier.masqueradeMark, "==", "0", "mark", "and", proxier.masqueradeMark, "==", "0",
"return", "return",
), ),
}) })
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeMasqueradingChain, Chain: masqueradingChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"mark", "set", "mark", "xor", proxier.masqueradeMark, "mark", "set", "mark", "xor", proxier.masqueradeMark,
), ),
}) })
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeMasqueradingChain, Chain: masqueradingChain,
Rule: "masquerade fully-random", Rule: "masquerade fully-random",
}) })
@ -433,17 +433,17 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
// rather than just "delete" when we want to ensure the set doesn't exist, because // rather than just "delete" when we want to ensure the set doesn't exist, because
// doing just "delete" would return an error if the set didn't exist.) // doing just "delete" would return an error if the set didn't exist.)
tx.Add(&knftables.Set{ tx.Add(&knftables.Set{
Name: kubeNodePortIPsSet, Name: nodePortIPsSet,
Type: ipvX_addr, Type: ipvX_addr,
Comment: ptr.To("IPs that accept NodePort traffic"), Comment: ptr.To("IPs that accept NodePort traffic"),
}) })
if proxier.nodePortAddresses.MatchAll() { if proxier.nodePortAddresses.MatchAll() {
tx.Delete(&knftables.Set{ tx.Delete(&knftables.Set{
Name: kubeNodePortIPsSet, Name: nodePortIPsSet,
}) })
} else { } else {
tx.Flush(&knftables.Set{ tx.Flush(&knftables.Set{
Name: kubeNodePortIPsSet, Name: nodePortIPsSet,
}) })
nodeIPs, err := proxier.nodePortAddresses.GetNodeIPs(proxier.networkInterfacer) nodeIPs, err := proxier.nodePortAddresses.GetNodeIPs(proxier.networkInterfacer)
if err != nil { if err != nil {
@ -455,7 +455,7 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
continue continue
} }
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Set: kubeNodePortIPsSet, Set: nodePortIPsSet,
Key: []string{ Key: []string{
ip.String(), ip.String(),
}, },
@ -465,108 +465,108 @@ func (proxier *Proxier) setupNFTables(tx *knftables.Transaction) {
// Set up "no endpoints" drop/reject handling // Set up "no endpoints" drop/reject handling
tx.Add(&knftables.Map{ tx.Add(&knftables.Map{
Name: kubeNoEndpointServicesMap, Name: noEndpointServicesMap,
Type: ipvX_addr + " . inet_proto . inet_service : verdict", Type: ipvX_addr + " . inet_proto . inet_service : verdict",
Comment: ptr.To("vmap to drop or reject packets to services with no endpoints"), Comment: ptr.To("vmap to drop or reject packets to services with no endpoints"),
}) })
tx.Add(&knftables.Map{ tx.Add(&knftables.Map{
Name: kubeNoEndpointNodePortsMap, Name: noEndpointNodePortsMap,
Type: "inet_proto . inet_service : verdict", Type: "inet_proto . inet_service : verdict",
Comment: ptr.To("vmap to drop or reject packets to service nodeports with no endpoints"), Comment: ptr.To("vmap to drop or reject packets to service nodeports with no endpoints"),
}) })
tx.Add(&knftables.Chain{ tx.Add(&knftables.Chain{
Name: kubeRejectChain, Name: rejectChain,
Comment: ptr.To("helper for @no-endpoint-services / @no-endpoint-nodeports"), Comment: ptr.To("helper for @no-endpoint-services / @no-endpoint-nodeports"),
}) })
tx.Flush(&knftables.Chain{ tx.Flush(&knftables.Chain{
Name: kubeRejectChain, Name: rejectChain,
}) })
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeRejectChain, Chain: rejectChain,
Rule: "reject", Rule: "reject",
}) })
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeEndpointsCheckChain, Chain: endpointsCheckChain,
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "daddr", ".", "meta l4proto", ".", "th dport", ipX, "daddr", ".", "meta l4proto", ".", "th dport",
"vmap", "@", kubeNoEndpointServicesMap, "vmap", "@", noEndpointServicesMap,
), ),
}) })
if proxier.nodePortAddresses.MatchAll() { if proxier.nodePortAddresses.MatchAll() {
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeEndpointsCheckChain, Chain: endpointsCheckChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"fib daddr type local", "fib daddr type local",
noLocalhost, noLocalhost,
"meta l4proto . th dport", "meta l4proto . th dport",
"vmap", "@", kubeNoEndpointNodePortsMap, "vmap", "@", noEndpointNodePortsMap,
), ),
}) })
} else { } else {
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeEndpointsCheckChain, Chain: endpointsCheckChain,
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "daddr", "@", kubeNodePortIPsSet, ipX, "daddr", "@", nodePortIPsSet,
"meta l4proto . th dport", "meta l4proto . th dport",
"vmap", "@", kubeNoEndpointNodePortsMap, "vmap", "@", noEndpointNodePortsMap,
), ),
}) })
} }
// Set up LoadBalancerSourceRanges firewalling // Set up LoadBalancerSourceRanges firewalling
tx.Add(&knftables.Map{ tx.Add(&knftables.Map{
Name: kubeFirewallIPsMap, Name: firewallIPsMap,
Type: ipvX_addr + " . inet_proto . inet_service : verdict", Type: ipvX_addr + " . inet_proto . inet_service : verdict",
Comment: ptr.To("destinations that are subject to LoadBalancerSourceRanges"), Comment: ptr.To("destinations that are subject to LoadBalancerSourceRanges"),
}) })
ensureChain(kubeFirewallCheckChain, tx, createdChains) ensureChain(firewallCheckChain, tx, createdChains)
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeFirewallCheckChain, Chain: firewallCheckChain,
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "daddr", ".", "meta l4proto", ".", "th dport", ipX, "daddr", ".", "meta l4proto", ".", "th dport",
"vmap", "@", kubeFirewallIPsMap, "vmap", "@", firewallIPsMap,
), ),
}) })
// Set up service dispatch // Set up service dispatch
tx.Add(&knftables.Map{ tx.Add(&knftables.Map{
Name: kubeServiceIPsMap, Name: serviceIPsMap,
Type: ipvX_addr + " . inet_proto . inet_service : verdict", Type: ipvX_addr + " . inet_proto . inet_service : verdict",
Comment: ptr.To("ClusterIP, ExternalIP and LoadBalancer IP traffic"), Comment: ptr.To("ClusterIP, ExternalIP and LoadBalancer IP traffic"),
}) })
tx.Add(&knftables.Map{ tx.Add(&knftables.Map{
Name: kubeServiceNodePortsMap, Name: serviceNodePortsMap,
Type: "inet_proto . inet_service : verdict", Type: "inet_proto . inet_service : verdict",
Comment: ptr.To("NodePort traffic"), Comment: ptr.To("NodePort traffic"),
}) })
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeServicesChain, Chain: servicesChain,
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "daddr", ".", "meta l4proto", ".", "th dport", ipX, "daddr", ".", "meta l4proto", ".", "th dport",
"vmap", "@", kubeServiceIPsMap, "vmap", "@", serviceIPsMap,
), ),
}) })
if proxier.nodePortAddresses.MatchAll() { if proxier.nodePortAddresses.MatchAll() {
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeServicesChain, Chain: servicesChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"fib daddr type local", "fib daddr type local",
noLocalhost, noLocalhost,
"meta l4proto . th dport", "meta l4proto . th dport",
"vmap", "@", kubeServiceNodePortsMap, "vmap", "@", serviceNodePortsMap,
), ),
}) })
} else { } else {
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: kubeServicesChain, Chain: servicesChain,
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "daddr @nodeport-ips", ipX, "daddr @nodeport-ips",
"meta l4proto . th dport", "meta l4proto . th dport",
"vmap", "@", kubeServiceNodePortsMap, "vmap", "@", serviceNodePortsMap,
), ),
}) })
} }
@ -956,19 +956,19 @@ func (proxier *Proxier) syncProxyRules() {
// We currently fully-rebuild our sets and maps on each resync // We currently fully-rebuild our sets and maps on each resync
tx.Flush(&knftables.Map{ tx.Flush(&knftables.Map{
Name: kubeFirewallIPsMap, Name: firewallIPsMap,
}) })
tx.Flush(&knftables.Map{ tx.Flush(&knftables.Map{
Name: kubeNoEndpointServicesMap, Name: noEndpointServicesMap,
}) })
tx.Flush(&knftables.Map{ tx.Flush(&knftables.Map{
Name: kubeNoEndpointNodePortsMap, Name: noEndpointNodePortsMap,
}) })
tx.Flush(&knftables.Map{ tx.Flush(&knftables.Map{
Name: kubeServiceIPsMap, Name: serviceIPsMap,
}) })
tx.Flush(&knftables.Map{ tx.Flush(&knftables.Map{
Name: kubeServiceNodePortsMap, Name: serviceNodePortsMap,
}) })
// Accumulate service/endpoint chains and affinity sets to keep. // Accumulate service/endpoint chains and affinity sets to keep.
@ -1074,8 +1074,8 @@ func (proxier *Proxier) syncProxyRules() {
// generate any chains in the "nat" table for the service; only // generate any chains in the "nat" table for the service; only
// rules in the "filter" table rejecting incoming packets for // rules in the "filter" table rejecting incoming packets for
// the service's IPs. // the service's IPs.
internalTrafficFilterVerdict = fmt.Sprintf("goto %s", kubeRejectChain) internalTrafficFilterVerdict = fmt.Sprintf("goto %s", rejectChain)
externalTrafficFilterVerdict = fmt.Sprintf("goto %s", kubeRejectChain) externalTrafficFilterVerdict = fmt.Sprintf("goto %s", rejectChain)
} else { } else {
if !hasInternalEndpoints { if !hasInternalEndpoints {
// The internalTrafficPolicy is "Local" but there are no local // The internalTrafficPolicy is "Local" but there are no local
@ -1097,7 +1097,7 @@ func (proxier *Proxier) syncProxyRules() {
// Capture the clusterIP. // Capture the clusterIP.
if hasInternalEndpoints { if hasInternalEndpoints {
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeServiceIPsMap, Map: serviceIPsMap,
Key: []string{ Key: []string{
svcInfo.ClusterIP().String(), svcInfo.ClusterIP().String(),
protocol, protocol,
@ -1110,7 +1110,7 @@ func (proxier *Proxier) syncProxyRules() {
} else { } else {
// No endpoints. // No endpoints.
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeNoEndpointServicesMap, Map: noEndpointServicesMap,
Key: []string{ Key: []string{
svcInfo.ClusterIP().String(), svcInfo.ClusterIP().String(),
protocol, protocol,
@ -1129,7 +1129,7 @@ func (proxier *Proxier) syncProxyRules() {
// Send traffic bound for external IPs to the "external // Send traffic bound for external IPs to the "external
// destinations" chain. // destinations" chain.
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeServiceIPsMap, Map: serviceIPsMap,
Key: []string{ Key: []string{
externalIP.String(), externalIP.String(),
protocol, protocol,
@ -1145,7 +1145,7 @@ func (proxier *Proxier) syncProxyRules() {
// external traffic (DROP anything that didn't get // external traffic (DROP anything that didn't get
// short-circuited by the EXT chain.) // short-circuited by the EXT chain.)
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeNoEndpointServicesMap, Map: noEndpointServicesMap,
Key: []string{ Key: []string{
externalIP.String(), externalIP.String(),
protocol, protocol,
@ -1197,7 +1197,7 @@ func (proxier *Proxier) syncProxyRules() {
for _, lbip := range svcInfo.LoadBalancerVIPs() { for _, lbip := range svcInfo.LoadBalancerVIPs() {
if hasEndpoints { if hasEndpoints {
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeServiceIPsMap, Map: serviceIPsMap,
Key: []string{ Key: []string{
lbip.String(), lbip.String(),
protocol, protocol,
@ -1211,7 +1211,7 @@ func (proxier *Proxier) syncProxyRules() {
if usesFWChain { if usesFWChain {
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeFirewallIPsMap, Map: firewallIPsMap,
Key: []string{ Key: []string{
lbip.String(), lbip.String(),
protocol, protocol,
@ -1230,7 +1230,7 @@ func (proxier *Proxier) syncProxyRules() {
// by the EXT chain.) // by the EXT chain.)
for _, lbip := range svcInfo.LoadBalancerVIPs() { for _, lbip := range svcInfo.LoadBalancerVIPs() {
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeNoEndpointServicesMap, Map: noEndpointServicesMap,
Key: []string{ Key: []string{
lbip.String(), lbip.String(),
protocol, protocol,
@ -1251,7 +1251,7 @@ func (proxier *Proxier) syncProxyRules() {
// worse, nodeports are not subect to loadBalancerSourceRanges, // worse, nodeports are not subect to loadBalancerSourceRanges,
// and we can't change that. // and we can't change that.
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeServiceNodePortsMap, Map: serviceNodePortsMap,
Key: []string{ Key: []string{
protocol, protocol,
strconv.Itoa(svcInfo.NodePort()), strconv.Itoa(svcInfo.NodePort()),
@ -1266,7 +1266,7 @@ func (proxier *Proxier) syncProxyRules() {
// external traffic (DROP anything that didn't get // external traffic (DROP anything that didn't get
// short-circuited by the EXT chain.) // short-circuited by the EXT chain.)
tx.Add(&knftables.Element{ tx.Add(&knftables.Element{
Map: kubeNoEndpointNodePortsMap, Map: noEndpointNodePortsMap,
Key: []string{ Key: []string{
protocol, protocol,
strconv.Itoa(svcInfo.NodePort()), strconv.Itoa(svcInfo.NodePort()),
@ -1287,7 +1287,7 @@ func (proxier *Proxier) syncProxyRules() {
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "daddr", svcInfo.ClusterIP(), ipX, "daddr", svcInfo.ClusterIP(),
protocol, "dport", svcInfo.Port(), protocol, "dport", svcInfo.Port(),
"jump", kubeMarkMasqChain, "jump", markMasqChain,
), ),
}) })
} else if proxier.localDetector.IsImplemented() { } else if proxier.localDetector.IsImplemented() {
@ -1302,7 +1302,7 @@ func (proxier *Proxier) syncProxyRules() {
ipX, "daddr", svcInfo.ClusterIP(), ipX, "daddr", svcInfo.ClusterIP(),
protocol, "dport", svcInfo.Port(), protocol, "dport", svcInfo.Port(),
proxier.localDetector.IfNotLocalNFT(), proxier.localDetector.IfNotLocalNFT(),
"jump", kubeMarkMasqChain, "jump", markMasqChain,
), ),
}) })
} }
@ -1319,7 +1319,7 @@ func (proxier *Proxier) syncProxyRules() {
tx.Add(&knftables.Rule{ tx.Add(&knftables.Rule{
Chain: externalTrafficChain, Chain: externalTrafficChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"jump", kubeMarkMasqChain, "jump", markMasqChain,
), ),
}) })
} else { } else {
@ -1348,7 +1348,7 @@ func (proxier *Proxier) syncProxyRules() {
Chain: externalTrafficChain, Chain: externalTrafficChain,
Rule: knftables.Concat( Rule: knftables.Concat(
"fib", "saddr", "type", "local", "fib", "saddr", "type", "local",
"jump", kubeMarkMasqChain, "jump", markMasqChain,
), ),
Comment: ptr.To("masquerade local traffic"), Comment: ptr.To("masquerade local traffic"),
}) })
@ -1441,7 +1441,7 @@ func (proxier *Proxier) syncProxyRules() {
Chain: endpointChain, Chain: endpointChain,
Rule: knftables.Concat( Rule: knftables.Concat(
ipX, "saddr", epInfo.IP(), ipX, "saddr", epInfo.IP(),
"jump", kubeMarkMasqChain, "jump", markMasqChain,
), ),
}) })