Move name constants to separate 'chains' package, to reduce dependencies

We don't want everyone that uses the `net` package to get a transitive dependency on the Kubernetes APIs required by `npc`.
weaveworks · Jul 29, 2020 · a3c76e1 · a3c76e1
1 parent 9928ddb
commit a3c76e1
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 43 deletions.
diff --git a/common/chains/npc.go b/common/chains/npc.go
@@ -0,0 +1,12 @@
+package chains
+
+const (
+	MainChain    = "WEAVE-NPC"
+	DefaultChain = "WEAVE-NPC-DEFAULT"
+	IngressChain = "WEAVE-NPC-INGRESS"
+
+	EgressChain        = "WEAVE-NPC-EGRESS"
+	EgressDefaultChain = "WEAVE-NPC-EGRESS-DEFAULT"
+	EgressCustomChain  = "WEAVE-NPC-EGRESS-CUSTOM"
+	EgressMarkChain    = "WEAVE-NPC-EGRESS-ACCEPT"
+)
diff --git a/net/bridge.go b/net/bridge.go
@@ -14,11 +14,11 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/weaveworks/weave/common"
+	"github.com/weaveworks/weave/common/chains"
 	"github.com/weaveworks/weave/common/odp"
 	"github.com/weaveworks/weave/ipam/tracker"
 	"github.com/weaveworks/weave/net/address"
 	"github.com/weaveworks/weave/net/ipset"
-	"github.com/weaveworks/weave/npc"
 )
 
 /* This code implements three possible configurations to connect
@@ -513,12 +513,12 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error {
 	if config.NPC {
 		// Steer traffic via the NPC.
 
-		if err = ensureChains(ipt, "filter", npc.MainChain, npc.EgressChain); err != nil {
+		if err = ensureChains(ipt, "filter", chains.MainChain, chains.EgressChain); err != nil {
 			return err
 		}
 
 		// Steer egress traffic destined to local node.
-		if err = ipt.AppendUnique("filter", "INPUT", "-i", config.WeaveBridgeName, "-j", npc.EgressChain); err != nil {
+		if err = ipt.AppendUnique("filter", "INPUT", "-i", config.WeaveBridgeName, "-j", chains.EgressChain); err != nil {
 			return err
 		}
 		fwdRules = append(fwdRules,
@@ -527,11 +527,11 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error {
 				// ACCEPT in WEAVE-NPC-EGRESS chain
 				{"-i", config.WeaveBridgeName,
 					"-m", "comment", "--comment", "NOTE: this must go before '-j KUBE-FORWARD'",
-					"-j", npc.EgressChain},
+					"-j", chains.EgressChain},
 				// The following rules are for ingress NPC processing
 				{"-o", config.WeaveBridgeName,
 					"-m", "comment", "--comment", "NOTE: this must go before '-j KUBE-FORWARD'",
-					"-j", npc.MainChain},
+					"-j", chains.MainChain},
 				{"-o", config.WeaveBridgeName, "-m", "state", "--state", "NEW", "-j", "NFLOG", "--nflog-group", "86"},
 				{"-o", config.WeaveBridgeName, "-j", "DROP"},
 			}...)

diff --git a/npc/constants.go b/npc/constants.go
@@ -2,16 +2,7 @@ package npc
 
 const (
 	TableFilter = "filter"
-
-	MainChain    = "WEAVE-NPC"
-	DefaultChain = "WEAVE-NPC-DEFAULT"
-	IngressChain = "WEAVE-NPC-INGRESS"
-
-	EgressChain        = "WEAVE-NPC-EGRESS"
-	EgressDefaultChain = "WEAVE-NPC-EGRESS-DEFAULT"
-	EgressCustomChain  = "WEAVE-NPC-EGRESS-CUSTOM"
-	EgressMarkChain    = "WEAVE-NPC-EGRESS-ACCEPT"
-	EgressMark         = "0x40000/0x40000"
+	EgressMark  = "0x40000/0x40000"
 
 	IpsetNamePrefix = "weave-"
 

diff --git a/npc/controller.go b/npc/controller.go
@@ -12,6 +12,7 @@ import (
 	"k8s.io/client-go/kubernetes"
 
 	"github.com/weaveworks/weave/common"
+	"github.com/weaveworks/weave/common/chains"
 	"github.com/weaveworks/weave/net/ipset"
 	"github.com/weaveworks/weave/npc/iptables"
 )
@@ -157,7 +158,7 @@ func (npc *controller) AddNetworkPolicy(obj interface{}) error {
 		}
 		if egressNetworkPolicy {
 			npc.defaultEgressDrop = true
-			if err := npc.ipt.Append(TableFilter, EgressChain,
+			if err := npc.ipt.Append(TableFilter, chains.EgressChain,
 				"-m", "mark", "!", "--mark", EgressMark, "-j", "DROP"); err != nil {
 				npc.defaultEgressDrop = false
 				return fmt.Errorf("Failed to add iptable rule to drop egress traffic from the pods by default due to %s", err.Error())

diff --git a/npc/controller_test.go b/npc/controller_test.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
+	"github.com/weaveworks/weave/common/chains"
 	"github.com/weaveworks/weave/net/ipset"
 	coreapi "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
@@ -582,8 +583,8 @@ func TestEgressPolicyWithIPBlock(t *testing.T) {
 	require.True(t, m.entriesExist(exceptIPSetName, "192.168.48.2/32"))
 
 	// Each egress rule is represented as two iptables rules (-J MARK and -J RETURN).
-	require.Equal(t, 2, len(ipt.rules[EgressCustomChain]))
-	for rule := range ipt.rules[EgressCustomChain] {
+	require.Equal(t, 2, len(ipt.rules[chains.EgressCustomChain]))
+	for rule := range ipt.rules[chains.EgressCustomChain] {
 		require.Contains(t, rule, "-d 192.168.48.0/24 -m set ! --match-set "+exceptIPSetName+" dst")
 	}
 
@@ -690,8 +691,8 @@ func TestIngressPolicyWithIPBlockAndPortSpecified(t *testing.T) {
 	require.Equal(t, 1, len(m.sets[runBarIPSetName].subSets))
 	require.True(t, m.entriesExist(runBarIPSetName, barPodIP))
 
-	require.Equal(t, 1, len(ipt.rules[IngressChain]))
-	for rule := range ipt.rules[IngressChain] {
+	require.Equal(t, 1, len(ipt.rules[chains.IngressChain]))
+	for rule := range ipt.rules[chains.IngressChain] {
 		require.Contains(t, rule, "-s 192.168.48.4/32 -m set --match-set "+runBarIPSetName+" dst --dport 80")
 	}
 }
diff --git a/npc/namespace.go b/npc/namespace.go
@@ -12,6 +12,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 
 	"github.com/weaveworks/weave/common"
+	"github.com/weaveworks/weave/common/chains"
 	"github.com/weaveworks/weave/net/ipset"
 	"github.com/weaveworks/weave/npc/iptables"
 )
@@ -455,12 +456,12 @@ func (ns *ns) updateDefaultAllowIPSetEntry(oldObj, newObj *coreapi.Pod, ipsetNam
 
 func bypassRules(namespace string, ingress, egress ipset.Name) map[string][][]string {
 	return map[string][][]string{
-		DefaultChain: {
+		chains.DefaultChain: {
 			{"-m", "set", "--match-set", string(ingress), "dst", "-j", "ACCEPT",
 				"-m", "comment", "--comment", "DefaultAllow ingress isolation for namespace: " + namespace},
 		},
-		EgressDefaultChain: {
-			{"-m", "set", "--match-set", string(egress), "src", "-j", EgressMarkChain,
+		chains.EgressDefaultChain: {
+			{"-m", "set", "--match-set", string(egress), "src", "-j", chains.EgressMarkChain,
 				"-m", "comment", "--comment", "DefaultAllow egress isolation for namespace: " + namespace},
 			{"-m", "set", "--match-set", string(egress), "src", "-j", "RETURN",
 				"-m", "comment", "--comment", "DefaultAllow egress isolation for namespace: " + namespace},

diff --git a/npc/rule.go b/npc/rule.go
@@ -8,6 +8,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 
 	"github.com/weaveworks/weave/common"
+	"github.com/weaveworks/weave/common/chains"
 	"github.com/weaveworks/weave/npc/iptables"
 )
 
@@ -55,9 +56,9 @@ func newRuleSpec(policyType policyType, proto *string, srcHost, dstHost ruleHost
 
 func (spec *ruleSpec) iptChain() string {
 	if spec.policyType == policyTypeEgress {
-		return EgressCustomChain
+		return chains.EgressCustomChain
 	}
-	return IngressChain
+	return chains.IngressChain
 }
 
 func (spec *ruleSpec) iptRuleSpecs() [][]string {
@@ -71,7 +72,7 @@ func (spec *ruleSpec) iptRuleSpecs() [][]string {
 	// policyTypeEgress
 	ruleMark := make([]string, len(spec.args))
 	copy(ruleMark, spec.args)
-	ruleMark = append(ruleMark, "-j", EgressMarkChain)
+	ruleMark = append(ruleMark, "-j", chains.EgressMarkChain)
 	ruleReturn := make([]string, len(spec.args))
 	copy(ruleReturn, spec.args)
 	ruleReturn = append(ruleReturn, "-j", "RETURN")

diff --git a/prog/weave-npc/main.go b/prog/weave-npc/main.go
@@ -17,6 +17,7 @@ import (
 	"k8s.io/client-go/tools/cache"
 
 	"github.com/weaveworks/weave/common"
+	"github.com/weaveworks/weave/common/chains"
 	"github.com/weaveworks/weave/net"
 	"github.com/weaveworks/weave/net/ipset"
 	"github.com/weaveworks/weave/npc"
@@ -52,27 +53,27 @@ func makeController(getter cache.Getter, resource string,
 
 func resetIPTables(ipt *iptables.IPTables) error {
 	// Flush chains first so there are no refs to extant ipsets
-	if err := ipt.ClearChain(npc.TableFilter, npc.IngressChain); err != nil {
+	if err := ipt.ClearChain(npc.TableFilter, chains.IngressChain); err != nil {
 		return err
 	}
 
-	if err := ipt.ClearChain(npc.TableFilter, npc.DefaultChain); err != nil {
+	if err := ipt.ClearChain(npc.TableFilter, chains.DefaultChain); err != nil {
 		return err
 	}
 
-	if err := ipt.ClearChain(npc.TableFilter, npc.MainChain); err != nil {
+	if err := ipt.ClearChain(npc.TableFilter, chains.MainChain); err != nil {
 		return err
 	}
 
-	if err := ipt.ClearChain(npc.TableFilter, npc.EgressMarkChain); err != nil {
+	if err := ipt.ClearChain(npc.TableFilter, chains.EgressMarkChain); err != nil {
 		return err
 	}
 
-	if err := ipt.ClearChain(npc.TableFilter, npc.EgressCustomChain); err != nil {
+	if err := ipt.ClearChain(npc.TableFilter, chains.EgressCustomChain); err != nil {
 		return err
 	}
 
-	if err := ipt.ClearChain(npc.TableFilter, npc.EgressDefaultChain); err != nil {
+	if err := ipt.ClearChain(npc.TableFilter, chains.EgressDefaultChain); err != nil {
 		return err
 	}
 
@@ -121,35 +122,35 @@ func resetIPSets(ips ipset.Interface) error {
 
 func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 	// Configure main chain static rules
-	if err := ipt.Append(npc.TableFilter, npc.MainChain,
+	if err := ipt.Append(npc.TableFilter, chains.MainChain,
 		"-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"); err != nil {
 		return err
 	}
 
 	if allowMcast {
-		if err := ipt.Append(npc.TableFilter, npc.MainChain,
+		if err := ipt.Append(npc.TableFilter, chains.MainChain,
 			"-d", "224.0.0.0/4", "-j", "ACCEPT"); err != nil {
 			return err
 		}
 	}
 
 	// If the destination address is not any of the local pods, let it through
-	if err := ipt.Append(npc.TableFilter, npc.MainChain,
+	if err := ipt.Append(npc.TableFilter, chains.MainChain,
 		"-m", "physdev", "--physdev-is-bridged", "--physdev-out="+bridgePortName, "-j", "ACCEPT"); err != nil {
 		return err
 	}
 
-	if err := ipt.Append(npc.TableFilter, npc.MainChain,
-		"-m", "state", "--state", "NEW", "-j", string(npc.DefaultChain)); err != nil {
+	if err := ipt.Append(npc.TableFilter, chains.MainChain,
+		"-m", "state", "--state", "NEW", "-j", chains.DefaultChain); err != nil {
 		return err
 	}
 
-	if err := ipt.Append(npc.TableFilter, npc.MainChain,
-		"-m", "state", "--state", "NEW", "-j", string(npc.IngressChain)); err != nil {
+	if err := ipt.Append(npc.TableFilter, chains.MainChain,
+		"-m", "state", "--state", "NEW", "-j", chains.IngressChain); err != nil {
 		return err
 	}
 
-	if err := ipt.Append(npc.TableFilter, npc.EgressMarkChain,
+	if err := ipt.Append(npc.TableFilter, chains.EgressMarkChain,
 		"-j", "MARK", "--set-xmark", npc.EgressMark); err != nil {
 		return err
 	}
@@ -187,11 +188,11 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 		ruleSpecs = append(ruleSpecs, []string{"-d", "224.0.0.0/4", "-j", "RETURN"})
 	}
 	ruleSpecs = append(ruleSpecs, [][]string{
-		{"-m", "state", "--state", "NEW", "-j", string(npc.EgressDefaultChain)},
-		{"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", string(npc.EgressCustomChain)},
+		{"-m", "state", "--state", "NEW", "-j", chains.EgressDefaultChain},
+		{"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", chains.EgressCustomChain},
 		{"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", "NFLOG", "--nflog-group", "86"},
 	}...)
-	if err := net.AddChainWithRules(ipt, npc.TableFilter, npc.EgressChain, ruleSpecs); err != nil {
+	if err := net.AddChainWithRules(ipt, npc.TableFilter, chains.EgressChain, ruleSpecs); err != nil {
 		return err
 	}