From a3c76e141b76aebe7c2fce5baa7c3bdac53557ac Mon Sep 17 00:00:00 2001
From: Bryan Boreham
Date: Tue, 29 Oct 2019 17:10:01 +0000
Subject: [PATCH] Move name constants to separate 'chains' package, to reduce dependencies

We don't want everyone that uses the `net` package to get a transitive dependency on the Kubernetes APIs required by `npc`.
---
 common/chains/npc.go | 12 ++++++++++++
 net/bridge.go | 10 +++++-----
 npc/constants.go | 11 +----------
 npc/controller.go | 3 ++-
 npc/controller_test.go | 9 +++++----
 npc/namespace.go | 7 ++++---
 npc/rule.go | 7 ++++---
 prog/weave-npc/main.go | 35 ++++++++++++++++++-----------------
 8 files changed, 51 insertions(+), 43 deletions(-)
 create mode 100644 common/chains/npc.go

diff --git a/common/chains/npc.go b/common/chains/npc.go
new file mode 100644
index 0000000000..1a9b9a3ddc
--- /dev/null
+++ b/common/chains/npc.go
@@ -0,0 +1,12 @@
+package chains
+
+const (
+ MainChain = "WEAVE-NPC"
+ DefaultChain = "WEAVE-NPC-DEFAULT"
+ IngressChain = "WEAVE-NPC-INGRESS"
+
+ EgressChain = "WEAVE-NPC-EGRESS"
+ EgressDefaultChain = "WEAVE-NPC-EGRESS-DEFAULT"
+ EgressCustomChain = "WEAVE-NPC-EGRESS-CUSTOM"
+ EgressMarkChain = "WEAVE-NPC-EGRESS-ACCEPT"
+)
diff --git a/net/bridge.go b/net/bridge.go
index 268e70c18c..7154574ce4 100644
--- a/net/bridge.go
+++ b/net/bridge.go
@@ -14,11 +14,11 @@ import (
 "k8s.io/apimachinery/pkg/types"
 
 "github.com/weaveworks/weave/common"
+ "github.com/weaveworks/weave/common/chains"
 "github.com/weaveworks/weave/common/odp"
 "github.com/weaveworks/weave/ipam/tracker"
 "github.com/weaveworks/weave/net/address"
 "github.com/weaveworks/weave/net/ipset"
- "github.com/weaveworks/weave/npc"
 )
 
 /* This code implements three possible configurations to connect
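Review bot: None of the seven exported constants in the new `common/chains/npc.go`, nor the `package chains` clause, carries a doc comment, so the package that now exists specifically to be imported on its own says nothing about what it names. I would add `// Package chains holds the names of the iptables filter-table chains that weave-npc programs and that net/bridge.go steers bridge traffic into.` above the package clause, plus a short comment per constant. `EgressMarkChain` most needs one: its value is `WEAVE-NPC-EGRESS-ACCEPT`, while `prog/weave-npc/main.go` populates that chain with `-j MARK --set-xmark npc.EgressMark`, so a reader matching a live `iptables -S` listing against the code finds neither "MARK" in the chain name nor "ACCEPT" in the constant name without a comment tying the two together.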
@@ -513,12 +513,12 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error {
 if config.NPC {
 // Steer traffic via the NPC.
- if err = ensureChains(ipt, "filter", npc.MainChain, npc.EgressChain); err != nil {
+ if err = ensureChains(ipt, "filter", chains.MainChain, chains.EgressChain); err != nil {
 return err
 }
 // Steer egress traffic destined to local node.
- if err = ipt.AppendUnique("filter", "INPUT", "-i", config.WeaveBridgeName, "-j", npc.EgressChain); err != nil {
+ if err = ipt.AppendUnique("filter", "INPUT", "-i", config.WeaveBridgeName, "-j", chains.EgressChain); err != nil {
 return err
 }
 fwdRules = append(fwdRules,
@@ -527,11 +527,11 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error {
 // ACCEPT in WEAVE-NPC-EGRESS chain
 {"-i", config.WeaveBridgeName, "-m", "comment", "--comment", "NOTE: this must go before '-j KUBE-FORWARD'",
- "-j", npc.EgressChain},
+ "-j", chains.EgressChain},
 // The following rules are for ingress NPC processing
 {"-o", config.WeaveBridgeName, "-m", "comment", "--comment", "NOTE: this must go before '-j KUBE-FORWARD'",
- "-j", npc.MainChain},
+ "-j", chains.MainChain},
 {"-o", config.WeaveBridgeName, "-m", "state", "--state", "NEW", "-j", "NFLOG", "--nflog-group", "86"},
 {"-o", config.WeaveBridgeName, "-j", "DROP"},
 }...)
diff --git a/npc/constants.go b/npc/constants.go
index 6c94dcc9fc..07185f2c22 100644
--- a/npc/constants.go
+++ b/npc/constants.go
@@ -2,16 +2,7 @@ package npc
 const (
 TableFilter = "filter"
-
- MainChain = "WEAVE-NPC"
- DefaultChain = "WEAVE-NPC-DEFAULT"
- IngressChain = "WEAVE-NPC-INGRESS"
-
- EgressChain = "WEAVE-NPC-EGRESS"
- EgressDefaultChain = "WEAVE-NPC-EGRESS-DEFAULT"
- EgressCustomChain = "WEAVE-NPC-EGRESS-CUSTOM"
- EgressMarkChain = "WEAVE-NPC-EGRESS-ACCEPT"
- EgressMark = "0x40000/0x40000"
+ EgressMark = "0x40000/0x40000"
 IpsetNamePrefix = "weave-"
diff --git a/npc/controller.go b/npc/controller.go
index ecba6056d0..0f218e630e 100644
--- a/npc/controller.go
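Review bot: The split leaves `TableFilter` and `EgressMark` in `npc/constants.go` while every chain name moves out, so callers now straddle the two packages on a single rule: `prog/weave-npc/main.go` writes `ipt.Append(npc.TableFilter, chains.EgressMarkChain, "-j", "MARK", "--set-xmark", npc.EgressMark)`, and `net/bridge.go` keeps the literal `"filter"` in `ensureChains(ipt, "filter", chains.MainChain, chains.EgressChain)` because it can no longer reach `npc.TableFilter` without the dependency this commit removes. Neither value depends on Kubernetes any more than the chain names do, so moving `TableFilter = "filter"` and `EgressMark = "0x40000/0x40000"` into `chains` as well would let `bridge.go` drop the literal and keep table, chain and mark in one vocabulary. If they are intentionally left behind, a one-line comment on the remaining block in `npc/constants.go` explaining where the boundary lies would save the next reader the same question.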
+++ b/npc/controller.go
@@ -12,6 +12,7 @@ import (
 "k8s.io/client-go/kubernetes"
 
 "github.com/weaveworks/weave/common"
+ "github.com/weaveworks/weave/common/chains"
 "github.com/weaveworks/weave/net/ipset"
 "github.com/weaveworks/weave/npc/iptables"
 )
@@ -157,7 +158,7 @@ func (npc *controller) AddNetworkPolicy(obj interface{}) error {
 }
 if egressNetworkPolicy {
 npc.defaultEgressDrop = true
- if err := npc.ipt.Append(TableFilter, EgressChain,
+ if err := npc.ipt.Append(TableFilter, chains.EgressChain,
 "-m", "mark", "!", "--mark", EgressMark, "-j", "DROP"); err != nil {
 npc.defaultEgressDrop = false
 return fmt.Errorf("Failed to add iptable rule to drop egress traffic from the pods by default due to %s", err.Error())
diff --git a/npc/controller_test.go b/npc/controller_test.go
index 618e453c7e..07e8ec594a 100644
--- a/npc/controller_test.go
+++ b/npc/controller_test.go
@@ -8,6 +8,7 @@ import (
 
 "github.com/pkg/errors"
 "github.com/stretchr/testify/require"
+ "github.com/weaveworks/weave/common/chains"
 "github.com/weaveworks/weave/net/ipset"
 coreapi "k8s.io/api/core/v1"
 networkingv1 "k8s.io/api/networking/v1"
@@ -582,8 +583,8 @@ func TestEgressPolicyWithIPBlock(t *testing.T) {
 require.True(t, m.entriesExist(exceptIPSetName, "192.168.48.2/32"))
 // Each egress rule is represented as two iptables rules (-J MARK and -J RETURN).
- require.Equal(t, 2, len(ipt.rules[EgressCustomChain]))
- for rule := range ipt.rules[EgressCustomChain] {
+ require.Equal(t, 2, len(ipt.rules[chains.EgressCustomChain]))
+ for rule := range ipt.rules[chains.EgressCustomChain] {
 require.Contains(t, rule, "-d 192.168.48.0/24 -m set ! --match-set "+exceptIPSetName+" dst")
 }
@@ -690,8 +691,8 @@ func TestIngressPolicyWithIPBlockAndPortSpecified(t *testing.T) {
 require.Equal(t, 1, len(m.sets[runBarIPSetName].subSets))
 require.True(t, m.entriesExist(runBarIPSetName, barPodIP))
- require.Equal(t, 1, len(ipt.rules[IngressChain]))
- for rule := range ipt.rules[IngressChain] {
+ require.Equal(t, 1, len(ipt.rules[chains.IngressChain]))
+ for rule := range ipt.rules[chains.IngressChain] {
 require.Contains(t, rule, "-s 192.168.48.4/32 -m set --match-set "+runBarIPSetName+" dst --dport 80")
 }
 }
diff --git a/npc/namespace.go b/npc/namespace.go
index 6423b4cdf9..8a9dcfb75f 100644
--- a/npc/namespace.go
+++ b/npc/namespace.go
@@ -12,6 +12,7 @@ import (
 "k8s.io/apimachinery/pkg/util/uuid"
 
 "github.com/weaveworks/weave/common"
+ "github.com/weaveworks/weave/common/chains"
 "github.com/weaveworks/weave/net/ipset"
 "github.com/weaveworks/weave/npc/iptables"
 )
@@ -455,12 +456,12 @@ func (ns *ns) updateDefaultAllowIPSetEntry(oldObj, newObj *coreapi.Pod, ipsetNam
 
 func bypassRules(namespace string, ingress, egress ipset.Name) map[string][][]string {
 return map[string][][]string{
- DefaultChain: {
+ chains.DefaultChain: {
 {"-m", "set", "--match-set", string(ingress), "dst", "-j", "ACCEPT",
 "-m", "comment", "--comment", "DefaultAllow ingress isolation for namespace: " + namespace},
 },
- EgressDefaultChain: {
- {"-m", "set", "--match-set", string(egress), "src", "-j", EgressMarkChain,
+ chains.EgressDefaultChain: {
+ {"-m", "set", "--match-set", string(egress), "src", "-j", chains.EgressMarkChain,
 "-m", "comment", "--comment", "DefaultAllow egress isolation for namespace: " + namespace},
 {"-m", "set", "--match-set", string(egress), "src", "-j", "RETURN",
 "-m", "comment", "--comment", "DefaultAllow egress isolation for namespace: " + namespace},
diff --git a/npc/rule.go b/npc/rule.go
index 1edee7701e..79589da18b 100644
--- a/npc/rule.go
+++ b/npc/rule.go
@@ -8,6 +8,7 @@ import (
 "k8s.io/apimachinery/pkg/types"
 
 "github.com/weaveworks/weave/common"
+ "github.com/weaveworks/weave/common/chains"
 "github.com/weaveworks/weave/npc/iptables"
 )
 
@@ -55,9 +56,9 @@ func newRuleSpec(policyType policyType, proto *string, srcHost, dstHost ruleHost
 
 func (spec *ruleSpec) iptChain() string {
 if spec.policyType == policyTypeEgress {
- return EgressCustomChain
+ return chains.EgressCustomChain
 }
- return IngressChain
+ return chains.IngressChain
 }
 
 func (spec *ruleSpec) iptRuleSpecs() [][]string {
@@ -71,7 +72,7 @@ func (spec *ruleSpec) iptRuleSpecs() [][]string {
 // policyTypeEgress
 ruleMark := make([]string, len(spec.args))
 copy(ruleMark, spec.args)
- ruleMark = append(ruleMark, "-j", EgressMarkChain)
+ ruleMark = append(ruleMark, "-j", chains.EgressMarkChain)
 ruleReturn := make([]string, len(spec.args))
 copy(ruleReturn, spec.args)
 ruleReturn = append(ruleReturn, "-j", "RETURN")
diff --git a/prog/weave-npc/main.go b/prog/weave-npc/main.go
index 22e4e556a5..ab6ffebae2 100644
--- a/prog/weave-npc/main.go
+++ b/prog/weave-npc/main.go
@@ -17,6 +17,7 @@ import (
 "k8s.io/client-go/tools/cache"
 
 "github.com/weaveworks/weave/common"
+ "github.com/weaveworks/weave/common/chains"
 "github.com/weaveworks/weave/net"
 "github.com/weaveworks/weave/net/ipset"
 "github.com/weaveworks/weave/npc"
@@ -52,27 +53,27 @@ func makeController(getter cache.Getter, resource string,
 
 func resetIPTables(ipt *iptables.IPTables) error {
 // Flush chains first so there are no refs to extant ipsets
- if err := ipt.ClearChain(npc.TableFilter, npc.IngressChain); err != nil {
+ if err := ipt.ClearChain(npc.TableFilter, chains.IngressChain); err != nil {
 return err
 }
 
- if err := ipt.ClearChain(npc.TableFilter, npc.DefaultChain); err != nil {
+ if err := ipt.ClearChain(npc.TableFilter, chains.DefaultChain); err != nil {
 return err
 }
 
- if err := ipt.ClearChain(npc.TableFilter, npc.MainChain); err != nil {
+ if err := ipt.ClearChain(npc.TableFilter, chains.MainChain); err != nil {
 return err
 }
 
- if err := ipt.ClearChain(npc.TableFilter, npc.EgressMarkChain); err != nil {
+ if err := ipt.ClearChain(npc.TableFilter, chains.EgressMarkChain); err != nil {
 return err
 }
 
- if err := ipt.ClearChain(npc.TableFilter, npc.EgressCustomChain); err != nil {
+ if err := ipt.ClearChain(npc.TableFilter, chains.EgressCustomChain); err != nil {
 return err
 }
 
- if err := ipt.ClearChain(npc.TableFilter, npc.EgressDefaultChain); err != nil {
+ if err := ipt.ClearChain(npc.TableFilter, chains.EgressDefaultChain); err != nil {
 return err
 }
 
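Review bot: Each of the six `ClearChain` calls in `resetIPTables` returns the bare `err`, so a failure reports nothing about which chain was being flushed, and the six statement groups are identical apart from the constant even though this commit is the moment the constants gain a single home. A loop over a slice of the `chains` names collapses the blocks, preserves the flush order the slice literal spells out, and gives one place to attach the chain name to the error (with `fmt.Errorf`, or whichever wrapping helper main.go already imports; `%w` rather than `%v` if the module builds with Go 1.13 or later). The function's body appears to continue past the end of the hunk.
```go
func resetIPTables(ipt *iptables.IPTables) error {
	// Flush chains first so there are no refs to extant ipsets
	for _, chain := range []string{
		chains.IngressChain,
		chains.DefaultChain,
		chains.MainChain,
		chains.EgressMarkChain,
		chains.EgressCustomChain,
		chains.EgressDefaultChain,
	} {
		if err := ipt.ClearChain(npc.TableFilter, chain); err != nil {
			return fmt.Errorf("clearing iptables chain %s: %v", chain, err)
		}
	}
	// … unchanged: remainder of resetIPTables …
```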
@@ -121,35 +122,35 @@ func resetIPSets(ips ipset.Interface) error {
 
 func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 // Configure main chain static rules
- if err := ipt.Append(npc.TableFilter, npc.MainChain,
+ if err := ipt.Append(npc.TableFilter, chains.MainChain,
 "-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"); err != nil {
 return err
 }
 
 if allowMcast {
- if err := ipt.Append(npc.TableFilter, npc.MainChain,
+ if err := ipt.Append(npc.TableFilter, chains.MainChain,
 "-d", "224.0.0.0/4", "-j", "ACCEPT"); err != nil {
 return err
 }
 }
 
 // If the destination address is not any of the local pods, let it through
- if err := ipt.Append(npc.TableFilter, npc.MainChain,
+ if err := ipt.Append(npc.TableFilter, chains.MainChain,
 "-m", "physdev", "--physdev-is-bridged", "--physdev-out="+bridgePortName, "-j", "ACCEPT"); err != nil {
 return err
 }
 
- if err := ipt.Append(npc.TableFilter, npc.MainChain,
- "-m", "state", "--state", "NEW", "-j", string(npc.DefaultChain)); err != nil {
+ if err := ipt.Append(npc.TableFilter, chains.MainChain,
+ "-m", "state", "--state", "NEW", "-j", chains.DefaultChain); err != nil {
 return err
 }
 
- if err := ipt.Append(npc.TableFilter, npc.MainChain,
- "-m", "state", "--state", "NEW", "-j", string(npc.IngressChain)); err != nil {
+ if err := ipt.Append(npc.TableFilter, chains.MainChain,
+ "-m", "state", "--state", "NEW", "-j", chains.IngressChain); err != nil {
 return err
 }
 
- if err := ipt.Append(npc.TableFilter, npc.EgressMarkChain,
+ if err := ipt.Append(npc.TableFilter, chains.EgressMarkChain,
 "-j", "MARK", "--set-xmark", npc.EgressMark); err != nil {
 return err
 }
@@ -187,11 +188,11 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error {
 ruleSpecs = append(ruleSpecs, []string{"-d", "224.0.0.0/4", "-j", "RETURN"})
 }
 ruleSpecs = append(ruleSpecs, [][]string{
- {"-m", "state", "--state", "NEW", "-j", string(npc.EgressDefaultChain)},
- {"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", string(npc.EgressCustomChain)},
+ {"-m", "state", "--state", "NEW", "-j", chains.EgressDefaultChain},
+ {"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", chains.EgressCustomChain},
 {"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", "NFLOG", "--nflog-group", "86"},
 }...)
- if err := net.AddChainWithRules(ipt, npc.TableFilter, npc.EgressChain, ruleSpecs); err != nil {
+ if err := net.AddChainWithRules(ipt, npc.TableFilter, chains.EgressChain, ruleSpecs); err != nil {
 return err
 }