
pkg/iptables: re-organize rules

This commit better organizes the location of iptables rules. This is
made possible by exposing two new funcs, `NewRule` and `NewChain`.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Lucas Servén Marín 6 роки тому
батько
коміт
8908cf19cb
2 змінених файлів з 21 додано та 17 видалено
  1. 11 1
      pkg/encapsulation/ipip.go
  2. 10 16
      pkg/iptables/iptables.go

+ 11 - 1
pkg/encapsulation/ipip.go

@@ -66,7 +66,17 @@ func (i *ipip) Init(base int) error {
 // Rules returns a set of iptables rules that are necessary
 // when traffic between nodes must be encapsulated.
 func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
-	return iptables.IPIPRules(nodes)
+	var rules []iptables.Rule
+	rules = append(rules, iptables.NewChain("filter", "KILO-IPIP"))
+	rules = append(rules, iptables.NewRule("filter", "INPUT", "-m", "comment", "--comment", "Kilo: jump to IPIP chain", "-p", "4", "-j", "KILO-IPIP"))
+	for _, n := range nodes {
+		// Accept encapsulated traffic from peers.
+		rules = append(rules, iptables.NewRule("filter", "KILO-IPIP", "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-s", n.IP.String(), "-j", "ACCEPT"))
+	}
+	// Drop all other IPIP traffic.
+	rules = append(rules, iptables.NewRule("filter", "INPUT", "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-p", "4", "-j", "DROP"))
+
+	return rules
 }
 
 // Set sets the IP address of the IPIP interface.
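Review bot: The relative order of the two INPUT rules in Rules is load-bearing but undocumented: the jump to KILO-IPIP (line 29) must be appended before the terminating DROP (line 35), otherwise every protocol-4 packet is dropped before it can reach the per-node ACCEPT rules, and the code only gets this right because the slice is built in that sequence and Add installs rules with AppendUnique in that same order. Suggest replacing the comment on the DROP line with `// Drop all other IPIP traffic. Must stay after the jump to KILO-IPIP above: rules are applied in slice order and this DROP on INPUT is terminating.` Separately, the iptables comment text says `Kilo: reject other IPIP traffic` while the target is DROP, which silently discards rather than rejects; if that wording is kept deliberately (presumably so AppendUnique still matches rules installed by earlier versions), a short code comment saying so would save the next reader from "fixing" it.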

+ 10 - 16
pkg/iptables/iptables.go

@@ -49,6 +49,11 @@ type rule struct {
 	spec  []string
 }
 
+// NewRule creates a new iptables rule in the given table and chain.
+func NewRule(table, chain string, spec ...string) Rule {
+	return &rule{table, chain, spec}
+}
+
 func (r *rule) Add(client Client) error {
 	if err := client.AppendUnique(r.table, r.chain, r.spec...); err != nil {
 		return fmt.Errorf("failed to add iptables rule: %v", err)
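Review bot: The doc comment on NewRule (line 49) says it "creates a new iptables rule", but the function only builds an in-memory Rule; nothing reaches iptables until Add (line 54) calls client.AppendUnique. Suggest `// NewRule returns a Rule describing an iptables rule in the given table and chain. It does not modify iptables; call Add to install it.` The same wording issue applies to NewChain in the next hunk (line 61), which likewise does nothing until Add calls ClearChain. NewRule also stores the variadic spec slice as-is, so a caller that passes an existing slice with `spec...` shares its backing array with the returned rule and a later mutation changes what Add installs; copying it in the constructor with `return &rule{table, chain, append([]string(nil), spec...)}` would make the Rule self-contained.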
@@ -80,6 +85,11 @@ type chain struct {
 	chain string
 }
 
+// NewChain creates a new iptables chain in the given table.
+func NewChain(table, name string) Rule {
+	return &chain{table, name}
+}
+
 func (c *chain) Add(client Client) error {
 	if err := client.ClearChain(c.table, c.chain); err != nil {
 		return fmt.Errorf("failed to add iptables chain: %v", err)
@@ -263,22 +273,6 @@ func (c *Controller) CleanUp() error {
 	return c.deleteFromIndex(0, &c.rules)
 }
 
-// IPIPRules returns a set of iptables rules that are necessary
-// when traffic between nodes must be encapsulated with IPIP.
-func IPIPRules(nodes []*net.IPNet) []Rule {
-	var rules []Rule
-	rules = append(rules, &chain{"filter", "KILO-IPIP"})
-	rules = append(rules, &rule{"filter", "INPUT", []string{"-m", "comment", "--comment", "Kilo: jump to IPIP chain", "-p", "4", "-j", "KILO-IPIP"}})
-	for _, n := range nodes {
-		// Accept encapsulated traffic from peers.
-		rules = append(rules, &rule{"filter", "KILO-IPIP", []string{"-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-s", n.IP.String(), "-j", "ACCEPT"}})
-	}
-	// Drop all other IPIP traffic.
-	rules = append(rules, &rule{"filter", "INPUT", []string{"-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-p", "4", "-j", "DROP"}})
-
-	return rules
-}
-
 // ForwardRules returns a set of iptables rules that are necessary
 // when traffic must be forwarded for the overlay.
 func ForwardRules(subnets ...*net.IPNet) []Rule {