adelorenzo/kilo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Cleaned up rule logs

Browse Source
This commit is contained in:
Paulo Nascimento 2021-03-20 18:23:32 -03:00
parent ea65cb7401
commit 0c73ed60f4
2 changed files with 3 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pkg/mesh/mesh.go
View File

@ -489,7 +489,7 @@ func (m *Mesh) applyTopology() {
m.errorCounter.WithLabelValues("apply").Inc() m.errorCounter.WithLabelValues("apply").Inc()
return return
} }
ipRules := t.Rules(m.cni, m.logger) ipRules := t.Rules(m.cni)
// If we are handling local routes, ensure the local // If we are handling local routes, ensure the local
// tunnel has an IP address and IPIP traffic is allowed. // tunnel has an IP address and IPIP traffic is allowed.
if m.enc.Strategy() != encapsulation.Never && m.local { if m.enc.Strategy() != encapsulation.Never && m.local {

16
pkg/mesh/routes.go
View File

@ -17,8 +17,6 @@
package mesh package mesh
import ( import (
"github.com/go-kit/kit/log"
"github.com/go-kit/kit/log/level"
"net" "net"
"github.com/vishvananda/netlink" "github.com/vishvananda/netlink"
@ -222,7 +220,7 @@ func encapsulateRoute(route *netlink.Route, encapsulate encapsulation.Strategy,
} }
// Rules returns the iptables rules required by the local node. // Rules returns the iptables rules required by the local node.
func (t *Topology) Rules(cni bool, logger log.Logger) []iptables.Rule { func (t *Topology) Rules(cni bool) []iptables.Rule {
var rules []iptables.Rule var rules []iptables.Rule
rules = append(rules, iptables.NewIPv4Chain("nat", "KILO-NAT")) rules = append(rules, iptables.NewIPv4Chain("nat", "KILO-NAT"))
rules = append(rules, iptables.NewIPv6Chain("nat", "KILO-NAT")) rules = append(rules, iptables.NewIPv6Chain("nat", "KILO-NAT"))
@ -232,17 +230,7 @@ func (t *Topology) Rules(cni bool, logger log.Logger) []iptables.Rule {
for _, s := range t.segments { for _, s := range t.segments {
rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(s.wireGuardIP)), "nat", "KILO-NAT", "-d", oneAddressCIDR(s.wireGuardIP).String(), "-m", "comment", "--comment", "Kilo: do not NAT packets destined for WireGuared IPs", "-j", "RETURN")) rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(s.wireGuardIP)), "nat", "KILO-NAT", "-d", oneAddressCIDR(s.wireGuardIP).String(), "-m", "comment", "--comment", "Kilo: do not NAT packets destined for WireGuared IPs", "-j", "RETURN"))
for _, aip := range s.allowedIPs { for _, aip := range s.allowedIPs {
var proto = iptables.GetProtocol(len(aip.IP)) rules = append(rules, iptables.NewRule(iptables.GetProtocol(len(aip.IP)), "nat", "KILO-NAT", "-d", aip.String(), "-m", "comment", "--comment", "Kilo: do not NAT packets destined for known IPs", "-j", "RETURN"))
rules = append(rules, iptables.NewRule(proto, "nat", "KILO-NAT", "-d", aip.String(), "-m", "comment", "--comment", "Kilo: do not NAT packets destined for known IPs", "-j", "RETURN"))
var protocolName = "ipv4"
if proto == iptables.ProtocolIPv6 {
protocolName = "ipv6"
}
level.Debug(logger).Log("msg", "Firewall NAT rule created.", "AIP", aip, "Protocol", protocolName)
} }
} }
for _, p := range t.peers { for _, p := range t.peers {