pkg/iptables: clean up, remove NAT
This commit cleans up the iptables package to allow other packages to create rules. This commit also removes all NAT from Kilo. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
@@ -68,6 +68,7 @@ func (m *Mesh) updateCNIConfig() {
|
||||
level.Info(m.logger).Log("msg", "CIDR in CNI file is not empty; overwriting", "old", cidr.String(), "new", n.Subnet.String())
|
||||
}
|
||||
|
||||
level.Info(m.logger).Log("msg", "setting CIDR in CNI file", "CIDR", n.Subnet.String())
|
||||
if err := setCIDRInCNI(m.cniPath, n.Subnet); err != nil {
|
||||
level.Warn(m.logger).Log("msg", "failed to set CIDR in CNI file", "err", err.Error())
|
||||
}
|
||||
|
@@ -605,12 +605,13 @@ func (m *Mesh) applyTopology() {
|
||||
return
|
||||
}
|
||||
rules := iptables.ForwardRules(m.subnet)
|
||||
var peerCIDRs []*net.IPNet
|
||||
for _, p := range peers {
|
||||
rules = append(rules, iptables.ForwardRules(p.AllowedIPs...)...)
|
||||
peerCIDRs = append(peerCIDRs, p.AllowedIPs...)
|
||||
// Finx the Kilo interface name.
|
||||
link, err := linkByIndex(m.kiloIface)
|
||||
if err != nil {
|
||||
level.Error(m.logger).Log("error", err)
|
||||
m.errorCounter.WithLabelValues("apply").Inc()
|
||||
return
|
||||
}
|
||||
rules = append(rules, iptables.MasqueradeRules(m.subnet, oneAddressCIDR(t.privateIP.IP), nodes[m.hostname].Subnet, t.RemoteSubnets(), peerCIDRs)...)
|
||||
// If we are handling local routes, ensure the local
|
||||
// tunnel has an IP address and IPIP traffic is allowed.
|
||||
if m.enc.Strategy() != encapsulation.Never && m.local {
|
||||
@@ -644,12 +645,6 @@ func (m *Mesh) applyTopology() {
|
||||
m.errorCounter.WithLabelValues("apply").Inc()
|
||||
return
|
||||
}
|
||||
link, err := linkByIndex(m.kiloIface)
|
||||
if err != nil {
|
||||
level.Error(m.logger).Log("error", err)
|
||||
m.errorCounter.WithLabelValues("apply").Inc()
|
||||
return
|
||||
}
|
||||
oldConf, err := wireguard.ShowConf(link.Attrs().Name)
|
||||
if err != nil {
|
||||
level.Error(m.logger).Log("error", err)
|
||||
|
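Review bot: The interface lookup that now sits right after the peer loop in the `@@ -605,12 +605,13 @@` hunk logs its failure as `level.Error(m.logger).Log("error", err)`, which carries no "msg" key, unlike the other log calls in this function (the first hunk uses `"msg", "failed to set CIDR in CNI file", "err", err.Error()`), and the comment above it misspells "Find" as "Finx". If these lines are the new side of the hunk (the identical lookup block is dropped further down in the `@@ -644,12 +645,6 @@` hunk, so this looks like a move rather than fresh code), I would change them to `// Find the Kilo interface name.` and `level.Error(m.logger).Log("msg", "failed to find Kilo interface", "err", err.Error())` so that a failure to apply the forwarding rules is searchable alongside the other apply errors. Returning before any rule is applied is the right order here; applyTopology starts and ends outside the hunk.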
@@ -163,18 +163,6 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra
|
||||
return &t, nil
|
||||
}
|
||||
|
||||
// RemoteSubnets identifies the subnets of the hosts in segments different than the host's.
|
||||
func (t *Topology) RemoteSubnets() []*net.IPNet {
|
||||
var remote []*net.IPNet
|
||||
for _, s := range t.segments {
|
||||
if s == nil || s.location == t.location {
|
||||
continue
|
||||
}
|
||||
remote = append(remote, s.cidrs...)
|
||||
}
|
||||
return remote
|
||||
}
|
||||
|
||||
// Routes generates a slice of routes for a given Topology.
|
||||
func (t *Topology) Routes(kiloIface, privIface, tunlIface int, local bool, enc encapsulation.Encapsulator) []*netlink.Route {
|
||||
var routes []*netlink.Route
|
||||
|