adelorenzo/kilo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pkg/iptables: re-organize rules

Browse Source 
This commit better organizes the location of iptables rules. This is
made possible by exposing two new funcs, `NewRule` and `NewChain`.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit is contained in:
Lucas Servén Marín
2020-03-06 16:57:05 +01:00
parent f6549185cf
commit 8908cf19cb
2 changed files with 21 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/encapsulation/ipip.go
View File

@@ -66,7 +66,17 @@ func (i *ipip) Init(base int) error {
// Rules returns a set of iptables rules that are necessary
// when traffic between nodes must be encapsulated.
func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
return iptables.IPIPRules(nodes)
var rules []iptables.Rule
rules = append(rules, iptables.NewChain("filter", "KILO-IPIP"))
rules = append(rules, iptables.NewRule("filter", "INPUT", "-m", "comment", "--comment", "Kilo: jump to IPIP chain", "-p", "4", "-j", "KILO-IPIP"))
for _, n := range nodes {
// Accept encapsulated traffic from peers.
rules = append(rules, iptables.NewRule("filter", "KILO-IPIP", "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-s", n.IP.String(), "-j", "ACCEPT"))
}
// Drop all other IPIP traffic.
rules = append(rules, iptables.NewRule("filter", "INPUT", "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-p", "4", "-j", "DROP"))
return rules
}
// Set sets the IP address of the IPIP interface.