This commit is contained in:
Alex Stockinger
2022-09-27 04:31:00 +09:00
committed by GitHub
4 changed files with 15 additions and 9 deletions


@@ -23,13 +23,14 @@ import (
)
type ipip struct {
iface int
strategy Strategy
iface int
strategy Strategy
dropOtherIpIpTraffic bool
}
// NewIPIP returns an encapsulator that uses IPIP.
func NewIPIP(strategy Strategy) Encapsulator {
return &ipip{strategy: strategy}
func NewIPIP(strategy Strategy, dropOtherIpIpTraffic bool) Encapsulator {
return &ipip{strategy: strategy, dropOtherIpIpTraffic: dropOtherIpIpTraffic}
}
// CleanUp will remove any created IPIP devices.
@@ -76,9 +77,11 @@ func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
// Accept encapsulated traffic from peers.
rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
}
// Drop all other IPIP traffic.
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
if i.dropOtherIpIpTraffic {
// Drop all other IPIP traffic.
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
}
return rules
}
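Review bot: When `dropOtherIpIpTraffic` is false the two INPUT DROP rules for protocol `proto` are no longer emitted, so IPIP packets from sources outside the peer set pass the filter and presumably reach the node's tunnel device, yet neither the new struct field nor the new NewIPIP parameter carries a comment saying so, and the NewIPIP doc comment in the first hunk still describes only `strategy`. Suggest documenting the field as `// dropOtherIpIpTraffic controls whether IPIP packets from sources other than known peers are dropped in INPUT; disabling it leaves the node's IPIP tunnel reachable from any host that can reach the node, so only turn it off when another firewall already filters that traffic.` and extending the NewIPIP comment with the same caveat. On style, Go's initialism convention would spell the field and parameter `dropOtherIPIPTraffic`. The body of Rules starts outside this hunk, so where `proto` and `rules` are set up is not visible here.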


@@ -1086,7 +1086,7 @@ func TestRoutes(t *testing.T) {
},
},
} {
routes, rules := tc.topology.Routes(DefaultKiloInterface, kiloIface, privIface, tunlIface, tc.local, encapsulation.NewIPIP(tc.strategy))
routes, rules := tc.topology.Routes(DefaultKiloInterface, kiloIface, privIface, tunlIface, tc.local, encapsulation.NewIPIP(tc.strategy, true))
if diff := pretty.Compare(routes, tc.routes); diff != "" {
t.Errorf("test case %q: got diff: %v", tc.name, diff)
}
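Review bot: The test is only adapted to the new signature by passing `true`, so the drop-disabled path introduced by this commit has no coverage and nothing asserts that the DROP rules disappear when the flag is false. Suggest either adding a boolean to the table (e.g. `dropOtherIPIP bool` per test case) and passing `encapsulation.NewIPIP(tc.strategy, tc.dropOtherIPIP)`, or adding a dedicated case that checks the INPUT DROP rules are absent for `false`. TestRoutes and its table begin outside this hunk, so the expected `rules` fixtures are not visible here.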