Alex Stockinger 2022-09-27 04:31:00 +09:00 committed by GitHub
commit 99f0e11d8c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 9 deletions


@ -115,6 +115,7 @@ var (
resyncPeriod time.Duration resyncPeriod time.Duration
iptablesForwardRule bool iptablesForwardRule bool
prioritisePrivateAddr bool prioritisePrivateAddr bool
dropOtherIpIpTraffic bool
printVersion bool printVersion bool
logLevel string logLevel string
@ -145,6 +146,7 @@ func init() {
cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?") cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!") cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!")
cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.") cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.")
cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Should Kilo drop other IP-over-IP traffic (not available in compatibility mode)?")
cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit") cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels)) cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
@ -216,7 +218,7 @@ func runRoot(_ *cobra.Command, _ []string) error {
case "cilium": case "cilium":
enc = encapsulation.NewCilium(e) enc = encapsulation.NewCilium(e)
default: default:
enc = encapsulation.NewIPIP(e) enc = encapsulation.NewIPIP(e, dropOtherIpIpTraffic)
} }
gr := mesh.Granularity(granularity) gr := mesh.Granularity(granularity)
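Review bot: The help text for the new --drop-other-ipip-traffic flag in the init hunk does not say what disabling it means for the node, while the neighbouring --iptables-forward-rules flag carries exactly that kind of warning; with the flag false the INPUT DROP rules for IPIP packets from non-peer sources are no longer installed (the Rules change in pkg/encapsulation/ipip.go), so those packets are left to the rest of the INPUT chain. Suggest `"Should Kilo drop other IP-over-IP traffic (not available in compatibility mode)? Setting this to false leaves IPIP packets from non-peer sources to the rest of the INPUT chain."`. The variable name also departs from Go's initialism convention; `dropOtherIPIPTraffic` would match the surrounding identifiers, and the same applies to the field and constructor parameter in ipip.go. The "not available in compatibility mode" wording appears to be unenforced: the value is only read in the default branch of the encapsulation switch, so under another mode it is silently ignored rather than rejected — hedged, since the rest of runRoot is outside the hunk.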


@ -38,6 +38,7 @@ Flags:
--cni-path string Path to CNI config. (default "/etc/cni/net.d/10-kilo.conflist") --cni-path string Path to CNI config. (default "/etc/cni/net.d/10-kilo.conflist")
--compatibility string Should Kilo run in compatibility mode? Possible values: flannel --compatibility string Should Kilo run in compatibility mode? Possible values: flannel
--create-interface Should kilo create an interface on startup? (default true) --create-interface Should kilo create an interface on startup? (default true)
--drop-other-ipip-traffic Should Kilo drop other IP-over-IP traffic (not available in compatibility mode)? (default true)
--encapsulate string When should Kilo encapsulate packets within a location? Possible values: never, crosssubnet, always (default "always") --encapsulate string When should Kilo encapsulate packets within a location? Possible values: never, crosssubnet, always (default "always")
-h, --help help for kg -h, --help help for kg
--hostname string Hostname of the node on which this process is running. --hostname string Hostname of the node on which this process is running.


@ -23,13 +23,14 @@ import (
) )
type ipip struct { type ipip struct {
iface int iface int
strategy Strategy strategy Strategy
dropOtherIpIpTraffic bool
} }
// NewIPIP returns an encapsulator that uses IPIP. // NewIPIP returns an encapsulator that uses IPIP.
func NewIPIP(strategy Strategy) Encapsulator { func NewIPIP(strategy Strategy, dropOtherIpIpTraffic bool) Encapsulator {
return &ipip{strategy: strategy} return &ipip{strategy: strategy, dropOtherIpIpTraffic: dropOtherIpIpTraffic}
} }
// CleanUp will remove any created IPIP devices. // CleanUp will remove any created IPIP devices.
@ -76,9 +77,11 @@ func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
// Accept encapsulated traffic from peers. // Accept encapsulated traffic from peers.
rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT")) rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
} }
// Drop all other IPIP traffic. if i.dropOtherIpIpTraffic {
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP")) // Drop all other IPIP traffic.
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP")) rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
}
return rules return rules
} }
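Review bot: NewIPIP's doc comment was not extended for the new dropOtherIpIpTraffic parameter, and the new `if` in Rules gives no hint of what remains in place when it is false; Rules starts above this hunk. Suggest `// NewIPIP returns an encapsulator that uses IPIP. When dropOtherIpIpTraffic is false, the INPUT DROP rules for IPIP packets from non-peer sources are not generated, so such packets are handled by the rest of the INPUT chain.` The per-peer ACCEPT rules in KILO-IPIP are still emitted in that case, so the flag only ever removes filtering, never adds it; the comment inside the branch could say so, e.g. `// Drop all other IPIP traffic unless the operator opted out.`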


@ -1086,7 +1086,7 @@ func TestRoutes(t *testing.T) {
}, },
}, },
} { } {
routes, rules := tc.topology.Routes(DefaultKiloInterface, kiloIface, privIface, tunlIface, tc.local, encapsulation.NewIPIP(tc.strategy)) routes, rules := tc.topology.Routes(DefaultKiloInterface, kiloIface, privIface, tunlIface, tc.local, encapsulation.NewIPIP(tc.strategy, true))
if diff := pretty.Compare(routes, tc.routes); diff != "" { if diff := pretty.Compare(routes, tc.routes); diff != "" {
t.Errorf("test case %q: got diff: %v", tc.name, diff) t.Errorf("test case %q: got diff: %v", tc.name, diff)
} }
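Review bot: The updated call passes `true` only, so the new `if i.dropOtherIpIpTraffic` branch in ipip.Rules is exercised solely along its previous behaviour and the false path, where no INPUT DROP rules should appear in `rules`, has no coverage. A table entry that builds the encapsulator with `encapsulation.NewIPIP(tc.strategy, false)` and asserts the two DROP rules are absent would pin the new behaviour; TestRoutes starts above this hunk, so the table shape is only partly visible here.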