adelorenzo/kilo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Make dropping of other IPIP traffic optional

Browse Source
This commit is contained in:
Alex Stockinger
2022-06-28 16:12:30 +00:00
parent cb238c85a1
commit c539a8bf1c
2 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/encapsulation/ipip.go
View File

@@ -23,13 +23,14 @@ import (
)
type ipip struct {
iface int
strategy Strategy
iface int
strategy Strategy
dropOtherIpIpTraffic bool
}
// NewIPIP returns an encapsulator that uses IPIP.
func NewIPIP(strategy Strategy) Encapsulator {
return &ipip{strategy: strategy}
func NewIPIP(strategy Strategy, dropOtherIpIpTraffic bool) Encapsulator {
return &ipip{strategy: strategy, dropOtherIpIpTraffic: dropOtherIpIpTraffic}
}
// CleanUp will remove any created IPIP devices.
@@ -76,9 +77,11 @@ func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
// Accept encapsulated traffic from peers.
rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
}
// Drop all other IPIP traffic.
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
if i.dropOtherIpIpTraffic {
// Drop all other IPIP traffic.
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
}
return rules
}