Make dropping of other IPIP traffic optional
This commit is contained in:
parent
cb238c85a1
commit
c539a8bf1c
@ -115,6 +115,7 @@ var (
|
|||||||
resyncPeriod time.Duration
|
resyncPeriod time.Duration
|
||||||
iptablesForwardRule bool
|
iptablesForwardRule bool
|
||||||
prioritisePrivateAddr bool
|
prioritisePrivateAddr bool
|
||||||
|
dropOtherIpIpTraffic bool
|
||||||
|
|
||||||
printVersion bool
|
printVersion bool
|
||||||
logLevel string
|
logLevel string
|
||||||
@ -145,6 +146,7 @@ func init() {
|
|||||||
cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
|
cmd.Flags().DurationVar(&resyncPeriod, "resync-period", 30*time.Second, "How often should the Kilo controllers reconcile?")
|
||||||
cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!")
|
cmd.Flags().BoolVar(&iptablesForwardRule, "iptables-forward-rules", false, "Add default accept rules to the FORWARD chain in iptables. Warning: this may break firewalls with a deny all policy and is potentially insecure!")
|
||||||
cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.")
|
cmd.Flags().BoolVar(&prioritisePrivateAddr, "prioritise-private-addresses", false, "Prefer to assign a private IP address to the node's endpoint.")
|
||||||
|
cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Drop other IP-over-IP traffic (not available in compatibility mode).")
|
||||||
|
|
||||||
cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
|
cmd.PersistentFlags().BoolVar(&printVersion, "version", false, "Print version and exit")
|
||||||
cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
|
cmd.PersistentFlags().StringVar(&logLevel, "log-level", logLevelInfo, fmt.Sprintf("Log level to use. Possible values: %s", availableLogLevels))
|
||||||
@ -216,7 +218,7 @@ func runRoot(_ *cobra.Command, _ []string) error {
|
|||||||
case "cilium":
|
case "cilium":
|
||||||
enc = encapsulation.NewCilium(e)
|
enc = encapsulation.NewCilium(e)
|
||||||
default:
|
default:
|
||||||
enc = encapsulation.NewIPIP(e)
|
enc = encapsulation.NewIPIP(e, dropOtherIpIpTraffic)
|
||||||
}
|
}
|
||||||
|
|
||||||
gr := mesh.Granularity(granularity)
|
gr := mesh.Granularity(granularity)
|
||||||
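Review bot: The help text for the new `drop-other-ipip-traffic` flag in the second hunk does not say what a user gives up by switching it off, while the neighbouring `iptables-forward-rules` flag carries an explicit "potentially insecure" warning; the two should be consistent, since disabling this flag means IPIP packets from hosts that are not Kilo nodes are no longer dropped by Kilo's own rules. I would change the registration to `cmd.Flags().BoolVar(&dropOtherIpIpTraffic, "drop-other-ipip-traffic", true, "Drop IP-over-IP traffic that does not come from a known Kilo node. Warning: disabling this leaves such traffic to the host's existing firewall policy and is potentially insecure unless that policy filters IPIP itself. Not available in compatibility mode.")`. As a style point, Go keeps initialisms in one case, so the variable would read better as `dropOtherIPIPTraffic` (matching `NewIPIP`). Both `init()` and `runRoot` continue outside these hunks, so I cannot see whether the value is validated or logged anywhere else.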
|
@ -25,11 +25,12 @@ import (
|
|||||||
type ipip struct {
|
type ipip struct {
|
||||||
iface int
|
iface int
|
||||||
strategy Strategy
|
strategy Strategy
|
||||||
|
dropOtherIpIpTraffic bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewIPIP returns an encapsulator that uses IPIP.
|
// NewIPIP returns an encapsulator that uses IPIP.
|
||||||
func NewIPIP(strategy Strategy) Encapsulator {
|
func NewIPIP(strategy Strategy, dropOtherIpIpTraffic bool) Encapsulator {
|
||||||
return &ipip{strategy: strategy}
|
return &ipip{strategy: strategy, dropOtherIpIpTraffic: dropOtherIpIpTraffic}
|
||||||
}
|
}
|
||||||
|
|
||||||
// CleanUp will remove any created IPIP devices.
|
// CleanUp will remove any created IPIP devices.
|
||||||
@ -76,9 +77,11 @@ func (i *ipip) Rules(nodes []*net.IPNet) []iptables.Rule {
|
|||||||
// Accept encapsulated traffic from peers.
|
// Accept encapsulated traffic from peers.
|
||||||
rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
|
rules = append(rules, iptables.NewRule(iptables.GetProtocol(n.IP), "filter", "KILO-IPIP", "-s", n.String(), "-m", "comment", "--comment", "Kilo: allow IPIP traffic", "-j", "ACCEPT"))
|
||||||
}
|
}
|
||||||
|
if i.dropOtherIpIpTraffic {
|
||||||
// Drop all other IPIP traffic.
|
// Drop all other IPIP traffic.
|
||||||
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
|
rules = append(rules, iptables.NewIPv4Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
|
||||||
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
|
rules = append(rules, iptables.NewIPv6Rule("filter", "INPUT", "-p", proto, "-m", "comment", "--comment", "Kilo: reject other IPIP traffic", "-j", "DROP"))
|
||||||
|
}
|
||||||
|
|
||||||
return rules
|
return rules
|
||||||
}
|
}
|
||||||
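Review bot: `NewIPIP` gained a second parameter but its doc comment still reads only `// NewIPIP returns an encapsulator that uses IPIP.`, so the security meaning of passing `false` is undocumented at the one place callers will look. I would extend it to: `// NewIPIP returns an encapsulator that uses IPIP. When dropOtherIpIpTraffic is true, Rules also emits INPUT rules that drop IPIP traffic not originating from a known node; when false, such traffic is left to whatever the rest of the host's INPUT chain does, so it should only be disabled if another firewall filters IPIP.` The new struct field would benefit from a one-line comment to the same effect, and `dropOtherIPIPTraffic` would follow Go's initialism convention. The `Rules` body starts above this hunk (`rules` and `proto` are declared there), so I cannot confirm from here that the jump into `KILO-IPIP` is ordered before the INPUT drop rules.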
|