Currently, Kilo _only_ supports adding firewall rules via the legacy
iptables API. This means that on systems using nftables in the host
network namespace, the namespace will be polluted and both firewall
infrastructures will be used, causing unexpected and difficult
to predict interactions. In other words, networking may not work as
expected on nftables-based systems.
This PR fixes this by using the iptables-wrappers project [0] to install
run-time detection of the in-use iptables backend.
[0] https://github.com/kubernetes-sigs/iptables-wrappers
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* migrate to golang.zx2c4.com/wireguard/wgctrl
This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor wgctrl
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* apply suggestions from code review
Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/*: use wireguard.Enpoint
This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.
Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/wireguard/conf_test.go: add tests for Endpoint
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kg/main.go: validate port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* add suggestions from review
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/mesh.go: use Equal func
Implement an Equal func for Enpoint and use it instead of comparing
strings.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl/main.go: check port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor
Signed-off-by: leonnicolas <leonloechner@gmx.de>
docker: add missing fonts for rasterized graphviz output formats
add missing license header
kg: do not export handlers
use http package for status codes
keep checks for errors in a single line
simplify error message about failed invocation of dot
pass node hostname and subnet to graph handler
use SVG as default format for graph handler
register health handler with HandleFunc
add option for selecting layout to graph handler and using circo as new default
e2e: add tests for HTTP handlers
e2e: fix and simplify handler tests
add should comments to assertions
e2s: use assert_fail instead of assert _not
add missing mime-type header for graph handler
use switch/case statements for validating formats / layouts
e2e: fix handlers tests
Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>
graph-handler: add missing font to Dockerfile
Dockerfile: remove unnecessary font
This commit leaves Noto as the only font package, as one font package is
sufficient for the container.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
The current Alpine package CDN is timing out for aarch64. This commit
updates it to another mirror. This commit also changes the channel
Alpine channel from edge to v3.12. Note: the Dockerfile overrides the
Alpine CDN settings to ensure that a mirror with support for TLS is
used.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables simultaneously managing IPv4 and IPv6 iptables
rules. This makes it possible to have peers with IPv6 allowed IPs in an
otherwise IPv4 stack and vice versa.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
The certificates for the alpine APK repositories expired today [0],
breaking builds. This switches the configured repos to ones that work.
It also changes the `main` repo to use HTTPS.
[0] uk.alpinelinux.org expired Nov 15 2019 at 02:00:31 UTC
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit changes the build-system for Kilo to create container images
for multiple architectures. This will enable running Kilo on Arm
devices, e.g. Raspberry Pis. This is accomplished using Docker
manifests.
This commit enables Kilo to work as an independent networking provider.
This is done by leveraging CNI. Kilo brings the necessary CNI plugins to
operate and takes care of all networking.
Add-on compatibility for Calico, Flannel, etc, will be re-introduced
shortly.
Lucas Servén Marín
Dave Allan
leonnicolas
Steffen Vogel
Julien Viard de Galbert
Manuel Rüger