Commit Graph

11 Commits

Author SHA1 Message Date
Lucas Servén Marín
9b19bbe69c
pkg/iptables: remove nil rules from list on error
Previously, when `deleteFromIndex` exited early due to an error, nil
rules would be left in the controller's list of rules, which could
provoke a panic on the next reconciliation. This commit ensures that nil
rules are removed before an early exit.

Fixes: #51

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-11 22:50:01 +02:00
Lucas Servén Marín
b668c1ec3e
pkg/iptables: enable simultaneous ipv4 and ipv6
This commit enables simultaneously managing IPv4 and IPv6 iptables
rules. This makes it possible to have peers with IPv6 allowed IPs in an
otherwise IPv4 stack and vice versa.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-12 16:07:48 +01:00
Lucas Servén Marín
7051b9fe29
pkg/mesh: enable outgoing NAT to WAN
This commit enables NAT-ing packets outgoing to the WAN from both the
Pod subnet as well as from peers. This means that Pods can access the
Internet and that peers can use the Kilo mesh as a gateway to the
Internet.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 18:45:01 +01:00
Lucas Servén Marín
8908cf19cb
pkg/iptables: re-organize rules
This commit better organizes the location of iptables rules. This is
made possible by exposing two new funcs, `NewRule` and `NewChain`.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 16:57:09 +01:00
Lucas Servén Marín
4857d10da1
pkg/iptables: clean up, remove NAT
This commit cleans up the iptables package to allow other packages to
create rules.

This commit also removes all NAT from Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 21:23:23 +01:00
Lucas Servén Marín
4febbdbfe5
pkg/iptables: fix out of bounds err
This fixes two bugs in the iptables package that can cause out of bounds
errors.

Fixes: #22

Thanks to @SerialVelocity for reporting.
2019-09-27 11:10:55 +02:00
Lucas Servén Marín
e83db17d88
pkg/iptables: add rules in correct order
This commit takes a big step towards ensuring that iptables rules are
always kept in the correct order. Specifically, when re-setting a a
ruleset, any time a rule is missing, that rule and all following rules
are re-added to ensure that from that index onwards all rules are in the
right order. Similarly, when reconciling an existing ruleset against the
backend, if a rule is missing, that rule an all following rules are
re-added.

This change does not guarantee that the order of rules in the backend
is correct. Unless an actor is modifying the order of rules in iptables,
all rules created by Kilo should now be kept in the correct order.

Fixes: #19
2019-09-25 13:23:31 +02:00
Lucas Servén Marín
cd6eeeb1e7
pkg/{encapsulation,mesh}: abstract encapsulation
This commit abstracts away encapsulation to more easily allow for
different types of encapsulation or compatibility with other networking
solutions.
2019-05-13 18:30:03 +02:00
Lucas Servén Marín
b3a3c37e0a
*: add complete CNI support
This commit enables Kilo to work as an independent networking provider.
This is done by leveraging CNI. Kilo brings the necessary CNI plugins to
operate and takes care of all networking.

Add-on compatibility for Calico, Flannel, etc, will be re-introduced
shortly.
2019-05-07 01:49:59 +02:00
Lucas Servén Marín
2425a06cd8
*: add peer VPN support
This commit adds support for defining arbitrary peers that should have
access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 12:53:44 +02:00
Lucas Serven
e989f0a25f
init 2019-01-18 02:50:10 +01:00