8cadff2b79
* CNI: bump to 1.0.1 This commit bumps the declared version of CNI in the Kilo manifests to 1.0.1. This is possible with no changes to the configuration lists because our simple configuration is not affected by any of the deprecations, and there was effectively no change between 0.4.0 and 1.0.0, other than the declaration of a stable API. Similarly, this commit also bumps the version of the CNI library and the plugins package. Bumping to CNI 1.0.0 will help ensure that Kilo stays compatible with container runtimes in the future. Signed-off-by: Lucas Servén Marín <lserven@gmail.com> * vendor: revendor Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
455 lines
16 KiB
Go
455 lines
16 KiB
Go
package netlink
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/binary"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
|
|
"github.com/vishvananda/netlink/nl"
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
// ConntrackTableType Conntrack table for the netlink operation
|
|
type ConntrackTableType uint8
|
|
|
|
const (
|
|
// ConntrackTable Conntrack table
|
|
// https://github.com/torvalds/linux/blob/master/include/uapi/linux/netfilter/nfnetlink.h -> #define NFNL_SUBSYS_CTNETLINK 1
|
|
ConntrackTable = 1
|
|
// ConntrackExpectTable Conntrack expect table
|
|
// https://github.com/torvalds/linux/blob/master/include/uapi/linux/netfilter/nfnetlink.h -> #define NFNL_SUBSYS_CTNETLINK_EXP 2
|
|
ConntrackExpectTable = 2
|
|
)
|
|
|
|
const (
|
|
// backward compatibility with golang 1.6 which does not have io.SeekCurrent
|
|
seekCurrent = 1
|
|
)
|
|
|
|
// InetFamily Family type
|
|
type InetFamily uint8
|
|
|
|
// -L [table] [options] List conntrack or expectation table
|
|
// -G [table] parameters Get conntrack or expectation
|
|
|
|
// -I [table] parameters Create a conntrack or expectation
|
|
// -U [table] parameters Update a conntrack
|
|
// -E [table] [options] Show events
|
|
|
|
// -C [table] Show counter
|
|
// -S Show statistics
|
|
|
|
// ConntrackTableList returns the flow list of a table of a specific family
|
|
// conntrack -L [table] [options] List conntrack or expectation table
|
|
func ConntrackTableList(table ConntrackTableType, family InetFamily) ([]*ConntrackFlow, error) {
|
|
return pkgHandle.ConntrackTableList(table, family)
|
|
}
|
|
|
|
// ConntrackTableFlush flushes all the flows of a specified table
|
|
// conntrack -F [table] Flush table
|
|
// The flush operation applies to all the family types
|
|
func ConntrackTableFlush(table ConntrackTableType) error {
|
|
return pkgHandle.ConntrackTableFlush(table)
|
|
}
|
|
|
|
// ConntrackDeleteFilter deletes entries on the specified table on the base of the filter
|
|
// conntrack -D [table] parameters Delete conntrack or expectation
|
|
func ConntrackDeleteFilter(table ConntrackTableType, family InetFamily, filter CustomConntrackFilter) (uint, error) {
|
|
return pkgHandle.ConntrackDeleteFilter(table, family, filter)
|
|
}
|
|
|
|
// ConntrackTableList returns the flow list of a table of a specific family using the netlink handle passed
|
|
// conntrack -L [table] [options] List conntrack or expectation table
|
|
func (h *Handle) ConntrackTableList(table ConntrackTableType, family InetFamily) ([]*ConntrackFlow, error) {
|
|
res, err := h.dumpConntrackTable(table, family)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// Deserialize all the flows
|
|
var result []*ConntrackFlow
|
|
for _, dataRaw := range res {
|
|
result = append(result, parseRawData(dataRaw))
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// ConntrackTableFlush flushes all the flows of a specified table using the netlink handle passed
|
|
// conntrack -F [table] Flush table
|
|
// The flush operation applies to all the family types
|
|
func (h *Handle) ConntrackTableFlush(table ConntrackTableType) error {
|
|
req := h.newConntrackRequest(table, unix.AF_INET, nl.IPCTNL_MSG_CT_DELETE, unix.NLM_F_ACK)
|
|
_, err := req.Execute(unix.NETLINK_NETFILTER, 0)
|
|
return err
|
|
}
|
|
|
|
// ConntrackDeleteFilter deletes entries on the specified table on the base of the filter using the netlink handle passed
|
|
// conntrack -D [table] parameters Delete conntrack or expectation
|
|
func (h *Handle) ConntrackDeleteFilter(table ConntrackTableType, family InetFamily, filter CustomConntrackFilter) (uint, error) {
|
|
res, err := h.dumpConntrackTable(table, family)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
|
|
var matched uint
|
|
for _, dataRaw := range res {
|
|
flow := parseRawData(dataRaw)
|
|
if match := filter.MatchConntrackFlow(flow); match {
|
|
req2 := h.newConntrackRequest(table, family, nl.IPCTNL_MSG_CT_DELETE, unix.NLM_F_ACK)
|
|
// skip the first 4 byte that are the netfilter header, the newConntrackRequest is adding it already
|
|
req2.AddRawData(dataRaw[4:])
|
|
req2.Execute(unix.NETLINK_NETFILTER, 0)
|
|
matched++
|
|
}
|
|
}
|
|
|
|
return matched, nil
|
|
}
|
|
|
|
func (h *Handle) newConntrackRequest(table ConntrackTableType, family InetFamily, operation, flags int) *nl.NetlinkRequest {
|
|
// Create the Netlink request object
|
|
req := h.newNetlinkRequest((int(table)<<8)|operation, flags)
|
|
// Add the netfilter header
|
|
msg := &nl.Nfgenmsg{
|
|
NfgenFamily: uint8(family),
|
|
Version: nl.NFNETLINK_V0,
|
|
ResId: 0,
|
|
}
|
|
req.AddData(msg)
|
|
return req
|
|
}
|
|
|
|
func (h *Handle) dumpConntrackTable(table ConntrackTableType, family InetFamily) ([][]byte, error) {
|
|
req := h.newConntrackRequest(table, family, nl.IPCTNL_MSG_CT_GET, unix.NLM_F_DUMP)
|
|
return req.Execute(unix.NETLINK_NETFILTER, 0)
|
|
}
|
|
|
|
// The full conntrack flow structure is very complicated and can be found in the file:
|
|
// http://git.netfilter.org/libnetfilter_conntrack/tree/include/internal/object.h
|
|
// For the time being, the structure below allows to parse and extract the base information of a flow
|
|
type ipTuple struct {
|
|
Bytes uint64
|
|
DstIP net.IP
|
|
DstPort uint16
|
|
Packets uint64
|
|
Protocol uint8
|
|
SrcIP net.IP
|
|
SrcPort uint16
|
|
}
|
|
|
|
type ConntrackFlow struct {
|
|
FamilyType uint8
|
|
Forward ipTuple
|
|
Reverse ipTuple
|
|
Mark uint32
|
|
}
|
|
|
|
func (s *ConntrackFlow) String() string {
|
|
// conntrack cmd output:
|
|
// udp 17 src=127.0.0.1 dst=127.0.0.1 sport=4001 dport=1234 packets=5 bytes=532 [UNREPLIED] src=127.0.0.1 dst=127.0.0.1 sport=1234 dport=4001 packets=10 bytes=1078 mark=0
|
|
return fmt.Sprintf("%s\t%d src=%s dst=%s sport=%d dport=%d packets=%d bytes=%d\tsrc=%s dst=%s sport=%d dport=%d packets=%d bytes=%d mark=%d",
|
|
nl.L4ProtoMap[s.Forward.Protocol], s.Forward.Protocol,
|
|
s.Forward.SrcIP.String(), s.Forward.DstIP.String(), s.Forward.SrcPort, s.Forward.DstPort, s.Forward.Packets, s.Forward.Bytes,
|
|
s.Reverse.SrcIP.String(), s.Reverse.DstIP.String(), s.Reverse.SrcPort, s.Reverse.DstPort, s.Reverse.Packets, s.Reverse.Bytes,
|
|
s.Mark)
|
|
}
|
|
|
|
// This method parse the ip tuple structure
|
|
// The message structure is the following:
|
|
// <len, [CTA_IP_V4_SRC|CTA_IP_V6_SRC], 16 bytes for the IP>
|
|
// <len, [CTA_IP_V4_DST|CTA_IP_V6_DST], 16 bytes for the IP>
|
|
// <len, NLA_F_NESTED|nl.CTA_TUPLE_PROTO, 1 byte for the protocol, 3 bytes of padding>
|
|
// <len, CTA_PROTO_SRC_PORT, 2 bytes for the source port, 2 bytes of padding>
|
|
// <len, CTA_PROTO_DST_PORT, 2 bytes for the source port, 2 bytes of padding>
|
|
func parseIpTuple(reader *bytes.Reader, tpl *ipTuple) uint8 {
|
|
for i := 0; i < 2; i++ {
|
|
_, t, _, v := parseNfAttrTLV(reader)
|
|
switch t {
|
|
case nl.CTA_IP_V4_SRC, nl.CTA_IP_V6_SRC:
|
|
tpl.SrcIP = v
|
|
case nl.CTA_IP_V4_DST, nl.CTA_IP_V6_DST:
|
|
tpl.DstIP = v
|
|
}
|
|
}
|
|
// Skip the next 4 bytes nl.NLA_F_NESTED|nl.CTA_TUPLE_PROTO
|
|
reader.Seek(4, seekCurrent)
|
|
_, t, _, v := parseNfAttrTLV(reader)
|
|
if t == nl.CTA_PROTO_NUM {
|
|
tpl.Protocol = uint8(v[0])
|
|
}
|
|
// Skip some padding 3 bytes
|
|
reader.Seek(3, seekCurrent)
|
|
for i := 0; i < 2; i++ {
|
|
_, t, _ := parseNfAttrTL(reader)
|
|
switch t {
|
|
case nl.CTA_PROTO_SRC_PORT:
|
|
parseBERaw16(reader, &tpl.SrcPort)
|
|
case nl.CTA_PROTO_DST_PORT:
|
|
parseBERaw16(reader, &tpl.DstPort)
|
|
}
|
|
// Skip some padding 2 byte
|
|
reader.Seek(2, seekCurrent)
|
|
}
|
|
return tpl.Protocol
|
|
}
|
|
|
|
func parseNfAttrTLV(r *bytes.Reader) (isNested bool, attrType, len uint16, value []byte) {
|
|
isNested, attrType, len = parseNfAttrTL(r)
|
|
|
|
value = make([]byte, len)
|
|
binary.Read(r, binary.BigEndian, &value)
|
|
return isNested, attrType, len, value
|
|
}
|
|
|
|
func parseNfAttrTL(r *bytes.Reader) (isNested bool, attrType, len uint16) {
|
|
binary.Read(r, nl.NativeEndian(), &len)
|
|
len -= nl.SizeofNfattr
|
|
|
|
binary.Read(r, nl.NativeEndian(), &attrType)
|
|
isNested = (attrType & nl.NLA_F_NESTED) == nl.NLA_F_NESTED
|
|
attrType = attrType & (nl.NLA_F_NESTED - 1)
|
|
|
|
return isNested, attrType, len
|
|
}
|
|
|
|
func parseBERaw16(r *bytes.Reader, v *uint16) {
|
|
binary.Read(r, binary.BigEndian, v)
|
|
}
|
|
|
|
func parseBERaw32(r *bytes.Reader, v *uint32) {
|
|
binary.Read(r, binary.BigEndian, v)
|
|
}
|
|
|
|
func parseBERaw64(r *bytes.Reader, v *uint64) {
|
|
binary.Read(r, binary.BigEndian, v)
|
|
}
|
|
|
|
func parseByteAndPacketCounters(r *bytes.Reader) (bytes, packets uint64) {
|
|
for i := 0; i < 2; i++ {
|
|
switch _, t, _ := parseNfAttrTL(r); t {
|
|
case nl.CTA_COUNTERS_BYTES:
|
|
parseBERaw64(r, &bytes)
|
|
case nl.CTA_COUNTERS_PACKETS:
|
|
parseBERaw64(r, &packets)
|
|
default:
|
|
return
|
|
}
|
|
}
|
|
return
|
|
}
|
|
|
|
func parseConnectionMark(r *bytes.Reader) (mark uint32) {
|
|
parseBERaw32(r, &mark)
|
|
return
|
|
}
|
|
|
|
func parseRawData(data []byte) *ConntrackFlow {
|
|
s := &ConntrackFlow{}
|
|
// First there is the Nfgenmsg header
|
|
// consume only the family field
|
|
reader := bytes.NewReader(data)
|
|
binary.Read(reader, nl.NativeEndian(), &s.FamilyType)
|
|
|
|
// skip rest of the Netfilter header
|
|
reader.Seek(3, seekCurrent)
|
|
// The message structure is the following:
|
|
// <len, NLA_F_NESTED|CTA_TUPLE_ORIG> 4 bytes
|
|
// <len, NLA_F_NESTED|CTA_TUPLE_IP> 4 bytes
|
|
// flow information of the forward flow
|
|
// <len, NLA_F_NESTED|CTA_TUPLE_REPLY> 4 bytes
|
|
// <len, NLA_F_NESTED|CTA_TUPLE_IP> 4 bytes
|
|
// flow information of the reverse flow
|
|
for reader.Len() > 0 {
|
|
if nested, t, l := parseNfAttrTL(reader); nested {
|
|
switch t {
|
|
case nl.CTA_TUPLE_ORIG:
|
|
if nested, t, _ = parseNfAttrTL(reader); nested && t == nl.CTA_TUPLE_IP {
|
|
parseIpTuple(reader, &s.Forward)
|
|
}
|
|
case nl.CTA_TUPLE_REPLY:
|
|
if nested, t, _ = parseNfAttrTL(reader); nested && t == nl.CTA_TUPLE_IP {
|
|
parseIpTuple(reader, &s.Reverse)
|
|
} else {
|
|
// Header not recognized skip it
|
|
reader.Seek(int64(l), seekCurrent)
|
|
}
|
|
case nl.CTA_COUNTERS_ORIG:
|
|
s.Forward.Bytes, s.Forward.Packets = parseByteAndPacketCounters(reader)
|
|
case nl.CTA_COUNTERS_REPLY:
|
|
s.Reverse.Bytes, s.Reverse.Packets = parseByteAndPacketCounters(reader)
|
|
}
|
|
} else {
|
|
switch t {
|
|
case nl.CTA_MARK:
|
|
s.Mark = parseConnectionMark(reader)
|
|
}
|
|
}
|
|
}
|
|
return s
|
|
}
|
|
|
|
// Conntrack parameters and options:
|
|
// -n, --src-nat ip source NAT ip
|
|
// -g, --dst-nat ip destination NAT ip
|
|
// -j, --any-nat ip source or destination NAT ip
|
|
// -m, --mark mark Set mark
|
|
// -c, --secmark secmark Set selinux secmark
|
|
// -e, --event-mask eventmask Event mask, eg. NEW,DESTROY
|
|
// -z, --zero Zero counters while listing
|
|
// -o, --output type[,...] Output format, eg. xml
|
|
// -l, --label label[,...] conntrack labels
|
|
|
|
// Common parameters and options:
|
|
// -s, --src, --orig-src ip Source address from original direction
|
|
// -d, --dst, --orig-dst ip Destination address from original direction
|
|
// -r, --reply-src ip Source address from reply direction
|
|
// -q, --reply-dst ip Destination address from reply direction
|
|
// -p, --protonum proto Layer 4 Protocol, eg. 'tcp'
|
|
// -f, --family proto Layer 3 Protocol, eg. 'ipv6'
|
|
// -t, --timeout timeout Set timeout
|
|
// -u, --status status Set status, eg. ASSURED
|
|
// -w, --zone value Set conntrack zone
|
|
// --orig-zone value Set zone for original direction
|
|
// --reply-zone value Set zone for reply direction
|
|
// -b, --buffer-size Netlink socket buffer size
|
|
// --mask-src ip Source mask address
|
|
// --mask-dst ip Destination mask address
|
|
|
|
// Layer 4 Protocol common parameters and options:
|
|
// TCP, UDP, SCTP, UDPLite and DCCP
|
|
// --sport, --orig-port-src port Source port in original direction
|
|
// --dport, --orig-port-dst port Destination port in original direction
|
|
|
|
// Filter types
|
|
type ConntrackFilterType uint8
|
|
|
|
const (
|
|
ConntrackOrigSrcIP = iota // -orig-src ip Source address from original direction
|
|
ConntrackOrigDstIP // -orig-dst ip Destination address from original direction
|
|
ConntrackReplySrcIP // --reply-src ip Reply Source IP
|
|
ConntrackReplyDstIP // --reply-dst ip Reply Destination IP
|
|
ConntrackReplyAnyIP // Match source or destination reply IP
|
|
ConntrackOrigSrcPort // --orig-port-src port Source port in original direction
|
|
ConntrackOrigDstPort // --orig-port-dst port Destination port in original direction
|
|
ConntrackNatSrcIP = ConntrackReplySrcIP // deprecated use instead ConntrackReplySrcIP
|
|
ConntrackNatDstIP = ConntrackReplyDstIP // deprecated use instead ConntrackReplyDstIP
|
|
ConntrackNatAnyIP = ConntrackReplyAnyIP // deprecated use instead ConntrackReplyAnyIP
|
|
)
|
|
|
|
type CustomConntrackFilter interface {
|
|
// MatchConntrackFlow applies the filter to the flow and returns true if the flow matches
|
|
// the filter or false otherwise
|
|
MatchConntrackFlow(flow *ConntrackFlow) bool
|
|
}
|
|
|
|
type ConntrackFilter struct {
|
|
ipFilter map[ConntrackFilterType]net.IP
|
|
portFilter map[ConntrackFilterType]uint16
|
|
protoFilter uint8
|
|
}
|
|
|
|
// AddIP adds an IP to the conntrack filter
|
|
func (f *ConntrackFilter) AddIP(tp ConntrackFilterType, ip net.IP) error {
|
|
if f.ipFilter == nil {
|
|
f.ipFilter = make(map[ConntrackFilterType]net.IP)
|
|
}
|
|
if _, ok := f.ipFilter[tp]; ok {
|
|
return errors.New("Filter attribute already present")
|
|
}
|
|
f.ipFilter[tp] = ip
|
|
return nil
|
|
}
|
|
|
|
// AddPort adds a Port to the conntrack filter if the Layer 4 protocol allows it
|
|
func (f *ConntrackFilter) AddPort(tp ConntrackFilterType, port uint16) error {
|
|
switch f.protoFilter {
|
|
// TCP, UDP, DCCP, SCTP, UDPLite
|
|
case 6, 17, 33, 132, 136:
|
|
default:
|
|
return fmt.Errorf("Filter attribute not available without a valid Layer 4 protocol: %d", f.protoFilter)
|
|
}
|
|
|
|
if f.portFilter == nil {
|
|
f.portFilter = make(map[ConntrackFilterType]uint16)
|
|
}
|
|
if _, ok := f.portFilter[tp]; ok {
|
|
return errors.New("Filter attribute already present")
|
|
}
|
|
f.portFilter[tp] = port
|
|
return nil
|
|
}
|
|
|
|
// AddProtocol adds the Layer 4 protocol to the conntrack filter
|
|
func (f *ConntrackFilter) AddProtocol(proto uint8) error {
|
|
if f.protoFilter != 0 {
|
|
return errors.New("Filter attribute already present")
|
|
}
|
|
f.protoFilter = proto
|
|
return nil
|
|
}
|
|
|
|
// MatchConntrackFlow applies the filter to the flow and returns true if the flow matches the filter
|
|
// false otherwise
|
|
func (f *ConntrackFilter) MatchConntrackFlow(flow *ConntrackFlow) bool {
|
|
if len(f.ipFilter) == 0 && len(f.portFilter) == 0 && f.protoFilter == 0 {
|
|
// empty filter always not match
|
|
return false
|
|
}
|
|
|
|
// -p, --protonum proto Layer 4 Protocol, eg. 'tcp'
|
|
if f.protoFilter != 0 && flow.Forward.Protocol != f.protoFilter {
|
|
// different Layer 4 protocol always not match
|
|
return false
|
|
}
|
|
|
|
match := true
|
|
|
|
// IP conntrack filter
|
|
if len(f.ipFilter) > 0 {
|
|
// -orig-src ip Source address from original direction
|
|
if elem, found := f.ipFilter[ConntrackOrigSrcIP]; found {
|
|
match = match && elem.Equal(flow.Forward.SrcIP)
|
|
}
|
|
|
|
// -orig-dst ip Destination address from original direction
|
|
if elem, found := f.ipFilter[ConntrackOrigDstIP]; match && found {
|
|
match = match && elem.Equal(flow.Forward.DstIP)
|
|
}
|
|
|
|
// -src-nat ip Source NAT ip
|
|
if elem, found := f.ipFilter[ConntrackReplySrcIP]; match && found {
|
|
match = match && elem.Equal(flow.Reverse.SrcIP)
|
|
}
|
|
|
|
// -dst-nat ip Destination NAT ip
|
|
if elem, found := f.ipFilter[ConntrackReplyDstIP]; match && found {
|
|
match = match && elem.Equal(flow.Reverse.DstIP)
|
|
}
|
|
|
|
// Match source or destination reply IP
|
|
if elem, found := f.ipFilter[ConntrackReplyAnyIP]; match && found {
|
|
match = match && (elem.Equal(flow.Reverse.SrcIP) || elem.Equal(flow.Reverse.DstIP))
|
|
}
|
|
}
|
|
|
|
// Layer 4 Port filter
|
|
if len(f.portFilter) > 0 {
|
|
// -orig-port-src port Source port from original direction
|
|
if elem, found := f.portFilter[ConntrackOrigSrcPort]; match && found {
|
|
match = match && elem == flow.Forward.SrcPort
|
|
}
|
|
|
|
// -orig-port-dst port Destination port from original direction
|
|
if elem, found := f.portFilter[ConntrackOrigDstPort]; match && found {
|
|
match = match && elem == flow.Forward.DstPort
|
|
}
|
|
}
|
|
|
|
return match
|
|
}
|
|
|
|
var _ CustomConntrackFilter = (*ConntrackFilter)(nil)
|