// Copyright 2018 Microsoft. All rights reserved. // MIT License package util import "k8s.io/klog" // kubernetes related constants. const ( KubeSystemFlag string = "kube-system" KubePodTemplateHashFlag string = "pod-template-hash" KubeAllPodsFlag string = "all-pod" KubeAllNamespacesFlag string = "all-namespaces" KubeAppFlag string = "k8s-app" KubeProxyFlag string = "kube-proxy" KubePodStatusFailedFlag string = "Failed" KubePodStatusSucceededFlag string = "Succeeded" KubePodStatusUnknownFlag string = "Unknown" // The version of k8s that accept "AND" between namespaceSelector and podSelector is "1.11" k8sMajorVerForNewPolicyDef string = "1" k8sMinorVerForNewPolicyDef string = "11" ) var ( Iptables = IptablesNft Ip6tables = Ip6tablesLegacy //nolint (avoid warning to capitalize this p) IptablesSave = IptablesSaveNft IptablesRestore = IptablesRestoreNft ) // iptables related constants. const ( PlaceAzureChainAfterKubeServices = false PlaceAzureChainFirst = true IptablesNft string = "iptables-nft" Ip6tablesLegacy string = "ip6tables" //nolint (avoid warning to capitalize this p) IptablesSaveNft string = "iptables-nft-save" IptablesRestoreNft string = "iptables-nft-restore" IptablesLegacy string = "iptables" IptablesSaveLegacy string = "iptables-save" IptablesRestoreLegacy string = "iptables-restore" IptablesRestoreNoFlushFlag string = "--noflush" IptablesRestoreTableFlag string = "-T" IptablesRestoreCommit string = "COMMIT" IptablesConfigFile string = "/var/log/iptables.conf" IptablesTestConfigFile string = "/var/log/iptables-test.conf" IptablesLockFile string = "/run/xtables.lock" IptablesChainCreationFlag string = "-N" IptablesInsertionFlag string = "-I" IptablesAppendFlag string = "-A" IptablesDeletionFlag string = "-D" IptablesFlushFlag string = "-F" IptablesCheckFlag string = "-C" IptablesDestroyFlag string = "-X" IptablesJumpFlag string = "-j" IptablesWaitFlag string = "-w" IptablesDefaultWaitTime string = "60" IptablesAccept string = "ACCEPT" IptablesReject string = "REJECT" IptablesDrop string = "DROP" IptablesReturn string = "RETURN" IptablesMark string = "MARK" IptablesSrcFlag string = "src" IptablesDstFlag string = "dst" IptablesNamedPortFlag string = "dst,dst" IptablesNotFlag string = "!" IptablesProtFlag string = "-p" IptablesSFlag string = "-s" IptablesDFlag string = "-d" IptablesDstPortFlag string = "--dport" IptablesSrcPortFlag string = "--sport" IptablesModuleFlag string = "-m" IptablesSetModuleFlag string = "set" IptablesMatchSetFlag string = "--match-set" IptablesSetMarkFlag string = "--set-mark" IptablesMarkFlag string = "--mark" IptablesMarkVerb string = "mark" IptablesStateModuleFlag string = "state" IptablesStateFlag string = "--state" IptablesCtstateModuleFlag string = "conntrack" // state module is obsolete: https://unix.stackexchange.com/questions/108169/what-is-the-difference-between-m-conntrack-ctstate-and-m-state-state IptablesCtstateFlag string = "--ctstate" IptablesMultiportFlag string = "multiport" IptablesRelatedState string = "RELATED" IptablesEstablishedState string = "ESTABLISHED" IptablesNewState string = "NEW" IptablesFilterTable string = "filter" IptablesMangleTable string = "mangle" IptablesCommentModuleFlag string = "comment" IptablesCommentFlag string = "--comment" IptablesAddCommentFlag IptablesTableFlag string = "-t" IptablesListFlag string = "-L" IptablesNumericFlag string = "-n" IptablesLineNumbersFlag string = "--line-numbers" IptablesKubeServicesChain string = "KUBE-SERVICES" IptablesForwardChain string = "FORWARD" IptablesInputChain string = "INPUT" IptablesAzureChain string = "AZURE-NPM" IptablesAzureAcceptChain string = "AZURE-NPM-ACCEPT" IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM" IptablesAzureIngressChain string = "AZURE-NPM-INGRESS" IptablesAzureIngressAllowMarkChain string = "AZURE-NPM-INGRESS-ALLOW-MARK" IptablesAzureEgressChain string = "AZURE-NPM-EGRESS" // Chains used in NPM v1 IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT" IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM" IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT" IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO" IptablesAzureIngressDropsChain string = "AZURE-NPM-INGRESS-DROPS" IptablesAzureEgressDropsChain string = "AZURE-NPM-EGRESS-DROPS" // NPM v2 Chains IptablesAzureIngressPolicyChainPrefix string = "AZURE-NPM-INGRESS" IptablesAzureEgressPolicyChainPrefix string = "AZURE-NPM-EGRESS" // Below chain exists only in NPM before v1.2.6 IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS" // Below chain existing only in NPM before v1.2.7 IptablesAzureIngressWrongDropsChain string = "AZURE-NPM-INRGESS-DROPS" // Below chains exists only for before Azure-NPM:v1.0.27 // and should be removed after a baking period. IptablesAzureIngressFromNsChain string = "AZURE-NPM-INGRESS-FROM-NS" IptablesAzureIngressFromPodChain string = "AZURE-NPM-INGRESS-FROM-POD" IptablesAzureEgressToNsChain string = "AZURE-NPM-EGRESS-TO-NS" IptablesAzureEgressToPodChain string = "AZURE-NPM-EGRESS-TO-POD" // Below are the skb->mark NPM will use for different criteria // for V1 IptablesAzureClearMarkHex string = "0x0" // for v2, deprecated IptablesAzureClearMarkHexV2 string = "0x0/0xE00" // marks in NPM v2 // NPM uses the 3rd word of the 32-bit mark for the purpose of // identifying the traffic direction and decision making. // NPM uses 9th, 10th and 11th bit for marking IptablesAzureIngressAllowMarkHex string = "0x200/0x200" IptablesAzureIngressDropMarkHex string = "0x400/0x400" IptablesAzureEgressDropMarkHex string = "0x800/0x800" // marks in NPM v1 IptablesAzureIngressMarkHex string = "0x2000" // IptablesAzureEgressXMarkHex is used for us to not override but append to the existing MARK // https://unix.stackexchange.com/a/283455 comment contains the explanation on // MARK manipulations with offset. IptablesAzureEgressXMarkHex string = "0x1000/0x1000" // IptablesAzureEgressMarkHex is for checking the absolute value of the mark IptablesAzureEgressMarkHex string = "0x1000" IptablesAzureAcceptMarkHex string = "0x3000" ) // ipset related constants. const ( Ipset string = "ipset" IpsetSaveFlag string = "save" IpsetRestoreFlag string = "restore" IpsetConfigFile string = "/var/log/ipset.conf" IpsetTestConfigFile string = "/var/log/ipset-test.conf" IpsetCreationFlag string = "-N" IpsetAppendFlag string = "-A" IpsetDeletionFlag string = "-D" IpsetFlushFlag string = "-F" IpsetDestroyFlag string = "-X" IpsetExistFlag string = "-exist" IpsetFileFlag string = "-file" IPsetCheckListFlag string = "list" IpsetTestFlag string = "test" IpsetSetGenericFlag string = "setgeneric" // not used in ipset commands, used as an internal identifier for nethash/hash:ip,port IpsetSetListFlag string = "setlist" IpsetNetHashFlag string = "nethash" IpsetIPPortHashFlag string = "hash:ip,port" IpsetUDPFlag string = "udp:" IpsetSCTPFlag string = "sctp:" IpsetTCPFlag string = "tcp:" IpsetLabelDelimter string = ":" AzureNpmFlag string = "azure-npm" AzureNpmPrefix string = "azure-npm-" IpsetMaxelemName string = "maxelem" // todo, what's using this? IpsetMaxelemNum string = "4294967295" IpsetNomatch string = "nomatch" // Prefixes for ipsets NamedPortIPSetPrefix string = "namedport:" NamespacePrefix string = "ns-" NamespaceLabelPrefix string = "nslabel-" PodLabelPrefix string = "podlabel-" CIDRPrefix string = "cidr-" NestedLabelPrefix string = "nestedlabel-" EmptySetPrefix string = "empty-" NegationPrefix string = "not-" SetPolicyDelimiter string = "," ) const ( BashCommand string = "bash" BashCommandFlag string = "-c" ) // NPM telemetry constants. const ( AddNamespaceEvent string = "Add Namespace" UpdateNamespaceEvent string = "Update Namespace" DeleteNamespaceEvent string = "Delete Namespace" AddPodEvent string = "Add Pod" UpdatePodEvent string = "Update Pod" DeletePodEvent string = "Delete Pod" AddNetworkPolicyEvent string = "Add network policy" UpdateNetworkPolicyEvent string = "Update network policy" DeleteNetworkPolicyEvent string = "Delete network policy" ErrorMetric string = "ErrorMetric" PackageName string = "PackageName" FunctionName string = "FunctionName" ErrorCode string = "ErrorCode" // Default batch size in AI telemetry // Defined here https://docs.microsoft.com/en-us/azure/azure-monitor/app/pricing BatchSizeInBytes int = 32768 BatchIntervalInSecs int = 30 RefreshTimeoutInSecs int = 15 GetEnvRetryCount int = 5 GetEnvRetryWaitTimeInSecs int = 3 AiInitializeRetryCount int = 3 AiInitializeRetryInMin int = 1 ErrorValue float64 = 1 ) const ( // AzureNetworkName is the default network Azure CNI creates AzureNetworkName = "azure" // CalicoNetworkName is the default network Calico CNI creates CalicoNetworkName = "Calico" ) // These ID represents where did the error log generate from. // It's for better query purpose. In Kusto these value are used in // OperationID column const ( NpmID int = iota + 1 IpsmID // ipsetmanager in v2 IptmID // policymanager in v2 NSID PodID NetpolID UtilID DaemonID ControllerID DaemonDataplaneID // for v2 FanOutServerID // for v2 ) func SetIptablesToNft() { klog.Info("setting iptables to nft") Iptables = IptablesNft IptablesSave = IptablesSaveNft IptablesRestore = IptablesRestoreNft } func SetIptablesToLegacy() { klog.Info("setting iptables to legacy") Iptables = IptablesLegacy IptablesSave = IptablesSaveLegacy IptablesRestore = IptablesRestoreLegacy }