Merge pull request #16 from danwinship/iptables-bypass

aojea · web-flow · commit e4cc04bb22f2 · 2024-04-05T19:41:26.000+02:00
Implement !FailOpen for iptables
diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
@@ -365,21 +365,31 @@ func (c *Controller) cleanNFTablesRules() {
 }
 
 func (c *Controller) syncIptablesRules() {
-	if err := c.ipt.InsertUnique("filter", "FORWARD", 1, "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {
+	queueRule := []string{"-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-num", strconv.Itoa(c.config.QueueID)}
+	if c.config.FailOpen {
+		queueRule = append(queueRule, "--queue-bypass")
+	}
+
+	if err := c.ipt.InsertUnique("filter", "FORWARD", 1, queueRule...); err != nil {
 		klog.Infof("error syncing iptables rule %v", err)
 	}
 
-	if err := c.ipt.InsertUnique("filter", "OUTPUT", 1, "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {
+	if err := c.ipt.InsertUnique("filter", "OUTPUT", 1, queueRule...); err != nil {
 		klog.Infof("error syncing iptables rule %v", err)
 	}
 }
 
 func (c *Controller) cleanIptablesRules() {
-	if err := c.ipt.Delete("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {
+	queueRule := []string{"-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-num", strconv.Itoa(c.config.QueueID)}
+	if c.config.FailOpen {
+		queueRule = append(queueRule, "--queue-bypass")
+	}
+
+	if err := c.ipt.Delete("filter", "FORWARD", queueRule...); err != nil {
 		klog.Infof("error deleting iptables rule %v", err)
 	}
 
-	if err := c.ipt.Delete("filter", "OUTPUT", "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {
+	if err := c.ipt.Delete("filter", "OUTPUT", queueRule...); err != nil {
 		klog.Infof("error deleting iptables rule %v", err)
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -365,21 +365,31 @@ func (c *Controller) cleanNFTablesRules() {`
`365`	`365`	`}`
`366`	`366`
`367`	`367`	`func (c *Controller) syncIptablesRules() {`
`368`		`- if err := c.ipt.InsertUnique("filter", "FORWARD", 1, "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {`
	`368`	`+ queueRule := []string{"-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-num", strconv.Itoa(c.config.QueueID)}`
	`369`	`+ if c.config.FailOpen {`
	`370`	`+ queueRule = append(queueRule, "--queue-bypass")`
	`371`	`+ }`
	`372`	`+`
	`373`	`+ if err := c.ipt.InsertUnique("filter", "FORWARD", 1, queueRule...); err != nil {`
`369`	`374`	`klog.Infof("error syncing iptables rule %v", err)`
`370`	`375`	`}`
`371`	`376`
`372`		`- if err := c.ipt.InsertUnique("filter", "OUTPUT", 1, "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {`
	`377`	`+ if err := c.ipt.InsertUnique("filter", "OUTPUT", 1, queueRule...); err != nil {`
`373`	`378`	`klog.Infof("error syncing iptables rule %v", err)`
`374`	`379`	`}`
`375`	`380`	`}`
`376`	`381`
`377`	`382`	`func (c *Controller) cleanIptablesRules() {`
`378`		`- if err := c.ipt.Delete("filter", "FORWARD", "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {`
	`383`	`+ queueRule := []string{"-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-num", strconv.Itoa(c.config.QueueID)}`
	`384`	`+ if c.config.FailOpen {`
	`385`	`+ queueRule = append(queueRule, "--queue-bypass")`
	`386`	`+ }`
	`387`	`+`
	`388`	`+ if err := c.ipt.Delete("filter", "FORWARD", queueRule...); err != nil {`
`379`	`389`	`klog.Infof("error deleting iptables rule %v", err)`
`380`	`390`	`}`
`381`	`391`
`382`		`- if err := c.ipt.Delete("filter", "OUTPUT", "-m", "conntrack", "--ctstate", "NEW", "-j", "NFQUEUE", "--queue-bypass", "--queue-num", strconv.Itoa(c.config.QueueID)); err != nil {`
	`392`	`+ if err := c.ipt.Delete("filter", "OUTPUT", queueRule...); err != nil {`
`383`	`393`	`klog.Infof("error deleting iptables rule %v", err)`
`384`	`394`	`}`
`385`	`395`	`}`