zishuo/ugate
1
0
Fork 0
mirror of https://github.com/costinm/ugate.git synced 2024-07-06 23:52:40 +08:00
Code Issues Packages Projects Releases Wiki Activity
4f213a5560
ugate/cmd/iptables.sh
Costin Manolache 4f213a5560 Another 2 weekends of development. 
- updated gvisor to head, moved to ugate/ext/gvisor
- same for lwIP
- added a test harness with stable IDs
- improved the stream basic interface to allow eager send
- better use of buffers
2021-05-09 16:40:22 -07:00

154 lines
5.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/sh
# Simplified istio iptables
# Use a different GID to run iperf3 or tests.
# Defaults:
# - capture all in and out traffic, unless:
# - {INBOUND|OUTBOUND}_PORTS_INCLUDE - only those ports will be captured
# - {INBOUND|OUTBOUND}_PORTS_EXCLUDE - if INCLUDE is not set, everything except those ports
# To turn off, set *_PORTS_INCLUDE to "-".
# Ranges are not supported: istio used them as a workaround
# before transparent proxy worked efficiently.
# Capturing with tproxy can be done with separate script, should
# not be mixed in.
# For testing iperf3, use:
# PROXY_GROUP=costin INBOUND_PORTS_INCLUDE=5201 OUTBOUND_PORTS_INCLUDE=5201
OUTBOUND_CAPTURE_PORT=${OUTBOUND_CAPTURE_PORT:-15001}
INBOUND_CAPTURE_PORT=${INBOUND_CAPTURE_PORT:-15006}
set -x
# Default mode is Istio compatible capture
if [ -z "${IN}" ] ; then
INBOUND_PORTS_EXCLUDE=${INBOUND_PORTS_EXCLUDE:-"-"}
OUTBOUND_PORTS_EXCLUDE=${OUTBOUND_PORTS_EXCLUDE:-"-"}
else
# Default opt-in list of capture.
# May be set to "-" to not capture anything.
# If _PORTS_EXCLUDE is set, all ports except excluded are captured.
INBOUND_PORTS_INCLUDE=${INBOUND_PORTS_INCLUDE:-${IN}}
OUTBOUND_PORTS_INCLUDE=${OUTBOUND_PORTS_INCLUDE:-${OUT}}
fi
# If INCLUDE is set, only those ports are captured, else
# all ports except EXCLUDE are captured
if [ -z "${PROXY_GID}" ] ; then
PROXY_GID=$(id -g "${PROXY_GROUP:-istio-proxy}")
fi
ipt_clean() {
# Remove the old chains, to generate new configs.
${IPT} -t nat -D PREROUTING -p tcp -j ISTIO_INBOUND 2>/dev/null
${IPT} -t mangle -D PREROUTING -p tcp -j ISTIO_INBOUND 2>/dev/null
${IPT} -t nat -D OUTPUT -p tcp -j ISTIO_OUTPUT 2>/dev/null
# Flush and delete the istio chains.
${IPT} -t nat -F ISTIO_OUTPUT 2>/dev/null
${IPT} -t nat -X ISTIO_OUTPUT 2>/dev/null
${IPT} -t nat -F ISTIO_INBOUND 2>/dev/null
${IPT} -t nat -X ISTIO_INBOUND 2>/dev/null
# Must be last, the others refer to it
${IPT} -t nat -F ISTIO_REDIRECT 2>/dev/null
${IPT} -t nat -X ISTIO_REDIRECT 2>/dev/null
${IPT} -t nat -F ISTIO_IN_REDIRECT 2>/dev/null
${IPT} -t nat -X ISTIO_IN_REDIRECT 2>/dev/null
}
ipt_out() {
# Create a new chain for redirecting outbound traffic to the common Envoy port.
# In both chains, '-j RETURN' bypasses Envoy and '-j ISTIO_REDIRECT'
# redirects to Envoy.
${IPT} -t nat -N ISTIO_REDIRECT
${IPT} -t nat -A ISTIO_REDIRECT -p tcp -j REDIRECT --to-port "${OUTBOUND_CAPTURE_PORT}"
# Create a new chain for selectively redirecting outbound packets to Envoy.
${IPT} -t nat -N ISTIO_OUTPUT
# Jump to the ISTIO_OUTPUT chain from OUTPUT chain for all tcp traffic.
${IPT} -t nat -A OUTPUT -p tcp -j ISTIO_OUTPUT
if [ ${IPT} == "iptables" ] ; then
# 127.0.0.6 is bind connect from inbound passthrough cluster
${IPT} -t nat -A ISTIO_OUTPUT -o lo -s 127.0.0.6/32 -j RETURN
# Skip redirection for Envoy-aware applications and
# container-to-container traffic both of which explicitly use
# localhost.
${IPT} -t nat -A ISTIO_OUTPUT -d 127.0.0.1/32 -j RETURN
else
${IPT} -t nat -A ISTIO_OUTPUT -d ::1/32 -j RETURN
# Capture FD00 - VIP for mesh nodes
${IPT} -t nat -A ISTIO_OUTPUT -d fd00::/16 -j ISTIO_REDIRECT
fi
# Avoid infinite loops. Don't redirect Envoy traffic directly back to
# Envoy for non-loopback traffic.
${IPT} -t nat -A ISTIO_OUTPUT -m owner --gid-owner "${PROXY_GID}" -j RETURN
if [ -n "${OUTBOUND_PORTS_EXCLUDE}" ]; then
# BTS port is direct.
${IPT} -t nat -A ISTIO_OUTPUT -p tcp --dport 15007 -j RETURN
if [ "${OUTBOUND_PORTS_EXCLUDE}" != "-" ]; then
IFS=,
for port in $OUTBOUND_PORTS_EXCLUDE ; do
${IPT} -t nat -A ISTIO_OUTPUT -p tcp --dport "${port}" -j RETURN
done
fi
# Everything else
${IPT} -t nat -A ISTIO_OUTPUT -p tcp -j ISTIO_REDIRECT
else
# For probing iptables
${IPT} -t nat -A ISTIO_OUTPUT -p tcp --dport 15201 -j ISTIO_REDIRECT
if [ -n "${OUTBOUND_PORTS_INCLUDE}" ]; then
IFS=,
for port in ${OUTBOUND_PORTS_INCLUDE} ; do
${IPT} -t nat -A ISTIO_OUTPUT -p tcp --dport "${port}" -j ISTIO_REDIRECT
done
fi
fi
}
ipt_in() {
# Use this chain also for redirecting inbound traffic to the common Envoy port
${IPT} -t nat -N ISTIO_IN_REDIRECT
${IPT} -t nat -A ISTIO_IN_REDIRECT -p tcp -j REDIRECT --to-port "${INBOUND_CAPTURE_PORT}"
${IPT} -t nat -N ISTIO_INBOUND
${IPT} -t nat -A PREROUTING ${IN_IF:-} -p tcp -j ISTIO_INBOUND
# Istio uses * to indicate all capture.
if [ -n "${INBOUND_PORTS_EXCLUDE}" ]; then
${IPT} -t nat -A ISTIO_INBOUND -p tcp --dport 22 -j RETURN
${IPT} -t nat -A ISTIO_INBOUND -p tcp --dport 15007 -j RETURN
if [ "${INBOUND_PORTS_EXCLUDE}" != "-" ]; then
IFS=,
for port in ${INBOUND_PORTS_EXCLUDE} ; do
${IPT} -t nat -A ISTIO_INBOUND -p tcp --dport "${port}" -j RETURN
done
fi
${IPT} -t nat -A ISTIO_INBOUND -p tcp -j ISTIO_IN_REDIRECT
else
if [ "${INBOUND_PORTS_INCLUDE}" != "-" ] ; then
IFS=,
for port in ${INBOUND_PORTS_INCLUDE}; do
${IPT} -t nat -A ISTIO_INBOUND -p tcp --dport "${port}" -j ISTIO_IN_REDIRECT
done
fi
fi
}
IPT=iptables ipt_clean
IPT=iptables ipt_in
IPT=iptables ipt_out
IPT=ip6tables ipt_clean
IPT=ip6tables ipt_in
IPT=ip6tables ipt_out
Reference in New Issue View Git Blame Copy Permalink