istio
61 строка · 2.0 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package config16import (18"fmt"19"net/netip"20)21const (23// Due to implementation constraints, we have to impose a limit on the24// number of owner groups whose outgoing traffic should be redirected25// to Envoy.26//27// Since all included groups will be translated into a single Iptables28// rule that combines N match expressions `-m owner ! --gid-owner <GID>`,29// we need to be sure it won't be too long.30//31// Most common Linux distributions allow no more than 128-120032// match expressions per rule.33maxOwnerGroupsInclude = 6434)35func ValidateOwnerGroups(include, exclude string) error {37filter := ParseInterceptFilter(include, exclude)38if !filter.Except && len(filter.Values) > maxOwnerGroupsInclude {39return fmt.Errorf("number of owner groups whose outgoing traffic "+40"should be redirected to Envoy cannot exceed %d, got %d: %v",41maxOwnerGroupsInclude, len(filter.Values), filter.Values)42}43return nil44}45func ValidateIPv4LoopbackCidr(cidr string) error {47ipp, err := netip.ParsePrefix(cidr)48if err != nil {49return fmt.Errorf("failed to parse CIDR %s: %v", cidr, err)50}51if !ipp.Addr().Is4() || !ipp.Addr().IsLoopback() {53return fmt.Errorf("expected valid IPv4 loopback address in CIDR %s; found %v", cidr, ipp.Addr())54}55ones := ipp.Bits()57if ones < 8 || ones > 32 {58return fmt.Errorf("expected CIDR %s to have mask in range [8, 32]; found %v", cidr, ones)59}60return nil61}62