// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package constants holds the string and numeric constants shared by the
// iptables configuration tooling: iptables table and chain names, rule
// targets, CLI flag names, defaults, and the environment variables that are
// registered here for documentation and resolved through viper.
package constants

import (
	"time"

	"istio.io/istio/pkg/env"
)

// Names of the iptables tables that generated rules are installed into.
const (
	MANGLE = "mangle"
	NAT    = "nat"
	FILTER = "filter"
	RAW    = "raw"
)

// Built-in iptables chains. These exist in every table and are never created
// or deleted by the tooling, unlike the ISTIO_* chains declared below.
const (
	INPUT       = "INPUT"
	OUTPUT      = "OUTPUT"
	FORWARD     = "FORWARD"
	PREROUTING  = "PREROUTING"
	POSTROUTING = "POSTROUTING"
)

// BuiltInChainsMap is the set of built-in chain names above, laid out as a
// map for membership tests; the struct{} values carry no data.
var BuiltInChainsMap = map[string]struct{}{
	INPUT:       {},
	OUTPUT:      {},
	FORWARD:     {},
	PREROUTING:  {},
	POSTROUTING: {},
}

// Constants used for generating iptables commands: the protocol names
// accepted by -p, followed by the jump targets accepted by -j.
const (
	TCP = "tcp"
	UDP = "udp"

	TPROXY   = "TPROXY"
	RETURN   = "RETURN"
	ACCEPT   = "ACCEPT"
	REJECT   = "REJECT"
	REDIRECT = "REDIRECT"
	MARK     = "MARK"
	CT       = "CT"
	DROP     = "DROP"
)

const (
	// IPVersionSpecific is a placeholder token used as input to rules. It is
	// replaced with the IP version specific value (v4 or v6) when the rule is
	// rendered for a particular address family.
	IPVersionSpecific = "PLACEHOLDER_IP_VERSION_SPECIFIC"
)

// Names of the custom iptables chains created by Istio, as distinct from the
// built-in chains declared above.
const (
	ISTIOOUTPUT     = "ISTIO_OUTPUT"
	ISTIOINBOUND    = "ISTIO_INBOUND"
	ISTIODIVERT     = "ISTIO_DIVERT"
	ISTIOTPROXY     = "ISTIO_TPROXY"
	ISTIOREDIRECT   = "ISTIO_REDIRECT"
	ISTIOINREDIRECT = "ISTIO_IN_REDIRECT"
)

// Names of the command-line flags registered with cobra/viper. Each constant
// is the long flag name; the same names are used as viper keys.
const (
	InboundInterceptionMode   = "istio-inbound-interception-mode"
	InboundTProxyMark         = "istio-inbound-tproxy-mark"
	InboundTProxyRouteTable   = "istio-inbound-tproxy-route-table"
	InboundPorts              = "istio-inbound-ports"
	LocalExcludePorts         = "istio-local-exclude-ports"
	ExcludeInterfaces         = "istio-exclude-interfaces"
	ServiceCidr               = "istio-service-cidr"
	ServiceExcludeCidr        = "istio-service-exclude-cidr"
	OutboundPorts             = "istio-outbound-ports"
	LocalOutboundPortsExclude = "istio-local-outbound-ports-exclude"
	EnvoyPort                 = "envoy-port"
	InboundCapturePort        = "inbound-capture-port"
	InboundTunnelPort         = "inbound-tunnel-port"
	ProxyUID                  = "proxy-uid"
	ProxyGID                  = "proxy-gid"
	KubeVirtInterfaces        = "kube-virt-interfaces"
	DryRun                    = "dry-run"
	TraceLogging              = "iptables-trace-logging"
	RestoreFormat             = "restore-format"
	SkipRuleApply             = "skip-rule-apply"
	RunValidation             = "run-validation"
	IptablesProbePort         = "iptables-probe-port"
	ProbeTimeout              = "probe-timeout"
	RedirectDNS               = "redirect-dns"
	DropInvalid               = "drop-invalid"
	DualStack                 = "dual-stack"
	CaptureAllDNS             = "capture-all-dns"
	NetworkNamespace          = "network-namespace"
	CNIMode                   = "cni-mode"
	IptablesVersion           = "iptables-version"
)

// Environment variables that deliberately have no equivalent command-line flags.
//
// The variables are defined as env.Var for documentation purposes.
//
// Use viper to resolve the value of the environment variable.
//
// NOTE(review): INBOUND_INTERCEPTION_MODE and INBOUND_TPROXY_MARK mirror the
// InboundInterceptionMode and InboundTProxyMark flag names declared above, so
// the "no equivalent command-line flags" statement may not hold for those
// two — confirm against the CLI wiring.
var (
	// HostIPv4LoopbackCidr defaults to the single loopback address 127.0.0.1/32.
	HostIPv4LoopbackCidr = env.Register("ISTIO_OUTBOUND_IPV4_LOOPBACK_CIDR", "127.0.0.1/32",
		`IPv4 CIDR range used to identify outbound traffic on loopback interface intended for application container`)

	// OwnerGroupsInclude defaults to "*", i.e. all groups are redirected.
	OwnerGroupsInclude = env.Register("ISTIO_OUTBOUND_OWNER_GROUPS", "*",
		`Comma separated list of groups whose outgoing traffic is to be redirected to Envoy.
A group can be specified either by name or by a numeric GID.
The wildcard character "*" can be used to configure redirection of traffic from all groups.`)

	// OwnerGroupsExclude defaults to empty, i.e. no groups are excluded.
	OwnerGroupsExclude = env.Register("ISTIO_OUTBOUND_OWNER_GROUPS_EXCLUDE", "",
		`Comma separated list of groups whose outgoing traffic is to be excluded from redirection to Envoy.
A group can be specified either by name or by a numeric GID.
Only applies when traffic from all groups (i.e. "*") is being redirected to Envoy.`)

	// IstioInboundInterceptionMode has no default; an empty value means unset.
	IstioInboundInterceptionMode = env.Register("INBOUND_INTERCEPTION_MODE", "",
		`The mode used to redirect inbound connections to Envoy, either "REDIRECT" or "TPROXY"`)

	// IstioInboundTproxyMark is registered with an empty description, so it
	// produces no documentation. It parallels the InboundTProxyMark flag;
	// consider describing the expected mark value here.
	IstioInboundTproxyMark = env.Register("INBOUND_TPROXY_MARK", "",
		``)
)

// Default UID of the proxy user, in string and int64 form. The two values
// must stay in sync.
const (
	DefaultProxyUID    = "1337"
	DefaultProxyUIDInt = int64(1337)
)

// Names of environment variables consulted by the tooling.
const (
	EnvoyUser = "ENVOY_USER"
)

// Constants for syscall
const (
	// SoOriginalDst is the getsockopt option number SO_ORIGINAL_DST.
	// NOTE(review): the original comment cited sys/socket.h; the value 80
	// corresponds to SO_ORIGINAL_DST in linux/netfilter_ipv4.h — confirm which
	// header is meant.
	SoOriginalDst = 80
)

// Defaults for the iptables probe. The string and integer forms of the port
// must stay in sync.
const (
	DefaultIptablesProbePort     = "15002"
	DefaultIptablesProbePortUint = 15002 // untyped integer constant despite the name
	DefaultProbeTimeout          = 5 * time.Second
)

// Constants for the validation container.
const (
	ValidationContainerName = "istio-validation"
	ValidationErrorCode     = 126
)

// DNS ports, kept as strings for use in rule generation.
const (
	IstioAgentDNSListenerPort = "15053"
)

// IptablesCmd identifies, as an enum, which iptables operation or command to
// run. The implementation picks the correct underlying binary, so callers
// only state what they want done through one of the values below.
type IptablesCmd int

// The supported operations. Values are consecutive, starting at zero.
const (
	IPTables IptablesCmd = iota
	IPTablesSave
	IPTablesRestore
)
