tools/istio-iptables/pkg/capture/run_linux.go - dubbo-go-pixiu - Git at Google

 // Copyright Istio Authors
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //	http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package capture

 import (
 	"fmt"
 	"net"
 	"strconv"
 )

 import (
 	"github.com/vishvananda/netlink"
 	"golang.org/x/sys/unix"
 )

 import (
 	"github.com/apache/dubbo-go-pixiu/tools/istio-iptables/pkg/config"
 	"github.com/apache/dubbo-go-pixiu/tools/istio-iptables/pkg/constants"
 )

 // configureTProxyRoutes configures ip firewall rules to enable TPROXY support.
 // See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/original_src_filter
 func configureTProxyRoutes(cfg *config.Config) error {
 	if cfg.InboundPortsInclude != "" {
 		if cfg.InboundInterceptionMode == constants.TPROXY {
 			link, err := netlink.LinkByName("lo")
 			if err != nil {
 				return fmt.Errorf("failed to find 'lo' link: %v", err)
 			}
 			tproxyTable, err := strconv.Atoi(cfg.InboundTProxyRouteTable)
 			if err != nil {
 				return fmt.Errorf("failed to parse InboundTProxyRouteTable: %v", err)
 			}
 			tproxyMark, err := strconv.Atoi(cfg.InboundTProxyMark)
 			if err != nil {
 				return fmt.Errorf("failed to parse InboundTProxyMark: %v", err)
 			}
 			// Route all packets marked in chain ISTIODIVERT using routing table ${INBOUND_TPROXY_ROUTE_TABLE}.
 			// Equivalent to `ip rule add fwmark <tproxyMark> lookup <tproxyTable>`
 			families := []int{unix.AF_INET}
 			if cfg.EnableInboundIPv6 {
 				families = append(families, unix.AF_INET6)
 			}
 			for _, family := range families {
 				r := netlink.NewRule()
 				r.Family = family
 				r.Table = tproxyTable
 				r.Mark = tproxyMark
 				if err := netlink.RuleAdd(r); err != nil {
 					return fmt.Errorf("failed to configure netlink rule: %v", err)
 				}
 			}
 			// In routing table ${INBOUND_TPROXY_ROUTE_TABLE}, create a single default rule to route all traffic to
 			// the loopback interface.
 			// Equivalent to `ip route add local default dev lo table <table>`
 			cidrs := []string{"0.0.0.0/0"}
 			if cfg.EnableInboundIPv6 {
 				cidrs = append(cidrs, "0::0/0")
 			}
 			for _, fullCIDR := range cidrs {
 				_, dst, err := net.ParseCIDR(fullCIDR)
 				if err != nil {
 					return fmt.Errorf("parse CIDR: %v", err)
 				}

 				if err := netlink.RouteAdd(&netlink.Route{
 					Dst:       dst,
 					Scope:     netlink.SCOPE_HOST,
 					Type:      unix.RTN_LOCAL,
 					Table:     tproxyTable,
 					LinkIndex: link.Attrs().Index,
 				}); ignoreExists(err) != nil {
 					return fmt.Errorf("failed to add route: %v", err)
 				}
 			}
 		}
 	}
 	return nil
 }
	// Copyright Istio Authors
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.
	package capture

	import (
	"fmt"
	"net"
	"strconv"
	)

	import (
	"github.com/vishvananda/netlink"
	"golang.org/x/sys/unix"
	)

	import (
	"github.com/apache/dubbo-go-pixiu/tools/istio-iptables/pkg/config"
	"github.com/apache/dubbo-go-pixiu/tools/istio-iptables/pkg/constants"
	)

	// configureTProxyRoutes configures ip firewall rules to enable TPROXY support.
	// See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/original_src_filter
	func configureTProxyRoutes(cfg *config.Config) error {
	if cfg.InboundPortsInclude != "" {
	if cfg.InboundInterceptionMode == constants.TPROXY {
	link, err := netlink.LinkByName("lo")
	if err != nil {
	return fmt.Errorf("failed to find 'lo' link: %v", err)
	}
	tproxyTable, err := strconv.Atoi(cfg.InboundTProxyRouteTable)
	if err != nil {
	return fmt.Errorf("failed to parse InboundTProxyRouteTable: %v", err)
	}
	tproxyMark, err := strconv.Atoi(cfg.InboundTProxyMark)
	if err != nil {
	return fmt.Errorf("failed to parse InboundTProxyMark: %v", err)
	}
	// Route all packets marked in chain ISTIODIVERT using routing table ${INBOUND_TPROXY_ROUTE_TABLE}.
	// Equivalent to `ip rule add fwmark <tproxyMark> lookup <tproxyTable>`
	families := []int{unix.AF_INET}
	if cfg.EnableInboundIPv6 {
	families = append(families, unix.AF_INET6)
	}
	for _, family := range families {
	r := netlink.NewRule()
	r.Family = family
	r.Table = tproxyTable
	r.Mark = tproxyMark
	if err := netlink.RuleAdd(r); err != nil {
	return fmt.Errorf("failed to configure netlink rule: %v", err)
	}
	}
	// In routing table ${INBOUND_TPROXY_ROUTE_TABLE}, create a single default rule to route all traffic to
	// the loopback interface.
	// Equivalent to `ip route add local default dev lo table <table>`
	cidrs := []string{"0.0.0.0/0"}
	if cfg.EnableInboundIPv6 {
	cidrs = append(cidrs, "0::0/0")
	}
	for _, fullCIDR := range cidrs {
	_, dst, err := net.ParseCIDR(fullCIDR)
	if err != nil {
	return fmt.Errorf("parse CIDR: %v", err)
	}

	if err := netlink.RouteAdd(&netlink.Route{
	Dst: dst,
	Scope: netlink.SCOPE_HOST,
	Type: unix.RTN_LOCAL,
	Table: tproxyTable,
	LinkIndex: link.Attrs().Index,
	}); ignoreExists(err) != nil {
	return fmt.Errorf("failed to add route: %v", err)
	}
	}
	}
	}
	return nil
	}