From d377a5157802ac31427d36a072fbaf1b64614423 Mon Sep 17 00:00:00 2001
From: Matthew Heon
Date: Sun, 9 Sep 2018 13:31:56 -0400
Subject: Replace existing iptables handler with firewall code

Use the new firewall code vendored from CNI to replace the existing iptables rule addition handler we had in place. This adds proper support for firewalld and should be much better at interacting with the firewall.

Signed-off-by: Matthew Heon

Closes: #1431
Approved by: baude
---
 pkg/firewall/common.go | 6 +++++-
 pkg/firewall/firewall_none.go | 6 ++++--
 pkg/firewall/iptables.go | 21 ---------------------
 3 files changed, 9 insertions(+), 24 deletions(-)
(limited to 'pkg')

diff --git a/pkg/firewall/common.go b/pkg/firewall/common.go
index 993c691cd..a65d4f03d 100644
--- a/pkg/firewall/common.go
+++ b/pkg/firewall/common.go
@@ -21,6 +21,8 @@ import (
 )
 
 // FirewallNetConf represents the firewall configuration.
+// Nolint applied for firewall.Firewall... name duplication notice.
+//nolint
 type FirewallNetConf struct {
 //types.NetConf
 
@@ -33,11 +35,13 @@ type FirewallNetConf struct {
 // to 'trusted'
 FirewalldZone string
 
- PrevResult *current.Result
+ PrevResult *current.Result
 }
 
 // FirewallBackend is an interface to the system firewall, allowing addition and
 // removal of firewall rules.
+// Nolint applied for firewall.Firewall... name duplication notice.
+//nolint
 type FirewallBackend interface {
 Add(*FirewallNetConf) error
 Del(*FirewallNetConf) error
diff --git a/pkg/firewall/firewall_none.go b/pkg/firewall/firewall_none.go
index 9f9594b4a..9add24842 100644
--- a/pkg/firewall/firewall_none.go
+++ b/pkg/firewall/firewall_none.go
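Review bot: The bare `//nolint` added above `FirewallNetConf` and `FirewallBackend` in both common.go hunks (and above `FirewallNone` in the firewall_none.go hunk) suppresses every linter on those declarations, not only the name-stutter notice the preceding comment explains, so any future gosec, errcheck or staticcheck finding on these types would be silenced as well. Scope the directive to the linter that reports the stutter, e.g. `//nolint:golint` if golint is the one emitting it. Because the directive sits directly between the doc comment and the `type` line with no blank line, both it and its explanation become part of the type's godoc text; placing it at the end of the `type` line (which should still cover the whole declaration) keeps the doc comment clean. The body of `FirewallNetConf` continues outside the first hunk.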
@@ -19,8 +19,10 @@ import (
 )
 
 // FirewallNone is a firewall backend for environments where manipulating the
-// system firewall is unsupported (for example, when running without root)
-type FirewallNone struct {}
+// system firewall is unsupported (for example, when running without root).
+// Nolint applied to avoid firewall.FirewallNone name duplication notes.
+//nolint
+type FirewallNone struct{}
 
 func newNoneBackend() (FirewallBackend, error) {
 return &FirewallNone{}, nil
diff --git a/pkg/firewall/iptables.go b/pkg/firewall/iptables.go
index 9f065dbcf..59d81b287 100644
--- a/pkg/firewall/iptables.go
+++ b/pkg/firewall/iptables.go
@@ -51,10 +51,6 @@ func generateFilterRule(privChainName string) []string {
 return []string{"-m", "comment", "--comment", "CNI firewall plugin rules", "-j", privChainName}
 }
 
-func generateAdminRule(adminChainName string) []string {
- return []string{"-m", "comment", "--comment", "CNI firewall plugin admin overrides", "-j", adminChainName}
-}
-
 func cleanupRules(ipt *iptables.IPTables, privChainName string, rules [][]string) {
 for _, rule := range rules {
 ipt.Delete("filter", privChainName, rule...)
@@ -148,23 +144,6 @@ func (ib *iptablesBackend) delRules(conf *FirewallNetConf, ipt *iptables.IPTable
 return nil
 }
 
-func findProtos(conf *FirewallNetConf) []iptables.Protocol {
- protos := []iptables.Protocol{iptables.ProtocolIPv4, iptables.ProtocolIPv6}
- if conf.PrevResult != nil {
- // If PrevResult is given, scan all IP addresses to figure out
- // which IP versions to use
- protos = []iptables.Protocol{}
- for _, addr := range conf.PrevResult.IPs {
- if addr.Address.IP.To4() != nil {
- protos = append(protos, iptables.ProtocolIPv4)
- } else {
- protos = append(protos, iptables.ProtocolIPv6)
- }
- }
- }
- return protos
- }
-
 type iptablesBackend struct {
 protos map[iptables.Protocol]*iptables.IPTables
 privChainName string
-- 
cgit v1.2.3-54-g00ecf