Commit Graph

33 Commits

Author SHA1 Message Date
06ba001d84 Update containernetworking/cni to v1.2.3 for GC
Signed-off-by: Dan Winship <danwinship@redhat.com>
2024-08-28 12:17:48 -04:00
0a100e5d8f meta: firewall: Fix firewalld test with non-abstract sockets
On a recent Fedora Rawhide, dbus-daemon-1.14.8-1 prints a string
prefixed by 'unix:path' instead of the expected 'unix:abstract', thereby
failing the test. Allowing this alternate prefix fixes the test, so for
communication with the daemon it is not relevant.

Signed-off-by: Phil Sutter <psutter@redhat.com>
2023-07-20 11:34:34 +02:00
10ddd9e454 enable govet and unparam linters
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-04-11 12:07:04 +02:00
deec68747e Merge pull request #853 from mmorel-35/ginkgolinter
enable ginkgolinter linter
2023-04-04 15:24:20 +02:00
8813bfea7b Merge pull request #855 from mmorel-35/linters
enable durationcheck,  predeclared, unconvert, unused and wastedassign linters
2023-03-27 10:53:34 -05:00
d71d0f2da1 Fix revive linter errors
Golangci-lint is now running version 1.52.1. This introduced some errors.

Signed-off-by: Marcelo Guerrero Viveros <marguerr@redhat.com>
2023-03-24 21:04:39 +01:00
2fb0efe8a3 enable durationcheck, predeclared, unconvert, unused and wastedassign linters
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-16 07:29:37 +01:00
09f36a295d enable ginkgolinter linter
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-13 22:27:21 +00:00
79f524689c enable gocritic linter
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-13 17:59:33 +01:00
5a7619c019 enable gosimple linter
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-13 17:59:31 +01:00
d12b81dec5 ci(lint): setup golangci-lint
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2023-03-01 06:55:40 +00:00
2d1005ec02 Update tests to utilize ginkgo/v2
This commit updates the import of ginkgo to v2 in
all of the tests.

Signed-off-by: liornoy <lnoy@redhat.com>
Co-authored-by: Sascha Grunert <sgrunert@redhat.com>
2023-02-13 21:15:18 +02:00
22dd6c553d firewall: support ingressPolicy=(open|same-bridge) for isolating bridges as in Docker
This commit adds a new parameter `ingressPolicy` (`string`) to the `firewall` plugin.
The supported values are `open` and `same-bridge`.

- `open` is the default and does NOP.

- `same-bridge` creates "CNI-ISOLATION-STAGE-1" and "CNI-ISOLATION-STAGE-2"
that are similar to Docker libnetwork's "DOCKER-ISOLATION-STAGE-1" and
"DOCKER-ISOLATION-STAGE-2" rules.

e.g., when `ns1` and `ns2` are connected to bridge `cni1`, and `ns3` is
connected to bridge `cni2`, the `same-bridge` ingress policy disallows
communications between `ns1` and `ns3`, while allowing communications
between `ns1` and `ns2`.

Please refer to the comment lines in `ingresspolicy.go` for the actual iptables rules.

The `same-bridge` ingress policy is expected to be used in conjunction
with `bridge` plugin. May not work as expected with other "main" plugins.

It should be also noted that the `same-bridge` ingress policy executes
raw `iptables` commands directly, even when the `backend` is set to `firewalld`.
We could potentially use the "direct" API of firewalld [1] to execute
iptables via firewalld, but it doesn't seem to have a clear benefit over just directly
executing raw iptables commands.
(Anyway, we have been already executing raw iptables commands in the `portmap` plugin)

[1] https://firewalld.org/documentation/direct/options.html

This commit replaces the `isolation` plugin proposal (issue 573, PR 574).
The design of `ingressPolicy` was discussed in the comments of the withdrawn PR 574 ,
but `same-network` was renamed to `same-bridge` then.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-02-03 15:49:43 +09:00
ba48f8a659 plugins: fix bug where support for CNI version 0.4.0 or 1.0.0 was dropped
Signed-off-by: Casey Callendrello <cdc@redhat.com>
2021-09-07 15:48:16 +02:00
bc856372bb go.mod: godbus/dbus/v5 v5.0.3, coreos/go-systemd v22.2.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-09 00:07:25 +02:00
5b02c2ab70 Fix broken links to online docs in plugin READMEs
Signed-off-by: Kavya <kavya.g@ibm.com>
2021-03-25 13:07:33 +05:30
f33eedb6eb firewall: increase test coverage to 1.0.0 and older spec versions
Signed-off-by: Dan Williams <dcbw@redhat.com>
2021-02-12 14:56:24 -06:00
7d8c767622 plugins: update to spec version 1.0.0
Signed-off-by: Dan Williams <dcbw@redhat.com>
2021-02-11 23:27:08 -06:00
cccf5395e8 Updating plugin README.md files (#549)
Removing content and pointing at the new website as a part of the CNI Documentation migration.

Signed-off-by: Nate W <4453979+nate-double-u@users.noreply.github.com>
2020-11-18 17:38:45 +01:00
3aadb402e4 Merge pull request #505 from xtreme-sameer-vohra/patch-1
Update firewall README.md
2020-08-05 10:26:27 -05:00
021462563b Update firewall README.md CNI-ADMIN
Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>
2020-08-04 15:35:39 -05:00
813f541d30 firewall: fix some typos in docs
Signed-off-by: Bruce Ma <brucema19901024@gmail.com>
2020-07-22 19:38:24 +08:00
051452cdcf Update firewall README.md
Document `CNI-ADMIN` chain usage as well as `iptablesAdminChainName`

Signed-off-by: Sameer Vohra <vohra.sam@gmail.com>
2020-07-13 18:56:19 -05:00
2bd04cb92f firewall: fix generate of admin chain comment
Signed-off-by: Dan Williams <dcbw@redhat.com>
2020-07-01 10:38:12 -05:00
58dd90b996 ensure iptables chain creation is idempotent
Concurrent use of the `portmap` and `firewall` plugins can result in
errors during iptables chain creation:

- The `portmap` plugin has a time-of-check-time-of-use race where it
  checks for existence of the chain but the operation isn't atomic.
- The `firewall` plugin doesn't check for existing chains and just
  returns an error.

This commit makes both operations idempotent by creating the chain and
then discarding the error if it's caused by the chain already
existing. It also factors the chain creation out into `pkg/utils` as a
site for future refactoring work.

Signed-off-by: Tim Gross <tim@0x74696d.com>
2019-11-11 10:00:11 -05:00
0a1421a08c firewall: remove unused netns check from DEL method
Signed-off-by: Erik Sipsma <sipsma@amazon.com>
2019-09-25 20:38:02 +00:00
fc7059c1ae firewall: don't return error in DEL if prevResult is not found.
The CNI spec states that for DEL implementations, "when CNI_NETNS and/or
prevResult are not provided, the plugin should clean up as many resources as
possible (e.g. releasing IPAM allocations) and return a successful response".
This change results in the firewall plugin conforming to the spec by not
returning an error whenever the del method is not provided a prevResult.

Signed-off-by: Erik Sipsma <sipsma@amazon.com>
2019-09-23 21:11:07 +00:00
72f2a1ffd4 plugins: correctly output build version, cosmetic cleanups
Now that libcni has the ability to print a version message, plumb it
through correctly.

While we're at it,
- fix import paths
- run gofmt
- add some more comments to sample
- add container runtime swappability for release
2019-04-15 16:52:07 +02:00
d47387c6fe Add Check support to firewall meta plugin, test cases 2019-04-12 14:37:21 -04:00
95be5da5e2 firewall: add a couple more testcases 2019-04-12 14:37:21 -04:00
b46e1a0138 firewall: consolidate firewalld code into firewall plugin 2019-04-12 14:37:21 -04:00
9d6f1e9975 firewall: add firewalld functionality to firewall plugin
Example of usage, which uses flannel for allocating IP
addresses for containers and then registers them in `trusted`
zone in firewalld:

{
  "cniVersion": "0.3.1",
  "name": "flannel-firewalld",
  "plugins": [
    {
      "name": "cbr0",
      "type": "flannel",
      "delegate": {
        "isDefaultGateway": true
      }
    },
    {
      "type": "firewall",
      "backend": "firewalld",
      "zone": "trusted"
    }
  ]
}

Fixes #114

Signed-off-by: Alban Crequy <alban@kinvolk.io>
Signed-off-by: Michal Rostecki <mrostecki@suse.com>
2019-04-12 14:37:21 -04:00
d096a4df48 firewall: new plugin which allows a host interface to send/receive traffic
Distros often have additional rules in the their iptabvles 'filter' table
that do things like:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

docker, for example, gets around this by adding explicit rules to the filter
table's FORWARD chain to allow traffic from the docker0 interface.  Do that
for a given host interface too, as a chained plugin.
2019-04-12 14:37:21 -04:00