44package iptm
55
66import (
7+ "fmt"
78 "os"
89 "os/exec"
910 "strconv"
@@ -114,11 +115,65 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
114115 }
115116 }
116117
118+ // Insert a RETURN on MARK rule for INGRESS in in AZURE-NPM-INGRESS-PORT chain
119+ entry .Chain = util .IptablesAzureIngressPortChain
120+ entry .Specs = []string {
121+ util .IptablesJumpFlag ,
122+ util .IptablesReturn ,
123+ util .IptablesModuleFlag ,
124+ util .IptablesMarkVerb ,
125+ util .IptablesMarkFlag ,
126+ util .IptablesAzureIngressMarkHex ,
127+ util .IptablesModuleFlag ,
128+ util .IptablesCommentModuleFlag ,
129+ util .IptablesCommentFlag ,
130+ fmt .Sprintf ("RETURN-on-INGRESS-mark-%s" , util .IptablesAzureIngressMarkHex ),
131+ }
132+ exists , err = iptMgr .Exists (entry )
133+ if err != nil {
134+ return err
135+ }
136+
137+ if ! exists {
138+ iptMgr .OperationFlag = util .IptablesInsertionFlag
139+ if _ , err := iptMgr .Run (entry ); err != nil {
140+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add default RETURN on INGRESS mark in AZURE-NPM-INGRESS-PORT chain." )
141+ return err
142+ }
143+ }
144+
117145 // Create AZURE-NPM-INGRESS-FROM chain.
118146 if err = iptMgr .AddChain (util .IptablesAzureIngressFromChain ); err != nil {
119147 return err
120148 }
121149
150+ // Insert a RETURN on MARK rule for INGRESS in in AZURE-NPM-INGRESS-FROM chain
151+ entry .Chain = util .IptablesAzureIngressFromChain
152+ entry .Specs = []string {
153+ util .IptablesJumpFlag ,
154+ util .IptablesReturn ,
155+ util .IptablesModuleFlag ,
156+ util .IptablesMarkVerb ,
157+ util .IptablesMarkFlag ,
158+ util .IptablesAzureIngressMarkHex ,
159+ util .IptablesModuleFlag ,
160+ util .IptablesCommentModuleFlag ,
161+ util .IptablesCommentFlag ,
162+ fmt .Sprintf ("RETURN-on-INGRESS-mark-%s" , util .IptablesAzureIngressMarkHex ),
163+ }
164+ exists , err = iptMgr .Exists (entry )
165+ if err != nil {
166+ return err
167+ }
168+
169+ if ! exists {
170+ iptMgr .OperationFlag = util .IptablesInsertionFlag
171+ if _ , err := iptMgr .Run (entry ); err != nil {
172+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add default RETURN on INGRESS mark in AZURE-NPM-INGRESS-FROM chain." )
173+ return err
174+ }
175+ }
176+
122177 // Create AZURE-NPM-EGRESS-PORT chain.
123178 if err := iptMgr .AddChain (util .IptablesAzureEgressPortChain ); err != nil {
124179 return err
@@ -135,7 +190,61 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
135190 if ! exists {
136191 iptMgr .OperationFlag = util .IptablesAppendFlag
137192 if _ , err := iptMgr .Run (entry ); err != nil {
138- metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add AZURE-NPM-INGRESS-PORT chain to AZURE-NPM chain." )
193+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add AZURE-NPM-EGRESS-PORT chain to AZURE-NPM chain." )
194+ return err
195+ }
196+ }
197+
198+ // Insert a RETURN on MARK rule for EGRESS in AZURE-NPM-EGRESS-PORT
199+ entry .Chain = util .IptablesAzureEgressPortChain
200+ entry .Specs = []string {
201+ util .IptablesJumpFlag ,
202+ util .IptablesReturn ,
203+ util .IptablesModuleFlag ,
204+ util .IptablesMarkVerb ,
205+ util .IptablesMarkFlag ,
206+ util .IptablesAzureEgressMarkHex ,
207+ util .IptablesModuleFlag ,
208+ util .IptablesCommentModuleFlag ,
209+ util .IptablesCommentFlag ,
210+ fmt .Sprintf ("RETURN-on-EGRESS-mark-%s" , util .IptablesAzureEgressMarkHex ),
211+ }
212+ exists , err = iptMgr .Exists (entry )
213+ if err != nil {
214+ return err
215+ }
216+
217+ if ! exists {
218+ iptMgr .OperationFlag = util .IptablesInsertionFlag
219+ if _ , err := iptMgr .Run (entry ); err != nil {
220+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add default RETURN on EGRESS mark in AZURE-NPM-EGRESS-PORT chain." )
221+ return err
222+ }
223+ }
224+
225+ // Insert a RETURN on MARK rule for EGRESS + INGRESS in AZURE-NPM-EGRESS-PORT
226+ entry .Chain = util .IptablesAzureEgressPortChain
227+ entry .Specs = []string {
228+ util .IptablesJumpFlag ,
229+ util .IptablesReturn ,
230+ util .IptablesModuleFlag ,
231+ util .IptablesMarkVerb ,
232+ util .IptablesMarkFlag ,
233+ util .IptablesAzureAcceptMarkHex ,
234+ util .IptablesModuleFlag ,
235+ util .IptablesCommentModuleFlag ,
236+ util .IptablesCommentFlag ,
237+ fmt .Sprintf ("RETURN-on-EGRESS-and-INGRESS-mark-%s" , util .IptablesAzureAcceptMarkHex ),
238+ }
239+ exists , err = iptMgr .Exists (entry )
240+ if err != nil {
241+ return err
242+ }
243+
244+ if ! exists {
245+ iptMgr .OperationFlag = util .IptablesInsertionFlag
246+ if _ , err := iptMgr .Run (entry ); err != nil {
247+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add default RETURN on EGRESS and INGRESS mark in AZURE-NPM-EGRESS-PORT chain." )
139248 return err
140249 }
141250 }
@@ -150,6 +259,142 @@ func (iptMgr *IptablesManager) InitNpmChains() error {
150259 return err
151260 }
152261
262+ // Insert a RETURN on MARK rule for EGRESS in AZURE-NPM-EGRESS-TO
263+ entry .Chain = util .IptablesAzureEgressToChain
264+ entry .Specs = []string {
265+ util .IptablesJumpFlag ,
266+ util .IptablesReturn ,
267+ util .IptablesModuleFlag ,
268+ util .IptablesMarkVerb ,
269+ util .IptablesMarkFlag ,
270+ util .IptablesAzureEgressMarkHex ,
271+ util .IptablesModuleFlag ,
272+ util .IptablesCommentModuleFlag ,
273+ util .IptablesCommentFlag ,
274+ fmt .Sprintf ("RETURN-on-EGRESS-mark-%s" , util .IptablesAzureEgressMarkHex ),
275+ }
276+ exists , err = iptMgr .Exists (entry )
277+ if err != nil {
278+ return err
279+ }
280+
281+ if ! exists {
282+ iptMgr .OperationFlag = util .IptablesInsertionFlag
283+ if _ , err := iptMgr .Run (entry ); err != nil {
284+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add default RETURN on EGRESS mark in AZURE-NPM-EGRESS-TO chain." )
285+ return err
286+ }
287+ }
288+
289+ // Insert a RETURN on MARK rule for EGRESS + INGRESS in AZURE-NPM-EGRESS-TO
290+ entry .Chain = util .IptablesAzureEgressToChain
291+ entry .Specs = []string {
292+ util .IptablesJumpFlag ,
293+ util .IptablesReturn ,
294+ util .IptablesModuleFlag ,
295+ util .IptablesMarkVerb ,
296+ util .IptablesMarkFlag ,
297+ util .IptablesAzureAcceptMarkHex ,
298+ util .IptablesModuleFlag ,
299+ util .IptablesCommentModuleFlag ,
300+ util .IptablesCommentFlag ,
301+ fmt .Sprintf ("RETURN-on-EGRESS-and-INGRESS-mark-%s" , util .IptablesAzureAcceptMarkHex ),
302+ }
303+ exists , err = iptMgr .Exists (entry )
304+ if err != nil {
305+ return err
306+ }
307+
308+ if ! exists {
309+ iptMgr .OperationFlag = util .IptablesInsertionFlag
310+ if _ , err := iptMgr .Run (entry ); err != nil {
311+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add default RETURN on EGRESS and INGRESS mark in AZURE-NPM-EGRESS-TO chain." )
312+ return err
313+ }
314+ }
315+
316+ // TODO move this in to a function for readability
317+ // Insert a ACCEPT rule for INGRESS-and-EGRESS marked packets
318+ entry .Chain = util .IptablesAzureChain
319+ entry .Specs = []string {
320+ util .IptablesJumpFlag ,
321+ util .IptablesAccept ,
322+ util .IptablesModuleFlag ,
323+ util .IptablesMarkVerb ,
324+ util .IptablesMarkFlag ,
325+ util .IptablesAzureAcceptMarkHex ,
326+ util .IptablesModuleFlag ,
327+ util .IptablesCommentModuleFlag ,
328+ util .IptablesCommentFlag ,
329+ fmt .Sprintf ("ACCEPT-on-INGRESS-and-EGRESS-mark-%s" , util .IptablesAzureAcceptMarkHex ),
330+ }
331+ exists , err = iptMgr .Exists (entry )
332+ if err != nil {
333+ return err
334+ }
335+
336+ if ! exists {
337+ iptMgr .OperationFlag = util .IptablesAppendFlag
338+ if _ , err := iptMgr .Run (entry ); err != nil {
339+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add marked ACCEPT rule to AZURE-NPM chain." )
340+ return err
341+ }
342+ }
343+
344+ // Insert a ACCEPT rule for INGRESS marked packets
345+ entry .Chain = util .IptablesAzureChain
346+ entry .Specs = []string {
347+ util .IptablesJumpFlag ,
348+ util .IptablesAccept ,
349+ util .IptablesModuleFlag ,
350+ util .IptablesMarkVerb ,
351+ util .IptablesMarkFlag ,
352+ util .IptablesAzureIngressMarkHex ,
353+ util .IptablesModuleFlag ,
354+ util .IptablesCommentModuleFlag ,
355+ util .IptablesCommentFlag ,
356+ fmt .Sprintf ("ACCEPT-on-INGRESS-mark-%s" , util .IptablesAzureIngressMarkHex ),
357+ }
358+ exists , err = iptMgr .Exists (entry )
359+ if err != nil {
360+ return err
361+ }
362+
363+ if ! exists {
364+ iptMgr .OperationFlag = util .IptablesAppendFlag
365+ if _ , err := iptMgr .Run (entry ); err != nil {
366+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add marked ACCEPT rule for INGRESS mark to AZURE-NPM chain." )
367+ return err
368+ }
369+ }
370+
371+ // Insert a ACCEPT rule for EGRESS marked packets
372+ entry .Chain = util .IptablesAzureChain
373+ entry .Specs = []string {
374+ util .IptablesJumpFlag ,
375+ util .IptablesAccept ,
376+ util .IptablesModuleFlag ,
377+ util .IptablesMarkVerb ,
378+ util .IptablesMarkFlag ,
379+ util .IptablesAzureEgressMarkHex ,
380+ util .IptablesModuleFlag ,
381+ util .IptablesCommentModuleFlag ,
382+ util .IptablesCommentFlag ,
383+ fmt .Sprintf ("ACCEPT-on-EGRESS-mark-%s" , util .IptablesAzureEgressMarkHex ),
384+ }
385+ exists , err = iptMgr .Exists (entry )
386+ if err != nil {
387+ return err
388+ }
389+
390+ if ! exists {
391+ iptMgr .OperationFlag = util .IptablesAppendFlag
392+ if _ , err := iptMgr .Run (entry ); err != nil {
393+ metrics .SendErrorLogAndMetric (util .IptmID , "Error: failed to add marked ACCEPT rule for EGRESS mark to AZURE-NPM chain." )
394+ return err
395+ }
396+ }
397+
153398 // Append AZURE-NPM-TARGET-SETS chain to AZURE-NPM chain.
154399 entry .Chain = util .IptablesAzureChain
155400 entry .Specs = []string {util .IptablesJumpFlag , util .IptablesAzureTargetSetsChain }