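# Shorewall "start" extension script: put the Kubernetes (kube-proxy) and
# Cilium iptables chains back after Shorewall has rebuilt the tables.
#
# Shorewall flushes the tables when it (re)starts, which would also wipe the
# chains that kube-proxy and Cilium maintain.  /etc/shorewall/stop therefore
# dumps those custom chains to $BACKUP (iptables-save format) before Shorewall
# tears them down; this script reloads that dump with --noflush and then
# re-creates the jump rules from the built-in chains, because the dump holds
# only the custom chains, not the jumps into them.
#
# the idea is not mine:
# https://blog.discourse.org/2015/11/shorewalldocker-two-great-tastes-that-taste-great-together/
#
# This file is sourced by the shell script Shorewall generates (/bin/sh), so it
# stays POSIX sh and uses neither 'set -e' nor 'exit': a failed restore is
# reported on stderr and the dump is kept for the next attempt instead of
# aborting the whole firewall start.
#
# Security note: every jump is inserted at position 1, i.e. AHEAD of the rules
# Shorewall compiled from /etc/shorewall/rules and /etc/shorewall/policy, and
# in the order given here (each later insert lands in front of the earlier
# ones).  Packets the kube-proxy or Cilium chains ACCEPT, REJECT or DROP never
# reach the Shorewall rule set, so the host policy does not apply to the
# traffic those chains decide on; audit those chains if that matters here.
# NOTE(review): kube-proxy and the Cilium agent presumably re-create their own
# jumps on their next resync; this script only closes the window between the
# Shorewall restart and that resync -- confirm for the versions in use.

BACKUP=/etc/shorewall/kubernetes_rules

#######################################
# Prepend one jump rule to a built-in chain.
# Arguments: $1 - table, $2 - built-in chain, $3 - target (custom) chain,
#            $4.. - extra match options placed before "-j"
# Outputs:   warning on stderr if the target chain is missing or the insert fails
# Returns:   0 in every case, so one missing chain does not abort the restore
#######################################
restore_jump() {
    local table="$1" chain="$2" target="$3"
    shift 3
    # The dump only contains the chains that were loaded at stop time, so the
    # Cilium chains are absent on nodes without Cilium; "-j" to a missing chain
    # would only fail with "No chain/target/match by that name".
    if iptables -t "$table" -n -L "$target" >/dev/null 2>&1; then
        iptables -t "$table" -I "$chain" 1 "$@" -j "$target" ||
            echo "WARNING: could not insert jump $table/$chain -> $target" >&2
    else
        echo "WARNING: chain $target not present in table $table; jump not restored" >&2
    fi
    return 0
}

if [ -f "$BACKUP" ]; then
    echo Restore Kubernetes specific rules
    # -n (--noflush): add the dumped chains without touching what Shorewall
    # just loaded.  If the restore fails, stop here and keep the dump: the
    # inserts below would only fail against the missing chains, and deleting
    # the dump would lose the rules for good.
    if iptables-restore -n < "$BACKUP"; then
        # filter table -- resulting order in INPUT is CILIUM_INPUT,
        # KUBE-SERVICES, KUBE-EXTERNAL-SERVICES, KUBE-FIREWALL, because the
        # last "-I ... 1" ends up first.
        restore_jump filter INPUT   KUBE-FIREWALL
        restore_jump filter INPUT   KUBE-EXTERNAL-SERVICES -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals"
        restore_jump filter INPUT   KUBE-SERVICES -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals"
        restore_jump filter OUTPUT  KUBE-FIREWALL
        restore_jump filter OUTPUT  KUBE-SERVICES -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals"
        restore_jump filter FORWARD KUBE-SERVICES -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals"
        restore_jump filter FORWARD KUBE-FORWARD -m comment --comment "kubernetes forwarding rules"
        # nat table
        restore_jump nat PREROUTING  KUBE-SERVICES    -m comment --comment "kubernetes service portals"
        restore_jump nat OUTPUT      KUBE-SERVICES    -m comment --comment "kubernetes service portals"
        restore_jump nat POSTROUTING KUBE-POSTROUTING -m comment --comment "kubernetes postrouting rules"
        #
        # Cilium feeder jumps, cf.
        # https://docs.cilium.io/en/v1.6/architecture/#kubernetes-integration
        # They are inserted after the Kubernetes jumps so that they end up in
        # front of them, which is where they sit on a node Cilium set up itself.
        # Verify the result with
        #   iptables -t {filter,nat,mangle,raw} -S | less
        # or
        #   iptables -t filter -S | grep -v -e '-[AN] CILI' | grep CILIUM
        restore_jump filter INPUT       CILIUM_INPUT       -m comment --comment "cilium-feeder: CILIUM_INPUT"
        restore_jump filter FORWARD     CILIUM_FORWARD     -m comment --comment "cilium-feeder: CILIUM_FORWARD"
        restore_jump filter OUTPUT      CILIUM_OUTPUT      -m comment --comment "cilium-feeder: CILIUM_OUTPUT"
        restore_jump mangle PREROUTING  CILIUM_PRE_mangle  -m comment --comment "cilium-feeder: CILIUM_PRE_mangle"
        restore_jump mangle POSTROUTING CILIUM_POST_mangle -m comment --comment "cilium-feeder: CILIUM_POST_mangle"
        restore_jump nat    PREROUTING  CILIUM_PRE_nat     -m comment --comment "cilium-feeder: CILIUM_PRE_nat"
        restore_jump nat    OUTPUT      CILIUM_OUTPUT_nat  -m comment --comment "cilium-feeder: CILIUM_OUTPUT_nat"
        restore_jump nat    POSTROUTING CILIUM_POST_nat    -m comment --comment "cilium-feeder: CILIUM_POST_nat"
        restore_jump raw    PREROUTING  CILIUM_PRE_raw     -m comment --comment "cilium-feeder: CILIUM_PRE_raw"
        restore_jump raw    OUTPUT      CILIUM_OUTPUT_raw  -m comment --comment "cilium-feeder: CILIUM_OUTPUT_raw"
        # The chains are back in the kernel; the dump has served its purpose.
        rm -f "$BACKUP"
    else
        echo "ERROR: iptables-restore of $BACKUP failed; Kubernetes/Cilium chains NOT restored, dump kept" >&2
    fi
fi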