talos/plugins
1
0
Fork 0
mirror of https://github.com/containernetworking/plugins.git synced 2025-12-15 18:53:19 +00:00
Code Issues Projects Releases Packages Wiki Activity
Some reference and example networking plugins, maintained by the CNI team.
1,901 commits 10 branches 52 tags 22 MiB
Find a file
Exact
Etienne Champetier 9b3772e1a7 portmap: ensure nftables backend only intercept local traffic 
portmap iptables backend uses `-m addrtype --dst-type LOCAL`
and a common chain (CNI-HOSTPORT-DNAT) for both hostPort and hostIP/hostPort.

Before this commit, nftables backend was using 2 separate chains,
`hostip_hostports` and `hostports`. The goal was to avoid using
`fib daddr type local` before we jump to `hostip_hostports`,
but this is a behavior change compared to iptables backend,
and a security issue (hostIP: 1.1.1.1 / hostPort: 53).
Also while switching from input to prerouting hook, we forgot to
add the fib lookup for `hostports`, rendering the nftables backend half broken.

To allow transparent upgrades and avoid running the fib lookup twice,
we use an intermediate chain (`hostports_all`)
```
chain hostports_all {
    jump hostip_hostports
    jump hostports
}
```

Long-term we want to remove `hostip_hostports`,
so all new rules are created in the `hostports` chain.

We can't use implicit chains (`jump { jump hostip_hostports; jump hostports }`)
as it's not supported by knftables.Fake yet.

Fixes 9296c5f80a
Fixes 01a94e17c7

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
2025-11-13 12:10:49 +01:00
.github ci, release: bump go to v1.25 2025-09-01 17:23:06 +02:00
integration make test working again 2024-10-14 11:47:24 +02:00
pkg Ignore settling with down state since it will never settle 2025-10-02 16:26:23 +02:00
plugins portmap: ensure nftables backend only intercept local traffic 2025-11-13 12:10:49 +01:00
vendor build(deps): bump the golang group across 1 directory with 5 updates 2025-08-25 17:04:23 +02:00
.gitignore Update Vendor 2018-09-21 00:34:07 +08:00
.golangci.yml lint: allow "util" package 2025-09-01 17:23:06 +02:00
.yamllint.yml ci(lint): setup yamllint linter 2023-02-25 12:10:11 +00:00
build_linux.sh build: Use POSIX sh for shell scripts 2023-09-29 16:57:19 +02:00
build_windows.sh build: Use POSIX sh for shell scripts 2023-09-29 16:57:19 +02:00
CONTRIBUTING.md Merge pull request #396 from oshothebig/contributing-doc 2019-10-09 10:21:03 -05:00
DCO Add missing DCO 2018-10-11 16:15:24 +01:00
go.mod build(deps): bump the golang group across 1 directory with 5 updates 2025-08-25 17:04:23 +02:00
go.sum build(deps): bump the golang group across 1 directory with 5 updates 2025-08-25 17:04:23 +02:00
LICENSE Initial commit 2017-03-10 16:46:52 +01:00
OWNERS.md Update email to gmail 2022-12-07 11:57:16 -07:00
README.md dummy: Create a Dummy CNI plugin that creates a virtual interface. 2022-08-11 13:50:37 +01:00
RELEASING.md Add release process 2017-07-11 13:57:49 -07:00
test_linux.sh test: enable unpriv user namespaces 2025-01-14 17:49:22 +01:00
test_windows.sh build: Use POSIX sh for shell scripts 2023-09-29 16:57:19 +02:00

README.md

test

Plugins

Some CNI network plugins, maintained by the containernetworking team. For more information, see the CNI website.

Read CONTRIBUTING for build and test instructions.

Plugins supplied:

Main: interface-creating

  • bridge: Creates a bridge, adds the host and the container to it.
  • ipvlan: Adds an ipvlan interface in the container.
  • loopback: Set the state of loopback interface to up.
  • macvlan: Creates a new MAC address, forwards all traffic to that to the container.
  • ptp: Creates a veth pair.
  • vlan: Allocates a vlan device.
  • host-device: Move an already-existing device into a container.
  • dummy: Creates a new Dummy device in the container.

Windows: Windows specific

  • win-bridge: Creates a bridge, adds the host and the container to it.
  • win-overlay: Creates an overlay interface to the container.

IPAM: IP address allocation

  • dhcp: Runs a daemon on the host to make DHCP requests on behalf of the container
  • host-local: Maintains a local database of allocated IPs
  • static: Allocate a single static IPv4/IPv6 address to container. It's useful in debugging purpose.

Meta: other plugins

  • tuning: Tweaks sysctl parameters of an existing interface
  • portmap: An iptables-based portmapping plugin. Maps ports from the host's address space to the container.
  • bandwidth: Allows bandwidth-limiting through use of traffic control tbf (ingress/egress).
  • sbr: A plugin that configures source based routing for an interface (from which it is chained).
  • firewall: A firewall plugin which uses iptables or firewalld to add rules to allow traffic to/from the container.

Sample

The sample plugin provides an example for building your own plugin.

Contact

For any questions about CNI, please reach out via:

If you have a security issue to report, please do so privately to the email addresses listed in the OWNERS file.