As the data plane of Service Mesh, the apisix-mesh-agent must have the ability to setup rules to forward traffic from the original port to APISIX. Tools what we can use can be iptables. What's more, Istio always has a common go package to setup and clean iptables rules. It supports to set up rules on demand.
What we can do is exposing two sub commands:
setup-iptables
This command set up some rules, it should support the following options.
--inbound-interception-mode, the oundinterception rule mode for inbound traffic, can be REDIRECT now, we can support TPROXY in the future.
--apisix-port, the target port where all TCP traffic should be redirected on.
--inbound-port, inbound port that should be redirected, this option can be specified multiple times, default is "*", which means all inbound ports will be intercepted.
--outbound-port, outbound port that should be redirected, this option can be specified multiple times, default is "*", which means all outbound ports will be intercepted.
--dry-run dry run mode.
cleanup-iptables
This command cleanup all rules that set by setup-interception command.
--dry-run dry run mode.
Usage
When VM/Pod initialized, the apisix-mesh-agent setup-interception should be run firstly.
tokers
commented
3 years ago
As the data plane of Service Mesh, the apisix-mesh-agent must have the ability to setup rules to forward traffic from the original port to APISIX. Tools what we can use can be iptables. What's more, Istio always has a common go package to setup and clean iptables rules. It supports to set up rules on demand.
What we can do is exposing two sub commands:
setup-iptables
This command set up some rules, it should support the following options.
--inbound-interception-mode, the oundinterception rule mode for inbound traffic, can beREDIRECTnow, we can supportTPROXYin the future.--apisix-port, the target port where all TCP traffic should be redirected on.--inbound-port, inbound port that should be redirected, this option can be specified multiple times, default is "*", which means all inbound ports will be intercepted.--outbound-port, outbound port that should be redirected, this option can be specified multiple times, default is "*", which means all outbound ports will be intercepted.--dry-rundry run mode.cleanup-iptables
This command cleanup all rules that set by
setup-interceptioncommand.--dry-rundry run mode.Usage
When VM/Pod initialized, the
apisix-mesh-agent setup-interceptionshould be run firstly.If you want to cancel these rules, just run: