Linux: Manage routes in a routing table dedicated to ZET. #892
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tomc797
force-pushed
the
feature/isolate_routes
branch
from
b069d8b
to
70b0a69
Compare
|
This change has ZET preferring to manage routes in route table 90 (the decimal code for 'Z'). Rules are configured within the route policy database to utilize the ZET routing table. The rule has preference 23141 (The decimal code for 'Ze'). Excluded routes are managed using the 'throw' route type. When a matching throw route is encountered, the route lookup process immediately terminates, and the routing process proceeds to the next policy rule with lower priority. |
tomc797
force-pushed
the
feature/isolate_routes
branch
3 times, most recently
from
d1bee89
to
c645395
Compare
tomc797
force-pushed
the
feature/isolate_routes
branch
from
35c9126
to
9b864ff
Compare
Signed-off-by: Tom Carroll <[email protected]>
tomc797
force-pushed
the
feature/isolate_routes
branch
from
6d7251e
to
9b7f884
Compare
Resolve interface differences between `iproute2` and `BusyBox` related to ip-rule behavior by implementing a minimal rtnetlink library. This enables direct management of rule insertion into the Routing Policy Database (RPDB). Signed-off-by: Tom Carroll <[email protected]>
ZET routes are managed in a dedicated routing table, distinct from `main` and `default`. The routing policy database is configured to prefer the routes managed in the ZET table over those stored in the main and default routing tables. This approach provides isolation, and thus additional security for ZET routes. Signed-off-by: Tom Carroll <[email protected]> Remove bypass. Squash with second. Signed-off-by: Tom Carroll <[email protected]> Use rtnetlink Signed-off-by: Tom Carroll <[email protected]>
Override `tls_uv`'s `tlsuv_socket` function to set the `SO_MARK` option on the created socket. Signed-off-by: Tom Carroll <[email protected]>
Introduces a customizable hook to allow overriding the default socket creation process for `hosted` sockets. Signed-off-by: Tom Carroll <[email protected]>
Implements setting the SO_MARK option for sockets designated for the `hosted` services. Signed-off-by: Tom Carroll <[email protected]>
tomc797
force-pushed
the
feature/isolate_routes
branch
from
9b7f884
to
78fa829
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Linux has the capability to support multiple routing tables. So let's manage ZET routes in a dedicated routing table, distinct from main and default. The routing policy database is configured to prefer the routes managed in the ZET table over those stored in the main and default routing tables. This approach provides isolation, and thus additional security for ZET routes.
This serves two purposes: