

tools/dpvs-agent: adapted for ipset-type allow/deny list
Signed-off-by: ywc689 <[email protected]>
ywc689 committed Jun 19, 2024
1 parent 3ea9e97 commit 6ffc582
Showing 9 changed files with 129 additions and 51 deletions.
2 changes: 1 addition & 1 deletion tools/dpvs-agent/cmd/dpvs-agent-server/api_init.go
Expand Up @@ -25,7 +25,7 @@ import (
"time"

"github.com/hashicorp/go-hclog"
"github.com/lestrrat-go/file-rotatelogs"
rotatelogs "github.com/lestrrat-go/file-rotatelogs"

"github.com/dpvs-agent/cmd/device"
"github.com/dpvs-agent/cmd/ipvs"
22 changes: 17 additions & 5 deletions tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_allow.go
Expand Up @@ -16,6 +16,7 @@ package ipvs

import (
"net"
"strings"

"github.com/dpvs-agent/pkg/ipc/pool"
"github.com/dpvs-agent/pkg/ipc/types"
Expand Down Expand Up @@ -48,18 +49,29 @@ func (h *delVsAllow) Handle(params apiVs.DeleteVsVipPortAllowParams) middleware.

failed := false
for _, allow := range params.ACL.Items {
if net.ParseIP(allow.Addr) == nil {
h.logger.Error("Invalid ip addr del.", "VipPort", params.VipPort, "Addr", allow.Addr)
return apiVs.NewDeleteVsVipPortAllowInvalidFrontend()
spec.SetCaddr("")
spec.SetIpset("")
if len(allow.Ipset) > 0 {
if !strings.HasPrefix(allow.Ipset, "ipset:") {
h.logger.Error("Invalid allow ipset format in del.", "VipPort", params.VipPort,
"Ipset", allow.Ipset, "expecting \"ipset:NAME\"")
return apiVs.NewPutVsVipPortAllowInvalidFrontend()
}
spec.SetIpset(allow.Ipset)
} else {
if net.ParseIP(allow.Addr) == nil {
h.logger.Error("Invalid ip addr del in del.", "VipPort", params.VipPort, "Addr", allow.Addr)
return apiVs.NewDeleteVsVipPortAllowInvalidFrontend()
}
spec.SetCaddr(allow.Addr)
}
spec.SetSrc(allow.Addr)

if result := spec.Del(h.connPool, false, h.logger); result != types.EDPVS_OK {
failed = true
h.logger.Error("IP Addr delete from white list failed.", "VipPort", params.VipPort, "Addr", allow.Addr, "result", result.String())
continue
}
h.logger.Info("IP Addr delete from white list success.", "VipPort", params.VipPort, "Addr", allow.Addr)
h.logger.Info("Delete entry from black list success.", "VipPort", params.VipPort, "Addr", allow.Addr, "Ipset", allow.Ipset)
}

if failed {
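Review bot: The invalid-ipset branch in delVsAllow.Handle returns `apiVs.NewPutVsVipPortAllowInvalidFrontend()` although this is the DELETE handler; the address branch a few lines below correctly returns `apiVs.NewDeleteVsVipPortAllowInvalidFrontend()`, and delete_vs_vip_port_deny.go has the same slip with `NewPutVsVipPortDenyInvalidFrontend()` in delVsDeny.Handle. The success log on the last changed line reads `Delete entry from black list success.` while the failure log two lines above and the handler itself concern the white list, so `Delete entry from white list success.` is presumably intended. All four allow/deny handlers also accept any value that merely starts with `ipset:`, so a bare `ipset:` (empty name) or a name of IPSET_MAXNAMELEN or more bytes passes validation and is only truncated later by copy() in SetIpset, which could bind the rule to a different set than the one requested; a check such as `name := strings.TrimPrefix(allow.Ipset, "ipset:"); if name == "" || len(name) >= types.IPSET_MAXNAMELEN { return apiVs.NewDeleteVsVipPortAllowInvalidFrontend() }` before SetIpset, mirrored in the other three handlers, would close that at the API boundary. Handle begins at the hunk header and continues past the end of the hunk.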
22 changes: 17 additions & 5 deletions tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_deny.go
Expand Up @@ -16,6 +16,7 @@ package ipvs

import (
"net"
"strings"

"github.com/dpvs-agent/pkg/ipc/pool"
"github.com/dpvs-agent/pkg/ipc/types"
Expand Down Expand Up @@ -48,18 +49,29 @@ func (h *delVsDeny) Handle(params apiVs.DeleteVsVipPortDenyParams) middleware.Re

failed := false
for _, deny := range params.ACL.Items {
if net.ParseIP(deny.Addr) == nil {
h.logger.Error("Invalid ip addr del.", "VipPort", params.VipPort, "Addr", deny.Addr)
return apiVs.NewDeleteVsVipPortDenyInvalidFrontend()
spec.SetCaddr("")
spec.SetIpset("")
if len(deny.Ipset) > 0 {
if !strings.HasPrefix(deny.Ipset, "ipset:") {
h.logger.Error("Invalid deny ipset format in del.", "VipPort", params.VipPort,
"Ipset", deny.Ipset, "expecting \"ipset:NAME\"")
return apiVs.NewPutVsVipPortDenyInvalidFrontend()
}
spec.SetIpset(deny.Ipset)
} else {
if net.ParseIP(deny.Addr) == nil {
h.logger.Error("Invalid ip addr in del.", "VipPort", params.VipPort, "Addr", deny.Addr)
return apiVs.NewDeleteVsVipPortDenyInvalidFrontend()
}
spec.SetCaddr(deny.Addr)
}
spec.SetSrc(deny.Addr)

if result := spec.Del(h.connPool, true, h.logger); result != types.EDPVS_OK {
h.logger.Error("IP Addr delete from black list failed.", "VipPort", params.VipPort, "Addr", deny.Addr, "result", result.String())
failed = true
continue
}
h.logger.Info("IP Addr delete from black list success.", "VipPort", params.VipPort, "Addr", deny.Addr)
h.logger.Info("Delete entry from black list success.", "VipPort", params.VipPort, "Addr", deny.Addr, "Ipset", deny.Ipset)
}

if failed {
22 changes: 17 additions & 5 deletions tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_allow.go
Expand Up @@ -17,6 +17,7 @@ package ipvs
import (
// "fmt"
"net"
"strings"

// "github.com/dpvs-agent/models"
"github.com/dpvs-agent/pkg/ipc/pool"
Expand Down Expand Up @@ -50,18 +51,29 @@ func (h *putVsAllow) Handle(params apiVs.PutVsVipPortAllowParams) middleware.Res

failed := false
for _, allow := range params.ACL.Items {
if net.ParseIP(allow.Addr) == nil {
h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", allow.Addr)
return apiVs.NewPutVsVipPortAllowInvalidFrontend()
spec.SetCaddr("")
spec.SetIpset("")
if len(allow.Ipset) > 0 {
if !strings.HasPrefix(allow.Ipset, "ipset:") {
h.logger.Error("Invalid allow ipset format in add.", "VipPort", params.VipPort,
"Ipset", allow.Ipset, "expecting \"ipset:NAME\"")
return apiVs.NewPutVsVipPortAllowInvalidFrontend()
}
spec.SetIpset(allow.Ipset)
} else {
if net.ParseIP(allow.Addr) == nil {
h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", allow.Addr)
return apiVs.NewPutVsVipPortAllowInvalidFrontend()
}
spec.SetCaddr(allow.Addr)
}
spec.SetSrc(allow.Addr)

if result := spec.Add(h.connPool, false, h.logger); result != types.EDPVS_OK {
failed = true
h.logger.Error("Add ip addr to white list failed.", "VipPort", params.VipPort, "Addr", allow.Addr, "result", result.String())
continue
}
h.logger.Info("Add ip addr to white list success.", "VipPort", params.VipPort, "Addr", allow.Addr)
h.logger.Info("Add entry to white list success.", "VipPort", params.VipPort, "Addr", allow.Addr, "Ipset", allow.Ipset)
}

if failed {
22 changes: 17 additions & 5 deletions tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_deny.go
Expand Up @@ -17,6 +17,7 @@ package ipvs
import (
// "fmt"
"net"
"strings"

// "github.com/dpvs-agent/models"
"github.com/dpvs-agent/pkg/ipc/pool"
Expand Down Expand Up @@ -50,18 +51,29 @@ func (h *putVsDeny) Handle(params apiVs.PutVsVipPortDenyParams) middleware.Respo

failed := false
for _, deny := range params.ACL.Items {
if net.ParseIP(deny.Addr) == nil {
h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", deny.Addr)
return apiVs.NewPutVsVipPortDenyInvalidFrontend()
spec.SetCaddr("")
spec.SetIpset("")
if len(deny.Ipset) > 0 {
if !strings.HasPrefix(deny.Ipset, "ipset:") {
h.logger.Error("Invalid deny ipset format in add.", "VipPort", params.VipPort,
"Ipset", deny.Ipset, "expecting \"ipset:NAME\"")
return apiVs.NewPutVsVipPortDenyInvalidFrontend()
}
spec.SetIpset(deny.Ipset)
} else {
if net.ParseIP(deny.Addr) == nil {
h.logger.Error("Invalid deny ip addr in add.", "VipPort", params.VipPort, "Addr", deny.Addr)
return apiVs.NewPutVsVipPortDenyInvalidFrontend()
}
spec.SetCaddr(deny.Addr)
}
spec.SetSrc(deny.Addr)

if result := spec.Add(h.connPool, true, h.logger); result != types.EDPVS_OK {
h.logger.Error("Add ip addr to black list failed.", "VipPort", params.VipPort, "Addr", deny.Addr, "result", result.String())
failed = true
continue
}
h.logger.Info("Add ip addr to black list success.", "VipPort", params.VipPort, "Addr", deny.Addr)
h.logger.Info("Add entry to black list success.", "VipPort", params.VipPort, "Addr", deny.Addr, "Ipset", deny.Ipset)
}

if failed {
2 changes: 2 additions & 0 deletions tools/dpvs-agent/dpvs-agent-api.yaml
Expand Up @@ -185,6 +185,8 @@ definitions:
properties:
addr:
type: string
ipset:
type: string
InetAddrSpec:
properties:
addr:
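Review bot: The new `ipset` property carries no description, pattern or maxLength, so an API consumer cannot tell from the spec that the handlers require the `ipset:NAME` form and that a non-empty ipset takes precedence over `addr`. A `description: "Existing ipset to match, given as ipset:NAME; when set, addr is ignored"` plus a `pattern` for the `ipset:` prefix and a `maxLength` derived from IPSET_MAXNAMELEN would document the contract the Go handlers enforce and let generated clients validate before the request is sent.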
3 changes: 3 additions & 0 deletions tools/dpvs-agent/models/cert_auth_spec.go


79 changes: 49 additions & 30 deletions tools/dpvs-agent/pkg/ipc/types/certificate.go
Expand Up @@ -31,14 +31,22 @@ import (
"github.com/dpvs-agent/pkg/ipc/pool"
)

/* derived from: include/conf/ipset.h */
const IPSET_MAXNAMELEN = 32

/*
derived from:
- include/conf/blklst.h
- include/conf/whtlst.h
*/
type CertificateAuthoritySpec struct {
src [0x10]byte
dst [0x10]byte
af uint32
fwmark uint32
port uint16
proto uint8
padding uint8
vaddr [0x10]byte
vport uint16
proto uint8
af uint8

caddr [0x10]byte
ipset [IPSET_MAXNAMELEN]byte
}

type CertificateAuthorityFront struct {
Expand All @@ -54,12 +62,12 @@ func NewCertificateAuthorityFront() *CertificateAuthorityFront {
}

func (o *CertificateAuthoritySpec) Copy(src *CertificateAuthoritySpec) bool {
o.af = src.af
o.fwmark = src.fwmark
o.port = src.port
copy(o.vaddr[:], src.vaddr[:])
o.vport = src.vport
o.proto = src.proto
copy(o.src[:], src.src[:])
copy(o.dst[:], src.dst[:])
o.af = src.af
copy(o.caddr[:], src.caddr[:])
copy(o.ipset[:], src.ipset[:])
return true
}

Expand All @@ -80,19 +88,19 @@ func (o *CertificateAuthoritySpec) ParseVipPortProto(vipport string) error {
o.proto = unix.IPPROTO_TCP
}

// port := items[1]
port, err := strconv.Atoi(items[1])
// vport := items[1]
vport, err := strconv.Atoi(items[1])
if err != nil {
return err
}
o.SetPort(uint16(port))
o.SetVport(uint16(vport))

vip := items[0]
if net.ParseIP(vip) == nil {
return errors.New(fmt.Sprintf("invalid ip addr: %s\n", vip))
vaddr := items[0]
if net.ParseIP(vaddr) == nil {
return errors.New(fmt.Sprintf("invalid ip addr: %s\n", vaddr))
}

o.SetDst(vip)
o.SetVaddr(vaddr)

return nil
}
Expand Down Expand Up @@ -150,42 +158,53 @@ func (o *CertificateAuthorityFront) GetCount() uint32 {
return o.count
}

func (o *CertificateAuthoritySpec) SetAf(af uint32) {
func (o *CertificateAuthoritySpec) SetAf(af uint8) {
o.af = af
}

func (o *CertificateAuthoritySpec) SetSrc(addr string) {
func (o *CertificateAuthoritySpec) SetCaddr(addr string) {
if len(addr) == 0 {
var zeros [0x10]byte
copy(o.caddr[:], zeros[:])
return
}
if strings.Contains(addr, ":") {
o.SetAf(unix.AF_INET6)
copy(o.src[:], net.ParseIP(addr))
copy(o.caddr[:], net.ParseIP(addr))
return
}
o.SetAf(unix.AF_INET)
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, net.ParseIP(addr))
copy(o.src[:], buf.Bytes()[12:])
copy(o.caddr[:], buf.Bytes()[12:])
}

func (o *CertificateAuthoritySpec) SetDst(addr string) {
func (o *CertificateAuthoritySpec) SetVaddr(addr string) {
if strings.Contains(addr, ":") {
o.SetAf(unix.AF_INET6)
copy(o.dst[:], net.ParseIP(addr))
copy(o.vaddr[:], net.ParseIP(addr))
return
}
o.SetAf(unix.AF_INET)
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, net.ParseIP(addr))
copy(o.dst[:], buf.Bytes()[12:])
copy(o.vaddr[:], buf.Bytes()[12:])
}

func (o *CertificateAuthoritySpec) SetFwmark(fwmark uint32) {
o.fwmark = fwmark
func (o *CertificateAuthoritySpec) SetIpset(ipset string) {
if len(ipset) == 0 {
var zeros [IPSET_MAXNAMELEN]byte
copy(o.ipset[:], zeros[:])
return
}
buf := []byte(ipset)
copy(o.ipset[:], buf[6:])
}

func (o *CertificateAuthoritySpec) SetPort(port uint16) {
func (o *CertificateAuthoritySpec) SetVport(port uint16) {
buf := new(bytes.Buffer)
binary.Write(buf, binary.LittleEndian, uint16(port))
o.port = binary.BigEndian.Uint16(buf.Bytes())
o.vport = binary.BigEndian.Uint16(buf.Bytes())
}

func (o *CertificateAuthoritySpec) SetProto(proto string) {
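Review bot: SetIpset slices `buf[6:]` to strip the `ipset:` prefix, which hard-codes the prefix length and panics with a slice-bounds error for any non-empty argument shorter than six bytes, so the method is only safe because every current caller pre-checks the prefix. `name := strings.TrimPrefix(ipset, "ipset:")` followed by `copy(o.ipset[:], name)` removes the magic number (strings is already imported in this file), and the method should additionally reject `len(name) == 0 || len(name) >= IPSET_MAXNAMELEN` rather than letting copy() silently truncate, since a truncated name may designate a different set and, if the C side reads the field as a NUL-terminated string, a 32-byte name leaves no terminator at all. The reordered CertificateAuthoritySpec is presumably a wire layout consumed over IPC; a comment recording the C struct's expected total size next to the `derived from` header would let a unit test guard against layout drift.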
6 changes: 6 additions & 0 deletions tools/dpvs-agent/restapi/embedded_spec.go

