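package iptablesctrl

import (
	"fmt"
	"strconv"

	provider "go.aporeto.io/trireme-lib/controller/pkg/aclprovider"
	"go.aporeto.io/trireme-lib/policy"
	"go.uber.org/zap"
)

// updateTargetNetworks reconciles the members of set from old to new while
// keeping ipset writes to a minimum: networks present in both lists are left
// untouched, networks only in new are added and networks only in old are
// removed.
//
// A failed add aborts the reconciliation and is returned to the caller, so the
// set may be left partially updated. A failed delete is only logged at debug
// level, so a stale network can linger in the set; this keeps the original
// best-effort semantics of the removal pass.
func (i *iptables) updateTargetNetworks(set provider.Ipset, old, new []string) error {
	// stale[net] is true for a network that is in old and has not been seen
	// in new; those entries are removed at the end.
	stale := make(map[string]bool, len(old))
	for _, net := range old {
		stale[net] = true
	}

	for _, net := range new {
		if _, known := stale[net]; known {
			// Already a member: keep it and make sure it is not deleted below.
			stale[net] = false
			continue
		}
		if err := i.aclmanager.AddToIPset(set, net); err != nil {
			return fmt.Errorf("unable to update target set: %s", err)
		}
	}

	for net, remove := range stale {
		if !remove {
			continue
		}
		if err := i.aclmanager.DelFromIPset(set, net); err != nil {
			// Best effort, as before: a leftover member is logged, not fatal.
			zap.L().Debug("unable to remove network from set", zap.String("network", net), zap.Error(err))
		}
	}
	return nil
}

// createProxySets creates the two ipsets backing a proxy port set: a
// "hash:net,port" set named <portSetName>-dst holding {ip,port} pairs of
// dependent services, and a set named <portSetName>-srv of type
// proxySetPortIpsetType holding the exposed ports. Only the -dst set is
// created with the platform-specific parameters from GetIPSetParam.
//
// If the second set cannot be created the first one is left behind; a caller
// that retries should expect the -dst set to already exist.
func (i *iptables) createProxySets(portSetName string) error {
	destSetName, srvSetName := i.getSetNames(portSetName)

	if _, err := i.ipset.NewIpset(destSetName, "hash:net,port", i.impl.GetIPSetParam()); err != nil {
		return fmt.Errorf("unable to create ipset for %s: %s", destSetName, err)
	}

	// Port-only set used to match the exposed (server) ports.
	if _, err := i.ipset.NewIpset(srvSetName, proxySetPortIpsetType, nil); err != nil {
		return fmt.Errorf("unable to create ipset for %s: %s", srvSetName, err)
	}

	return nil
}

// addProxyPortRange adds every port in [lo, hi] to set, one decimal-string
// member per port. The first failing add is returned and leaves the set
// partially populated.
func addProxyPortRange(set provider.Ipset, lo, hi int) error {
	for port := lo; port <= hi; port++ {
		if err := set.Add(strconv.Itoa(port), 0); err != nil {
			return fmt.Errorf("unable to add port %d to target ports ipset: %s", port, err)
		}
	}
	return nil
}

// updateProxySet rebuilds both proxy ipsets for portSetName from policy: the
// -dst set receives every {address,port} of every dependent service whose
// address passes the platform IP filter, and the -srv set receives every
// private (and, when present, public) port of every exposed service.
//
// Each set is flushed before it is repopulated, so there is a short window in
// which rules keyed on the set match nothing; whether that window fails open
// or closed depends on the iptables rule that references the set. A failed
// add returns immediately and leaves that set partially populated.
//
// NOTE(review): NetworkInfo and PrivateNetworkInfo are dereferenced without a
// nil check, while PublicNetworkInfo is treated as optional — presumably the
// policy builder guarantees the first two are set; confirm.
func (i *iptables) updateProxySet(policy *policy.PUPolicy, portSetName string) error {
	ipFilter := i.impl.IPFilter()
	dstSetName, srvSetName := i.getSetNames(portSetName)

	vipTargetSet := i.ipset.GetIpset(dstSetName)
	if ferr := vipTargetSet.Flush(); ferr != nil {
		zap.L().Warn("Unable to flush the vip proxy set", zap.String("set", dstSetName), zap.Error(ferr))
	}

	for _, dependentService := range policy.DependentServices() {
		lo, hi := dependentService.NetworkInfo.Ports.Range()
		for _, addr := range dependentService.NetworkInfo.Addresses {
			if !ipFilter(addr.IP) {
				continue
			}
			// One {address,port} member per port of the service's range.
			for port := int(lo); port <= int(hi); port++ {
				pair := addr.String() + "," + strconv.Itoa(port)
				if err := vipTargetSet.Add(pair, 0); err != nil {
					return fmt.Errorf("unable to add dependent ip %s to target networks ipset: %s", pair, err)
				}
			}
		}
	}

	srvTargetSet := i.ipset.GetIpset(srvSetName)
	if ferr := srvTargetSet.Flush(); ferr != nil {
		zap.L().Warn("Unable to flush the pip proxy set", zap.String("set", srvSetName), zap.Error(ferr))
	}

	for _, exposedService := range policy.ExposedServices() {
		lo, hi := exposedService.PrivateNetworkInfo.Ports.Range()
		if err := addProxyPortRange(srvTargetSet, int(lo), int(hi)); err != nil {
			zap.L().Error("Failed to add vip", zap.Error(err))
			return fmt.Errorf("unable to program VIP for private ports: %s", err)
		}
		// The public side is optional; only exposed services that publish a
		// public network carry it.
		if exposedService.PublicNetworkInfo == nil {
			continue
		}
		lo, hi = exposedService.PublicNetworkInfo.Ports.Range()
		if err := addProxyPortRange(srvTargetSet, int(lo), int(hi)); err != nil {
			zap.L().Error("Failed to add VIP for public network", zap.Error(err))
			return fmt.Errorf("unable to program VIP for public ports: %s", err)
		}
	}
	return nil
}

// getSetNames returns the names of the two ipsets backing portSetName: the
// destination ({ip,port}) set and the server-port set, in that order.
//
// NOTE(review): the suffixes are appended without checking the resulting
// length; ipset names are length-limited by the kernel, so callers presumably
// keep portSetName short enough — confirm.
func (i *iptables) getSetNames(portSetName string) (string, string) {
	return portSetName + "-dst", portSetName + "-srv"
}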