diff --git a/pkg/nettools/ipset.go b/pkg/nettools/ipset.go
index a4344f8..75f3258 100644
--- a/pkg/nettools/ipset.go
+++ b/pkg/nettools/ipset.go
@@ -24,6 +24,11 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+const (
+	// IPSetListWithAwk is a string to execute an ipset list command and filter out results with awk
+	IPSetListWithAwk = "ipset list %s | awk " + `'$0 ~ "^Members:$" {found=1; ln=NR}; NR>ln && found == 1 {print $1}'`
+)
+
 /*
 IPSetHelper provides methods to manage ipset sets.
 
@@ -110,7 +115,7 @@ func (h *execIPSetHelper) EnsureSetHasOnly(name string, ips []net.IP) error {
 		ip := iip.(net.IP)
 		log.Debugf("Adding IP %s to ipset %s", ip.String(), name)
 		if err := h.addIPToSet(name, ip); err != nil {
-			log.Debugf("Error adding entry %v to ipset %s", ip, name)
+			log.Errorf("Error adding entry %v to ipset %s", ip, name)
 			return err
 		}
 	}
@@ -127,10 +132,10 @@ func (h *execIPSetHelper) EnsureSetHasOnly(name string, ips []net.IP) error {
 }
 
 func (h *execIPSetHelper) GetIPs(name string) ([]net.IP, error) {
-	// # ipset list myset | tail -n +9 | cut -f1 -d" "
+	// # ipset list myset | awk '$0 ~ "^Members:$" {found=1; ln=NR}; NR>ln && found == 1 {print $1}'
 	// 127.0.0.1
 	// 127.0.0.2
-	cmd := fmt.Sprintf("ipset list %s | tail -n +9 | cut -f1 -d' '", name)
+	cmd := fmt.Sprintf(IPSetListWithAwk, name)
 	res := h.exec.RunCommand("sh", "-c", cmd)
 	if res.Err != nil || res.ExitCode != 0 {
 		log.Debugf("Problem listing ipset %s - probably it's OK and it just doesn't exist: "+
@@ -151,7 +156,7 @@ func (h *execIPSetHelper) GetIPs(name string) ([]net.IP, error) {
 func (h *execIPSetHelper) addIPToSet(name string, ip net.IP) error {
 	res := h.exec.RunCommand("ipset", "add", name, ip.String())
 	if res.Err != nil || res.ExitCode != 0 {
-		log.Debugf("Error adding IP %s to ipset %s: %v, stdErr: %s",
+		log.Errorf("Error adding IP %s to ipset %s: %v, stdErr: %s",
 			ip.String(), name, res.Err, res.StdErr)
 		return res.Err
 	}
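Review bot: IPSetListWithAwk is expanded with the set name and then handed to `sh -c` (see the GetIPs hunk below), so the name is interpolated into a shell command line unquoted; any caller that passes a name derived from outside input would let shell metacharacters in that name alter the command, and exporting the constant now invites such reuse. `ipset list` takes the name as a plain argument, so the safest form is to run `h.exec.RunCommand("ipset", "list", name)` without a shell and select the lines after `Members:` in Go; if the pipeline stays, reject names outside a conservative character set (letters, digits, `-`, `_`) before formatting. The doc comment should also state the calling convention, e.g. `// IPSetListWithAwk is a format string (one %s: the set name) for a "sh -c" command that prints the members of an ipset, one per line.`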
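Review bot: The message raised to Errorf here never formats the `err` it is reporting, and the same failure is already logged at Error level together with stderr by addIPToSet (the last hunk in this file) before being returned, so one failed `ipset add` now produces two error-level lines plus whatever the caller logs. Either keep this line at Debug, or make it the single record by including the cause, `log.Errorf("Error adding entry %v to ipset %s: %v", ip, name, err)`, and drop the Errorf in addIPToSet. EnsureSetHasOnly starts and ends outside this hunk.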
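Review bot: The `res.ExitCode != 0` check on the new command reflects only awk's exit status, because a POSIX `sh -c` pipeline reports the status of its last command unless pipefail is enabled; an `ipset list` failure (a missing set, but equally a permission or kernel-module error) leaves awk exiting 0 with empty output, so with a real shell the "probably it just doesn't exist" branch is unlikely to be taken and GetIPs returns an empty list as if the set were empty. For a firewall primitive that silent success is worth avoiding: listRules in iptables.go already treats non-empty stderr as failure, so the consistent check here is `if res.Err != nil || res.ExitCode != 0 || res.StdErr != "" {`. The rest of GetIPs continues past the hunk.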
diff --git a/pkg/nettools/ipset_test.go b/pkg/nettools/ipset_test.go
index cf746fc..a6deabe 100644
--- a/pkg/nettools/ipset_test.go
+++ b/pkg/nettools/ipset_test.go
@@ -14,12 +14,14 @@ limitations under the License.
 */
 package nettools_test
 import (
+	"fmt"
 	"net"
 	"os/exec"
 	"testing"
 
 	"github.com/DevFactory/go-tools/pkg/linux/command"
 	cmdmock "github.com/DevFactory/go-tools/pkg/linux/command/mock"
+	"github.com/DevFactory/go-tools/pkg/nettools"
 	nt "github.com/DevFactory/go-tools/pkg/nettools"
 	netth "github.com/DevFactory/go-tools/pkg/nettools/testhelpers"
 	"github.com/stretchr/testify/assert"
@@ -113,7 +115,7 @@ func Test_execIPSetHelper_GetIPs(t *testing.T) {
 			expected: []net.IP{},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: netth.ExecResultOKNoOutput(),
 				},
 			},
@@ -127,7 +129,7 @@ func Test_execIPSetHelper_GetIPs(t *testing.T) {
 			expected: []net.IP{},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: execResultIpsetNotFound(),
 				},
 			},
@@ -139,7 +141,7 @@ func Test_execIPSetHelper_GetIPs(t *testing.T) {
 			expected: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("127.0.0.2")},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: execResultIpsetIPs(),
 				},
 			},
@@ -172,7 +174,7 @@ func Test_execIPSetHelper_EnsureSetHasOnly(t *testing.T) {
 			addresses: []net.IP{},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: netth.ExecResultOKNoOutput(),
 				},
 			},
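Review bot: The import block now pulls in `github.com/DevFactory/go-tools/pkg/nettools` twice, once unnamed and once as `nt`; the file already uses `nt`, so the new references should read `nt.IPSetListWithAwk` and the added import line should go (staticcheck flags duplicate imports). That keeps the test file on a single alias for the package under test.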
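Review bot: Building the expected command from nettools.IPSetListWithAwk makes the assertion compare the mock against the very constant it is derived from, so a broken format string (wrong verb, lost quote) would still pass here and in the -127, -139 and -172 hunks as well as the three EnsureSetHasOnly hunks on the next line; the old literal pinned the exact command handed to sh. Keep at least one case with the literal, e.g. `Expected: "sh -c ipset list 12341234abc | awk '$0 ~ \"^Members:$\" {found=1; ln=NR}; NR>ln && found == 1 {print $1}'",`. The test table and Test_execIPSetHelper_GetIPs continue outside the hunk.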
@@ -184,7 +186,7 @@ func Test_execIPSetHelper_EnsureSetHasOnly(t *testing.T) {
 			addresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("127.0.0.2")},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: netth.ExecResultOKNoOutput(),
 				},
 				{
@@ -204,7 +206,7 @@ func Test_execIPSetHelper_EnsureSetHasOnly(t *testing.T) {
 			addresses: []net.IP{},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: execResultIpsetIPs(),
 				},
 				{
@@ -224,7 +226,7 @@ func Test_execIPSetHelper_EnsureSetHasOnly(t *testing.T) {
 			addresses: []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("127.0.0.3")},
 			mockInfo: []*cmdmock.ExecInfo{
 				{
-					Expected: "sh -c ipset list 12341234abc | tail -n +9 | cut -f1 -d' '",
+					Expected: fmt.Sprintf("sh -c %s", fmt.Sprintf(nettools.IPSetListWithAwk, "12341234abc")),
 					Returned: execResultIpsetIPs(),
 				},
 				{
diff --git a/pkg/nettools/iptables.go b/pkg/nettools/iptables.go
index 0bc50a3..50d32f7 100644
--- a/pkg/nettools/iptables.go
+++ b/pkg/nettools/iptables.go
@@ -36,7 +36,7 @@ const (
 	iptablesRetriesDelayMSec = 100
 	// this uses awk to list the content of a single chain in a table using iptables-save command
 	awkIptablesSaveMagicFilter = "iptables-save | awk -v table=%s -v chain=%s " +
-		`'$0 ~ "^*"table"$" {in_table=1};$1 ~ "^COMMIT$" {in_table=0};in_table == 1 && $2 ~ "^"chain"$" {print $0}'`
+		`'$0 ~ "^\*"table"$" {in_table=1};$1 ~ "^COMMIT$" {in_table=0};in_table == 1 && $2 ~ "^"chain"$" {print $0}'`
 )
 
 // IPTablesRuleArgs provides arguments for an iptables rule
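Review bot: `\*` inside an awk string constant is not a defined escape — POSIX leaves its meaning undefined, and gawk strips the backslash and prints an "escape sequence treated as plain" warning on stderr — so the escaped form is not guaranteed to differ from the old one, and because listRules (the -302 hunk below) treats any non-empty stderr as a failure, that warning alone can make rule listing fail on such an awk. An exact comparison sidesteps both the regexp and the escape question: the raw string becomes `'$0 == "*"table {in_table=1};$1 ~ "^COMMIT$" {in_table=0};in_table == 1 && $2 ~ "^"chain"$" {print $0}'`; if a regexp is kept, `"^\\*"table"$"` reaches awk as `^\*`, which is the portable spelling. awkIPTablesForNatTest in iptables_test.go mirrors the same string and should change with it.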
@@ -144,8 +144,8 @@ func (h *execIPTablesHelper) EnsureExistsOnlyAppend(args IPTablesRuleArgs) error
 		selector, action := rule.GetSelectorAndAction()
 		err = h.runChangingRule(rule.Table, rule.ChainName, "-D", selector, rule.Comment, action, nil)
 		if err != nil {
-			log.Debug("Error deleting rule by comment in table %s chain %s; exact info above; error: %v",
-				args.Table, args.ChainName, "-D", selector, action)
+			log.Debugf("Error deleting rule by comment in table %s chain %s; exact info above; error: %v",
+				args.Table, args.ChainName, action)
 			return err
 		}
 	}
@@ -176,7 +176,7 @@ func (h *execIPTablesHelper) DeleteByComment(table, chain, comment string) error
 		selector, action := rule.GetSelectorAndAction()
 		err = h.runChangingRule(rule.Table, rule.ChainName, "-D", selector, rule.Comment, action, nil)
 		if err != nil {
-			log.Debug("Error deleting rule by comment in table %s chain %s; exact info above; error: %v",
+			log.Debugf("Error deleting rule by comment in table %s chain %s; exact info above; error: %v",
 				table, chain, err)
 			return err
 		}
@@ -302,8 +302,8 @@ func (h *execIPTablesHelper) listRules(tableName, chainName, regexpFilter string
 	res := h.exec.RunCommandWithRetriesAndDelay(iptablesRetries, iptablesRetriesDelayMSec, []int{0}, "sh", "-c",
 		shCommand)
 	if res.Err != nil || res.StdErr != "" {
-		log.Debug("Error running iptables-save with awk filter for table %s and chain %s: %v",
-			tableName, chainName, res.Err)
+		log.Errorf("Error running iptables-save with awk filter for table %s and chain %s: %v - %v",
+			tableName, chainName, res.Err, res.StdErr)
 		if res.Err != nil {
 			return nil, res.Err
 		}
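Review bot: The reworked Debugf call still logs the wrong value: the format ends in `error: %v` but the third argument is `action`, so the message prints the rule action and never the error that is about to be returned, whereas the matching hunk in DeleteByComment passes `err`. The argument list should be `args.Table, args.ChainName, err)`. Logging `args.Table`/`args.ChainName` while the delete ran on `rule.Table`/`rule.ChainName` also looks inconsistent, though whether the two can differ is not visible here. EnsureExistsOnlyAppend starts and ends outside the hunk.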
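Review bot: Raising this to Errorf while keeping `res.StdErr != ""` in the condition means any warning iptables-save or awk writes to stderr is now reported as an error even though, when res.Err is nil, the function continues past the hunk as if the listing succeeded; the log level and the control flow disagree about whether stderr output is fatal. Either treat non-empty stderr as a failure and return in both cases, or keep the stderr-only case at Warn; in either case format the captured output with `%q` rather than `%v` so whitespace-only stderr is visible, e.g. `... %v - %q", tableName, chainName, res.Err, res.StdErr)`. listRules continues outside the hunk.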
@@ -385,7 +385,7 @@ func (h *execIPTablesHelper) loadRulesWithComment(tableName, chainName, comment
 	for i, entry := range entries {
 		rule, err := h.parseIPTablesSaveEntry(tableName, chainName, entry)
 		if err != nil {
-			log.Debug("Can't parse rules loaded from table %s and chain %s", tableName, chainName)
+			log.Debugf("Can't parse rules loaded from table %s and chain %s", tableName, chainName)
 		}
 		result[i] = rule
 	}
diff --git a/pkg/nettools/iptables_test.go b/pkg/nettools/iptables_test.go
index 9339018..2cf85ea 100644
--- a/pkg/nettools/iptables_test.go
+++ b/pkg/nettools/iptables_test.go
@@ -29,7 +29,7 @@ import (
 
 const (
 	awkIPTablesForNatTest = "sh -c iptables-save | awk -v table=nat -v chain=test " +
-		`'$0 ~ "^*"table"$" {in_table=1};$1 ~ "^COMMIT$" {in_table=0};in_table == 1 && $2 ~ "^"chain"$" {print $0}'`
+		`'$0 ~ "^\*"table"$" {in_table=1};$1 ~ "^COMMIT$" {in_table=0};in_table == 1 && $2 ~ "^"chain"$" {print $0}'`
 )
 
 func Test_execIPTablesHelper_EnsureChainExists(t *testing.T) {
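Review bot: The corrected Debugf still discards the parse error: `err` is not part of the message, the loop goes on, and `result[i] = rule` stores whatever parseIPTablesSaveEntry returned on failure (not visible here, presumably a zero value), so one malformed iptables-save line yields a rule list with a silent hole in it. At minimum log the cause, `log.Debugf("Can't parse rules loaded from table %s and chain %s: %v", tableName, chainName, err)`, and consider returning the error or skipping the entry rather than storing it. loadRulesWithComment starts and ends outside the hunk.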