package iptablesctrl
import (
"fmt"
"go.aporeto.io/trireme-lib/controller/constants"
"go.uber.org/zap"
)
// getPortSet returns the port set name registered for contextID, or the
// empty string when contextIDToPortSetMap has no entry for it.
func (i *iptables) getPortSet(contextID string) string {
	entry, lookupErr := i.contextIDToPortSetMap.Get(contextID)
	if lookupErr != nil {
		return ""
	}
	// createPortSet is the only writer in this file and it stores plain
	// strings, so the unchecked assertion mirrors the original contract.
	return entry.(string)
}
// createPortSet creates the UID or process port set that backs a Linux PU
// and records its name in contextIDToPortSetMap under contextID. Container
// PUs need no port set, so in RemoteContainer mode the call is a no-op.
//
// A non-empty username selects the UID naming scheme; otherwise the process
// scheme is used. Errors from the ipset layer are returned unchanged.
func (i *iptables) createPortSet(contextID string, username string) error {
	if i.mode == constants.RemoteContainer {
		return nil
	}

	base := i.impl.GetIPSetPrefix()

	// The PU kind decides which well-known suffix follows the
	// implementation-specific ipset prefix.
	scheme := processPortSetPrefix
	if username != "" {
		scheme = uidPortSetPrefix
	}
	name := puPortSetName(contextID, base+scheme)

	if _, err := i.ipset.NewIpset(name, portSetIpsetType, nil); err != nil {
		return err
	}

	// Record the name only after the set exists, so a lookup never yields a
	// name with no backing ipset.
	i.contextIDToPortSetMap.AddOrUpdate(contextID, name)
	return nil
}
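// deletePortSet destroys the port set created for a Linux PU and drops the
// contextID -> name mapping. Container PUs have no port set, so in
// RemoteContainer mode it returns nil without doing anything.
//
// It returns an error when no port set is registered for contextID or when
// the ipset layer fails to destroy it. A failure to remove the map entry is
// only logged, because the set itself is already gone at that point.
func (i *iptables) deletePortSet(contextID string) error {
	if i.mode == constants.RemoteContainer {
		return nil
	}

	portSetName := i.getPortSet(contextID)
	if portSetName == "" {
		return fmt.Errorf("Failed to find port set")
	}

	ips := i.ipset.GetIpset(portSetName)
	if err := ips.Destroy(); err != nil {
		// Previously a zap.Field was passed to Errorf with no verb and the set
		// name was concatenated into the format string, so err was never
		// rendered and a '%' in the name would have corrupted the message.
		// Both values now go through explicit verbs.
		return fmt.Errorf("Failed to delete pu port set %s: %s", portSetName, err)
	}

	if err := i.contextIDToPortSetMap.Remove(contextID); err != nil {
		zap.L().Debug("portset not found for the contextID", zap.String("contextID", contextID))
	}
	return nil
}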
// DeletePortFromPortSet removes port from the port set registered for
// contextID. It returns an error when no port set is known for the
// contextID or when the ipset layer rejects the removal.
func (i *iptables) DeletePortFromPortSet(contextID string, port string) error {
	name := i.getPortSet(contextID)
	if len(name) == 0 {
		return fmt.Errorf("unable to get portset for contextID %s", contextID)
	}

	set := i.ipset.GetIpset(name)
	delErr := set.Del(port)
	if delErr == nil {
		return nil
	}
	return fmt.Errorf("unable to delete port from portset: %s", delErr)
}
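// DeletePortFromPortSet removes port from the IPv4 and IPv6 port sets
// registered for contextID.
//
// Removal is best effort: a failure on either family is logged at Warn and
// the other family is still attempted, and the method always returns nil.
// Callers that need to know whether the port was actually removed must rely
// on the logs, which now carry contextID for both families so the two
// warnings can be correlated.
func (i *Instance) DeletePortFromPortSet(contextID string, port string) error {
	if err := i.iptv4.DeletePortFromPortSet(contextID, port); err != nil {
		zap.L().Warn("Failed to delete port from ipv4 portset ", zap.String("contextID", contextID), zap.String("port", port), zap.Error(err))
	}

	// The ipv6 warning previously omitted contextID, unlike its ipv4
	// counterpart and the Add path; both families now log the same fields.
	if err := i.iptv6.DeletePortFromPortSet(contextID, port); err != nil {
		zap.L().Warn("Failed to delete port from ipv6 portset ", zap.String("contextID", contextID), zap.String("port", port), zap.Error(err))
	}

	return nil
}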
// AddPortToPortSet adds port to the port set registered for contextID. It
// returns an error when no port set is known for the contextID or when the
// ipset layer rejects the addition.
func (i *iptables) AddPortToPortSet(contextID string, port string) error {
	name := i.getPortSet(contextID)
	if len(name) == 0 {
		return fmt.Errorf("unable to get portset for contextID %s", contextID)
	}

	set := i.ipset.GetIpset(name)
	// The second argument is passed through unchanged as 0; its meaning is
	// defined by the ipset wrapper, not here.
	addErr := set.Add(port, 0)
	if addErr == nil {
		return nil
	}
	return fmt.Errorf("unable to add port to portset: %s", addErr)
}
// AddPortToPortSet adds port to the IPv4 and IPv6 port sets registered for
// contextID.
//
// Addition is best effort: a failure on either family is logged at Warn,
// the other family is still attempted, and the method always returns nil.
func (i *Instance) AddPortToPortSet(contextID string, port string) error {
	warn := func(msg string, err error) {
		zap.L().Warn(msg, zap.String("contextID", contextID), zap.String("port", port), zap.Error(err))
	}

	if v4Err := i.iptv4.AddPortToPortSet(contextID, port); v4Err != nil {
		warn("Failed to add port to ipv4 portset", v4Err)
	}
	if v6Err := i.iptv6.AddPortToPortSet(contextID, port); v6Err != nil {
		warn("Failed to add port to ipv6 portset", v6Err)
	}

	return nil
}