package planner
import (
"lib/rules"
"vxlan-policy-agent/enforcer"
"code.cloudfoundry.org/lager"
)
//go:generate counterfeiter -o fakes/loggingStateGetter.go --fake-name LoggingStateGetter . loggingStateGetter

// loggingStateGetter reports whether reject-logging rules should be
// emitted by the default planners in this file. It is the only
// dependency the planners consult at rule-generation time, so a fake
// (generated above with counterfeiter) is enough to test both branches.
type loggingStateGetter interface {
	// IsEnabled returns true when the planners should add a log rule in
	// front of the default-deny rule.
	IsEnabled() bool
}
// VxlanDefaultLocalPlanner builds the baseline iptables rules for traffic
// on the local subnet: accept established flows, optionally log, then deny
// everything else. The fields are plain struct fields (no constructor in
// this file), so callers must populate LoggingState before calling
// GetRules — it is dereferenced unconditionally.
type VxlanDefaultLocalPlanner struct {
	// Logger is carried on the struct but not used by the methods in this file.
	Logger lager.Logger
	// LocalSubnet is passed to the log and default-deny rule constructors;
	// its expected format (presumably CIDR) is defined by lib/rules — confirm there.
	LocalSubnet string
	// Chain is the enforcer chain the generated rules are attached to.
	Chain enforcer.Chain
	// LoggingState decides whether a log rule precedes the default deny.
	LoggingState loggingStateGetter
}
// GetRulesAndChain pairs the rules from GetRules with the planner's Chain.
// On error the zero RulesWithChain is returned alongside the error, so the
// caller must not use the value without checking err.
func (p *VxlanDefaultLocalPlanner) GetRulesAndChain() (enforcer.RulesWithChain, error) {
	var result enforcer.RulesWithChain

	ruleset, err := p.GetRules()
	if err != nil {
		return result, err
	}

	result.Chain = p.Chain
	result.Rules = ruleset
	return result, nil
}
// GetRules returns the default local rule set in the order they are meant
// to be installed: accept-existing first, an optional reject-log rule in
// the middle, and the default-deny rule for LocalSubnet last. The relative
// order is the security-relevant part — the deny rule is always appended
// last so that it does not shadow the accept rule (presumably the enforcer
// installs rules in slice order; confirm in the enforcer package).
// The error return is always nil in this implementation.
func (p *VxlanDefaultLocalPlanner) GetRules() ([]rules.IPTablesRule, error) {
	logRejects := p.LoggingState.IsEnabled()

	ruleset := make([]rules.IPTablesRule, 0, 3)
	ruleset = append(ruleset, rules.NewAcceptExistingLocalRule())
	if logRejects {
		// Log rule sits between accept and deny so only rejected traffic is logged.
		ruleset = append(ruleset, rules.NewLogLocalRejectRule(p.LocalSubnet))
	}
	ruleset = append(ruleset, rules.NewDefaultDenyLocalRule(p.LocalSubnet))

	return ruleset, nil
}
// VxlanDefaultRemotePlanner builds the baseline iptables rules for overlay
// traffic identified by VNI: accept established flows, optionally log, then
// deny everything else. Like the local planner it has no constructor here,
// so LoggingState must be set before GetRules is called.
type VxlanDefaultRemotePlanner struct {
	// Logger is carried on the struct but not used by the methods in this file.
	Logger lager.Logger
	// VNI is the VXLAN network identifier handed to every remote rule constructor.
	VNI int
	// Chain is the enforcer chain the generated rules are attached to.
	Chain enforcer.Chain
	// LoggingState decides whether a log rule precedes the default deny.
	LoggingState loggingStateGetter
}
// GetRulesAndChain pairs the rules from GetRules with the planner's Chain.
// On error the zero RulesWithChain is returned alongside the error, so the
// caller must not use the value without checking err.
func (p *VxlanDefaultRemotePlanner) GetRulesAndChain() (enforcer.RulesWithChain, error) {
	var result enforcer.RulesWithChain

	ruleset, err := p.GetRules()
	if err != nil {
		return result, err
	}

	result.Chain = p.Chain
	result.Rules = ruleset
	return result, nil
}
// GetRules returns the default remote rule set for VNI in install order:
// accept-existing first, an optional reject-log rule in the middle, and the
// default-deny rule last. Keeping the deny rule last is the invariant that
// matters — it must not precede the accept-existing rule (presumably the
// enforcer installs rules in slice order; confirm in the enforcer package).
// The error return is always nil in this implementation.
func (p *VxlanDefaultRemotePlanner) GetRules() ([]rules.IPTablesRule, error) {
	logRejects := p.LoggingState.IsEnabled()

	ruleset := make([]rules.IPTablesRule, 0, 3)
	ruleset = append(ruleset, rules.NewAcceptExistingRemoteRule(p.VNI))
	if logRejects {
		// Log rule sits between accept and deny so only rejected traffic is logged.
		ruleset = append(ruleset, rules.NewLogRemoteRejectRule(p.VNI))
	}
	ruleset = append(ruleset, rules.NewDefaultDenyRemoteRule(p.VNI))

	return ruleset, nil
}