forked from ligato/vpp-agent
-
Notifications
You must be signed in to change notification settings - Fork 0
/
acl.go
327 lines (296 loc) · 9.53 KB
/
acl.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
// Copyright (c) 2018 Cisco and/or its affiliates.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package descriptor
import (
"bytes"
"net"
"github.com/gogo/protobuf/proto"
prototypes "github.com/gogo/protobuf/types"
"github.com/ligato/cn-infra/idxmap"
"github.com/ligato/cn-infra/logging"
"github.com/pkg/errors"
acl "github.com/ligato/vpp-agent/api/models/vpp/acl"
"github.com/ligato/vpp-agent/plugins/kvscheduler/api"
"github.com/ligato/vpp-agent/plugins/vpp/aclplugin/aclidx"
"github.com/ligato/vpp-agent/plugins/vpp/aclplugin/descriptor/adapter"
"github.com/ligato/vpp-agent/plugins/vpp/aclplugin/vppcalls"
"github.com/ligato/vpp-agent/plugins/vpp/ifplugin"
ifdescriptor "github.com/ligato/vpp-agent/plugins/vpp/ifplugin/descriptor"
)
const (
// ACLDescriptorName is descriptor name
ACLDescriptorName = "vpp-acl"
)
// ACLDescriptor is descriptor for ACL
type ACLDescriptor struct {
// dependencies
log logging.Logger
aclHandler vppcalls.ACLVppAPI
// runtime
ifPlugin ifplugin.API
}
// NewACLDescriptor is constructor for ACL descriptor
func NewACLDescriptor(aclHandler vppcalls.ACLVppAPI, ifPlugin ifplugin.API,
logger logging.PluginLogger) *ACLDescriptor {
return &ACLDescriptor{
log: logger.NewLogger("acl-descriptor"),
ifPlugin: ifPlugin,
aclHandler: aclHandler,
}
}
// GetDescriptor returns descriptor suitable for registration (via adapter) with
// the KVScheduler.
func (d *ACLDescriptor) GetDescriptor() *adapter.ACLDescriptor {
return &adapter.ACLDescriptor{
Name: ACLDescriptorName,
NBKeyPrefix: acl.ModelACL.KeyPrefix(),
ValueTypeName: acl.ModelACL.ProtoName(),
KeySelector: acl.ModelACL.IsKeyValid,
KeyLabel: acl.ModelACL.StripKeyPrefix,
ValueComparator: d.EquivalentACLs,
WithMetadata: true,
MetadataMapFactory: func() idxmap.NamedMappingRW {
return aclidx.NewACLIndex(d.log, "vpp-acl-index")
},
Create: d.Create,
Delete: d.Delete,
Update: d.Update,
UpdateWithRecreate: d.UpdateWithRecreate,
Retrieve: d.Retrieve,
DerivedValues: d.DerivedValues,
RetrieveDependencies: []string{ifdescriptor.InterfaceDescriptorName},
}
}
// EquivalentACLs compares two ACLs
func (d *ACLDescriptor) EquivalentACLs(key string, oldACL, newACL *acl.ACL) bool {
// check if ACL name changed
if oldACL.Name != newACL.Name {
return false
}
// check if rules changed (order matters)
if len(oldACL.Rules) != len(newACL.Rules) {
return false
}
for i := 0; i < len(oldACL.Rules); i++ {
if !d.equivalentACLRules(oldACL.Rules[i], newACL.Rules[i]) {
return false
}
}
return true
}
// validateRules provided in ACL. Every rule has to contain actions and matches.
// Current limitation: L2 and L3/4 have to be split to different ACLs and
// there cannot be L2 rules and L3/4 rules in the same ACL.
func (d *ACLDescriptor) validateRules(aclName string, rules []*acl.ACL_Rule) ([]*acl.ACL_Rule, bool) {
var validL3L4Rules []*acl.ACL_Rule
var validL2Rules []*acl.ACL_Rule
for _, rule := range rules {
if rule.GetIpRule() != nil {
validL3L4Rules = append(validL3L4Rules, rule)
}
if rule.GetMacipRule() != nil {
validL2Rules = append(validL2Rules, rule)
}
}
if len(validL3L4Rules) > 0 && len(validL2Rules) > 0 {
d.log.Warnf("ACL %s contains L2 rules and L3/L4 rules as well. This case is not supported, only L3/L4 rules will be resolved",
aclName)
return validL3L4Rules, false
} else if len(validL3L4Rules) > 0 {
return validL3L4Rules, false
} else {
return validL2Rules, true
}
}
// Create configures ACL
func (d *ACLDescriptor) Create(key string, acl *acl.ACL) (metadata *aclidx.ACLMetadata, err error) {
if len(acl.Rules) == 0 {
return nil, errors.Errorf("failed to configure ACL %s, no rules to set", acl.Name)
}
rules, isL2MacIP := d.validateRules(acl.Name, acl.Rules)
// Configure ACL rules.
var vppACLIndex uint32
if isL2MacIP {
vppACLIndex, err = d.aclHandler.AddMACIPACL(rules, acl.Name)
if err != nil {
return nil, errors.Errorf("failed to add MACIP ACL %s: %v", acl.Name, err)
}
} else {
vppACLIndex, err = d.aclHandler.AddACL(rules, acl.Name)
if err != nil {
return nil, errors.Errorf("failed to add IP ACL %s: %v", acl.Name, err)
}
}
metadata = &aclidx.ACLMetadata{
Index: vppACLIndex,
L2: isL2MacIP,
}
return metadata, nil
}
// Delete deletes ACL
func (d *ACLDescriptor) Delete(key string, acl *acl.ACL, metadata *aclidx.ACLMetadata) error {
if metadata.L2 {
// Remove ACL L2.
err := d.aclHandler.DeleteMACIPACL(metadata.Index)
if err != nil {
return errors.Errorf("failed to delete MACIP ACL %s: %v", acl.Name, err)
}
} else {
// Remove ACL L3/L4.
err := d.aclHandler.DeleteACL(metadata.Index)
if err != nil {
return errors.Errorf("failed to delete IP ACL %s: %v", acl.Name, err)
}
}
return nil
}
// Update modifies ACL
func (d *ACLDescriptor) Update(key string, oldACL, newACL *acl.ACL, oldMetadata *aclidx.ACLMetadata) (newMetadata *aclidx.ACLMetadata, err error) {
// Validate rules.
rules, isL2MacIP := d.validateRules(newACL.Name, newACL.Rules)
if isL2MacIP {
// L2 ACL
err := d.aclHandler.ModifyMACIPACL(oldMetadata.Index, rules, newACL.Name)
if err != nil {
return nil, errors.Errorf("failed to modify MACIP ACL %s: %v", newACL.Name, err)
}
} else {
// L3/L4 ACL can be modified directly.
err := d.aclHandler.ModifyACL(oldMetadata.Index, rules, newACL.Name)
if err != nil {
return nil, errors.Errorf("failed to modify IP ACL %s: %v", newACL.Name, err)
}
}
newMetadata = &aclidx.ACLMetadata{
Index: oldMetadata.Index,
L2: isL2MacIP,
}
return newMetadata, nil
}
// UpdateWithRecreate checks if modification requires recreation
func (d *ACLDescriptor) UpdateWithRecreate(key string, oldACL, newACL *acl.ACL, metadata *aclidx.ACLMetadata) bool {
var hasL2 bool
for _, rule := range oldACL.Rules {
if rule.GetMacipRule() != nil {
hasL2 = true
} else if rule.GetIpRule() != nil && hasL2 {
return true
}
}
return false
}
// DerivedValues returns list of derived values for ACL.
func (d *ACLDescriptor) DerivedValues(key string, value *acl.ACL) (derived []api.KeyValuePair) {
for _, ifName := range value.GetInterfaces().GetIngress() {
derived = append(derived, api.KeyValuePair{
Key: acl.ToInterfaceKey(value.Name, ifName, acl.IngressFlow),
Value: &prototypes.Empty{},
})
}
for _, ifName := range value.GetInterfaces().GetEgress() {
derived = append(derived, api.KeyValuePair{
Key: acl.ToInterfaceKey(value.Name, ifName, acl.EgressFlow),
Value: &prototypes.Empty{},
})
}
return derived
}
// Retrieve returns list of configured ACLs with metadata.
func (d *ACLDescriptor) Retrieve(correlate []adapter.ACLKVWithMetadata) (
acls []adapter.ACLKVWithMetadata, err error,
) {
// Retrieve VPP configuration.
ipACLs, err := d.aclHandler.DumpACL()
if err != nil {
return nil, errors.Errorf("failed to dump IP ACLs: %v", err)
}
macipACLs, err := d.aclHandler.DumpMACIPACL()
if err != nil {
return nil, errors.Errorf("failed to dump MAC IP ACLs: %v", err)
}
for _, ipACL := range ipACLs {
acls = append(acls, adapter.ACLKVWithMetadata{
Key: acl.Key(ipACL.ACL.Name),
Value: ipACL.ACL,
Metadata: &aclidx.ACLMetadata{
Index: ipACL.Meta.Index,
},
Origin: api.FromNB,
})
}
for _, macipACL := range macipACLs {
acls = append(acls, adapter.ACLKVWithMetadata{
Key: acl.Key(macipACL.ACL.Name),
Value: macipACL.ACL,
Metadata: &aclidx.ACLMetadata{
Index: macipACL.Meta.Index,
L2: true,
},
Origin: api.FromNB,
})
}
return
}
// equivalentACLRules compares two ACL rules, handling the cases of unspecified
// source/destination networks.
func (d *ACLDescriptor) equivalentACLRules(rule1, rule2 *acl.ACL_Rule) bool {
// Action
if rule1.Action != rule2.Action {
return false
}
// MAC IP Rule
if !proto.Equal(rule1.MacipRule, rule2.MacipRule) {
return false
}
// IP Rule
ipRule1 := rule1.GetIpRule()
ipRule2 := rule2.GetIpRule()
if !proto.Equal(ipRule1.GetIcmp(), ipRule2.GetIcmp()) ||
!proto.Equal(ipRule1.GetTcp(), ipRule2.GetTcp()) ||
!proto.Equal(ipRule1.GetUdp(), ipRule2.GetUdp()) {
return false
}
if !d.equivalentIPRuleNetworks(ipRule1.GetIp().GetSourceNetwork(), ipRule2.GetIp().GetSourceNetwork()) {
return false
}
if !d.equivalentIPRuleNetworks(ipRule1.GetIp().GetDestinationNetwork(), ipRule2.GetIp().GetDestinationNetwork()) {
return false
}
return true
}
// equivalentIPRuleNetworks compares two IP networks, taking into account the fact
// that empty string is equivalent to address with all zeroes.
func (d *ACLDescriptor) equivalentIPRuleNetworks(net1, net2 string) bool {
var (
ip1, ip2 net.IP
ipNet1, ipNet2 *net.IPNet
err1, err2 error
)
if net1 != "" {
ip1, ipNet1, err1 = net.ParseCIDR(net1)
}
if net2 != "" {
ip2, ipNet2, err2 = net.ParseCIDR(net2)
}
if err1 != nil || err2 != nil {
return net1 == net2
}
if ipNet1 == nil {
return ipNet2 == nil || ip2.IsUnspecified()
}
if ipNet2 == nil {
return ipNet1 == nil || ip1.IsUnspecified()
}
return ip1.Equal(ip2) && bytes.Equal(ipNet1.Mask, ipNet2.Mask)
}