diff --git a/tools/dpvs-agent/cmd/dpvs-agent-server/api_init.go b/tools/dpvs-agent/cmd/dpvs-agent-server/api_init.go index 7912acbce..80b00831e 100644 --- a/tools/dpvs-agent/cmd/dpvs-agent-server/api_init.go +++ b/tools/dpvs-agent/cmd/dpvs-agent-server/api_init.go @@ -25,7 +25,7 @@ import ( "time" "github.com/hashicorp/go-hclog" - "github.com/lestrrat-go/file-rotatelogs" + rotatelogs "github.com/lestrrat-go/file-rotatelogs" "github.com/dpvs-agent/cmd/device" "github.com/dpvs-agent/cmd/ipvs" diff --git a/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_allow.go b/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_allow.go index f1e068e5d..ab04f776e 100644 --- a/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_allow.go +++ b/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_allow.go @@ -16,6 +16,7 @@ package ipvs import ( "net" + "strings" "github.com/dpvs-agent/pkg/ipc/pool" "github.com/dpvs-agent/pkg/ipc/types" @@ -48,18 +49,29 @@ func (h *delVsAllow) Handle(params apiVs.DeleteVsVipPortAllowParams) middleware. failed := false for _, allow := range params.ACL.Items { - if net.ParseIP(allow.Addr) == nil { - h.logger.Error("Invalid ip addr del.", "VipPort", params.VipPort, "Addr", allow.Addr) - return apiVs.NewDeleteVsVipPortAllowInvalidFrontend() + spec.SetCaddr("") + spec.SetIpset("") + if len(allow.Ipset) > 0 { + if !strings.HasPrefix(allow.Ipset, "ipset:") { + h.logger.Error("Invalid allow ipset format in del.", "VipPort", params.VipPort, + "Ipset", allow.Ipset, "expecting \"ipset:NAME\"") + return apiVs.NewPutVsVipPortAllowInvalidFrontend() + } + spec.SetIpset(allow.Ipset) + } else { + if net.ParseIP(allow.Addr) == nil { + h.logger.Error("Invalid ip addr del in del.", "VipPort", params.VipPort, "Addr", allow.Addr) + return apiVs.NewDeleteVsVipPortAllowInvalidFrontend() + } + spec.SetCaddr(allow.Addr) } - spec.SetSrc(allow.Addr) if result := spec.Del(h.connPool, false, h.logger); result != types.EDPVS_OK { failed = true h.logger.Error("IP Addr delete from white list failed.", "VipPort", params.VipPort, "Addr", allow.Addr, "result", result.String()) continue } - h.logger.Info("IP Addr delete from white list success.", "VipPort", params.VipPort, "Addr", allow.Addr) + h.logger.Info("Delete entry from black list success.", "VipPort", params.VipPort, "Addr", allow.Addr, "Ipset", allow.Ipset) } if failed { diff --git a/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_deny.go b/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_deny.go index 54d2bb9d2..f328056b2 100644 --- a/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_deny.go +++ b/tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_deny.go @@ -16,6 +16,7 @@ package ipvs import ( "net" + "strings" "github.com/dpvs-agent/pkg/ipc/pool" "github.com/dpvs-agent/pkg/ipc/types" @@ -48,18 +49,29 @@ func (h *delVsDeny) Handle(params apiVs.DeleteVsVipPortDenyParams) middleware.Re failed := false for _, deny := range params.ACL.Items { - if net.ParseIP(deny.Addr) == nil { - h.logger.Error("Invalid ip addr del.", "VipPort", params.VipPort, "Addr", deny.Addr) - return apiVs.NewDeleteVsVipPortDenyInvalidFrontend() + spec.SetCaddr("") + spec.SetIpset("") + if len(deny.Ipset) > 0 { + if !strings.HasPrefix(deny.Ipset, "ipset:") { + h.logger.Error("Invalid deny ipset format in del.", "VipPort", params.VipPort, + "Ipset", deny.Ipset, "expecting \"ipset:NAME\"") + return apiVs.NewPutVsVipPortDenyInvalidFrontend() + } + spec.SetIpset(deny.Ipset) + } else { + if net.ParseIP(deny.Addr) == nil { + h.logger.Error("Invalid ip addr in del.", "VipPort", params.VipPort, "Addr", deny.Addr) + return apiVs.NewDeleteVsVipPortDenyInvalidFrontend() + } + spec.SetCaddr(deny.Addr) } - spec.SetSrc(deny.Addr) if result := spec.Del(h.connPool, true, h.logger); result != types.EDPVS_OK { h.logger.Error("IP Addr delete from black list failed.", "VipPort", params.VipPort, "Addr", deny.Addr, "result", result.String()) failed = true continue } - h.logger.Info("IP Addr delete from black list success.", "VipPort", params.VipPort, "Addr", deny.Addr) + h.logger.Info("Delete entry from black list success.", "VipPort", params.VipPort, "Addr", deny.Addr, "Ipset", deny.Ipset) } if failed { diff --git a/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_allow.go b/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_allow.go index a5ff5753a..5227b314b 100644 --- a/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_allow.go +++ b/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_allow.go @@ -17,6 +17,7 @@ package ipvs import ( // "fmt" "net" + "strings" // "github.com/dpvs-agent/models" "github.com/dpvs-agent/pkg/ipc/pool" @@ -50,18 +51,29 @@ func (h *putVsAllow) Handle(params apiVs.PutVsVipPortAllowParams) middleware.Res failed := false for _, allow := range params.ACL.Items { - if net.ParseIP(allow.Addr) == nil { - h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", allow.Addr) - return apiVs.NewPutVsVipPortAllowInvalidFrontend() + spec.SetCaddr("") + spec.SetIpset("") + if len(allow.Ipset) > 0 { + if !strings.HasPrefix(allow.Ipset, "ipset:") { + h.logger.Error("Invalid allow ipset format in add.", "VipPort", params.VipPort, + "Ipset", allow.Ipset, "expecting \"ipset:NAME\"") + return apiVs.NewPutVsVipPortAllowInvalidFrontend() + } + spec.SetIpset(allow.Ipset) + } else { + if net.ParseIP(allow.Addr) == nil { + h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", allow.Addr) + return apiVs.NewPutVsVipPortAllowInvalidFrontend() + } + spec.SetCaddr(allow.Addr) } - spec.SetSrc(allow.Addr) if result := spec.Add(h.connPool, false, h.logger); result != types.EDPVS_OK { failed = true h.logger.Error("Add ip addr to white list failed.", "VipPort", params.VipPort, "Addr", allow.Addr, "result", result.String()) continue } - h.logger.Info("Add ip addr to white list success.", "VipPort", params.VipPort, "Addr", allow.Addr) + h.logger.Info("Add entry to white list success.", "VipPort", params.VipPort, "Addr", allow.Addr, "Ipset", allow.Ipset) } if failed { diff --git a/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_deny.go b/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_deny.go index 632b563f6..5ff636871 100644 --- a/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_deny.go +++ b/tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_deny.go @@ -17,6 +17,7 @@ package ipvs import ( // "fmt" "net" + "strings" // "github.com/dpvs-agent/models" "github.com/dpvs-agent/pkg/ipc/pool" @@ -50,18 +51,29 @@ func (h *putVsDeny) Handle(params apiVs.PutVsVipPortDenyParams) middleware.Respo failed := false for _, deny := range params.ACL.Items { - if net.ParseIP(deny.Addr) == nil { - h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", deny.Addr) - return apiVs.NewPutVsVipPortDenyInvalidFrontend() + spec.SetCaddr("") + spec.SetIpset("") + if len(deny.Ipset) > 0 { + if !strings.HasPrefix(deny.Ipset, "ipset:") { + h.logger.Error("Invalid deny ipset format in add.", "VipPort", params.VipPort, + "Ipset", deny.Ipset, "expecting \"ipset:NAME\"") + return apiVs.NewPutVsVipPortDenyInvalidFrontend() + } + spec.SetIpset(deny.Ipset) + } else { + if net.ParseIP(deny.Addr) == nil { + h.logger.Error("Invalid deny ip addr in add.", "VipPort", params.VipPort, "Addr", deny.Addr) + return apiVs.NewPutVsVipPortDenyInvalidFrontend() + } + spec.SetCaddr(deny.Addr) } - spec.SetSrc(deny.Addr) if result := spec.Add(h.connPool, true, h.logger); result != types.EDPVS_OK { h.logger.Error("Add ip addr to black list failed.", "VipPort", params.VipPort, "Addr", deny.Addr, "result", result.String()) failed = true continue } - h.logger.Info("Add ip addr to black list success.", "VipPort", params.VipPort, "Addr", deny.Addr) + h.logger.Info("Add entry to black list success.", "VipPort", params.VipPort, "Addr", deny.Addr, "Ipset", deny.Ipset) } if failed { diff --git a/tools/dpvs-agent/dpvs-agent-api.yaml b/tools/dpvs-agent/dpvs-agent-api.yaml index f06d79c92..7dfa11cb4 100644 --- a/tools/dpvs-agent/dpvs-agent-api.yaml +++ b/tools/dpvs-agent/dpvs-agent-api.yaml @@ -185,6 +185,8 @@ definitions: properties: addr: type: string + ipset: + type: string InetAddrSpec: properties: addr: diff --git a/tools/dpvs-agent/models/cert_auth_spec.go b/tools/dpvs-agent/models/cert_auth_spec.go index 61648012e..a7896bd28 100644 --- a/tools/dpvs-agent/models/cert_auth_spec.go +++ b/tools/dpvs-agent/models/cert_auth_spec.go @@ -19,6 +19,9 @@ type CertAuthSpec struct { // addr Addr string `json:"addr,omitempty"` + + // ipset + Ipset string `json:"ipset,omitempty"` } // Validate validates this cert auth spec diff --git a/tools/dpvs-agent/pkg/ipc/types/certificate.go b/tools/dpvs-agent/pkg/ipc/types/certificate.go index 5f8ea82a5..770a9bdeb 100644 --- a/tools/dpvs-agent/pkg/ipc/types/certificate.go +++ b/tools/dpvs-agent/pkg/ipc/types/certificate.go @@ -31,14 +31,22 @@ import ( "github.com/dpvs-agent/pkg/ipc/pool" ) +/* derived from: include/conf/ipset.h */ +const IPSET_MAXNAMELEN = 32 + +/* +derived from: + - include/conf/blklst.h + - include/conf/whtlst.h +*/ type CertificateAuthoritySpec struct { - src [0x10]byte - dst [0x10]byte - af uint32 - fwmark uint32 - port uint16 - proto uint8 - padding uint8 + vaddr [0x10]byte + vport uint16 + proto uint8 + af uint8 + + caddr [0x10]byte + ipset [IPSET_MAXNAMELEN]byte } type CertificateAuthorityFront struct { @@ -54,12 +62,12 @@ func NewCertificateAuthorityFront() *CertificateAuthorityFront { } func (o *CertificateAuthoritySpec) Copy(src *CertificateAuthoritySpec) bool { - o.af = src.af - o.fwmark = src.fwmark - o.port = src.port + copy(o.vaddr[:], src.vaddr[:]) + o.vport = src.vport o.proto = src.proto - copy(o.src[:], src.src[:]) - copy(o.dst[:], src.dst[:]) + o.af = src.af + copy(o.caddr[:], src.caddr[:]) + copy(o.ipset[:], src.ipset[:]) return true } @@ -80,19 +88,19 @@ func (o *CertificateAuthoritySpec) ParseVipPortProto(vipport string) error { o.proto = unix.IPPROTO_TCP } - // port := items[1] - port, err := strconv.Atoi(items[1]) + // vport := items[1] + vport, err := strconv.Atoi(items[1]) if err != nil { return err } - o.SetPort(uint16(port)) + o.SetVport(uint16(vport)) - vip := items[0] - if net.ParseIP(vip) == nil { - return errors.New(fmt.Sprintf("invalid ip addr: %s\n", vip)) + vaddr := items[0] + if net.ParseIP(vaddr) == nil { + return errors.New(fmt.Sprintf("invalid ip addr: %s\n", vaddr)) } - o.SetDst(vip) + o.SetVaddr(vaddr) return nil } @@ -150,42 +158,53 @@ func (o *CertificateAuthorityFront) GetCount() uint32 { return o.count } -func (o *CertificateAuthoritySpec) SetAf(af uint32) { +func (o *CertificateAuthoritySpec) SetAf(af uint8) { o.af = af } -func (o *CertificateAuthoritySpec) SetSrc(addr string) { +func (o *CertificateAuthoritySpec) SetCaddr(addr string) { + if len(addr) == 0 { + var zeros [0x10]byte + copy(o.caddr[:], zeros[:]) + return + } if strings.Contains(addr, ":") { o.SetAf(unix.AF_INET6) - copy(o.src[:], net.ParseIP(addr)) + copy(o.caddr[:], net.ParseIP(addr)) return } o.SetAf(unix.AF_INET) buf := new(bytes.Buffer) binary.Write(buf, binary.LittleEndian, net.ParseIP(addr)) - copy(o.src[:], buf.Bytes()[12:]) + copy(o.caddr[:], buf.Bytes()[12:]) } -func (o *CertificateAuthoritySpec) SetDst(addr string) { +func (o *CertificateAuthoritySpec) SetVaddr(addr string) { if strings.Contains(addr, ":") { o.SetAf(unix.AF_INET6) - copy(o.dst[:], net.ParseIP(addr)) + copy(o.vaddr[:], net.ParseIP(addr)) return } o.SetAf(unix.AF_INET) buf := new(bytes.Buffer) binary.Write(buf, binary.LittleEndian, net.ParseIP(addr)) - copy(o.dst[:], buf.Bytes()[12:]) + copy(o.vaddr[:], buf.Bytes()[12:]) } -func (o *CertificateAuthoritySpec) SetFwmark(fwmark uint32) { - o.fwmark = fwmark +func (o *CertificateAuthoritySpec) SetIpset(ipset string) { + if len(ipset) == 0 { + var zeros [IPSET_MAXNAMELEN]byte + copy(o.ipset[:], zeros[:]) + return + } + buf := []byte(ipset) + copy(o.ipset[:], buf[6:]) } -func (o *CertificateAuthoritySpec) SetPort(port uint16) { +func (o *CertificateAuthoritySpec) SetVport(port uint16) { buf := new(bytes.Buffer) binary.Write(buf, binary.LittleEndian, uint16(port)) - o.port = binary.BigEndian.Uint16(buf.Bytes()) + o.vport = binary.BigEndian.Uint16(buf.Bytes()) } func (o *CertificateAuthoritySpec) SetProto(proto string) { diff --git a/tools/dpvs-agent/restapi/embedded_spec.go b/tools/dpvs-agent/restapi/embedded_spec.go index aef67a7fe..de771c7bc 100644 --- a/tools/dpvs-agent/restapi/embedded_spec.go +++ b/tools/dpvs-agent/restapi/embedded_spec.go @@ -1444,6 +1444,9 @@ func init() { "properties": { "addr": { "type": "string" + }, + "ipset": { + "type": "string" } } }, @@ -3986,6 +3989,9 @@ func init() { "properties": { "addr": { "type": "string" + }, + "ipset": { + "type": "string" } } },