登录 注册
开源 企业版 高校版 私有云 模力方舟 模力方舟
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
2 Star 1 Fork 0

李玮/trireme-lib

代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
ipsets.go 9.45 KB
一键复制 编辑 原始数据 按行查看 历史
李玮 提交于 2020-01-29 13:23 +08:00 . v1
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377
package ipsetmanager



import (

	"encoding/base64"

	"io"

	"net"

	"sync"



	provider "git.cloud.top/DSec/trireme-lib/controller/pkg/aclprovider"

	"github.com/spaolacci/murmur3"

	ipsetpackage "github.com/zhaolanbao/go-ipset/ipset"



	"git.cloud.top/DSec/trireme-lib/policy"

	"go.uber.org/zap"

)



const (

	//IPv6DefaultIP is the default ip of v6

	IPv6DefaultIP = "::/0"

	//IPv4DefaultIP is the  default ip for v4

	IPv4DefaultIP = "0.0.0.0/0"

	//IPsetV4 version for ipv4

	IPsetV4 = iota

	//IPsetV6 version for ipv6

	IPsetV6

)



//ACLManager interface is used by supervisor. This interface provides the supervisor to

//create ipsets corresponding to service ID.

type ACLManager interface {

	AddToIPset(set provider.Ipset, data string) error

	DelFromIPset(set provider.Ipset, data string) error



	RegisterExternalNets(contextID string, extnets policy.IPRuleList) error

	DestroyUnusedIPsets()

	RemoveExternalNets(contextID string)

	GetIPsets(extnets policy.IPRuleList, ipver int) []string

	UpdateIPsets([]string, string)

}



type ipsetInfo struct {

	contextIDs map[string]bool

	name       string

	addresses  map[string]bool

}



type handler struct {

	serviceIDtoIPset      map[string]*ipsetInfo

	contextIDtoServiceIDs map[string]map[string]bool

	ipset                 provider.IpsetProvider

	ipsetPrefix           string

	ipFilter              func(net.IP) bool

	ipsetParams           *ipsetpackage.Params

	toDestroy             []string

}



type managerType struct {

	ipv4Handler *handler

	ipv6Handler *handler

	sync.RWMutex

}



const (

	ipv4String = "v4-"

	ipv6String = "v6-"

)



//CreateIPsetManager creates the handle with Interface ACLManager

func CreateIPsetManager(ipsetv4 provider.IpsetProvider, ipsetv6 provider.IpsetProvider) ACLManager {

	return &managerType{

		ipv4Handler: &handler{

			serviceIDtoIPset:      map[string]*ipsetInfo{},

			contextIDtoServiceIDs: map[string]map[string]bool{},

			ipset:                 ipsetv4,

			ipsetPrefix:           ipv4String,

			ipFilter: func(ip net.IP) bool {

				return (ip.To4() != nil)

			},

			ipsetParams: &ipsetpackage.Params{},

		},

		ipv6Handler: &handler{

			serviceIDtoIPset:      map[string]*ipsetInfo{},

			contextIDtoServiceIDs: map[string]map[string]bool{},

			ipset:                 ipsetv6,

			ipsetPrefix:           ipv6String,

			ipFilter: func(ip net.IP) bool {

				return (ip.To4() == nil)

			},

			ipsetParams: &ipsetpackage.Params{HashFamily: "inet6"},

		},

	}



}



func hashServiceID(serviceID string) string {

	hash := murmur3.New64()

	if _, err := io.WriteString(hash, serviceID); err != nil {

		return ""

	}



	return base64.URLEncoding.EncodeToString(hash.Sum(nil))

}



// AddToIPset is called with the ipset provider and the ip address to be added

func (m *managerType) AddToIPset(set provider.Ipset, data string) error {



	// ipset can not program this rule

	if data == IPv4DefaultIP {

		if err := m.AddToIPset(set, "0.0.0.0/1"); err != nil {

			return err

		}



		return m.AddToIPset(set, "128.0.0.0/1")

	}



	// ipset can not program this rule

	if data == IPv6DefaultIP {

		if err := m.AddToIPset(set, "::/1"); err != nil {

			return err

		}



		return m.AddToIPset(set, "8000::/1")

	}



	return set.Add(data, 0)

}



// DelFromIPset is called with the ipset set provider and the ip to be removed from ipset

func (m *managerType) DelFromIPset(set provider.Ipset, data string) error {



	if data == IPv4DefaultIP {

		if err := m.DelFromIPset(set, "0.0.0.0/1"); err != nil {

			return err

		}



		return m.DelFromIPset(set, "128.0.0.0/1")

	}



	if data == IPv6DefaultIP {

		if err := m.DelFromIPset(set, "::/1"); err != nil {

			return err

		}



		return m.DelFromIPset(set, "8000::/1")

	}



	return set.Del(data)

}



func (m *managerType) synchronizeIPsinIpset(ipHandler *handler, ipsetInfo *ipsetInfo, addresses []string) {

	newips := map[string]bool{}

	ipsetHandler := ipHandler.ipset.GetIpset(ipsetInfo.name)



	for _, address := range addresses {

		netIP := net.ParseIP(address)

		if netIP == nil {

			netIP, _, _ = net.ParseCIDR(address)

		}



		if !ipHandler.ipFilter(netIP) {

			continue

		}



		newips[address] = true



		if _, ok := ipsetInfo.addresses[address]; !ok {

			if err := m.AddToIPset(ipsetHandler, address); err != nil {

				zap.L().Error("Error adding IPs to ipset", zap.String("ipset", ipsetInfo.name), zap.String("address", address))

			}

		}

		delete(ipsetInfo.addresses, address)

	}



	// Remove the old entries

	for address, val := range ipsetInfo.addresses {

		if val {

			if err := m.DelFromIPset(ipsetHandler, address); err != nil {

				zap.L().Error("Error removing IPs from ipset", zap.String("ipset", ipsetInfo.name), zap.String("address", address))

			}

		}

	}



	ipsetInfo.addresses = newips

}



func createIPset(ipHandler *handler, serviceID string) (*ipsetInfo, error) {

	ipsetName := "TRI-" + ipHandler.ipsetPrefix + "ext-" + hashServiceID(serviceID)

	_, err := ipHandler.ipset.NewIpset(ipsetName, "hash:net", ipHandler.ipsetParams)

	if err != nil {

		return nil, err

	}



	ipset := &ipsetInfo{contextIDs: map[string]bool{}, name: ipsetName, addresses: map[string]bool{}}

	ipHandler.serviceIDtoIPset[serviceID] = ipset



	return ipset, nil

}



func deleteServiceID(ipHandler *handler, serviceID string) {

	ipsetInfo := ipHandler.serviceIDtoIPset[serviceID]

	ipHandler.toDestroy = append(ipHandler.toDestroy, ipsetInfo.name)

	delete(ipHandler.serviceIDtoIPset, serviceID)

}



func reduceReferenceFromServiceID(ipHandler *handler, contextID string, serviceID string) {

	var ipset *ipsetInfo



	if ipset = ipHandler.serviceIDtoIPset[serviceID]; ipset == nil {

		zap.L().Error("Could not find ipset corresponding to serviceID", zap.String("serviceID", serviceID))

		return

	}



	delete(ipset.contextIDs, contextID)



	// there are no references from any pu. safe to destroy now

	if len(ipset.contextIDs) == 0 {

		deleteServiceID(ipHandler, serviceID)

	}

}



// RegisterExternalNets registers the contextID and the corresponding serviceIDs

func (m *managerType) RegisterExternalNets(contextID string, extnets policy.IPRuleList) error {

	m.Lock()

	defer m.Unlock()



	processExtnets := func(ipHandler *handler) error {

		for _, extnet := range extnets {

			var ipset *ipsetInfo



			serviceID := extnet.Policy.ServiceID

			if ipset = ipHandler.serviceIDtoIPset[serviceID]; ipset == nil {

				var err error

				if ipset, err = createIPset(ipHandler, serviceID); err != nil {

					return err

				}

			}



			m.synchronizeIPsinIpset(ipHandler, ipset, extnet.Addresses)

			// have a backreference from serviceID to contextID

			ipset.contextIDs[contextID] = true

		}



		return nil

	}



	processOlderExtnets := func(ipHandler *handler) {

		newExtnets := map[string]bool{}



		for _, extnet := range extnets {



			serviceID := extnet.Policy.ServiceID

			newExtnets[serviceID] = true

			m, ok := ipHandler.contextIDtoServiceIDs[contextID]



			if ok && m[serviceID] {

				delete(m, serviceID)

			}

		}



		for serviceID := range ipHandler.contextIDtoServiceIDs[contextID] {

			reduceReferenceFromServiceID(ipHandler, contextID, serviceID)

		}



		ipHandler.contextIDtoServiceIDs[contextID] = newExtnets

	}



	if err := processExtnets(m.ipv4Handler); err != nil {

		return err

	}



	if err := processExtnets(m.ipv6Handler); err != nil {

		return err

	}



	processOlderExtnets(m.ipv4Handler)

	processOlderExtnets(m.ipv6Handler)



	return nil

}



// DestroyUnusedIPsets destroys the unused ipsets.

func (m *managerType) DestroyUnusedIPsets() {

	m.Lock()

	defer m.Unlock()



	destroy := func(ipHandler *handler) {

		for _, ipsetName := range ipHandler.toDestroy {

			ipsetHandler := ipHandler.ipset.GetIpset(ipsetName)

			if err := ipsetHandler.Destroy(); err != nil {

				zap.L().Warn("Failed to destroy ipset", zap.String("ipset", ipsetName), zap.Error(err))

			}



		}

	}



	destroy(m.ipv4Handler)

	destroy(m.ipv6Handler)

}



// RemoveExternalNets is called when the contextID is being unsupervised such that all the external nets can be deleted.

func (m *managerType) RemoveExternalNets(contextID string) {

	m.Lock()



	process := func(ipHandler *handler) {

		m, ok := ipHandler.contextIDtoServiceIDs[contextID]

		if ok {

			for serviceID := range m {

				reduceReferenceFromServiceID(ipHandler, contextID, serviceID)

			}

		}



		delete(ipHandler.contextIDtoServiceIDs, contextID)

	}



	process(m.ipv4Handler)

	process(m.ipv6Handler)



	m.Unlock()

	m.DestroyUnusedIPsets()

}



// GetIPsets returns the ipset names corresponding to the serviceIDs.

func (m *managerType) GetIPsets(extnets policy.IPRuleList, ipver int) []string {

	m.Lock()

	defer m.Unlock()



	var ipHandler *handler



	if ipver == IPsetV4 {

		ipHandler = m.ipv4Handler

	} else {

		ipHandler = m.ipv6Handler

	}



	var ipsets []string



	for _, extnet := range extnets {

		serviceID := extnet.Policy.ServiceID



		ipsetInfo, ok := ipHandler.serviceIDtoIPset[serviceID]

		if ok {

			ipsets = append(ipsets, ipsetInfo.name)

		}

	}



	return ipsets

}



// UpdateIPsets updates the ip addresses in the ipsets corresponding to the serviceID

func (m *managerType) UpdateIPsets(addresses []string, serviceID string) {

	m.Lock()

	defer m.Unlock()



	process := func(ipHandler *handler) {

		for _, address := range addresses {

			netIP := net.ParseIP(address)

			if netIP == nil {

				netIP, _, _ = net.ParseCIDR(address)

			}



			if !ipHandler.ipFilter(netIP) {

				continue

			}



			if ipset := ipHandler.serviceIDtoIPset[serviceID]; ipset != nil {

				ipsetHandler := ipHandler.ipset.GetIpset(ipset.name)

				if err := m.AddToIPset(ipsetHandler, address); err != nil {

					zap.L().Error("Error adding IPs to ipset", zap.String("ipset", ipset.name), zap.String("address", address))

				}

				ipset.addresses[address] = true

			}

		}

	}



	process(m.ipv4Handler)

	process(m.ipv6Handler)

}
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/emmoblin/trireme-lib.git
git@gitee.com:emmoblin/trireme-lib.git
emmoblin
trireme-lib
trireme-lib
7726874a2b9a
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部