tools/dpvs-agent: adapted for ipset-type allow/deny list

Signed-off-by: ywc689 <ywc689@163.com>

tools/dpvs-agent/cmd/dpvs-agent-server/api_init.go

@@ -25,7 +25,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-hclog"
-	"github.com/lestrrat-go/file-rotatelogs"
+	rotatelogs "github.com/lestrrat-go/file-rotatelogs"
 
 	"github.com/dpvs-agent/cmd/device"
 	"github.com/dpvs-agent/cmd/ipvs"

tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_allow.go

@@ -16,6 +16,7 @@ package ipvs
 
 import (
 	"net"
+	"strings"
 
 	"github.com/dpvs-agent/pkg/ipc/pool"
 	"github.com/dpvs-agent/pkg/ipc/types"
@@ -48,18 +49,29 @@ func (h *delVsAllow) Handle(params apiVs.DeleteVsVipPortAllowParams) middleware.
 
 	failed := false
 	for _, allow := range params.ACL.Items {
-		if net.ParseIP(allow.Addr) == nil {
-			h.logger.Error("Invalid ip addr del.", "VipPort", params.VipPort, "Addr", allow.Addr)
-			return apiVs.NewDeleteVsVipPortAllowInvalidFrontend()
+		spec.SetCaddr("")
+		spec.SetIpset("")
+		if len(allow.Ipset) > 0 {
+			if !strings.HasPrefix(allow.Ipset, "ipset:") {
+				h.logger.Error("Invalid allow ipset format in del.", "VipPort", params.VipPort,
+					"Ipset", allow.Ipset, "expecting \"ipset:NAME\"")
+				return apiVs.NewPutVsVipPortAllowInvalidFrontend()
+			}
+			spec.SetIpset(allow.Ipset)
+		} else {
+			if net.ParseIP(allow.Addr) == nil {
+				h.logger.Error("Invalid ip addr del in del.", "VipPort", params.VipPort, "Addr", allow.Addr)
+				return apiVs.NewDeleteVsVipPortAllowInvalidFrontend()
+			}
+			spec.SetCaddr(allow.Addr)
 		}
-		spec.SetSrc(allow.Addr)
 
 		if result := spec.Del(h.connPool, false, h.logger); result != types.EDPVS_OK {
 			failed = true
 			h.logger.Error("IP Addr delete from white list failed.", "VipPort", params.VipPort, "Addr", allow.Addr, "result", result.String())
 			continue
 		}
-		h.logger.Info("IP Addr delete from white list success.", "VipPort", params.VipPort, "Addr", allow.Addr)
+		h.logger.Info("Delete entry from black list success.", "VipPort", params.VipPort, "Addr", allow.Addr, "Ipset", allow.Ipset)
 	}
 
 	if failed {

tools/dpvs-agent/cmd/ipvs/delete_vs_vip_port_deny.go

@@ -16,6 +16,7 @@ package ipvs
 
 import (
 	"net"
+	"strings"
 
 	"github.com/dpvs-agent/pkg/ipc/pool"
 	"github.com/dpvs-agent/pkg/ipc/types"
@@ -48,18 +49,29 @@ func (h *delVsDeny) Handle(params apiVs.DeleteVsVipPortDenyParams) middleware.Re
 
 	failed := false
 	for _, deny := range params.ACL.Items {
-		if net.ParseIP(deny.Addr) == nil {
-			h.logger.Error("Invalid ip addr del.", "VipPort", params.VipPort, "Addr", deny.Addr)
-			return apiVs.NewDeleteVsVipPortDenyInvalidFrontend()
+		spec.SetCaddr("")
+		spec.SetIpset("")
+		if len(deny.Ipset) > 0 {
+			if !strings.HasPrefix(deny.Ipset, "ipset:") {
+				h.logger.Error("Invalid deny ipset format in del.", "VipPort", params.VipPort,
+					"Ipset", deny.Ipset, "expecting \"ipset:NAME\"")
+				return apiVs.NewPutVsVipPortDenyInvalidFrontend()
+			}
+			spec.SetIpset(deny.Ipset)
+		} else {
+			if net.ParseIP(deny.Addr) == nil {
+				h.logger.Error("Invalid ip addr in del.", "VipPort", params.VipPort, "Addr", deny.Addr)
+				return apiVs.NewDeleteVsVipPortDenyInvalidFrontend()
+			}
+			spec.SetCaddr(deny.Addr)
 		}
-		spec.SetSrc(deny.Addr)
 
 		if result := spec.Del(h.connPool, true, h.logger); result != types.EDPVS_OK {
 			h.logger.Error("IP Addr delete from black list failed.", "VipPort", params.VipPort, "Addr", deny.Addr, "result", result.String())
 			failed = true
 			continue
 		}
-		h.logger.Info("IP Addr delete from black list success.", "VipPort", params.VipPort, "Addr", deny.Addr)
+		h.logger.Info("Delete entry from black list success.", "VipPort", params.VipPort, "Addr", deny.Addr, "Ipset", deny.Ipset)
 	}
 
 	if failed {

tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_allow.go

@@ -17,6 +17,7 @@ package ipvs
 import (
 	// "fmt"
 	"net"
+	"strings"
 
 	// "github.com/dpvs-agent/models"
 	"github.com/dpvs-agent/pkg/ipc/pool"
@@ -50,18 +51,29 @@ func (h *putVsAllow) Handle(params apiVs.PutVsVipPortAllowParams) middleware.Res
 
 	failed := false
 	for _, allow := range params.ACL.Items {
-		if net.ParseIP(allow.Addr) == nil {
-			h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", allow.Addr)
-			return apiVs.NewPutVsVipPortAllowInvalidFrontend()
+		spec.SetCaddr("")
+		spec.SetIpset("")
+		if len(allow.Ipset) > 0 {
+			if !strings.HasPrefix(allow.Ipset, "ipset:") {
+				h.logger.Error("Invalid allow ipset format in add.", "VipPort", params.VipPort,
+					"Ipset", allow.Ipset, "expecting \"ipset:NAME\"")
+				return apiVs.NewPutVsVipPortAllowInvalidFrontend()
+			}
+			spec.SetIpset(allow.Ipset)
+		} else {
+			if net.ParseIP(allow.Addr) == nil {
+				h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", allow.Addr)
+				return apiVs.NewPutVsVipPortAllowInvalidFrontend()
+			}
+			spec.SetCaddr(allow.Addr)
 		}
-		spec.SetSrc(allow.Addr)
 
 		if result := spec.Add(h.connPool, false, h.logger); result != types.EDPVS_OK {
 			failed = true
 			h.logger.Error("Add ip addr to white list failed.", "VipPort", params.VipPort, "Addr", allow.Addr, "result", result.String())
 			continue
 		}
-		h.logger.Info("Add ip addr to white list success.", "VipPort", params.VipPort, "Addr", allow.Addr)
+		h.logger.Info("Add entry to white list success.", "VipPort", params.VipPort, "Addr", allow.Addr, "Ipset", allow.Ipset)
 	}
 
 	if failed {

tools/dpvs-agent/cmd/ipvs/put_vs_vip_port_deny.go

@@ -17,6 +17,7 @@ package ipvs
 import (
 	// "fmt"
 	"net"
+	"strings"
 
 	// "github.com/dpvs-agent/models"
 	"github.com/dpvs-agent/pkg/ipc/pool"
@@ -50,18 +51,29 @@ func (h *putVsDeny) Handle(params apiVs.PutVsVipPortDenyParams) middleware.Respo
 
 	failed := false
 	for _, deny := range params.ACL.Items {
-		if net.ParseIP(deny.Addr) == nil {
-			h.logger.Error("Invalid ip addr add.", "VipPort", params.VipPort, "Addr", deny.Addr)
-			return apiVs.NewPutVsVipPortDenyInvalidFrontend()
+		spec.SetCaddr("")
+		spec.SetIpset("")
+		if len(deny.Ipset) > 0 {
+			if !strings.HasPrefix(deny.Ipset, "ipset:") {
+				h.logger.Error("Invalid deny ipset format in add.", "VipPort", params.VipPort,
+					"Ipset", deny.Ipset, "expecting \"ipset:NAME\"")
+				return apiVs.NewPutVsVipPortDenyInvalidFrontend()
+			}
+			spec.SetIpset(deny.Ipset)
+		} else {
+			if net.ParseIP(deny.Addr) == nil {
+				h.logger.Error("Invalid deny ip addr in add.", "VipPort", params.VipPort, "Addr", deny.Addr)
+				return apiVs.NewPutVsVipPortDenyInvalidFrontend()
+			}
+			spec.SetCaddr(deny.Addr)
 		}
-		spec.SetSrc(deny.Addr)
 
 		if result := spec.Add(h.connPool, true, h.logger); result != types.EDPVS_OK {
 			h.logger.Error("Add ip addr to black list failed.", "VipPort", params.VipPort, "Addr", deny.Addr, "result", result.String())
 			failed = true
 			continue
 		}
-		h.logger.Info("Add ip addr to black list success.", "VipPort", params.VipPort, "Addr", deny.Addr)
+		h.logger.Info("Add entry to black list success.", "VipPort", params.VipPort, "Addr", deny.Addr, "Ipset", deny.Ipset)
 	}
 
 	if failed {

tools/dpvs-agent/dpvs-agent-api.yaml

@@ -185,6 +185,8 @@ definitions:
     properties:
       addr:
         type: string
+      ipset:
+        type: string
   InetAddrSpec:
     properties:
       addr:

tools/dpvs-agent/pkg/ipc/types/certificate.go

@@ -31,14 +31,22 @@ import (
 	"github.com/dpvs-agent/pkg/ipc/pool"
 )
 
+/* derived from: include/conf/ipset.h */
+const IPSET_MAXNAMELEN = 32
+
+/*
+derived from:
+  - include/conf/blklst.h
+  - include/conf/whtlst.h
+*/
 type CertificateAuthoritySpec struct {
-	src     [0x10]byte
-	dst     [0x10]byte
-	af      uint32
-	fwmark  uint32
-	port    uint16
-	proto   uint8
-	padding uint8
+	vaddr [0x10]byte
+	vport uint16
+	proto uint8
+	af    uint8
+
+	caddr [0x10]byte
+	ipset [IPSET_MAXNAMELEN]byte
 }
 
 type CertificateAuthorityFront struct {
@@ -54,12 +62,12 @@ func NewCertificateAuthorityFront() *CertificateAuthorityFront {
 }
 
 func (o *CertificateAuthoritySpec) Copy(src *CertificateAuthoritySpec) bool {
-	o.af = src.af
-	o.fwmark = src.fwmark
-	o.port = src.port
+	copy(o.vaddr[:], src.vaddr[:])
+	o.vport = src.vport
 	o.proto = src.proto
-	copy(o.src[:], src.src[:])
-	copy(o.dst[:], src.dst[:])
+	o.af = src.af
+	copy(o.caddr[:], src.caddr[:])
+	copy(o.ipset[:], src.ipset[:])
 	return true
 }
 
@@ -80,19 +88,19 @@ func (o *CertificateAuthoritySpec) ParseVipPortProto(vipport string) error {
 		o.proto = unix.IPPROTO_TCP
 	}
 
-	// port := items[1]
-	port, err := strconv.Atoi(items[1])
+	// vport := items[1]
+	vport, err := strconv.Atoi(items[1])
 	if err != nil {
 		return err
 	}
-	o.SetPort(uint16(port))
+	o.SetVport(uint16(vport))
 
-	vip := items[0]
-	if net.ParseIP(vip) == nil {
-		return errors.New(fmt.Sprintf("invalid ip addr: %s\n", vip))
+	vaddr := items[0]
+	if net.ParseIP(vaddr) == nil {
+		return errors.New(fmt.Sprintf("invalid ip addr: %s\n", vaddr))
 	}
 
-	o.SetDst(vip)
+	o.SetVaddr(vaddr)
 
 	return nil
 }
@@ -150,42 +158,53 @@ func (o *CertificateAuthorityFront) GetCount() uint32 {
 	return o.count
 }
 
-func (o *CertificateAuthoritySpec) SetAf(af uint32) {
+func (o *CertificateAuthoritySpec) SetAf(af uint8) {
 	o.af = af
 }
 
-func (o *CertificateAuthoritySpec) SetSrc(addr string) {
+func (o *CertificateAuthoritySpec) SetCaddr(addr string) {
+	if len(addr) == 0 {
+		var zeros [0x10]byte
+		copy(o.caddr[:], zeros[:])
+		return
+	}
 	if strings.Contains(addr, ":") {
 		o.SetAf(unix.AF_INET6)
-		copy(o.src[:], net.ParseIP(addr))
+		copy(o.caddr[:], net.ParseIP(addr))
 		return
 	}
 	o.SetAf(unix.AF_INET)
 	buf := new(bytes.Buffer)
 	binary.Write(buf, binary.LittleEndian, net.ParseIP(addr))
-	copy(o.src[:], buf.Bytes()[12:])
+	copy(o.caddr[:], buf.Bytes()[12:])
 }
 
-func (o *CertificateAuthoritySpec) SetDst(addr string) {
+func (o *CertificateAuthoritySpec) SetVaddr(addr string) {
 	if strings.Contains(addr, ":") {
 		o.SetAf(unix.AF_INET6)
-		copy(o.dst[:], net.ParseIP(addr))
+		copy(o.vaddr[:], net.ParseIP(addr))
 		return
 	}
 	o.SetAf(unix.AF_INET)
 	buf := new(bytes.Buffer)
 	binary.Write(buf, binary.LittleEndian, net.ParseIP(addr))
-	copy(o.dst[:], buf.Bytes()[12:])
+	copy(o.vaddr[:], buf.Bytes()[12:])
 }
 
-func (o *CertificateAuthoritySpec) SetFwmark(fwmark uint32) {
-	o.fwmark = fwmark
+func (o *CertificateAuthoritySpec) SetIpset(ipset string) {
+	if len(ipset) == 0 {
+		var zeros [IPSET_MAXNAMELEN]byte
+		copy(o.ipset[:], zeros[:])
+		return
+	}
+	buf := []byte(ipset)
+	copy(o.ipset[:], buf[6:])
 }
 
-func (o *CertificateAuthoritySpec) SetPort(port uint16) {
+func (o *CertificateAuthoritySpec) SetVport(port uint16) {
 	buf := new(bytes.Buffer)
 	binary.Write(buf, binary.LittleEndian, uint16(port))
-	o.port = binary.BigEndian.Uint16(buf.Bytes())
+	o.vport = binary.BigEndian.Uint16(buf.Bytes())
 }
 
 func (o *CertificateAuthoritySpec) SetProto(proto string) {