-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Add iptables4nattemplate chain client element to connectioncontextk…
…ernel chain * Turn routelocalnet chain element to a client element and move to cmnnectioncontextkernel chain * Add setroutelocalnet chain server element Signed-off-by: Sergey Shlyanin <sergey.shlyanin@xored.com>
- Loading branch information
Sergey Shlyanin
committed
May 12, 2022
1 parent
cc7b4d9
commit 9bd5e37
Showing
9 changed files
with
395 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
138 changes: 138 additions & 0 deletions
138
pkg/kernel/networkservice/connectioncontextkernel/iptables4nattemplate/client.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,138 @@ | ||
| // Copyright (c) 2022 Xored Software Inc and others. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at: | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| //go:build linux | ||
| // +build linux | ||
|
|
||
| package iptables4nattemplate | ||
|
|
||
| import ( | ||
| "context" | ||
|
|
||
| "github.com/pkg/errors" | ||
| "google.golang.org/grpc" | ||
|
|
||
| "github.com/golang/protobuf/ptypes/empty" | ||
| "github.com/networkservicemesh/api/pkg/api/networkservice" | ||
| "github.com/networkservicemesh/api/pkg/api/networkservice/mechanisms/kernel" | ||
| "github.com/networkservicemesh/sdk/pkg/networkservice/core/next" | ||
| "github.com/networkservicemesh/sdk/pkg/networkservice/utils/metadata" | ||
|
|
||
| "github.com/networkservicemesh/sdk-kernel/pkg/kernel/tools/nshandle" | ||
| ) | ||
|
|
||
| type iptablesClient struct { | ||
| manager IPTablesManager | ||
| } | ||
|
|
||
| // NewClient - returns a new networkservice.NetworkServiceClient that modify IPTables rules | ||
| // by mechanism provided template on Request and rollbacks rules changes on Close | ||
| func NewClient() networkservice.NetworkServiceClient { | ||
| return &iptablesClient{ | ||
| manager: &iptableManagerImpl{}, | ||
| } | ||
| } | ||
|
|
||
| func (c *iptablesClient) Request(ctx context.Context, request *networkservice.NetworkServiceRequest, opts ...grpc.CallOption) (*networkservice.Connection, error) { | ||
| ctxMap := metadata.Map(ctx, metadata.IsClient(c)) | ||
| _, rulesWasApplied := ctxMap.Load(applyIPTablesKey{}) | ||
|
|
||
| conn, err := next.Client(ctx).Request(ctx, request, opts...) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| // Check refresh requests | ||
| if rulesWasApplied { | ||
| return conn, nil | ||
| } | ||
|
|
||
| mechanism := kernel.ToMechanism(conn.GetMechanism()) | ||
| if mechanism != nil && len(mechanism.GetIPTables4NatTemplate()) != 0 { | ||
| rules, err := mechanism.EvaluateIPTables4NatTemplate(conn) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
|
|
||
| currentNsHandler, err := nshandle.Current() | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| defer func() { _ = currentNsHandler.Close() }() | ||
|
|
||
| targetHsHandler, err := nshandle.FromURL(mechanism.GetNetNSURL()) | ||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| defer func() { _ = targetHsHandler.Close() }() | ||
|
|
||
| err = nshandle.RunIn(currentNsHandler, targetHsHandler, func() error { | ||
| initialRules, iptableErr := c.manager.Get() | ||
| if iptableErr != nil { | ||
| return iptableErr | ||
| } | ||
|
|
||
| ctxMap.Store(applyIPTablesKey{}, initialRules) | ||
|
|
||
| iptableErr = c.manager.Apply(rules) | ||
| if iptableErr != nil { | ||
| return iptableErr | ||
| } | ||
|
|
||
| return nil | ||
| }) | ||
|
|
||
| if err != nil { | ||
| return nil, err | ||
| } | ||
| } | ||
|
|
||
| return conn, nil | ||
| } | ||
|
|
||
| func (c *iptablesClient) Close(ctx context.Context, conn *networkservice.Connection, opts ...grpc.CallOption) (*empty.Empty, error) { | ||
| _, err := next.Client(ctx).Close(ctx, conn, opts...) | ||
|
|
||
| var restoreErr error | ||
| ctxMap := metadata.Map(ctx, metadata.IsClient(c)) | ||
| if initialRules, rulesWasApplied := ctxMap.Load(applyIPTablesKey{}); rulesWasApplied { | ||
| mechanism := kernel.ToMechanism(conn.GetMechanism()) | ||
| currentNsHandler, handleErr := nshandle.Current() | ||
| if handleErr != nil { | ||
| return nil, handleErr | ||
| } | ||
| defer func() { _ = currentNsHandler.Close() }() | ||
|
|
||
| targetHsHandler, handleErr := nshandle.FromURL(mechanism.GetNetNSURL()) | ||
| if handleErr != nil { | ||
| return nil, handleErr | ||
| } | ||
| defer func() { _ = targetHsHandler.Close() }() | ||
|
|
||
| restoreErr = nshandle.RunIn(currentNsHandler, targetHsHandler, func() error { | ||
| return c.manager.Restore(initialRules.(string)) | ||
| }) | ||
| } | ||
|
|
||
| if err != nil && restoreErr != nil { | ||
| return nil, errors.Wrap(err, restoreErr.Error()) | ||
| } | ||
| if restoreErr != nil { | ||
| return nil, restoreErr | ||
| } | ||
|
|
||
| return &empty.Empty{}, err | ||
| } |
117 changes: 117 additions & 0 deletions
117
pkg/kernel/networkservice/connectioncontextkernel/iptables4nattemplate/common.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| // Copyright (c) 2022 Xored Software Inc and others. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at: | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| //go:build linux | ||
| // +build linux | ||
|
|
||
| package iptables4nattemplate | ||
|
|
||
| import ( | ||
| "bytes" | ||
| "fmt" | ||
| "os" | ||
| "strings" | ||
|
|
||
| "github.com/edwarnicke/exechelper" | ||
| "github.com/pkg/errors" | ||
| ) | ||
|
|
||
| type applyIPTablesKey struct { | ||
| } | ||
|
|
||
| type iptableManagerImpl struct { | ||
| } | ||
|
|
||
| // IPTablesManager provides methods for iptables nat rules management | ||
| type IPTablesManager interface { | ||
| Get() (string, error) | ||
| Restore(string) error | ||
| Apply([]string) error | ||
| } | ||
|
|
||
| func (m *iptableManagerImpl) Get() (string, error) { | ||
| cmdStr := "iptables-save" | ||
| buf := bytes.NewBuffer([]byte{}) | ||
| err := exechelper.Run(cmdStr, | ||
| exechelper.WithStdout(buf), | ||
| exechelper.WithStderr(buf), | ||
| ) | ||
| if err != nil { | ||
| err = errors.Wrapf(err, "%s", buf.String()) | ||
| return "", err | ||
| } | ||
|
|
||
| return buf.String(), nil | ||
| } | ||
|
|
||
| func (m *iptableManagerImpl) Apply(rules []string) error { | ||
| for _, rule := range rules { | ||
| arguments := strings.Split(rule, " ") | ||
|
|
||
| cmdStr := "iptables -t nat" | ||
| buf := bytes.NewBuffer([]byte{}) | ||
| err := exechelper.Run(cmdStr, | ||
| exechelper.WithArgs(arguments...), | ||
| exechelper.WithStdout(buf), | ||
| exechelper.WithStderr(buf), | ||
| ) | ||
| if err != nil { | ||
| err = errors.Wrapf(err, "%s", buf.String()) | ||
| return err | ||
| } | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
|
|
||
| func (m *iptableManagerImpl) writeTmpRule(rules string) (string, error) { | ||
| fo, err := os.CreateTemp("/tmp", "rules-*") | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
|
|
||
| defer func() { _ = fo.Close() }() | ||
| _, err = fo.WriteString(rules) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
|
|
||
| return fo.Name(), nil | ||
| } | ||
|
|
||
| func (m *iptableManagerImpl) Restore(rules string) error { | ||
| // Save rules to a temp file | ||
| tmpFile, err := m.writeTmpRule(rules) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| defer func() { _ = os.Remove(tmpFile) }() | ||
|
|
||
| // Restore rules | ||
| cmdStr := fmt.Sprintf("iptables-restore %s", tmpFile) | ||
| buf := bytes.NewBuffer([]byte{}) | ||
| err = exechelper.Run(cmdStr, | ||
| exechelper.WithStdout(buf), | ||
| exechelper.WithStderr(buf), | ||
| ) | ||
| if err != nil { | ||
| err = errors.Wrapf(err, "%s", buf.String()) | ||
| return err | ||
| } | ||
|
|
||
| return nil | ||
| } |
18 changes: 18 additions & 0 deletions
18
pkg/kernel/networkservice/connectioncontextkernel/iptables4nattemplate/doc.go
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| // Copyright (c) 2022 Xored Software Inc and others. | ||
| // | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
| // | ||
| // Licensed under the Apache License, Version 2.0 (the "License"); | ||
| // you may not use this file except in compliance with the License. | ||
| // You may obtain a copy of the License at: | ||
| // | ||
| // http://www.apache.org/licenses/LICENSE-2.0 | ||
| // | ||
| // Unless required by applicable law or agreed to in writing, software | ||
| // distributed under the License is distributed on an "AS IS" BASIS, | ||
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| // See the License for the specific language governing permissions and | ||
| // limitations under the License. | ||
|
|
||
| // Package iptables4nattemplate provides chain element for setup iptables nat rules | ||
| package iptables4nattemplate |
Oops, something went wrong.