From 81c0084acbcceaf5bb85efeb248b3550e1594e6e Mon Sep 17 00:00:00 2001 From: Trekkie Coder Date: Tue, 19 Nov 2024 02:05:07 +0900 Subject: [PATCH] loxilb-io/loxilb#864 Initail support for lb source ranges --- api/models/loadbalance_entry.go | 2 +- api/restapi/embedded_spec.go | 6 +- api/restapi/handler/firewall.go | 5 +- api/restapi/handler/loadbalancer.go | 6 +- api/swagger.yml | 2 +- common/common.go | 10 +- pkg/loxinet/apiclient.go | 2 +- pkg/loxinet/dpbroker.go | 5 +- pkg/loxinet/dpebpf_linux.go | 13 +- pkg/loxinet/loxinettest.go | 2 +- pkg/loxinet/rules.go | 201 ++++++++++++++++++++++------ pkg/loxinet/xsync_server.go | 2 +- 12 files changed, 195 insertions(+), 61 deletions(-) diff --git a/api/models/loadbalance_entry.go b/api/models/loadbalance_entry.go index a7920530..18ae1a1b 100644 --- a/api/models/loadbalance_entry.go +++ b/api/models/loadbalance_entry.go @@ -313,7 +313,7 @@ type LoadbalanceEntryServiceArguments struct { Bgp bool `json:"bgp,omitempty"` // block-number if any of this LB entry - Block uint16 `json:"block,omitempty"` + Block uint32 `json:"block,omitempty"` // IP address for external access ExternalIP string `json:"externalIP,omitempty"` diff --git a/api/restapi/embedded_spec.go b/api/restapi/embedded_spec.go index 2e824087..6349ab66 100644 --- a/api/restapi/embedded_spec.go +++ b/api/restapi/embedded_spec.go @@ -5117,7 +5117,7 @@ func init() { "block": { "description": "block-number if any of this LB entry", "type": "integer", - "format": "uint16" + "format": "uint32" }, "externalIP": { "description": "IP address for external access", @@ -11374,7 +11374,7 @@ func init() { "block": { "description": "block-number if any of this LB entry", "type": "integer", - "format": "uint16" + "format": "uint32" }, "externalIP": { "description": "IP address for external access", @@ -11509,7 +11509,7 @@ func init() { "block": { "description": "block-number if any of this LB entry", "type": "integer", - "format": "uint16" + "format": "uint32" }, "externalIP": { "description": "IP address for external access", diff --git a/api/restapi/handler/firewall.go b/api/restapi/handler/firewall.go index 8a128fd2..93cb5a84 100644 --- a/api/restapi/handler/firewall.go +++ b/api/restapi/handler/firewall.go @@ -35,7 +35,7 @@ func ConfigPostFW(params operations.PostConfigFirewallParams) middleware.Respond Rules.DstPortMax = uint16(params.Attr.RuleArguments.MaxDestinationPort) Rules.DstPortMin = uint16(params.Attr.RuleArguments.MinDestinationPort) Rules.InPort = params.Attr.RuleArguments.PortName - Rules.Pref = uint16(params.Attr.RuleArguments.Preference) + Rules.Pref = uint32(params.Attr.RuleArguments.Preference) Rules.Proto = uint8(params.Attr.RuleArguments.Protocol) Rules.SrcIP = params.Attr.RuleArguments.SourceIP Rules.SrcPortMax = uint16(params.Attr.RuleArguments.MaxSourcePort) @@ -102,7 +102,7 @@ func ConfigDeleteFW(params operations.DeleteConfigFirewallParams) middleware.Res Rules.InPort = *params.PortName } if params.Preference != nil { - Rules.Pref = uint16(*params.Preference) + Rules.Pref = uint32(*params.Preference) } if params.Protocol != nil { Rules.Proto = uint8(*params.Protocol) @@ -175,7 +175,6 @@ func ConfigGetFW(params operations.GetConfigFirewallAllParams) middleware.Respon tmpOpts.ToIP = FW.Opts.ToIP tmpOpts.ToPort = int64(FW.Opts.ToPort) tmpOpts.Counter = FW.Opts.Counter - tmpResult.RuleArguments = &tmpRule tmpResult.Opts = &tmpOpts diff --git a/api/restapi/handler/loadbalancer.go b/api/restapi/handler/loadbalancer.go index bcc14fbb..81bf3692 100644 --- a/api/restapi/handler/loadbalancer.go +++ b/api/restapi/handler/loadbalancer.go @@ -93,7 +93,7 @@ func ConfigDeleteLoadbalancer(params operations.DeleteConfigLoadbalancerHosturlH lbServ.HostUrl = params.Hosturl } if params.Block != nil { - lbServ.BlockNum = uint16(*params.Block) + lbServ.BlockNum = uint32(*params.Block) } if params.Bgp != nil { lbServ.Bgp = *params.Bgp @@ -119,7 +119,7 @@ func ConfigDeleteLoadbalancerWithoutPath(params operations.DeleteConfigLoadbalan lbServ.Proto = params.Proto lbServ.HostUrl = "" if params.Block != nil { - lbServ.BlockNum = uint16(*params.Block) + lbServ.BlockNum = uint32(*params.Block) } if params.Bgp != nil { lbServ.Bgp = *params.Bgp @@ -155,7 +155,7 @@ func ConfigGetLoadbalancer(params operations.GetConfigLoadbalancerAllParams) mid tmpSvc.Bgp = lb.Serv.Bgp tmpSvc.Port = int64(lb.Serv.ServPort) tmpSvc.Protocol = lb.Serv.Proto - tmpSvc.Block = uint16(lb.Serv.BlockNum) + tmpSvc.Block = uint32(lb.Serv.BlockNum) tmpSvc.Sel = int64(lb.Serv.Sel) tmpSvc.Mode = int32(lb.Serv.Mode) tmpSvc.Security = int32(lb.Serv.Security) diff --git a/api/swagger.yml b/api/swagger.yml index e098f569..eace2bbe 100644 --- a/api/swagger.yml +++ b/api/swagger.yml @@ -3011,7 +3011,7 @@ definitions: description: value for Security mode (0-Plain, 1-HTTPs) block: type: integer - format: uint16 + format: uint32 description: block-number if any of this LB entry inactiveTimeOut: type: integer diff --git a/common/common.go b/common/common.go index c00227a0..1f5069dc 100644 --- a/common/common.go +++ b/common/common.go @@ -431,7 +431,7 @@ type FwRuleArg struct { // InPort - the incoming port InPort string `json:"portName"` // Pref - User preference for ordering - Pref uint16 `json:"preference"` + Pref uint32 `json:"preference"` } // FwRuleMod - Info related to a firewall entry @@ -544,7 +544,7 @@ type LbServiceArg struct { // Proto - the service protocol of the load-balancer rule Proto string `json:"protocol"` // BlockNum - An arbitrary block num to further segregate a service - BlockNum uint16 `json:"block"` + BlockNum uint32 `json:"block"` // Sel - one of LbSelRr,LbSelHash, or LbSelHash Sel EpSelect `json:"sel"` // Bgp - export this rule with goBGP @@ -604,6 +604,12 @@ type LbSecIPArg struct { SecIP string `json:"secondaryIP"` } +// LbAllowedSrcIPArg - Allowed Src IPs +type LbAllowedSrcIPArg struct { + // Prefix - Allowed Prefix + Prefix string `json:"prefix"` +} + // LbRuleMod - Info related to a load-balancer entry type LbRuleMod struct { // Serv - service argument of type LbServiceArg diff --git a/pkg/loxinet/apiclient.go b/pkg/loxinet/apiclient.go index cfaf068b..16691ad4 100644 --- a/pkg/loxinet/apiclient.go +++ b/pkg/loxinet/apiclient.go @@ -332,7 +332,7 @@ func (na *NetAPIStruct) NetLbRuleAdd(lm *cmn.LbRuleMod) (int, error) { mh.mtx.Lock() defer mh.mtx.Unlock() var ips []string - ret, err := mh.zr.Rules.AddLbRule(lm.Serv, lm.SecIPs[:], lm.Eps[:]) + ret, err := mh.zr.Rules.AddLbRule(lm.Serv, lm.SecIPs[:], nil, lm.Eps[:]) if err == nil && lm.Serv.Bgp { if mh.bgp != nil { ips = append(ips, lm.Serv.ServIP) diff --git a/pkg/loxinet/dpbroker.go b/pkg/loxinet/dpbroker.go index db7b6847..df5763fc 100644 --- a/pkg/loxinet/dpbroker.go +++ b/pkg/loxinet/dpbroker.go @@ -293,9 +293,10 @@ type LBDpWorkQ struct { ZoneNum int ServiceIP net.IP L4Port uint16 - BlockNum uint16 + BlockNum uint32 DsrMode bool CsumDis bool + SrcCheck bool SecMode SecT HostURL string Proto uint8 @@ -333,7 +334,7 @@ type DpCtInfo struct { ServiceIP net.IP `json:"serviceip"` ServProto string `json:"servproto"` L4ServPort uint16 `json:"l4servproto"` - BlockNum uint16 `json:"blocknum"` + BlockNum uint32 `json:"blocknum"` RuleID uint32 `json:"ruleid"` } diff --git a/pkg/loxinet/dpebpf_linux.go b/pkg/loxinet/dpebpf_linux.go index cec18455..2fb301a0 100644 --- a/pkg/loxinet/dpebpf_linux.go +++ b/pkg/loxinet/dpebpf_linux.go @@ -952,10 +952,10 @@ func DpLBRuleMod(w *LBDpWorkQ) int { key := new(natKey) - key.mark = C.ushort(w.BlockNum) + key.mark = C.uint(w.BlockNum) if w.NatType == DpSnat { - key.mark |= 0x1000 + key.mark |= SrcChkFwMark } else { key.daddr = [4]C.uint{0, 0, 0, 0} if tk.IsNetIPv4(w.ServiceIP.String()) { @@ -965,9 +965,9 @@ func DpLBRuleMod(w *LBDpWorkQ) int { convNetIP2DPv6Addr(unsafe.Pointer(&key.daddr[0]), w.ServiceIP) key.v6 = 1 } - key.mark = C.ushort(w.BlockNum) + key.mark = C.uint(w.BlockNum) key.dport = C.ushort(tk.Htons(w.L4Port)) - key.l4proto = C.uchar(w.Proto) + key.l4proto = C.ushort(w.Proto) key.zone = C.ushort(w.ZoneNum) } @@ -1020,6 +1020,9 @@ func DpLBRuleMod(w *LBDpWorkQ) int { if w.DsrMode { dat.ca.oaux = 1 } + if w.SrcCheck { + dat.chksrc = 1 + } nxfa := (*nxfrmAct)(unsafe.Pointer(&dat.nxfrms[0])) @@ -1053,7 +1056,7 @@ func DpLBRuleMod(w *LBDpWorkQ) int { nxfa.inactive = 1 } - dat.nxfrm = C.ushort(len(w.endPoints)) + dat.nxfrm = C.uchar(len(w.endPoints)) if w.CsumDis { dat.cdis = 1 } else { diff --git a/pkg/loxinet/loxinettest.go b/pkg/loxinet/loxinettest.go index 0b98318c..e9541f8e 100644 --- a/pkg/loxinet/loxinettest.go +++ b/pkg/loxinet/loxinettest.go @@ -289,7 +289,7 @@ func TestLoxinet(t *testing.T) { Weight: 2, }, } - _, err = mh.zr.Rules.AddLbRule(lbServ, nil, lbEps[:]) + _, err = mh.zr.Rules.AddLbRule(lbServ, nil, nil, lbEps[:]) if err != nil { t.Errorf("failed to add nat lb rule for 10.10.10.1\n") } diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go index 0b137701..a656a984 100644 --- a/pkg/loxinet/rules.go +++ b/pkg/loxinet/rules.go @@ -79,20 +79,22 @@ const ( // constants const ( MaxLBEndPoints = 32 - DflLbaInactiveTries = 2 // Default number of inactive tries before LB arm is turned off - MaxDflLbaInactiveTries = 100 // Max number of inactive tries before LB arm is turned off - DflLbaCheckTimeout = 10 // Default timeout for checking LB arms - DflHostProbeTimeout = 60 // Default probe timeout for end-point host - InitHostProbeTimeout = 15 // Initial probe timeout for end-point host - MaxHostProbeTime = 24 * 3600 // Max possible host health check duration - LbDefaultInactiveTimeout = 4 * 60 // Default inactive timeout for established sessions - LbDefaultInactiveNSTimeout = 20 // Default inactive timeout for non-session oriented protocols - LbMaxInactiveTimeout = 24 * 3600 // Maximum inactive timeout for established sessions - MaxEndPointCheckers = 4 // Maximum helpers to check endpoint health - EndPointCheckerDuration = 2 // Duration at which ep-helpers will run - MaxEndPointSweeps = 20 // Maximum end-point sweeps per round - VIPSweepDuration = 30 // Duration of periodic VIP maintenance - DefaultPersistTimeOut = 10800 // Default persistent LB session timeout + DflLbaInactiveTries = 2 // Default number of inactive tries before LB arm is turned off + MaxDflLbaInactiveTries = 100 // Max number of inactive tries before LB arm is turned off + DflLbaCheckTimeout = 10 // Default timeout for checking LB arms + DflHostProbeTimeout = 60 // Default probe timeout for end-point host + InitHostProbeTimeout = 15 // Initial probe timeout for end-point host + MaxHostProbeTime = 24 * 3600 // Max possible host health check duration + LbDefaultInactiveTimeout = 4 * 60 // Default inactive timeout for established sessions + LbDefaultInactiveNSTimeout = 20 // Default inactive timeout for non-session oriented protocols + LbMaxInactiveTimeout = 24 * 3600 // Maximum inactive timeout for established sessions + MaxEndPointCheckers = 4 // Maximum helpers to check endpoint health + EndPointCheckerDuration = 2 // Duration at which ep-helpers will run + MaxEndPointSweeps = 20 // Maximum end-point sweeps per round + VIPSweepDuration = 30 // Duration of periodic VIP maintenance + DefaultPersistTimeOut = 10800 // Default persistent LB session timeout + SnatFwMark = 0x80000000 // Snat Marker + SrcChkFwMark = 0x40000000 // Src check Marker ) type ruleTType uint @@ -154,7 +156,7 @@ type ruleTuples struct { inL4Prot rule8Tuple inL4Src rule16Tuple inL4Dst rule16Tuple - pref uint16 + pref uint32 path string } @@ -290,6 +292,7 @@ type ruleEnt struct { name string inst string secMode cmn.LBSec + srcList []*allowedSrcElem locIPs map[string]struct{} } @@ -299,7 +302,7 @@ type ruleTable struct { eMap map[string]*ruleEnt rArr [RtMaximumLbs]*ruleEnt pMap []*ruleEnt - Mark *tk.Counter + Mark *utils.Marker } type ruleTableType uint @@ -334,6 +337,13 @@ type vipElem struct { inst string } +type allowedSrcElem struct { + ref int + srcPref *net.IPNet + mark uint64 + lbmark uint32 +} + // RuleH - context container type RuleH struct { zone *Zone @@ -341,6 +351,8 @@ type RuleH struct { tables [RtMax]ruleTable epMap map[string]*epHost vipMap map[string]*vipElem + srcMark *tk.Counter + lbSrcMap map[string]*allowedSrcElem epCs [MaxEndPointCheckers]epChecker wg sync.WaitGroup lepHID uint8 @@ -360,15 +372,17 @@ func RulesInit(zone *Zone) *RuleH { nRh.vipMap = make(map[string]*vipElem) nRh.epMap = make(map[string]*epHost) + nRh.lbSrcMap = make(map[string]*allowedSrcElem) + nRh.srcMark = tk.NewCounter(1, RtMaximumFw4s) nRh.tables[RtFw].tableMatch = RmMax - 1 nRh.tables[RtFw].tableType = RtMf nRh.tables[RtFw].eMap = make(map[string]*ruleEnt) - nRh.tables[RtFw].Mark = tk.NewCounter(1, RtMaximumFw4s) + nRh.tables[RtFw].Mark = utils.NewMarker(1, RtMaximumFw4s) nRh.tables[RtLB].tableMatch = RmL3Dst | RmL4Dst | RmL4Prot nRh.tables[RtLB].tableType = RtEm nRh.tables[RtLB].eMap = make(map[string]*ruleEnt) - nRh.tables[RtLB].Mark = tk.NewCounter(1, RtMaximumLbs) + nRh.tables[RtLB].Mark = utils.NewMarker(1, RtMaximumLbs) for i := 0; i < MaxEndPointCheckers; i++ { nRh.epCs[i].tD = make(chan bool) @@ -764,8 +778,6 @@ func (R *RuleH) Rules2Json() ([]byte, error) { return nil, err } bret = append(bret, js...) - fmt.Printf("js: %v\n", js) - fmt.Println(string(js)) } return bret, nil @@ -983,7 +995,7 @@ func (R *RuleH) GetLBRuleByServArgs(serv cmn.LbServiceArg) *ruleEnt { return R.tables[RtLB].eMap[rt.ruleKey()] } -// GetLBRuleSecIPs - Get secondary IPs for SCTP LB rule by its service args +// GetLBRuleSecIPs - Get secondary IPs for LB rule by its service args func (R *RuleH) GetLBRuleSecIPs(serv cmn.LbServiceArg) []string { var ipProto uint8 var ips []string @@ -1016,6 +1028,93 @@ func (R *RuleH) GetLBRuleSecIPs(serv cmn.LbServiceArg) []string { return ips } +func (R *RuleH) addAllowedLbSrc(CIDR string, lbMark uint32) *allowedSrcElem { + + _, srcPref, err := net.ParseCIDR(CIDR) + if err != nil { + tk.LogIt(tk.LogError, "allowed-cidr parse failed\n") + return nil + } + + if lbMark >= 14 { + tk.LogIt(tk.LogError, "allowed-src lbmark out-of-range\n") + return nil + } + + added := false + srcElem := R.lbSrcMap[CIDR] + if srcElem != nil { + srcElem.lbmark |= 1 << lbMark + srcElem.ref++ + added = true + goto addFw + } + + srcElem = new(allowedSrcElem) + srcElem.ref = 1 + srcElem.srcPref = srcPref + srcElem.lbmark = 1 << lbMark + srcElem.mark, err = R.srcMark.GetCounter() + if err != nil { + tk.LogIt(tk.LogError, "allowed-cidr failed to alloc id\n") + return nil + } + +addFw: + fwarg := cmn.FwRuleArg{SrcIP: srcPref.String(), DstIP: "0.0.0.0/0"} + fwOpts := cmn.FwOptArg{Allow: true, Mark: srcElem.lbmark | SrcChkFwMark} + _, err = R.AddFwRule(fwarg, fwOpts) + if err != nil { + if !strings.Contains(err.Error(), "fwrule-exists") { + R.srcMark.PutCounter(srcElem.mark) + tk.LogIt(tk.LogError, "allowed-src failed to add fw %s\n", err) + return nil + } + } + + if !added { + R.lbSrcMap[CIDR] = srcElem + } + + tk.LogIt(tk.LogInfo, "added allowed-cidr %s: 0x%x\n", srcPref.String(), srcElem.lbmark) + + return srcElem +} + +func (R *RuleH) deleteAllowedLbSrc(CIDR string, lbMark uint32) error { + srcElem := R.lbSrcMap[CIDR] + if srcElem == nil { + return errors.New("no such allowed src prefix") + } + + if lbMark >= 14 { + tk.LogIt(tk.LogError, "allowed-src lbmark out-of-range\n") + return nil + } + + srcElem.ref-- + + if srcElem.ref == 0 { + fwarg := cmn.FwRuleArg{SrcIP: srcElem.srcPref.String(), DstIP: "0.0.0.0/0"} + _, err := R.DeleteFwRule(fwarg) + if err != nil { + tk.LogIt(tk.LogError, "Failed to delete allowedSRC %s\n", srcElem.srcPref.String()) + } + R.srcMark.PutCounter(srcElem.mark) + delete(R.lbSrcMap, CIDR) + tk.LogIt(tk.LogInfo, "delete allowed-cidr %s\n", srcElem.srcPref.String()) + } else { + srcElem.lbmark &= ^(1 << lbMark) + fwarg := cmn.FwRuleArg{SrcIP: srcElem.srcPref.String()} + fwOpts := cmn.FwOptArg{Allow: true, Mark: srcElem.lbmark | SrcChkFwMark} + R.AddFwRule(fwarg, fwOpts) + tk.LogIt(tk.LogInfo, "updated allowed-cidr %s : 0x%x\n", srcElem.srcPref.String(), srcElem.lbmark) + + } + + return nil +} + func (R *RuleH) electEPSrc(r *ruleEnt) bool { var sip net.IP var e int @@ -1378,7 +1477,7 @@ func getLBConsolidatedEPs(oldEps []ruleLBEp, newEps []ruleLBEp, oper cmn.LBOp) ( // AddLbRule - Add a service LB rule. The service details are passed in serv argument, // and end-point information is passed in the slice servEndPoints. On success, // it will return 0 and nil error, else appropriate return code and error string will be set -func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, servEndPoints []cmn.LbEndPointArg) (int, error) { +func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, allowedSources []cmn.LbAllowedSrcIPArg, servEndPoints []cmn.LbEndPointArg) (int, error) { var lBActs ruleLBActs var nSecIP []ruleLBSIP var ipProto uint8 @@ -1396,6 +1495,8 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, se return RuleUnknownServiceErr, errors.New("malformed-service error") } + allowedSources = append(allowedSources, cmn.LbAllowedSrcIPArg{Prefix: "10.10.10.1/32"}) + privIP = nil if serv.PrivateIP != "" { privIP = net.ParseIP(serv.PrivateIP) @@ -1641,6 +1742,7 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, se r.managed = serv.Managed r.secIP = nSecIP r.secMode = serv.Security + // Per LB end-point health-check is supposed to be handled at kube-loxilb/CCM, // but it certain cases like stand-alone mode, loxilb can do its own // lb end-point health monitoring @@ -1653,11 +1755,23 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, se r.hChk.actChk = serv.Monitor r.act.action = &lBActs - r.ruleNum, err = R.tables[RtLB].Mark.GetCounter() + r.ruleNum, err = R.tables[RtLB].Mark.GetMarker() if err != nil { tk.LogIt(tk.LogError, "nat lb-rule - %s:%s hwm error\n", r.tuples.String(), r.act.String()) return RuleAllocErr, errors.New("rule-hwm error") } + for _, allowedSource := range allowedSources { + srcElem := R.addAllowedLbSrc(allowedSource.Prefix, uint32(r.ruleNum)) + if srcElem == nil { + R.tables[RtLB].Mark.ReleaseMarker(r.ruleNum) + for _, src := range r.srcList { + R.deleteAllowedLbSrc(src.srcPref.String(), uint32(r.ruleNum)) + } + tk.LogIt(tk.LogError, "nat lb-rule - %s:%s allowedSRC error\n", r.tuples.String(), r.act.String()) + return RuleAllocErr, errors.New("rule-allowed-src error") + } + r.srcList = append(r.srcList, srcElem) + } r.sT = time.Now() r.iTO = serv.InactiveTimeout r.bgp = serv.Bgp @@ -1682,14 +1796,13 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, se } } - tk.LogIt(tk.LogDebug, "lb-rule added - %d:%s-%s\n", r.ruleNum, r.tuples.String(), r.act.String()) - R.tables[RtLB].eMap[rt.ruleKey()] = r if r.ruleNum < RtMaximumLbs { R.tables[RtLB].rArr[r.ruleNum] = r } R.addVIPSys(r) r.DP(DpCreate) + tk.LogIt(tk.LogDebug, "lb-rule added - %d:%s-%s\n", r.ruleNum, r.tuples.String(), r.act.String()) return 0, nil } @@ -1747,7 +1860,7 @@ func (R *RuleH) DeleteLbRule(serv cmn.LbServiceArg) (int, error) { return RuleNotExistsErr, errors.New("no-rule error") } - defer R.tables[RtLB].Mark.PutCounter(rule.ruleNum) + defer R.tables[RtLB].Mark.ReleaseMarker(rule.ruleNum) eEps := rule.act.action.(*ruleLBActs).endPoints activatedProbe := false @@ -1759,6 +1872,11 @@ func (R *RuleH) DeleteLbRule(serv cmn.LbServiceArg) (int, error) { R.unFoldRecursiveEPs(rule) } + for _, srcElem := range rule.srcList { + R.deleteAllowedLbSrc(srcElem.srcPref.String(), uint32(rule.ruleNum)) + } + rule.srcList = nil + delete(R.tables[RtLB].eMap, rt.ruleKey()) if rule.ruleNum < RtMaximumLbs { R.tables[RtLB].rArr[rule.ruleNum] = nil @@ -1841,12 +1959,13 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er // Validate rule args _, dNetAddr, err := net.ParseCIDR(fwRule.DstIP) if err != nil { - return RuleTupleErr, errors.New("malformed-rule error") + return RuleTupleErr, errors.New("malformed-rule dst error") } _, sNetAddr, err := net.ParseCIDR(fwRule.SrcIP) if err != nil { - return RuleTupleErr, errors.New("malformed-rule error") + fmt.Printf("src parse failure %s\n", err) + return RuleTupleErr, errors.New("malformed-rule src error") } l3dst := ruleIPTuple{*dNetAddr} @@ -1883,6 +2002,10 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er eFw := R.tables[RtFw].eMap[rt.ruleKey()] if eFw != nil { + if fwOpts.opt.fwMark != fwOptArgs.Mark { + fwOpts.opt.fwMark = fwOptArgs.Mark + eFw.Fw2DP(DpCreate) + } // If a FW rule already exists return RuleExistsErr, errors.New("fwrule-exists error") } @@ -1925,7 +2048,7 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er } r.act.action = &fwOpts - r.ruleNum, err = R.tables[RtFw].Mark.GetCounter() + r.ruleNum, err = R.tables[RtFw].Mark.GetMarker() if err != nil { tk.LogIt(tk.LogError, "fw-rule - %s:%s mark error\n", r.tuples.String(), r.act.String()) return RuleAllocErr, errors.New("rule-mark error") @@ -1938,7 +2061,7 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er servArg.ServIP = "0.0.0.0" servArg.ServPort = 0 servArg.Proto = "none" - servArg.BlockNum = uint16(r.ruleNum) | 0x1000 + servArg.BlockNum = uint32(r.ruleNum) | SnatFwMark servArg.Sel = cmn.LbSelRr servArg.Mode = cmn.LBModeDefault servArg.Snat = true @@ -1947,13 +2070,13 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er snatEP := []cmn.LbEndPointArg{{EpIP: fwOpts.opt.snatIP, EpPort: fwOpts.opt.snatPort}} - _, err := R.AddLbRule(servArg, nil, snatEP) + _, err := R.AddLbRule(servArg, nil, nil, snatEP) if err != nil { tk.LogIt(tk.LogError, "fw-rule - %s:%s (%s) snat create error\n", r.tuples.String(), r.act.String(), err) return RuleArgsErr, errors.New("rule-snat error") } - fwOpts.opt.fwMark = uint32(uint16((r.ruleNum) | 0x1000)) + fwOpts.opt.fwMark = uint32(uint16((r.ruleNum) | SnatFwMark)) } @@ -1977,12 +2100,12 @@ func (R *RuleH) DeleteFwRule(fwRule cmn.FwRuleArg) (int, error) { // Vaildate rule args _, dNetAddr, err := net.ParseCIDR(fwRule.DstIP) if err != nil { - return RuleTupleErr, errors.New("malformed-rule error") + return RuleTupleErr, errors.New("malformed-rule dst error") } _, sNetAddr, err := net.ParseCIDR(fwRule.SrcIP) if err != nil { - return RuleTupleErr, errors.New("malformed-rule error") + return RuleTupleErr, errors.New("malformed-rule src error") } l3dst := ruleIPTuple{*dNetAddr} @@ -2027,7 +2150,7 @@ func (R *RuleH) DeleteFwRule(fwRule cmn.FwRuleArg) (int, error) { servArg.ServIP = "0.0.0.0" servArg.ServPort = 0 servArg.Proto = "none" - servArg.BlockNum = uint16(rule.ruleNum) | 0x1000 + servArg.BlockNum = uint32(rule.ruleNum) | SnatFwMark servArg.Sel = cmn.LbSelRr servArg.Mode = cmn.LBModeDefault servArg.Snat = true @@ -2043,7 +2166,7 @@ func (R *RuleH) DeleteFwRule(fwRule cmn.FwRuleArg) (int, error) { } } - defer R.tables[RtFw].Mark.PutCounter(rule.ruleNum) + defer R.tables[RtFw].Mark.ReleaseMarker(rule.ruleNum) delete(R.tables[RtFw].eMap, rt.ruleKey()) @@ -2579,7 +2702,6 @@ func (R *RuleH) RuleDestructAll() { R.DeleteFwRule(fwr) } - return } // VIP2DP - Sync state of nat-rule for local sock VIP-port rewrite @@ -2634,6 +2756,9 @@ func (r *ruleEnt) LB2DP(work DpWorkT) int { nWork.InActTo = uint64(r.iTO) nWork.PersistTo = uint64(r.pTO) nWork.HostURL = r.tuples.path + if len(r.srcList) > 0 { + nWork.SrcCheck = true + } if r.act.actType == RtActDnat { nWork.NatType = DpDnat @@ -2838,7 +2963,7 @@ func (r *ruleEnt) Fw2DP(work DpWorkT) int { } nWork.Proto = r.tuples.l4Prot.val nWork.Mark = int(r.ruleNum) - nWork.Pref = r.tuples.pref + nWork.Pref = uint16(r.tuples.pref) switch at := r.act.action.(type) { case *ruleFwOpts: diff --git a/pkg/loxinet/xsync_server.go b/pkg/loxinet/xsync_server.go index fd118caa..02fca650 100644 --- a/pkg/loxinet/xsync_server.go +++ b/pkg/loxinet/xsync_server.go @@ -154,7 +154,7 @@ func (ci *CtInfo) ConvertToDpCtInfo() DpCtInfo { Packets: uint64(ci.Packets), Bytes: uint64(ci.Bytes), Deleted: int(ci.Deleted), PKey: ci.Pkey, PVal: ci.Pval, XSync: ci.Xsync, ServiceIP: ci.Serviceip, ServProto: ci.Servproto, - L4ServPort: uint16(ci.L4Servport), BlockNum: uint16(ci.Blocknum), + L4ServPort: uint16(ci.L4Servport), BlockNum: uint32(ci.Blocknum), } return cti }