func checkACLs(t *testing.T, client ovsdb.Client, connections []db.Connection, exp []ovsdb.ACL) { syncACLs(client, connections) actual, _ := client.ListACLs(lSwitch) ovsdbKey := func(ovsdbIntf interface{}) interface{} { return ovsdbIntf.(ovsdb.ACL).Core } if _, left, right := join.HashJoin(ovsdbACLSlice(actual), ovsdbACLSlice(exp), ovsdbKey, ovsdbKey); len(left) != 0 || len(right) != 0 { t.Errorf("Wrong ACLs: expected %v, got %v.", exp, actual) } }
func checkAddressSet(t *testing.T, client ovsdb.Client, labels []db.Label, exp []ovsdb.AddressSet) { syncAddressSets(client, labels) actual, _ := client.ListAddressSets(lSwitch) ovsdbKey := func(intf interface{}) interface{} { addrSet := intf.(ovsdb.AddressSet) // OVSDB returns the addresses in a non-deterministic order, so we // sort them. sort.Strings(addrSet.Addresses) return addressSetKey{ name: addrSet.Name, addresses: strings.Join(addrSet.Addresses, " "), } } if _, lefts, rights := join.HashJoin(addressSlice(actual), addressSlice(exp), ovsdbKey, ovsdbKey); len(lefts) != 0 || len(rights) != 0 { t.Errorf("Wrong address sets: expected %v, got %v.", exp, actual) } }
func syncACLs(ovsdbClient ovsdb.Client, connections []db.Connection) { ovsdbACLs, err := ovsdbClient.ListACLs(lSwitch) if err != nil { log.WithError(err).Error("Failed to list ACLs") return } expACLs := directedACLs(ovsdb.ACL{ Core: ovsdb.ACLCore{ Action: "drop", Match: "ip", Priority: 0, }, }) for _, conn := range connections { if conn.From == stitch.PublicInternetLabel || conn.To == stitch.PublicInternetLabel { continue } expACLs = append(expACLs, directedACLs( ovsdb.ACL{ Core: ovsdb.ACLCore{ Action: "allow", Match: matchString(conn), Priority: 1, }, })...) } ovsdbKey := func(ovsdbIntf interface{}) interface{} { return ovsdbIntf.(ovsdb.ACL).Core } _, toCreate, toDelete := join.HashJoin(ovsdbACLSlice(expACLs), ovsdbACLSlice(ovsdbACLs), ovsdbKey, ovsdbKey) for _, acl := range toDelete { if err := ovsdbClient.DeleteACL(lSwitch, acl.(ovsdb.ACL)); err != nil { log.WithError(err).Warn("Error deleting ACL") } } for _, intf := range toCreate { acl := intf.(ovsdb.ACL).Core if err := ovsdbClient.CreateACL(lSwitch, acl.Direction, acl.Priority, acl.Match, acl.Action); err != nil { log.WithError(err).Warn("Error adding ACL") } } }
func syncAddressSets(ovsdbClient ovsdb.Client, labels []db.Label) { ovsdbAddresses, err := ovsdbClient.ListAddressSets(lSwitch) if err != nil { log.WithError(err).Error("Failed to list address sets") return } var expAddressSets []ovsdb.AddressSet for _, l := range labels { if l.Label == stitch.PublicInternetLabel { continue } expAddressSets = append(expAddressSets, ovsdb.AddressSet{ Name: addressSetName(l.Label), Addresses: unique(append(l.ContainerIPs, l.IP)), }, ) } ovsdbKey := func(intf interface{}) interface{} { addrSet := intf.(ovsdb.AddressSet) // OVSDB returns the addresses in a non-deterministic order, so we // sort them. sort.Strings(addrSet.Addresses) return addressSetKey{ name: addrSet.Name, addresses: strings.Join(addrSet.Addresses, " "), } } _, toCreate, toDelete := join.HashJoin(addressSlice(expAddressSets), addressSlice(ovsdbAddresses), ovsdbKey, ovsdbKey) for _, intf := range toDelete { addr := intf.(ovsdb.AddressSet) if err := ovsdbClient.DeleteAddressSet(lSwitch, addr.Name); err != nil { log.WithError(err).Warn("Error deleting address set") } } for _, intf := range toCreate { addr := intf.(ovsdb.AddressSet) if err := ovsdbClient.CreateAddressSet( lSwitch, addr.Name, addr.Addresses); err != nil { log.WithError(err).Warn("Error adding address set") } } }