예제 #1
0
func checkACLs(t *testing.T, client ovsdb.Client,
	connections []db.Connection, exp []ovsdb.ACL) {

	syncACLs(client, connections)

	actual, _ := client.ListACLs(lSwitch)

	ovsdbKey := func(ovsdbIntf interface{}) interface{} {
		return ovsdbIntf.(ovsdb.ACL).Core
	}
	if _, left, right := join.HashJoin(ovsdbACLSlice(actual), ovsdbACLSlice(exp),
		ovsdbKey, ovsdbKey); len(left) != 0 || len(right) != 0 {
		t.Errorf("Wrong ACLs: expected %v, got %v.", exp, actual)
	}
}
예제 #2
0
func checkAddressSet(t *testing.T, client ovsdb.Client,
	labels []db.Label, exp []ovsdb.AddressSet) {

	syncAddressSets(client, labels)
	actual, _ := client.ListAddressSets(lSwitch)

	ovsdbKey := func(intf interface{}) interface{} {
		addrSet := intf.(ovsdb.AddressSet)
		// OVSDB returns the addresses in a non-deterministic order, so we
		// sort them.
		sort.Strings(addrSet.Addresses)
		return addressSetKey{
			name:      addrSet.Name,
			addresses: strings.Join(addrSet.Addresses, " "),
		}
	}
	if _, lefts, rights := join.HashJoin(addressSlice(actual), addressSlice(exp),
		ovsdbKey, ovsdbKey); len(lefts) != 0 || len(rights) != 0 {
		t.Errorf("Wrong address sets: expected %v, got %v.", exp, actual)
	}
}
예제 #3
0
파일: acl.go 프로젝트: NetSys/quilt
func syncACLs(ovsdbClient ovsdb.Client, connections []db.Connection) {
	ovsdbACLs, err := ovsdbClient.ListACLs(lSwitch)
	if err != nil {
		log.WithError(err).Error("Failed to list ACLs")
		return
	}

	expACLs := directedACLs(ovsdb.ACL{
		Core: ovsdb.ACLCore{
			Action:   "drop",
			Match:    "ip",
			Priority: 0,
		},
	})

	for _, conn := range connections {
		if conn.From == stitch.PublicInternetLabel ||
			conn.To == stitch.PublicInternetLabel {
			continue
		}
		expACLs = append(expACLs, directedACLs(
			ovsdb.ACL{
				Core: ovsdb.ACLCore{
					Action:   "allow",
					Match:    matchString(conn),
					Priority: 1,
				},
			})...)
	}

	ovsdbKey := func(ovsdbIntf interface{}) interface{} {
		return ovsdbIntf.(ovsdb.ACL).Core
	}
	_, toCreate, toDelete := join.HashJoin(ovsdbACLSlice(expACLs),
		ovsdbACLSlice(ovsdbACLs), ovsdbKey, ovsdbKey)

	for _, acl := range toDelete {
		if err := ovsdbClient.DeleteACL(lSwitch, acl.(ovsdb.ACL)); err != nil {
			log.WithError(err).Warn("Error deleting ACL")
		}
	}

	for _, intf := range toCreate {
		acl := intf.(ovsdb.ACL).Core
		if err := ovsdbClient.CreateACL(lSwitch, acl.Direction,
			acl.Priority, acl.Match, acl.Action); err != nil {
			log.WithError(err).Warn("Error adding ACL")
		}
	}
}
예제 #4
0
파일: acl.go 프로젝트: NetSys/quilt
func syncAddressSets(ovsdbClient ovsdb.Client, labels []db.Label) {
	ovsdbAddresses, err := ovsdbClient.ListAddressSets(lSwitch)
	if err != nil {
		log.WithError(err).Error("Failed to list address sets")
		return
	}

	var expAddressSets []ovsdb.AddressSet
	for _, l := range labels {
		if l.Label == stitch.PublicInternetLabel {
			continue
		}
		expAddressSets = append(expAddressSets,
			ovsdb.AddressSet{
				Name:      addressSetName(l.Label),
				Addresses: unique(append(l.ContainerIPs, l.IP)),
			},
		)
	}
	ovsdbKey := func(intf interface{}) interface{} {
		addrSet := intf.(ovsdb.AddressSet)
		// OVSDB returns the addresses in a non-deterministic order, so we
		// sort them.
		sort.Strings(addrSet.Addresses)
		return addressSetKey{
			name:      addrSet.Name,
			addresses: strings.Join(addrSet.Addresses, " "),
		}
	}
	_, toCreate, toDelete := join.HashJoin(addressSlice(expAddressSets),
		addressSlice(ovsdbAddresses), ovsdbKey, ovsdbKey)

	for _, intf := range toDelete {
		addr := intf.(ovsdb.AddressSet)
		if err := ovsdbClient.DeleteAddressSet(lSwitch, addr.Name); err != nil {
			log.WithError(err).Warn("Error deleting address set")
		}
	}

	for _, intf := range toCreate {
		addr := intf.(ovsdb.AddressSet)
		if err := ovsdbClient.CreateAddressSet(
			lSwitch, addr.Name, addr.Addresses); err != nil {
			log.WithError(err).Warn("Error adding address set")
		}
	}
}