func checkACLs(t *testing.T, client ovsdb.Client,
connections []db.Connection, exp []ovsdb.ACL) {
syncACLs(client, connections)
actual, _ := client.ListACLs(lSwitch)
ovsdbKey := func(ovsdbIntf interface{}) interface{} {
return ovsdbIntf.(ovsdb.ACL).Core
}
if _, left, right := join.HashJoin(ovsdbACLSlice(actual), ovsdbACLSlice(exp),
ovsdbKey, ovsdbKey); len(left) != 0 || len(right) != 0 {
t.Errorf("Wrong ACLs: expected %v, got %v.", exp, actual)
}
}
func checkAddressSet(t *testing.T, client ovsdb.Client,
labels []db.Label, exp []ovsdb.AddressSet) {
syncAddressSets(client, labels)
actual, _ := client.ListAddressSets(lSwitch)
ovsdbKey := func(intf interface{}) interface{} {
addrSet := intf.(ovsdb.AddressSet)
// OVSDB returns the addresses in a non-deterministic order, so we
// sort them.
sort.Strings(addrSet.Addresses)
return addressSetKey{
name: addrSet.Name,
addresses: strings.Join(addrSet.Addresses, " "),
}
}
if _, lefts, rights := join.HashJoin(addressSlice(actual), addressSlice(exp),
ovsdbKey, ovsdbKey); len(lefts) != 0 || len(rights) != 0 {
t.Errorf("Wrong address sets: expected %v, got %v.", exp, actual)
}
}
func syncACLs(ovsdbClient ovsdb.Client, connections []db.Connection) {
ovsdbACLs, err := ovsdbClient.ListACLs(lSwitch)
if err != nil {
log.WithError(err).Error("Failed to list ACLs")
return
}
expACLs := directedACLs(ovsdb.ACL{
Core: ovsdb.ACLCore{
Action: "drop",
Match: "ip",
Priority: 0,
},
})
for _, conn := range connections {
if conn.From == stitch.PublicInternetLabel ||
conn.To == stitch.PublicInternetLabel {
continue
}
expACLs = append(expACLs, directedACLs(
ovsdb.ACL{
Core: ovsdb.ACLCore{
Action: "allow",
Match: matchString(conn),
Priority: 1,
},
})...)
}
ovsdbKey := func(ovsdbIntf interface{}) interface{} {
return ovsdbIntf.(ovsdb.ACL).Core
}
_, toCreate, toDelete := join.HashJoin(ovsdbACLSlice(expACLs),
ovsdbACLSlice(ovsdbACLs), ovsdbKey, ovsdbKey)
for _, acl := range toDelete {
if err := ovsdbClient.DeleteACL(lSwitch, acl.(ovsdb.ACL)); err != nil {
log.WithError(err).Warn("Error deleting ACL")
}
}
for _, intf := range toCreate {
acl := intf.(ovsdb.ACL).Core
if err := ovsdbClient.CreateACL(lSwitch, acl.Direction,
acl.Priority, acl.Match, acl.Action); err != nil {
log.WithError(err).Warn("Error adding ACL")
}
}
}
func syncAddressSets(ovsdbClient ovsdb.Client, labels []db.Label) {
ovsdbAddresses, err := ovsdbClient.ListAddressSets(lSwitch)
if err != nil {
log.WithError(err).Error("Failed to list address sets")
return
}
var expAddressSets []ovsdb.AddressSet
for _, l := range labels {
if l.Label == stitch.PublicInternetLabel {
continue
}
expAddressSets = append(expAddressSets,
ovsdb.AddressSet{
Name: addressSetName(l.Label),
Addresses: unique(append(l.ContainerIPs, l.IP)),
},
)
}
ovsdbKey := func(intf interface{}) interface{} {
addrSet := intf.(ovsdb.AddressSet)
// OVSDB returns the addresses in a non-deterministic order, so we
// sort them.
sort.Strings(addrSet.Addresses)
return addressSetKey{
name: addrSet.Name,
addresses: strings.Join(addrSet.Addresses, " "),
}
}
_, toCreate, toDelete := join.HashJoin(addressSlice(expAddressSets),
addressSlice(ovsdbAddresses), ovsdbKey, ovsdbKey)
for _, intf := range toDelete {
addr := intf.(ovsdb.AddressSet)
if err := ovsdbClient.DeleteAddressSet(lSwitch, addr.Name); err != nil {
log.WithError(err).Warn("Error deleting address set")
}
}
for _, intf := range toCreate {
addr := intf.(ovsdb.AddressSet)
if err := ovsdbClient.CreateAddressSet(
lSwitch, addr.Name, addr.Addresses); err != nil {
log.WithError(err).Warn("Error adding address set")
}
}
}