// TestReservedID checks the mapping between reserved label names and their
// numeric IDs: known names resolve to their constant and print back as the
// same name, an unrecognised name resolves to labels.ID_UNKNOWN, and an ID
// with no registered name stringifies to the empty string.
func (s *CommonSuite) TestReservedID(c *C) {
	// assertRoundTrip verifies name -> ID -> name for one reserved label.
	assertRoundTrip := func(name string, want interface{}) {
		got := labels.GetID(name)
		c.Assert(got, Equals, want)
		c.Assert(got.String(), Equals, name)
	}

	assertRoundTrip("host", labels.ID_HOST)
	assertRoundTrip("world", labels.ID_WORLD)

	// A name that is not reserved must not alias any real reserved ID.
	c.Assert(labels.GetID("unknown"), Equals, labels.ID_UNKNOWN)

	// 700 is not a registered reserved ID, so it has no printable name.
	c.Assert(labels.ReservedID(700).String(), Equals, "")
}
// getSecID prints the numeric ID of the reserved label given as the first
// positional argument. With the "list" flag set it instead prints every entry
// of labels.ResDec, one "name id" pair per line.
//
// When the label is not a reserved one nothing is printed and the process
// exits with status 1, so callers can tell "unknown" apart from a real ID.
func getSecID(ctx *cli.Context) {
	if ctx.Bool("list") {
		// Map iteration order is unspecified, so the listing order varies
		// between runs.
		for name, resID := range labels.ResDec {
			fmt.Printf("%-15s %3d\n", name, resID)
		}
		return
	}

	resID := labels.GetID(ctx.Args().First())
	if resID == labels.ID_UNKNOWN {
		os.Exit(1)
	}
	fmt.Printf("%d\n", resID)
}
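// updatePolicyKey adds (add == true) or removes (add == false) a consumer
// entry in the policy map that belongs to a label.
//
// Positional arguments read from ctx:
//   - 0: the label whose policy map is modified. A reserved label name known
//     to labels.GetID is translated to "reserved_<id>"; any other value is
//     used verbatim as the map file name.
//   - 1: the peer (consumer) label ID, a base-10 unsigned 32-bit integer.
//
// All failures are reported on stderr. The peer ID is validated before the
// map is opened, so a malformed argument never results in a policy change.
func updatePolicyKey(ctx *cli.Context, add bool) {
	if len(ctx.Args()) < 2 {
		fmt.Fprintf(os.Stderr, "Incorrect number of arguments.\n")
		return
	}

	lbl := ctx.Args().Get(0)
	if lbl == "" {
		fmt.Fprintf(os.Stderr, "Need ID or label\n")
		return
	}
	if id := labels.GetID(lbl); id != labels.ID_UNKNOWN {
		lbl = "reserved_" + strconv.FormatUint(uint64(id), 10)
	}

	// The parse error used to be overwritten by the map operation below, so
	// a non-numeric or out-of-range argument was silently treated as ID 0 and
	// that ID was allowed or deleted. Reject it explicitly instead.
	peerArg := ctx.Args().Get(1)
	peerLbl, err := strconv.ParseUint(peerArg, 10, 32)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Invalid peer label ID '%s': %s\n", peerArg, err)
		return
	}

	// NOTE(review): lbl comes straight from the command line and is appended
	// to the map path prefix without validation; a value containing path
	// separators or ".." would name a file outside that prefix. Consider
	// accepting only a numeric ID or a reserved label name here.
	file := common.PolicyMapPath + lbl
	policyMap, _, err := policymap.OpenMap(file)
	if err != nil {
		fmt.Fprintf(os.Stderr, "Could not open policymap '%s' : %s\n", file, err)
		return
	}

	// Name the operation that actually ran; the message previously said
	// "allow" for deletions too and dropped the underlying error.
	op := "delete"
	if add {
		op = "allow"
		err = policyMap.AllowConsumer(uint32(peerLbl))
	} else {
		err = policyMap.DeleteConsumer(uint32(peerLbl))
	}
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s label %d failed for %s: %s\n", op, peerLbl, lbl, err)
		return
	}
}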
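// init prepares the daemon's runtime state.
//
// It creates <RunDir>/globals, changes the working directory to RunDir and
// writes ./globals/node_config.h, a C header carrying the node's addressing
// (#define NODE_ID, ROUTER_IP, IPV4_*, HOST_IP, ...) and the reserved HOST_ID
// and WORLD_ID label IDs. Unless DryMode is set it then calls compileBase
// under the options read lock, opens the LXC map and the load-balancer maps
// (the IPv4 ones only when IPv4Enabled), and deletes all services unless
// RestoreState is set.
//
// Failure to create or enter the runtime directory is reported through
// log.Fatalf. Every other failure is returned to the caller, including a
// failed write, flush or close of the header.
func (d *Daemon) init() error {
	globalsDir := filepath.Join(d.conf.RunDir, "globals")
	if err := os.MkdirAll(globalsDir, 0755); err != nil {
		log.Fatalf("Could not create runtime directory %s: %s", globalsDir, err)
	}

	if err := os.Chdir(d.conf.RunDir); err != nil {
		log.Fatalf("Could not change to runtime directory %s: \"%s\"", d.conf.RunDir, err)
	}

	// Relative path: resolved against RunDir because of the Chdir above.
	f, err := os.Create("./globals/node_config.h")
	if err != nil {
		log.Warningf("Failed to create node configuration file: %s", err)
		return err
	}

	// bufio.Writer remembers the first write error and returns it from
	// Flush, so the individual writes below are checked once at the end.
	fw := bufio.NewWriter(f)

	hostIP := d.conf.NodeAddress.IPv6Address.HostIP()

	// Human-readable comment block at the top of the header.
	fmt.Fprintf(fw,
		"/*\n"+
			" * Node-IPv6: %s\n"+
			" * Host-IPv6: %s\n",
		d.conf.NodeAddress.IPv6Address.IP().String(),
		hostIP.String())

	if d.conf.IPv4Enabled {
		fmt.Fprintf(fw,
			" * Host-IPv4: %s\n"+
				" */\n\n"+
				"#define ENABLE_IPV4\n",
			d.conf.NodeAddress.IPv4Address.IP().String())
	} else {
		fw.WriteString(" */\n\n")
	}

	fmt.Fprintf(fw, "#define NODE_ID %#x\n", d.conf.NodeAddress.IPv6Address.NodeID())
	fw.WriteString(common.FmtDefineArray("ROUTER_IP", d.conf.NodeAddress.IPv6Address))

	// NOTE(review): the IPV4_* defines are emitted even when IPv4Enabled is
	// false, and binary.LittleEndian.Uint32 panics on a slice shorter than
	// four bytes. Confirm these address fields are always populated.
	ipv4GW := d.conf.NodeAddress.IPv4Address
	fmt.Fprintf(fw, "#define IPV4_GATEWAY %#x\n", binary.LittleEndian.Uint32(ipv4GW))

	ipv4Range := d.conf.NodeAddress.IPv4AllocRange()
	fmt.Fprintf(fw, "#define IPV4_RANGE %#x\n", binary.LittleEndian.Uint32(ipv4Range.IP))
	fmt.Fprintf(fw, "#define IPV4_MASK %#x\n", binary.LittleEndian.Uint32(ipv4Range.Mask))

	ipv4ClusterRange := d.conf.NodeAddress.IPv4ClusterRange()
	fmt.Fprintf(fw, "#define IPV4_CLUSTER_RANGE %#x\n", binary.LittleEndian.Uint32(ipv4ClusterRange.IP))
	fmt.Fprintf(fw, "#define IPV4_CLUSTER_MASK %#x\n", binary.LittleEndian.Uint32(ipv4ClusterRange.Mask))

	if nat46Range := d.conf.NAT46Prefix; nat46Range != nil {
		fw.WriteString(common.FmtDefineAddress("NAT46_PREFIX", nat46Range.IP))
	}

	fw.WriteString(common.FmtDefineAddress("HOST_IP", hostIP))

	fmt.Fprintf(fw, "#define HOST_ID %d\n", labels.GetID(labels.ID_NAME_HOST))
	fmt.Fprintf(fw, "#define WORLD_ID %d\n", labels.GetID(labels.ID_NAME_WORLD))

	// Flush and Close results used to be discarded, so a truncated header
	// (for example on a full disk) went unnoticed. Stop here rather than
	// continue with an incomplete configuration file.
	if err := fw.Flush(); err != nil {
		f.Close()
		log.Warningf("Failed to write node configuration file: %s", err)
		return err
	}
	if err := f.Close(); err != nil {
		log.Warningf("Failed to close node configuration file: %s", err)
		return err
	}

	if d.conf.DryMode {
		return nil
	}

	// Hold the options read lock only for the duration of compileBase.
	d.conf.OptsMU.RLock()
	err = d.compileBase()
	d.conf.OptsMU.RUnlock()
	if err != nil {
		return err
	}

	d.conf.LXCMap, err = lxcmap.OpenMap(common.BPFMap)
	if err != nil {
		log.Warningf("Could not create BPF map '%s': %s", common.BPFMap, err)
		return err
	}

	if _, err := lbmap.Service6Map.OpenOrCreate(); err != nil {
		return err
	}
	if _, err := lbmap.RevNat6Map.OpenOrCreate(); err != nil {
		return err
	}
	if d.conf.IPv4Enabled {
		if _, err := lbmap.Service4Map.OpenOrCreate(); err != nil {
			return err
		}
		if _, err := lbmap.RevNat4Map.OpenOrCreate(); err != nil {
			return err
		}
	}

	// Clean all lb entries
	if !d.conf.RestoreState {
		if err := d.SVCDeleteAll(); err != nil {
			return err
		}
	}

	return nil
}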
// dumpMap prints the contents of the policy map belonging to the label given
// as the first positional argument, as a table of label, action, byte count
// and packet count.
//
// A reserved label name known to labels.GetID is translated to
// "reserved_<id>"; any other value is used verbatim as the map file name.
// With the "id" flag the first column shows numeric label IDs; without it
// each ID is resolved through client.GetLabels and its labels are listed one
// per row, falling back to the numeric ID when resolution yields nothing.
// Errors are written to stderr.
func dumpMap(ctx *cli.Context) {
	lbl := ctx.Args().First()
	printIDs := ctx.Bool("id")

	if lbl == "" {
		fmt.Fprintf(os.Stderr, "Need ID or label\n")
		return
	}
	if id := labels.GetID(lbl); id != labels.ID_UNKNOWN {
		lbl = "reserved_" + strconv.FormatUint(uint64(id), 10)
	}

	// NOTE(review): lbl comes straight from the command line and is appended
	// to the map path prefix without validation; a value containing path
	// separators or ".." would name a file outside that prefix.
	file := common.PolicyMapPath + lbl
	// NOTE(review): the descriptor returned by ObjGet is not released in this
	// function. Confirm that is acceptable for the caller.
	fd, err := bpf.ObjGet(file)
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s\n", err)
		return
	}

	m := policymap.PolicyMap{Fd: fd}
	statsMap, err := m.DumpToSlice()
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error while opening bpf Map: %s\n", err)
		return
	}

	const (
		labelsIDTitle  = "LABEL ID"
		labelsDesTitle = "LABELS (source:key[=value])"
		actionTitle    = "ACTION"
		bytesTitle     = "BYTES"
		packetsTitle   = "PACKETS"
	)

	labelsID := map[uint32]*labels.SecCtxLabel{}
	w := tabwriter.NewWriter(os.Stdout, 5, 0, 3, ' ', 0)

	// Resolve every label ID up front so lookup errors reach stderr before
	// any table output is produced. Not needed when only IDs are printed.
	if !printIDs {
		for _, stat := range statsMap {
			secCtxLbl, err := client.GetLabels(stat.ID)
			if err != nil {
				fmt.Fprintf(os.Stderr, "Was impossible to retrieve label ID %d: %s\n", stat.ID, err)
			}
			if secCtxLbl == nil {
				fmt.Fprintf(os.Stderr, "Label with ID %d was not found\n", stat.ID)
			}
			labelsID[stat.ID] = secCtxLbl
		}
	}

	// Only the first column header depends on the output mode.
	firstColTitle := labelsDesTitle
	if printIDs {
		firstColTitle = labelsIDTitle
	}
	fmt.Fprintf(w, "%s\t%s\t%s\t%s\t\n", firstColTitle, actionTitle, bytesTitle, packetsTitle)

	for _, stat := range statsMap {
		act := policy.ConsumableDecision(stat.Action)

		if printIDs {
			fmt.Fprintf(w, "%d\t%s\t%d\t%d\t\n", stat.ID, act.String(), stat.Bytes, stat.Packets)
			continue
		}

		resolved := labelsID[stat.ID]
		if resolved == nil {
			// Unresolvable ID: show the number instead of dropping the row.
			fmt.Fprintf(w, "%d\t%s\t%d\t%d\t\n", stat.ID, act.String(), stat.Bytes, stat.Packets)
			continue
		}

		// The counters go on the first label's row; the remaining labels of
		// the same entry get rows with empty counter columns.
		countersPrinted := false
		for _, l := range resolved.Labels {
			if countersPrinted {
				fmt.Fprintf(w, "%s\t\t\t\t\t\n", l)
				continue
			}
			fmt.Fprintf(w, "%s\t%s\t%d\t%d\t\n", l, act.String(), stat.Bytes, stat.Packets)
			countersPrinted = true
		}
	}
	w.Flush()

	if len(statsMap) == 0 {
		fmt.Printf("Policy stats empty. Perhaps the policy enforcement is disabled?\n")
	}
}