200 lines
4.4 KiB
Go
200 lines
4.4 KiB
Go
// Copyright 2019 the Kilo authors
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
package ipset
|
|
|
|
import (
|
|
"bytes"
|
|
"fmt"
|
|
"net"
|
|
"os/exec"
|
|
"sync"
|
|
"time"
|
|
)
|
|
|
|
// Set represents an ipset.
|
|
// Set can safely be used concurrently.
|
|
type Set struct {
|
|
errors chan error
|
|
hosts map[string]struct{}
|
|
mu sync.Mutex
|
|
name string
|
|
subscribed bool
|
|
|
|
// Make these functions fields to allow
|
|
// for testing.
|
|
add func(string) error
|
|
del func(string) error
|
|
}
|
|
|
|
func setExists(name string) (bool, error) {
|
|
cmd := exec.Command("ipset", "list", "-n")
|
|
var stderr, stdout bytes.Buffer
|
|
cmd.Stderr = &stderr
|
|
cmd.Stdout = &stdout
|
|
if err := cmd.Run(); err != nil {
|
|
return false, fmt.Errorf("failed to check for set %s: %s", name, stderr.String())
|
|
}
|
|
return bytes.Contains(stdout.Bytes(), []byte(name)), nil
|
|
}
|
|
|
|
func hostInSet(set, name string) (bool, error) {
|
|
cmd := exec.Command("ipset", "list", set)
|
|
var stderr, stdout bytes.Buffer
|
|
cmd.Stderr = &stderr
|
|
cmd.Stdout = &stdout
|
|
if err := cmd.Run(); err != nil {
|
|
return false, fmt.Errorf("failed to check for host %s: %s", name, stderr.String())
|
|
}
|
|
return bytes.Contains(stdout.Bytes(), []byte(name)), nil
|
|
}
|
|
|
|
// New generates a new ipset.
|
|
func New(name string) *Set {
|
|
return &Set{
|
|
errors: make(chan error),
|
|
hosts: make(map[string]struct{}),
|
|
name: name,
|
|
|
|
add: func(ip string) error {
|
|
ok, err := hostInSet(name, ip)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if !ok {
|
|
cmd := exec.Command("ipset", "add", name, ip)
|
|
var stderr bytes.Buffer
|
|
cmd.Stderr = &stderr
|
|
if err := cmd.Run(); err != nil {
|
|
return fmt.Errorf("failed to add host %s to set %s: %s", ip, name, stderr.String())
|
|
}
|
|
}
|
|
return nil
|
|
},
|
|
del: func(ip string) error {
|
|
ok, err := hostInSet(name, ip)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if ok {
|
|
cmd := exec.Command("ipset", "del", name, ip)
|
|
var stderr bytes.Buffer
|
|
cmd.Stderr = &stderr
|
|
if err := cmd.Run(); err != nil {
|
|
return fmt.Errorf("failed to remove host %s from set %s: %s", ip, name, stderr.String())
|
|
}
|
|
}
|
|
return nil
|
|
},
|
|
}
|
|
}
|
|
|
|
// Run watches for changes to the ipset and reconciles
|
|
// the ipset against the desired state.
|
|
func (s *Set) Run(stop <-chan struct{}) (<-chan error, error) {
|
|
s.mu.Lock()
|
|
if s.subscribed {
|
|
s.mu.Unlock()
|
|
return s.errors, nil
|
|
}
|
|
// Ensure a given instance only subscribes once.
|
|
s.subscribed = true
|
|
s.mu.Unlock()
|
|
go func() {
|
|
defer close(s.errors)
|
|
for {
|
|
select {
|
|
case <-time.After(2 * time.Second):
|
|
case <-stop:
|
|
return
|
|
}
|
|
ok, err := setExists(s.name)
|
|
if err != nil {
|
|
nonBlockingSend(s.errors, err)
|
|
}
|
|
// The set does not exist so wait and try again later.
|
|
if !ok {
|
|
continue
|
|
}
|
|
s.mu.Lock()
|
|
for h := range s.hosts {
|
|
if err := s.add(h); err != nil {
|
|
nonBlockingSend(s.errors, err)
|
|
}
|
|
}
|
|
s.mu.Unlock()
|
|
}
|
|
}()
|
|
return s.errors, nil
|
|
}
|
|
|
|
// CleanUp will clean up any hosts added to the set.
|
|
func (s *Set) CleanUp() error {
|
|
s.mu.Lock()
|
|
defer s.mu.Unlock()
|
|
for h := range s.hosts {
|
|
if err := s.del(h); err != nil {
|
|
return err
|
|
}
|
|
delete(s.hosts, h)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Set idempotently overwrites any hosts previously defined
|
|
// for the ipset with the given hosts.
|
|
func (s *Set) Set(hosts []net.IP) error {
|
|
h := make(map[string]struct{})
|
|
for _, host := range hosts {
|
|
if host == nil {
|
|
continue
|
|
}
|
|
h[host.String()] = struct{}{}
|
|
}
|
|
exists, err := setExists(s.name)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
s.mu.Lock()
|
|
defer s.mu.Unlock()
|
|
for k := range s.hosts {
|
|
if _, ok := h[k]; !ok {
|
|
if exists {
|
|
if err := s.del(k); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
delete(s.hosts, k)
|
|
}
|
|
}
|
|
for k := range h {
|
|
if _, ok := s.hosts[k]; !ok {
|
|
if exists {
|
|
if err := s.add(k); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
s.hosts[k] = struct{}{}
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func nonBlockingSend(errors chan<- error, err error) {
|
|
select {
|
|
case errors <- err:
|
|
default:
|
|
}
|
|
}
|