8cadff2b79
* CNI: bump to 1.0.1 This commit bumps the declared version of CNI in the Kilo manifests to 1.0.1. This is possible with no changes to the configuration lists because our simple configuration is not affected by any of the deprecations, and there was effectively no change between 0.4.0 and 1.0.0, other than the declaration of a stable API. Similarly, this commit also bumps the version of the CNI library and the plugins package. Bumping to CNI 1.0.0 will help ensure that Kilo stays compatible with container runtimes in the future. Signed-off-by: Lucas Servén Marín <lserven@gmail.com> * vendor: revendor Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
266 lines
8.1 KiB
Go
266 lines
8.1 KiB
Go
package netlink
|
|
|
|
import (
|
|
"github.com/vishvananda/netlink/nl"
|
|
"golang.org/x/sys/unix"
|
|
)
|
|
|
|
func selFromPolicy(sel *nl.XfrmSelector, policy *XfrmPolicy) {
|
|
sel.Family = uint16(nl.FAMILY_V4)
|
|
if policy.Dst != nil {
|
|
sel.Family = uint16(nl.GetIPFamily(policy.Dst.IP))
|
|
sel.Daddr.FromIP(policy.Dst.IP)
|
|
prefixlenD, _ := policy.Dst.Mask.Size()
|
|
sel.PrefixlenD = uint8(prefixlenD)
|
|
}
|
|
if policy.Src != nil {
|
|
sel.Saddr.FromIP(policy.Src.IP)
|
|
prefixlenS, _ := policy.Src.Mask.Size()
|
|
sel.PrefixlenS = uint8(prefixlenS)
|
|
}
|
|
sel.Proto = uint8(policy.Proto)
|
|
sel.Dport = nl.Swap16(uint16(policy.DstPort))
|
|
sel.Sport = nl.Swap16(uint16(policy.SrcPort))
|
|
if sel.Dport != 0 {
|
|
sel.DportMask = ^uint16(0)
|
|
}
|
|
if sel.Sport != 0 {
|
|
sel.SportMask = ^uint16(0)
|
|
}
|
|
sel.Ifindex = int32(policy.Ifindex)
|
|
}
|
|
|
|
// XfrmPolicyAdd will add an xfrm policy to the system.
|
|
// Equivalent to: `ip xfrm policy add $policy`
|
|
func XfrmPolicyAdd(policy *XfrmPolicy) error {
|
|
return pkgHandle.XfrmPolicyAdd(policy)
|
|
}
|
|
|
|
// XfrmPolicyAdd will add an xfrm policy to the system.
|
|
// Equivalent to: `ip xfrm policy add $policy`
|
|
func (h *Handle) XfrmPolicyAdd(policy *XfrmPolicy) error {
|
|
return h.xfrmPolicyAddOrUpdate(policy, nl.XFRM_MSG_NEWPOLICY)
|
|
}
|
|
|
|
// XfrmPolicyUpdate will update an xfrm policy to the system.
|
|
// Equivalent to: `ip xfrm policy update $policy`
|
|
func XfrmPolicyUpdate(policy *XfrmPolicy) error {
|
|
return pkgHandle.XfrmPolicyUpdate(policy)
|
|
}
|
|
|
|
// XfrmPolicyUpdate will update an xfrm policy to the system.
|
|
// Equivalent to: `ip xfrm policy update $policy`
|
|
func (h *Handle) XfrmPolicyUpdate(policy *XfrmPolicy) error {
|
|
return h.xfrmPolicyAddOrUpdate(policy, nl.XFRM_MSG_UPDPOLICY)
|
|
}
|
|
|
|
func (h *Handle) xfrmPolicyAddOrUpdate(policy *XfrmPolicy, nlProto int) error {
|
|
req := h.newNetlinkRequest(nlProto, unix.NLM_F_CREATE|unix.NLM_F_EXCL|unix.NLM_F_ACK)
|
|
|
|
msg := &nl.XfrmUserpolicyInfo{}
|
|
selFromPolicy(&msg.Sel, policy)
|
|
msg.Priority = uint32(policy.Priority)
|
|
msg.Index = uint32(policy.Index)
|
|
msg.Dir = uint8(policy.Dir)
|
|
msg.Action = uint8(policy.Action)
|
|
msg.Lft.SoftByteLimit = nl.XFRM_INF
|
|
msg.Lft.HardByteLimit = nl.XFRM_INF
|
|
msg.Lft.SoftPacketLimit = nl.XFRM_INF
|
|
msg.Lft.HardPacketLimit = nl.XFRM_INF
|
|
req.AddData(msg)
|
|
|
|
tmplData := make([]byte, nl.SizeofXfrmUserTmpl*len(policy.Tmpls))
|
|
for i, tmpl := range policy.Tmpls {
|
|
start := i * nl.SizeofXfrmUserTmpl
|
|
userTmpl := nl.DeserializeXfrmUserTmpl(tmplData[start : start+nl.SizeofXfrmUserTmpl])
|
|
userTmpl.XfrmId.Daddr.FromIP(tmpl.Dst)
|
|
userTmpl.Saddr.FromIP(tmpl.Src)
|
|
userTmpl.XfrmId.Proto = uint8(tmpl.Proto)
|
|
userTmpl.XfrmId.Spi = nl.Swap32(uint32(tmpl.Spi))
|
|
userTmpl.Mode = uint8(tmpl.Mode)
|
|
userTmpl.Reqid = uint32(tmpl.Reqid)
|
|
userTmpl.Optional = uint8(tmpl.Optional)
|
|
userTmpl.Aalgos = ^uint32(0)
|
|
userTmpl.Ealgos = ^uint32(0)
|
|
userTmpl.Calgos = ^uint32(0)
|
|
}
|
|
if len(tmplData) > 0 {
|
|
tmpls := nl.NewRtAttr(nl.XFRMA_TMPL, tmplData)
|
|
req.AddData(tmpls)
|
|
}
|
|
if policy.Mark != nil {
|
|
out := nl.NewRtAttr(nl.XFRMA_MARK, writeMark(policy.Mark))
|
|
req.AddData(out)
|
|
}
|
|
|
|
ifId := nl.NewRtAttr(nl.XFRMA_IF_ID, nl.Uint32Attr(uint32(policy.Ifid)))
|
|
req.AddData(ifId)
|
|
|
|
_, err := req.Execute(unix.NETLINK_XFRM, 0)
|
|
return err
|
|
}
|
|
|
|
// XfrmPolicyDel will delete an xfrm policy from the system. Note that
|
|
// the Tmpls are ignored when matching the policy to delete.
|
|
// Equivalent to: `ip xfrm policy del $policy`
|
|
func XfrmPolicyDel(policy *XfrmPolicy) error {
|
|
return pkgHandle.XfrmPolicyDel(policy)
|
|
}
|
|
|
|
// XfrmPolicyDel will delete an xfrm policy from the system. Note that
|
|
// the Tmpls are ignored when matching the policy to delete.
|
|
// Equivalent to: `ip xfrm policy del $policy`
|
|
func (h *Handle) XfrmPolicyDel(policy *XfrmPolicy) error {
|
|
_, err := h.xfrmPolicyGetOrDelete(policy, nl.XFRM_MSG_DELPOLICY)
|
|
return err
|
|
}
|
|
|
|
// XfrmPolicyList gets a list of xfrm policies in the system.
|
|
// Equivalent to: `ip xfrm policy show`.
|
|
// The list can be filtered by ip family.
|
|
func XfrmPolicyList(family int) ([]XfrmPolicy, error) {
|
|
return pkgHandle.XfrmPolicyList(family)
|
|
}
|
|
|
|
// XfrmPolicyList gets a list of xfrm policies in the system.
|
|
// Equivalent to: `ip xfrm policy show`.
|
|
// The list can be filtered by ip family.
|
|
func (h *Handle) XfrmPolicyList(family int) ([]XfrmPolicy, error) {
|
|
req := h.newNetlinkRequest(nl.XFRM_MSG_GETPOLICY, unix.NLM_F_DUMP)
|
|
|
|
msg := nl.NewIfInfomsg(family)
|
|
req.AddData(msg)
|
|
|
|
msgs, err := req.Execute(unix.NETLINK_XFRM, nl.XFRM_MSG_NEWPOLICY)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
var res []XfrmPolicy
|
|
for _, m := range msgs {
|
|
if policy, err := parseXfrmPolicy(m, family); err == nil {
|
|
res = append(res, *policy)
|
|
} else if err == familyError {
|
|
continue
|
|
} else {
|
|
return nil, err
|
|
}
|
|
}
|
|
return res, nil
|
|
}
|
|
|
|
// XfrmPolicyGet gets a the policy described by the index or selector, if found.
|
|
// Equivalent to: `ip xfrm policy get { SELECTOR | index INDEX } dir DIR [ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]`.
|
|
func XfrmPolicyGet(policy *XfrmPolicy) (*XfrmPolicy, error) {
|
|
return pkgHandle.XfrmPolicyGet(policy)
|
|
}
|
|
|
|
// XfrmPolicyGet gets a the policy described by the index or selector, if found.
|
|
// Equivalent to: `ip xfrm policy get { SELECTOR | index INDEX } dir DIR [ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]`.
|
|
func (h *Handle) XfrmPolicyGet(policy *XfrmPolicy) (*XfrmPolicy, error) {
|
|
return h.xfrmPolicyGetOrDelete(policy, nl.XFRM_MSG_GETPOLICY)
|
|
}
|
|
|
|
// XfrmPolicyFlush will flush the policies on the system.
|
|
// Equivalent to: `ip xfrm policy flush`
|
|
func XfrmPolicyFlush() error {
|
|
return pkgHandle.XfrmPolicyFlush()
|
|
}
|
|
|
|
// XfrmPolicyFlush will flush the policies on the system.
|
|
// Equivalent to: `ip xfrm policy flush`
|
|
func (h *Handle) XfrmPolicyFlush() error {
|
|
req := h.newNetlinkRequest(nl.XFRM_MSG_FLUSHPOLICY, unix.NLM_F_ACK)
|
|
_, err := req.Execute(unix.NETLINK_XFRM, 0)
|
|
return err
|
|
}
|
|
|
|
func (h *Handle) xfrmPolicyGetOrDelete(policy *XfrmPolicy, nlProto int) (*XfrmPolicy, error) {
|
|
req := h.newNetlinkRequest(nlProto, unix.NLM_F_ACK)
|
|
|
|
msg := &nl.XfrmUserpolicyId{}
|
|
selFromPolicy(&msg.Sel, policy)
|
|
msg.Index = uint32(policy.Index)
|
|
msg.Dir = uint8(policy.Dir)
|
|
req.AddData(msg)
|
|
|
|
if policy.Mark != nil {
|
|
out := nl.NewRtAttr(nl.XFRMA_MARK, writeMark(policy.Mark))
|
|
req.AddData(out)
|
|
}
|
|
|
|
ifId := nl.NewRtAttr(nl.XFRMA_IF_ID, nl.Uint32Attr(uint32(policy.Ifid)))
|
|
req.AddData(ifId)
|
|
|
|
resType := nl.XFRM_MSG_NEWPOLICY
|
|
if nlProto == nl.XFRM_MSG_DELPOLICY {
|
|
resType = 0
|
|
}
|
|
|
|
msgs, err := req.Execute(unix.NETLINK_XFRM, uint16(resType))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if nlProto == nl.XFRM_MSG_DELPOLICY {
|
|
return nil, err
|
|
}
|
|
|
|
return parseXfrmPolicy(msgs[0], FAMILY_ALL)
|
|
}
|
|
|
|
func parseXfrmPolicy(m []byte, family int) (*XfrmPolicy, error) {
|
|
msg := nl.DeserializeXfrmUserpolicyInfo(m)
|
|
|
|
// This is mainly for the policy dump
|
|
if family != FAMILY_ALL && family != int(msg.Sel.Family) {
|
|
return nil, familyError
|
|
}
|
|
|
|
var policy XfrmPolicy
|
|
|
|
policy.Dst = msg.Sel.Daddr.ToIPNet(msg.Sel.PrefixlenD)
|
|
policy.Src = msg.Sel.Saddr.ToIPNet(msg.Sel.PrefixlenS)
|
|
policy.Proto = Proto(msg.Sel.Proto)
|
|
policy.DstPort = int(nl.Swap16(msg.Sel.Dport))
|
|
policy.SrcPort = int(nl.Swap16(msg.Sel.Sport))
|
|
policy.Ifindex = int(msg.Sel.Ifindex)
|
|
policy.Priority = int(msg.Priority)
|
|
policy.Index = int(msg.Index)
|
|
policy.Dir = Dir(msg.Dir)
|
|
policy.Action = PolicyAction(msg.Action)
|
|
|
|
attrs, err := nl.ParseRouteAttr(m[msg.Len():])
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, attr := range attrs {
|
|
switch attr.Attr.Type {
|
|
case nl.XFRMA_TMPL:
|
|
max := len(attr.Value)
|
|
for i := 0; i < max; i += nl.SizeofXfrmUserTmpl {
|
|
var resTmpl XfrmPolicyTmpl
|
|
tmpl := nl.DeserializeXfrmUserTmpl(attr.Value[i : i+nl.SizeofXfrmUserTmpl])
|
|
resTmpl.Dst = tmpl.XfrmId.Daddr.ToIP()
|
|
resTmpl.Src = tmpl.Saddr.ToIP()
|
|
resTmpl.Proto = Proto(tmpl.XfrmId.Proto)
|
|
resTmpl.Mode = Mode(tmpl.Mode)
|
|
resTmpl.Spi = int(nl.Swap32(tmpl.XfrmId.Spi))
|
|
resTmpl.Reqid = int(tmpl.Reqid)
|
|
resTmpl.Optional = int(tmpl.Optional)
|
|
policy.Tmpls = append(policy.Tmpls, resTmpl)
|
|
}
|
|
case nl.XFRMA_MARK:
|
|
mark := nl.DeserializeXfrmMark(attr.Value[:])
|
|
policy.Mark = new(XfrmMark)
|
|
policy.Mark.Value = mark.Value
|
|
policy.Mark.Mask = mark.Mask
|
|
case nl.XFRMA_IF_ID:
|
|
policy.Ifid = int(native.Uint32(attr.Value))
|
|
}
|
|
}
|
|
|
|
return &policy, nil
|
|
}
|