loxilb-io#864 Initail support for lb source ranges

api/restapi/handler/firewall.go

@@ -35,7 +35,7 @@ func ConfigPostFW(params operations.PostConfigFirewallParams) middleware.Respond
 	Rules.DstPortMax = uint16(params.Attr.RuleArguments.MaxDestinationPort)
 	Rules.DstPortMin = uint16(params.Attr.RuleArguments.MinDestinationPort)
 	Rules.InPort = params.Attr.RuleArguments.PortName
-	Rules.Pref = uint16(params.Attr.RuleArguments.Preference)
+	Rules.Pref = uint32(params.Attr.RuleArguments.Preference)
 	Rules.Proto = uint8(params.Attr.RuleArguments.Protocol)
 	Rules.SrcIP = params.Attr.RuleArguments.SourceIP
 	Rules.SrcPortMax = uint16(params.Attr.RuleArguments.MaxSourcePort)
@@ -102,7 +102,7 @@ func ConfigDeleteFW(params operations.DeleteConfigFirewallParams) middleware.Res
 		Rules.InPort = *params.PortName
 	}
 	if params.Preference != nil {
-		Rules.Pref = uint16(*params.Preference)
+		Rules.Pref = uint32(*params.Preference)
 	}
 	if params.Protocol != nil {
 		Rules.Proto = uint8(*params.Protocol)
@@ -175,7 +175,6 @@ func ConfigGetFW(params operations.GetConfigFirewallAllParams) middleware.Respon
 		tmpOpts.ToIP = FW.Opts.ToIP
 		tmpOpts.ToPort = int64(FW.Opts.ToPort)
 		tmpOpts.Counter = FW.Opts.Counter
-
 		tmpResult.RuleArguments = &tmpRule
 		tmpResult.Opts = &tmpOpts
 

api/restapi/handler/loadbalancer.go

@@ -93,7 +93,7 @@ func ConfigDeleteLoadbalancer(params operations.DeleteConfigLoadbalancerHosturlH
 		lbServ.HostUrl = params.Hosturl
 	}
 	if params.Block != nil {
-		lbServ.BlockNum = uint16(*params.Block)
+		lbServ.BlockNum = uint32(*params.Block)
 	}
 	if params.Bgp != nil {
 		lbServ.Bgp = *params.Bgp
@@ -119,7 +119,7 @@ func ConfigDeleteLoadbalancerWithoutPath(params operations.DeleteConfigLoadbalan
 	lbServ.Proto = params.Proto
 	lbServ.HostUrl = ""
 	if params.Block != nil {
-		lbServ.BlockNum = uint16(*params.Block)
+		lbServ.BlockNum = uint32(*params.Block)
 	}
 	if params.Bgp != nil {
 		lbServ.Bgp = *params.Bgp
@@ -155,7 +155,7 @@ func ConfigGetLoadbalancer(params operations.GetConfigLoadbalancerAllParams) mid
 		tmpSvc.Bgp = lb.Serv.Bgp
 		tmpSvc.Port = int64(lb.Serv.ServPort)
 		tmpSvc.Protocol = lb.Serv.Proto
-		tmpSvc.Block = uint16(lb.Serv.BlockNum)
+		tmpSvc.Block = uint32(lb.Serv.BlockNum)
 		tmpSvc.Sel = int64(lb.Serv.Sel)
 		tmpSvc.Mode = int32(lb.Serv.Mode)
 		tmpSvc.Security = int32(lb.Serv.Security)

api/swagger.yml

@@ -3011,7 +3011,7 @@ definitions:
             description: value for Security mode (0-Plain, 1-HTTPs)
           block:
             type: integer
-            format: uint16
+            format: uint32
             description: block-number if any of this LB entry
           inactiveTimeOut:
             type: integer

common/common.go

@@ -431,7 +431,7 @@ type FwRuleArg struct {
 	// InPort - the incoming port
 	InPort string `json:"portName"`
 	// Pref - User preference for ordering
-	Pref uint16 `json:"preference"`
+	Pref uint32 `json:"preference"`
 }
 
 // FwRuleMod - Info related to a firewall entry
@@ -544,7 +544,7 @@ type LbServiceArg struct {
 	// Proto - the service protocol of the load-balancer rule
 	Proto string `json:"protocol"`
 	// BlockNum - An arbitrary block num to further segregate a service
-	BlockNum uint16 `json:"block"`
+	BlockNum uint32 `json:"block"`
 	// Sel - one of LbSelRr,LbSelHash, or LbSelHash
 	Sel EpSelect `json:"sel"`
 	// Bgp - export this rule with goBGP
@@ -604,6 +604,12 @@ type LbSecIPArg struct {
 	SecIP string `json:"secondaryIP"`
 }
 
+// LbAllowedSrcIPArg - Allowed Src IPs
+type LbAllowedSrcIPArg struct {
+	// Prefix - Allowed Prefix
+	Prefix string `json:"prefix"`
+}
+
 // LbRuleMod - Info related to a load-balancer entry
 type LbRuleMod struct {
 	// Serv - service argument of type LbServiceArg

pkg/loxinet/apiclient.go

@@ -332,7 +332,7 @@ func (na *NetAPIStruct) NetLbRuleAdd(lm *cmn.LbRuleMod) (int, error) {
 	mh.mtx.Lock()
 	defer mh.mtx.Unlock()
 	var ips []string
-	ret, err := mh.zr.Rules.AddLbRule(lm.Serv, lm.SecIPs[:], lm.Eps[:])
+	ret, err := mh.zr.Rules.AddLbRule(lm.Serv, lm.SecIPs[:], nil, lm.Eps[:])
 	if err == nil && lm.Serv.Bgp {
 		if mh.bgp != nil {
 			ips = append(ips, lm.Serv.ServIP)

pkg/loxinet/dpbroker.go

@@ -293,9 +293,10 @@ type LBDpWorkQ struct {
 	ZoneNum   int
 	ServiceIP net.IP
 	L4Port    uint16
-	BlockNum  uint16
+	BlockNum  uint32
 	DsrMode   bool
 	CsumDis   bool
+	SrcCheck  bool
 	SecMode   SecT
 	HostURL   string
 	Proto     uint8
@@ -333,7 +334,7 @@ type DpCtInfo struct {
 	ServiceIP  net.IP `json:"serviceip"`
 	ServProto  string `json:"servproto"`
 	L4ServPort uint16 `json:"l4servproto"`
-	BlockNum   uint16 `json:"blocknum"`
+	BlockNum   uint32 `json:"blocknum"`
 	RuleID     uint32 `json:"ruleid"`
 }
 

pkg/loxinet/dpebpf_linux.go

@@ -952,10 +952,10 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 
 	key := new(natKey)
 
-	key.mark = C.ushort(w.BlockNum)
+	key.mark = C.uint(w.BlockNum)
 
 	if w.NatType == DpSnat {
-		key.mark |= 0x1000
+		key.mark |= SrcChkFwMark
 	} else {
 		key.daddr = [4]C.uint{0, 0, 0, 0}
 		if tk.IsNetIPv4(w.ServiceIP.String()) {
@@ -965,9 +965,9 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 			convNetIP2DPv6Addr(unsafe.Pointer(&key.daddr[0]), w.ServiceIP)
 			key.v6 = 1
 		}
-		key.mark = C.ushort(w.BlockNum)
+		key.mark = C.uint(w.BlockNum)
 		key.dport = C.ushort(tk.Htons(w.L4Port))
-		key.l4proto = C.uchar(w.Proto)
+		key.l4proto = C.ushort(w.Proto)
 		key.zone = C.ushort(w.ZoneNum)
 	}
 
@@ -1020,6 +1020,9 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 	if w.DsrMode {
 		dat.ca.oaux = 1
 	}
+	if w.SrcCheck {
+		dat.chksrc = 1
+	}
 
 	nxfa := (*nxfrmAct)(unsafe.Pointer(&dat.nxfrms[0]))
 
@@ -1053,7 +1056,7 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 		nxfa.inactive = 1
 	}
 
-	dat.nxfrm = C.ushort(len(w.endPoints))
+	dat.nxfrm = C.uchar(len(w.endPoints))
 	if w.CsumDis {
 		dat.cdis = 1
 	} else {

pkg/loxinet/loxinettest.go

@@ -289,7 +289,7 @@ func TestLoxinet(t *testing.T) {
 			Weight: 2,
 		},
 	}
-	_, err = mh.zr.Rules.AddLbRule(lbServ, nil, lbEps[:])
+	_, err = mh.zr.Rules.AddLbRule(lbServ, nil, nil, lbEps[:])
 	if err != nil {
 		t.Errorf("failed to add nat lb rule for 10.10.10.1\n")
 	}