loxilb-io#864 Initial support for lb source ranges

TrekkieCoder · Nov 19, 2024 · d0cea4d · d0cea4d
1 parent 81c0084
commit d0cea4d
Show file tree

Hide file tree

Showing 11 changed files with 160 additions and 14 deletions.
diff --git a/api/models/loadbalance_entry.go b/api/models/loadbalance_entry.go
diff --git a/api/restapi/embedded_spec.go b/api/restapi/embedded_spec.go
diff --git a/api/restapi/handler/cluster.go b/api/restapi/handler/cluster.go
@@ -28,7 +28,7 @@ import (
 func ConfigGetCIState(params operations.GetConfigCistateAllParams) middleware.Responder {
 	var result []*models.CIStatusGetEntry
 	result = make([]*models.CIStatusGetEntry, 0)
-	tk.LogIt(tk.LogDebug, "api: Status %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+	tk.LogIt(tk.LogTrace, "api: Status %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
 	hasMod, err := ApiHooks.NetCIStateGet()
 	if err != nil {
 		tk.LogIt(tk.LogDebug, "api: Error occur : %v\n", err)

diff --git a/api/restapi/handler/loadbalancer.go b/api/restapi/handler/loadbalancer.go
@@ -58,6 +58,12 @@ func ConfigPostLoadbalancer(params operations.PostConfigLoadbalancerParams) midd
 		}
 	}
 
+	for _, data := range params.Attr.AllowedSources {
+		lbRules.SrcIPs = append(lbRules.SrcIPs, cmn.LbAllowedSrcIPArg{
+			Prefix: data.Prefix,
+		})
+	}
+
 	for _, data := range params.Attr.Endpoints {
 		lbRules.Eps = append(lbRules.Eps, cmn.LbEndPointArg{
 			EpIP:   data.EndpointIP,
@@ -176,6 +182,12 @@ func ConfigGetLoadbalancer(params operations.GetConfigLoadbalancerAllParams) mid
 			tmpLB.SecondaryIPs = append(tmpLB.SecondaryIPs, tmpSIP)
 		}
 
+		for _, src := range lb.SrcIPs {
+			tmpSIP := new(models.LoadbalanceEntryAllowedSourcesItems0)
+			tmpSIP.Prefix = src.Prefix
+			tmpLB.AllowedSources = append(tmpLB.AllowedSources, tmpSIP)
+		}
+
 		// Endpoints match
 		for _, ep := range lb.Eps {
 			tmpEp := new(models.LoadbalanceEntryEndpointsItems0)

diff --git a/api/restapi/handler/prometheus.go b/api/restapi/handler/prometheus.go
@@ -29,7 +29,7 @@ import (
 )
 
 func ConfigGetPrometheusCounter(params operations.GetMetricsParams) middleware.Responder {
-	tk.LogIt(tk.LogDebug, "api: Prometheus %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+	tk.LogIt(tk.LogTrace, "api: Prometheus %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
 	if !options.Opts.Prometheus {
 		return operations.NewGetMetricsOK().WithPayload("Prometheus option is disabled.")
 	}
@@ -39,7 +39,7 @@ func ConfigGetPrometheusCounter(params operations.GetMetricsParams) middleware.R
 }
 
 func ConfigGetPrometheusOption(params operations.GetConfigMetricsParams) middleware.Responder {
-	tk.LogIt(tk.LogDebug, "[API] Prometheus %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+	tk.LogIt(tk.LogTrace, "[API] Prometheus %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
 	return operations.NewGetConfigMetricsOK().WithPayload(&models.MetricsConfig{Prometheus: &options.Opts.Prometheus})
 }
 
@@ -54,7 +54,7 @@ func ConfigPostPrometheus(params operations.PostConfigMetricsParams) middleware.
 }
 
 func ConfigDeletePrometheus(params operations.DeleteConfigMetricsParams) middleware.Responder {
-	tk.LogIt(tk.LogDebug, "[API] Prometheus %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
+	tk.LogIt(tk.LogTrace, "[API] Prometheus %s API called. url : %s\n", params.HTTPRequest.Method, params.HTTPRequest.URL)
 	err := prometheus.Off()
 	if err != nil {
 		tk.LogIt(tk.LogDebug, "[API] Error occur : %v\n", err)

diff --git a/api/swagger.yml b/api/swagger.yml
@@ -3068,6 +3068,15 @@ definitions:
             secondaryIP:
               type: string
               description: IP address for secondary access
+
+      allowedSources:
+        type: array
+        description: values of allowed source IP
+        items:
+          properties:
+            prefix:
+              type: string
+              description: IP address for allowed source access
 
   RouteEntry:
     type: object

diff --git a/common/common.go b/common/common.go
@@ -616,6 +616,8 @@ type LbRuleMod struct {
 	Serv LbServiceArg `json:"serviceArguments"`
 	// SecIPs - Secondary IPs for SCTP multi-homed service
 	SecIPs []LbSecIPArg `json:"secondaryIPs"`
+	// SrcIPs - Allowed Source IPs
+	SrcIPs []LbAllowedSrcIPArg `json:"allowedSources"`
 	// Eps - slice containing LbEndPointArg
 	Eps []LbEndPointArg `json:"endpoints"`
 }

diff --git a/loxilb-ebpf b/loxilb-ebpf
diff --git a/pkg/loxinet/apiclient.go b/pkg/loxinet/apiclient.go
@@ -18,7 +18,6 @@ package loxinet
 
 import (
 	"errors"
-
 	cmn "github.com/loxilb-io/loxilb/common"
 	tk "github.com/loxilb-io/loxilib"
 )
@@ -332,7 +331,7 @@ func (na *NetAPIStruct) NetLbRuleAdd(lm *cmn.LbRuleMod) (int, error) {
 	mh.mtx.Lock()
 	defer mh.mtx.Unlock()
 	var ips []string
-	ret, err := mh.zr.Rules.AddLbRule(lm.Serv, lm.SecIPs[:], nil, lm.Eps[:])
+	ret, err := mh.zr.Rules.AddLbRule(lm.Serv, lm.SecIPs[:], lm.SrcIPs[:], lm.Eps[:])
 	if err == nil && lm.Serv.Bgp {
 		if mh.bgp != nil {
 			ips = append(ips, lm.Serv.ServIP)

diff --git a/pkg/loxinet/dpebpf_linux.go b/pkg/loxinet/dpebpf_linux.go
@@ -955,7 +955,7 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 	key.mark = C.uint(w.BlockNum)
 
 	if w.NatType == DpSnat {
-		key.mark |= SrcChkFwMark
+		key.mark |= SnatFwMark
 	} else {
 		key.daddr = [4]C.uint{0, 0, 0, 0}
 		if tk.IsNetIPv4(w.ServiceIP.String()) {
@@ -969,6 +969,7 @@ func DpLBRuleMod(w *LBDpWorkQ) int {
 		key.dport = C.ushort(tk.Htons(w.L4Port))
 		key.l4proto = C.ushort(w.Proto)
 		key.zone = C.ushort(w.ZoneNum)
+
 	}
 
 	dat := new(proxyActs)
@@ -1823,10 +1824,11 @@ func (e *DpEbpfH) DpFwRuleMod(w *FwDpWorkQ) int {
 		} else if w.FwType == DpFwTrap {
 			fwe.fwa.ca.act_type = C.DP_SET_TOCP
 		}
-		fwe.fwa.ca.mark = C.ushort(w.FwVal2)
+		fwe.fwa.ca.mark = C.uint(w.FwVal2)
 		if w.FwRecord {
 			fwe.fwa.ca.record = C.ushort(1)
 		}
+
 		ret := C.llb_add_map_elem(C.LL_DP_FW4_MAP, unsafe.Pointer(fwe), unsafe.Pointer(nil))
 		if ret != 0 {
 			tk.LogIt(tk.LogError, "ebpf fw error\n")
@@ -1986,7 +1988,7 @@ func dpCTMapNotifierWorker(cti *DpCtInfo) {
 	mh.dpEbpf.mtx.Lock()
 	defer mh.dpEbpf.mtx.Unlock()
 
-	if addOp == false {
+	if !addOp {
 		cti = mh.dpEbpf.ctMap[cti.Key()]
 		if cti == nil || cti.Deleted > 0 {
 			return

diff --git a/pkg/loxinet/rules.go b/pkg/loxinet/rules.go
@@ -827,6 +827,10 @@ func (R *RuleH) GetLBRule() ([]cmn.LbRuleMod, error) {
 			ret.SecIPs = append(ret.SecIPs, cmn.LbSecIPArg{SecIP: sip.sIP.String()})
 		}
 
+		for _, src := range data.srcList {
+			ret.SrcIPs = append(ret.SrcIPs, cmn.LbAllowedSrcIPArg{Prefix: src.srcPref.String()})
+		}
+
 		data.DP(DpStatsGetImm)
 
 		// Make Endpoints
@@ -1495,8 +1499,6 @@ func (R *RuleH) AddLbRule(serv cmn.LbServiceArg, servSecIPs []cmn.LbSecIPArg, al
 		return RuleUnknownServiceErr, errors.New("malformed-service error")
 	}
 
-	allowedSources = append(allowedSources, cmn.LbAllowedSrcIPArg{Prefix: "10.10.10.1/32"})
-
 	privIP = nil
 	if serv.PrivateIP != "" {
 		privIP = net.ParseIP(serv.PrivateIP)
@@ -2076,8 +2078,7 @@ func (R *RuleH) AddFwRule(fwRule cmn.FwRuleArg, fwOptArgs cmn.FwOptArg) (int, er
 			return RuleArgsErr, errors.New("rule-snat error")
 		}
 
-		fwOpts.opt.fwMark = uint32(uint16((r.ruleNum) | SnatFwMark))
-
+		fwOpts.opt.fwMark = uint32(r.ruleNum) | SnatFwMark
 	}
 
 	tk.LogIt(tk.LogDebug, "fw-rule added - %d:%s-%s\n", r.ruleNum, r.tuples.String(), r.act.String())
+1 −1		common/common_pdi.c
+3 −3		common/llb_dp_mdi.h
+7 −6		common/llb_dpapi.h
+3 −3		common/pdi.h
+12 −2		kernel/llb_kern_natlbfwd.c