Merge pull request #31 from loxilb-io/src-chk

loxilb-io/loxilb#864 Initail support for lb source ranges
loxilb-io · Nov 19, 2024 · bd546dc · bd546dc
2 parents ea95f28 + ca8d63c
commit bd546dc
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 39 deletions.
diff --git a/cmd/create/create_firewall.go b/cmd/create/create_firewall.go
@@ -37,7 +37,7 @@ type CreateFirewallOptions struct {
 	Drop         bool
 	Trap         bool
 	Record       bool
-	Mark         int
+	Mark         uint32
 }
 
 func NewCreateFirewallCmd(restOptions *api.RESTOptions) *cobra.Command {
@@ -110,7 +110,7 @@ ex) loxicmd create firewall --firewallRule="sourceIP:1.2.3.2/32,destinationIP:2.
 	createFirewallCmd.Flags().BoolVarP(&o.Drop, "drop", "", false, "Drop any matching rule")
 	createFirewallCmd.Flags().BoolVarP(&o.Record, "record", "", false, "Record/Dump any matching rule")
 	createFirewallCmd.Flags().BoolVarP(&o.Trap, "trap", "", false, " Trap anything matching rule")
-	createFirewallCmd.Flags().IntVarP(&o.Mark, "setmark", "", 0, " Add a fw mark")
+	createFirewallCmd.Flags().Uint32VarP(&o.Mark, "setmark", "", 0, " Add a fw mark")
 	createFirewallCmd.Flags().StringSliceVar(&o.SnatArgs, "snat", o.SnatArgs, "SNAT any matching rule")
 	createFirewallCmd.MarkFlagRequired("firewallRule")
 	return createFirewallCmd
@@ -197,7 +197,7 @@ func GetFWOptionPairList(FirewallMods *api.FwRuleMod, o CreateFirewallOptions) e
 		}
 	}
 	FirewallMods.Opts.Record = o.Record
-	FirewallMods.Opts.Mark = o.Mark
+	FirewallMods.Opts.Mark = uint32(o.Mark)
 
 	return nil
 }

diff --git a/cmd/create/create_loadbalancer.go b/cmd/create/create_loadbalancer.go
@@ -33,24 +33,25 @@ import (
 )
 
 type CreateLoadBalancerOptions struct {
-	ExternalIP string
-	TCP        []string
-	UDP        []string
-	ICMP       bool
-	Mode       string
-	BGP        bool
-	Security   string
-	Monitor    bool
-	Attach     bool
-	Detach     bool
-	Timeout    uint32
-	Mark       uint16
-	SCTP       []string
-	Endpoints  []string
-	SecIPs     []string
-	Select     string
-	Name       string
-	Host       string
+	ExternalIP     string
+	TCP            []string
+	UDP            []string
+	ICMP           bool
+	Mode           string
+	BGP            bool
+	Security       string
+	Monitor        bool
+	Attach         bool
+	Detach         bool
+	Timeout        uint32
+	Mark           uint32
+	SCTP           []string
+	Endpoints      []string
+	SecIPs         []string
+	Select         string
+	Name           string
+	Host           string
+	AllowedSources []string
 }
 
 type CreateLoadBalancerResult struct {
@@ -138,7 +139,7 @@ func NewCreateLoadBalancerCmd(restOptions *api.RESTOptions) *cobra.Command {
 	o := CreateLoadBalancerOptions{}
 
 	var createLbCmd = &cobra.Command{
-		Use:   "lb IP [--select=<rr|hash|priority|persist>] [--tcp=<port>:<targetPort>] [--udp=<port>:<targetPort>] [--sctp=<port>:<targetPort>] [--icmp] [--mark=<val>] [--secips=<ip>,][--endpoints=<ip>:<weight>,] [--mode=<onearm|fullnat>] [--bgp] [--monitor] [--inatimeout=<to>] [--name=<service-name>] [--attachEP] [--detachEP] [--security=<https|e2ehttps|none>] [--host=<url>]",
+		Use:   "lb IP [--select=<rr|hash|priority|persist>] [--tcp=<port>:<targetPort>] [--udp=<port>:<targetPort>] [--sctp=<port>:<targetPort>] [--icmp] [--mark=<val>] [--secips=<ip>,] [--sources=<ip>,] [--endpoints=<ip>:<weight>,] [--mode=<onearm|fullnat>] [--bgp] [--monitor] [--inatimeout=<to>] [--name=<service-name>] [--attachEP] [--detachEP] [--security=<https|e2ehttps|none>] [--host=<url>]",
 		Short: "Create a LoadBalancer",
 		Long: `Create a LoadBalancer
 
@@ -164,6 +165,7 @@ ex) loxicmd create lb 192.168.0.200 --tcp=80:32015 --endpoints=10.212.0.1:1,10.2
 	loxicmd create lb 192.168.0.200 --select=hash --tcp=80:32015 --endpoints=10.212.0.1:1,10.212.0.2:1,10.212.0.3:1
 	loxicmd create lb 192.168.0.200 --tcp=80:32015 --endpoints=10.212.0.1:1,10.212.0.2:1,10.212.0.3:1 --mode=dsr
 	loxicmd create lb 192.168.0.200 --sctp=37412:38412 --secips=192.168.0.201,192.168.0.202 --endpoints=10.212.0.1:1,10.212.0.2:1,10.212.0.3:1
+	loxicmd create lb 192.168.0.200 --tcp=80:32015 --endpoints=10.212.0.1:1,10.212.0.2:1,10.212.0.3:1 --sources=10.10.10.1/32
 
 	loxicmd create lb  2001::1 --tcp=2020:8080 --endpoints=4ffe::1:1,5ffe::1:1,6ffe::1:1
 	loxicmd create lb  2001::1 --tcp=2020:8080 --endpoints=31.31.31.1:1,32.32.32.1:1,33.33.33.1:1
@@ -262,6 +264,13 @@ ex) loxicmd create lb 192.168.0.200 --tcp=80:32015 --endpoints=10.212.0.1:1,10.2
 						lbModel.SecondaryIPs = append(lbModel.SecondaryIPs, sp)
 					}
 
+					for _, sip := range o.AllowedSources {
+						sp := api.LbAllowedSrcIPArg{
+							Prefix: sip,
+						}
+						lbModel.SrcIPs = append(lbModel.SrcIPs, sp)
+					}
+
 					resp, err := LoadbalancerAPICall(restOptions, lbModel)
 					if err != nil {
 						fmt.Printf("Error: %s\n", err.Error())
@@ -291,13 +300,14 @@ ex) loxicmd create lb 192.168.0.200 --tcp=80:32015 --endpoints=10.212.0.1:1,10.2
 	createLbCmd.Flags().StringSliceVar(&o.SecIPs, "secips", o.SecIPs, "Secondary IPs for SCTP multihoming rule specified as '<secondaryIP>'")
 	createLbCmd.Flags().StringVarP(&o.Select, "select", "", "rr", "Select the hash algorithm for the load balance.(ex) rr, hash, priority, persist, lc")
 	createLbCmd.Flags().Uint32VarP(&o.Timeout, "inatimeout", "", 0, "Specify the timeout (in seconds) after which a LB session will be reset for inactivity")
-	createLbCmd.Flags().Uint16VarP(&o.Mark, "mark", "", 0, "Specify the mark num to segregate a load-balancer VIP service")
+	createLbCmd.Flags().Uint32VarP(&o.Mark, "mark", "", 0, "Specify the mark num to segregate a load-balancer VIP service")
 	createLbCmd.Flags().StringSliceVar(&o.Endpoints, "endpoints", o.Endpoints, "Endpoints is pairs that can be specified as '<endpointIP>:<Weight>'")
 	createLbCmd.Flags().StringVarP(&o.Name, "name", "", o.Name, "Name for load balancer rule")
 	createLbCmd.Flags().BoolVarP(&o.Attach, "attachEP", "", false, "Attach endpoints to the load balancer rule")
 	createLbCmd.Flags().BoolVarP(&o.Detach, "detachEP", "", false, "Detach endpoints from the load balancer rule")
 	createLbCmd.Flags().StringVarP(&o.Security, "security", "", o.Security, "Security mode for load balancer rule")
 	createLbCmd.Flags().StringVarP(&o.Host, "host", "", o.Host, "Ingress Host URL Path")
+	createLbCmd.Flags().StringSliceVar(&o.AllowedSources, "sources", o.AllowedSources, "Allowed sources for this rule as '<allowedSources>'")
 
 	return createLbCmd
 }

diff --git a/cmd/get/get_firewall.go b/cmd/get/get_firewall.go
@@ -118,7 +118,7 @@ func MakeFirewallOptionToString(t api.FwOptArg) (ret string) {
 		ret += fmt.Sprintf(",Record")
 	}
 	if t.Mark != 0 {
-		ret += fmt.Sprintf(",FwMark(%d)", t.Mark)
+		ret += fmt.Sprintf(",FwMark(%v)", t.Mark)
 	}
 	return ret
 }

diff --git a/cmd/get/type.go b/cmd/get/type.go
@@ -18,7 +18,7 @@ package get
 var (
 	CONNTRACK_TITLE         = []string{"destIP", "srcIP", "dPort", "sPort", "proto", "state", "act", "packets", "bytes"}
 	LOADBALANCER_TITLE      = []string{"Ext IP", "Port", "Proto", "Name", "Mark", "Sel", "Mode", "# of Endpoints", "Monitor"}
-	LOADBALANCER_WIDE_TITLE = []string{"Ext IP", "Sec IPs", "Host", "Port", "Proto", "Name", "Mark", "Sel", "Mode", "Endpoint", "EPort", "Weight", "State", "Counters"}
+	LOADBALANCER_WIDE_TITLE = []string{"Ext IP", "Sec IPs", "Sources", "Host", "Port", "Proto", "Name", "Mark", "Sel", "Mode", "Endpoint", "EPort", "Weight", "State", "Counters"}
 	SESSION_TITLE           = []string{"ident", "session IP"}
 	SESSION_WIDE_TITLE      = []string{"ident", "session IP", "access Network Tunnel", "core Network Tunnel"}
 	PORT_WIDE_TITLE         = []string{"index", "portname", "MAC", "link/state", "mtu", "isActive/bpf\nPort type", "Statistics", "L3Info", "L2Info", "Sync"}

diff --git a/pkg/api/firewall.go b/pkg/api/firewall.go
@@ -38,8 +38,8 @@ type FwOptArg struct {
 	Rdr     bool   `json:"redirect" yaml:"redirect"`
 	RdrPort string `json:"redirectPortName" yaml:"redirectPortName"`
 	// Allow - Allow any matching rule
-	Allow bool `json:"allow" yaml:"allow"`
-	Mark  int  `json:"fwMark" yaml:"fwMark"`
+	Allow bool   `json:"allow" yaml:"allow"`
+	Mark  uint32 `json:"fwMark" yaml:"fwMark"`
 	// Record - Record packets matching rule
 	Record bool `json:"record" yaml:"record"`
 	// DoSNAT - Do snat on matching rule

diff --git a/pkg/api/loadBalancer.go b/pkg/api/loadBalancer.go
@@ -36,25 +36,26 @@ type LbRuleModGet struct {
 type LoadBalancerModel struct {
 	Service      LoadBalancerService    `json:"serviceArguments" yaml:"serviceArguments"`
 	SecondaryIPs []LoadBalancerSecIp    `json:"secondaryIPs" yaml:"secondaryIPs"`
+	SrcIPs       []LbAllowedSrcIPArg    `json:"allowedSources" yaml:"allowedSources"`
 	Endpoints    []LoadBalancerEndpoint `json:"endpoints" yaml:"endpoints"`
 }
 
 type LoadBalancerService struct {
-	ExternalIP string   `json:"externalIP" yaml:"externalIP"`
-	Port       uint16   `json:"port"           yaml:"port" `
-	Protocol   string   `json:"protocol"       yaml:"protocol"`
-	Sel        EpSelect `json:"sel"            yaml:"sel"`
-	Mode       LbMode   `json:"mode"           yaml:"mode"`
-	BGP        bool     `json:"BGP"            yaml:"BGP"`
-	Monitor    bool     `json:"Monitor"        yaml:"Monitor"`
-	Timeout    uint32   `json:"inactiveTimeOut" yaml:"inactiveTimeOut"`
-	Block      uint16   `json:"block"          yaml:"block"`
-	Managed    bool     `json:"managed,omitempty" yaml:"managed"`
-	Name       string   `json:"name,omitempty" yaml:"name"`
+	ExternalIP string   `json:"externalIP"         yaml:"externalIP"`
+	Port       uint16   `json:"port"               yaml:"port" `
+	Protocol   string   `json:"protocol"           yaml:"protocol"`
+	Sel        EpSelect `json:"sel"                yaml:"sel"`
+	Mode       LbMode   `json:"mode"               yaml:"mode"`
+	BGP        bool     `json:"BGP"                yaml:"BGP"`
+	Monitor    bool     `json:"Monitor"            yaml:"Monitor"`
+	Timeout    uint32   `json:"inactiveTimeOut"    yaml:"inactiveTimeOut"`
+	Block      uint32   `json:"block"              yaml:"block"`
+	Managed    bool     `json:"managed,omitempty"  yaml:"managed"`
+	Name       string   `json:"name,omitempty"     yaml:"name"`
 	Snat       bool     `json:"snat,omitempty"`
 	Oper       LbOP     `json:"oper,omitempty"`
 	Security   LbSec    `json:"security,omitempty" yaml:"security"`
-	Host       string   `json:"host,omitempty" yaml:"path"`
+	Host       string   `json:"host,omitempty"     yaml:"path"`
 }
 
 type LoadBalancerEndpoint struct {
@@ -69,6 +70,11 @@ type LoadBalancerSecIp struct {
 	SecondaryIP string `json:"secondaryIP" yaml:"secondaryIP"`
 }
 
+type LbAllowedSrcIPArg struct {
+	// Prefix - Allowed Prefix
+	Prefix string `json:"prefix" yaml:"prefix"`
+}
+
 type ConfigurationLBFile struct {
 	TypeMeta   `yaml:",inline"`
 	ObjectMeta `yaml:"metadata,omitempty"`