Merge pull request #247 from Nordix/flow-match

Add Byte Matches support in Flows

Author: LionelJouin

api/nsp/v1/model.pb.go

@@ -60,6 +60,8 @@ message Flow {
     repeated Vip vips = 8;
     // The port that the application listens on, or 0 if not used
     uint32 localPort = 9;
+    // Bytes in L4 header
+    repeated string byteMatches = 10;
 }
 
 message Vip {

api/nsp/v1/model.proto

@@ -134,7 +134,8 @@ func (f *Flow) DeepEquals(f2 *Flow) bool {
 		compareSlice(f.GetProtocols(), f2.GetProtocols()) &&
 		compareSlice(f.GetSourcePortRanges(), f2.GetSourcePortRanges()) &&
 		compareSlice(f.GetSourceSubnets(), f2.GetSourceSubnets()) &&
-		compareSlice(vipsToSlice(f.GetVips()), vipsToSlice(f2.GetVips()))
+		compareSlice(vipsToSlice(f.GetVips()), vipsToSlice(f2.GetVips())) &&
+		compareSlice(f.GetByteMatches(), f2.GetByteMatches())
 }
 
 // compareSlice -

api/nsp/v1/utils.go

@@ -110,6 +110,7 @@ func ConvertFlows(flows []*Flow, streams []*nspAPI.Stream, vips []*nspAPI.Vip) [
 			Stream:                s,
 			Vips:                  getVips(flow.Vips, vips),
 			LocalPort:             uint32(flow.LocalPort),
+			ByteMatches:           flow.ByteMatches,
 		})
 	}
 	return resFlows

pkg/configuration/reader/converter.go

@@ -1,5 +1,5 @@
 /*
-Copyright (c) 2021 Nordix Foundation
+Copyright (c) 2021-2022 Nordix Foundation
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -52,6 +52,7 @@ type Flow struct {
 	Priority              int32    `yaml:"priority"`
 	Stream                string   `yaml:"stream"`
 	LocalPort             uint16   `yaml:"local-port,omitempty"`
+	ByteMatches           []string `yaml:"byte-matches,omitempty"`
 }
 
 type VipList struct {

pkg/configuration/reader/model.go

@@ -0,0 +1,30 @@
+/*
+Copyright (c) 2022 Nordix Foundation
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package reader
+
+import (
+	"regexp"
+)
+
+const (
+	ByteMatchPattern = `^(sctp|tcp|udp)\[[0-9]+ *: *[124]\]( *& *0x[0-9a-f]+)? *= *([0-9]+|0x[0-9a-f]+)$`
+)
+
+func ValidByteMatch(byteMatch string) bool {
+	res, _ := regexp.MatchString(ByteMatchPattern, byteMatch)
+	return res
+}

pkg/configuration/reader/validation.go

@@ -244,6 +244,9 @@ func (n *nfqlb) SetFlow(flow *nspAPI.Flow) error {
 	if sports := flow.GetSourcePortRanges(); sports != nil && !n.anyPortRange(sports) {
 		args = append(args, fmt.Sprintf("--sports=%v", strings.Join(sports, ",")))
 	}
+	if byteMatches := flow.GetByteMatches(); byteMatches != nil {
+		args = append(args, fmt.Sprintf("--match=%v", strings.Join(byteMatches, ",")))
+	}
 
 	cmd := exec.CommandContext(
 		ctx,