Skip to content

Commit 27aeabf

Browse files
tpantelistpantelis
committed
Move nftables rule conversion functions to separate file
...to reduce file size. Signed-off-by: Tom Pantelis <[email protected]>
1 parent 7992f48 commit 27aeabf

File tree

2 files changed

+231
-203
lines changed

2 files changed

+231
-203
lines changed

pkg/packetfilter/nftables/nftables.go

Lines changed: 1 addition & 203 deletions
Original file line numberDiff line numberDiff line change
@@ -19,16 +19,12 @@ limitations under the License.
1919
package nftables
2020

2121
import (
22-
"bytes"
2322
"context"
2423
"slices"
25-
"strconv"
26-
"strings"
2724

2825
"github.com/pkg/errors"
2926
"github.com/submariner-io/admiral/pkg/log"
3027
"github.com/submariner-io/submariner/pkg/packetfilter"
31-
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
3228
k8snet "k8s.io/utils/net"
3329
"k8s.io/utils/ptr"
3430
logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -37,8 +33,7 @@ import (
3733

3834
const (
3935
/* Single table named 'submariner' is used for nftables configuration.*/
40-
submarinerTable = "submariner"
41-
serializedVersion = "1.0"
36+
submarinerTable = "submariner"
4237
)
4338

4439
var (
@@ -300,200 +295,3 @@ func (p *packetFilter) insertRuleAtPosition(chain string, rule *packetfilter.Rul
300295

301296
return errors.Wrap(err, "error inserting rule")
302297
}
303-
304-
func protoToRuleSpec(ruleSpec []string, proto packetfilter.RuleProto, dPort string) []string {
305-
switch proto {
306-
case packetfilter.RuleProtoUDP:
307-
ruleSpec = append(ruleSpec, "ip", "protocol", "udp")
308-
if dPort != "" {
309-
ruleSpec = append(ruleSpec, "udp", "dport", dPort)
310-
}
311-
case packetfilter.RuleProtoTCP:
312-
ruleSpec = append(ruleSpec, "ip", "protocol", "tcp")
313-
if dPort != "" {
314-
ruleSpec = append(ruleSpec, "tcp", "dport", dPort)
315-
}
316-
case packetfilter.RuleProtoICMP:
317-
ruleSpec = append(ruleSpec, "ip", "protocol", "icmp")
318-
case packetfilter.RuleProtoAll:
319-
case packetfilter.RuleProtoUndefined:
320-
}
321-
322-
return ruleSpec
323-
}
324-
325-
func mssClampToRuleSpec(ruleSpec []string, clampType packetfilter.MssClampType, mssValue string) []string {
326-
switch clampType {
327-
case packetfilter.UndefinedMSS:
328-
case packetfilter.ToPMTU:
329-
ruleSpec = append(ruleSpec, "size", "set", "rt", "mtu")
330-
case packetfilter.ToValue:
331-
ruleSpec = append(ruleSpec, "size", "set", mssValue)
332-
}
333-
334-
return ruleSpec
335-
}
336-
337-
func setToRuleSpec(ruleSpec []string, srcSetName, destSetName string) []string {
338-
if srcSetName != "" {
339-
ruleSpec = append(ruleSpec, "ip", "saddr", "@"+srcSetName)
340-
}
341-
342-
if destSetName != "" {
343-
ruleSpec = append(ruleSpec, "ip", "daddr", "@"+destSetName)
344-
}
345-
346-
return ruleSpec
347-
}
348-
349-
func toNftRuleSpec(rule *packetfilter.Rule) string {
350-
ruleSpec := protoToRuleSpec([]string{}, rule.Proto, rule.DPort)
351-
352-
if rule.SrcCIDR != "" {
353-
ruleSpec = append(ruleSpec, "ip", "saddr", rule.SrcCIDR)
354-
}
355-
356-
if rule.DestCIDR != "" {
357-
ruleSpec = append(ruleSpec, "ip", "daddr", rule.DestCIDR)
358-
}
359-
360-
if rule.MarkValue != "" && rule.Action != packetfilter.RuleActionMark {
361-
// syntax for MarkValue '0xc0000': meta mark & 0xc0000 == 0xc0000
362-
ruleSpec = append(ruleSpec, "meta", "mark", "&", rule.MarkValue, "==", rule.MarkValue)
363-
}
364-
365-
ruleSpec = setToRuleSpec(ruleSpec, rule.SrcSetName, rule.DestSetName)
366-
367-
if rule.OutInterface != "" {
368-
ruleSpec = append(ruleSpec, "oifname", rule.OutInterface)
369-
}
370-
371-
if rule.InInterface != "" {
372-
ruleSpec = append(ruleSpec, "iifname", rule.InInterface)
373-
}
374-
375-
if rule.Action == packetfilter.RuleActionMss {
376-
ruleSpec = append(ruleSpec, "tcp", "flags", "syn / syn,rst")
377-
}
378-
379-
ruleSpec = append(ruleSpec, "counter")
380-
ruleSpec = append(ruleSpec, ruleActionToStr[rule.Action]...)
381-
382-
if rule.Action == packetfilter.RuleActionJump {
383-
ruleSpec = append(ruleSpec, rule.TargetChain)
384-
}
385-
386-
if rule.SnatCIDR != "" {
387-
ruleSpec = append(ruleSpec, "to", rule.SnatCIDR)
388-
}
389-
390-
if rule.DnatCIDR != "" {
391-
ruleSpec = append(ruleSpec, "to", rule.DnatCIDR)
392-
}
393-
394-
ruleSpec = mssClampToRuleSpec(ruleSpec, rule.ClampType, rule.MssValue)
395-
396-
if rule.MarkValue != "" && rule.Action == packetfilter.RuleActionMark {
397-
// syntax for MarkValue '0xc0000': set mark | 0xc0000
398-
ruleSpec = append(ruleSpec, "set", "mark", "|", rule.MarkValue)
399-
}
400-
401-
str := strings.Join(ruleSpec, " ")
402-
403-
logger.V(log.TRACE).Infof("toNftRuleSpec: from %q to %q", rule, str)
404-
405-
return str
406-
}
407-
408-
func mustWriteString(buf *bytes.Buffer, s string) {
409-
_, err := buf.WriteString(s + " ")
410-
utilruntime.Must(err)
411-
}
412-
413-
func mustWriteUint32(buf *bytes.Buffer, i uint32) {
414-
mustWriteString(buf, strconv.FormatInt(int64(i), 10))
415-
}
416-
417-
func SerializeRule(rule *packetfilter.Rule) string {
418-
var buf bytes.Buffer
419-
420-
_, err := buf.WriteString(serializedVersion)
421-
utilruntime.Must(err)
422-
423-
mustWriteUint32(&buf, uint32(rule.Action))
424-
mustWriteUint32(&buf, uint32(rule.ClampType))
425-
mustWriteUint32(&buf, uint32(rule.Proto))
426-
427-
mustWriteString(&buf, rule.SrcSetName)
428-
mustWriteString(&buf, rule.DestSetName)
429-
mustWriteString(&buf, rule.SrcCIDR)
430-
mustWriteString(&buf, rule.DestCIDR)
431-
mustWriteString(&buf, rule.SnatCIDR)
432-
mustWriteString(&buf, rule.DnatCIDR)
433-
mustWriteString(&buf, rule.OutInterface)
434-
mustWriteString(&buf, rule.InInterface)
435-
mustWriteString(&buf, rule.DPort)
436-
mustWriteString(&buf, rule.TargetChain)
437-
mustWriteString(&buf, rule.MssValue)
438-
mustWriteString(&buf, rule.MarkValue)
439-
440-
str := buf.String()
441-
442-
logger.V(log.TRACE).Infof("SerializeRule: from %q to %q (%d)", rule, str, len(str))
443-
444-
return str
445-
}
446-
447-
func mustReadString(buf *bytes.Buffer) string {
448-
b, err := buf.ReadBytes(' ')
449-
utilruntime.Must(err)
450-
451-
return string(b[0 : len(b)-1])
452-
}
453-
454-
func mustReadUint32(buf *bytes.Buffer) uint32 {
455-
s := mustReadString(buf)
456-
u, err := strconv.ParseUint(s, 10, 32)
457-
utilruntime.Must(err)
458-
459-
return uint32(u)
460-
}
461-
462-
func DeserializeRule(s string) (*packetfilter.Rule, error) {
463-
rule := &packetfilter.Rule{}
464-
465-
buf := bytes.NewBufferString(s)
466-
467-
b := make([]byte, 3)
468-
469-
_, err := buf.Read(b)
470-
if err != nil {
471-
return nil, errors.Wrapf(err, "error deserializing rule %q", s)
472-
}
473-
474-
version := string(b)
475-
if version != serializedVersion {
476-
return nil, errors.Errorf("unable to deserialize rule from %q: invalid version %q", s, version)
477-
}
478-
479-
rule.Action = packetfilter.RuleAction(mustReadUint32(buf))
480-
rule.ClampType = packetfilter.MssClampType(mustReadUint32(buf))
481-
rule.Proto = packetfilter.RuleProto(mustReadUint32(buf))
482-
483-
rule.SrcSetName = mustReadString(buf)
484-
rule.DestSetName = mustReadString(buf)
485-
rule.SrcCIDR = mustReadString(buf)
486-
rule.DestCIDR = mustReadString(buf)
487-
rule.SnatCIDR = mustReadString(buf)
488-
rule.DnatCIDR = mustReadString(buf)
489-
rule.OutInterface = mustReadString(buf)
490-
rule.InInterface = mustReadString(buf)
491-
rule.DPort = mustReadString(buf)
492-
rule.TargetChain = mustReadString(buf)
493-
rule.MssValue = mustReadString(buf)
494-
rule.MarkValue = mustReadString(buf)
495-
496-
logger.V(log.TRACE).Infof("DeserializeRule: from %q to %q", s, rule)
497-
498-
return rule, nil
499-
}

0 commit comments

Comments
 (0)