acl

package
v0.7.0 (this package is not in the latest version of its module)
Published: Mar 26, 2024 License: Apache-2.0 Imports: 31 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var ReservedNetworkSubects = []string{"internal", "external"}

ReservedNetworkSubects contains the list of reserved network peer names (those referenced with a leading @ character) that cannot be used to name peering connections. Otherwise peer connections could not be referenced in ACL rules using the "@<peer name>" format without the potential for conflicts with the built-in "@internal" and "@external" subjects.

var ValidActions = []string{"allow", "drop", "reject"}

ValidActions defines valid actions for rules.
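The two package variables above encode a naming invariant: because rules refer to peering connections as "@<peer name>", a peer called "internal" or "external" would be indistinguishable from the built-in subjects. The following stand-alone program is an added example (it is not the package's own code, and the package's *state.State-backed Create/ValidName functions are not used here) that shows what enforcing that invariant looks like. The names ValidatePeerName, ValidateRule and knownPeers are assumptions made for the example; the two slices are local copies of the variables documented above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Local copies of the package-level variables documented on this page
// (assumed: copied rather than imported, so the example runs stand-alone;
// the package itself spells the first one ReservedNetworkSubects).
var reservedNetworkSubjects = []string{"internal", "external"}
var validActions = []string{"allow", "drop", "reject"}

func contains(list []string, v string) bool {
	for _, item := range list {
		if item == v {
			return true
		}
	}
	return false
}

// ValidatePeerName enforces the rule stated for ReservedNetworkSubects: a
// peering connection must not be named "internal" or "external", because the
// "@<peer name>" subject form could then no longer distinguish a peer from the
// built-in subjects. Names carrying the "@" themselves are rejected too, since
// the "@" is added at reference time. Hypothetical validation logic for the example.
func ValidatePeerName(name string) error {
	if name == "" {
		return errors.New("peer name cannot be empty")
	}
	if strings.HasPrefix(name, "@") {
		return fmt.Errorf("peer name %q must not start with @", name)
	}
	if contains(reservedNetworkSubjects, name) {
		return fmt.Errorf("peer name %q is reserved for ACL subjects (@internal/@external)", name)
	}
	return nil
}

// ValidateRule checks one rule's action against ValidActions and, for a
// subject in "@<name>" form, requires the name to be either a reserved network
// subject or a known peering connection. Rejecting unknown "@" subjects means a
// typo fails closed at validation time instead of producing a rule that matches
// nothing (or something unintended) once applied.
func ValidateRule(action, subject string, knownPeers []string) error {
	if !contains(validActions, action) {
		return fmt.Errorf("invalid action %q (valid: %s)", action, strings.Join(validActions, ", "))
	}
	if !strings.HasPrefix(subject, "@") {
		// Non-@ subjects (CIDRs, other ACL names) are outside this example's scope.
		return nil
	}
	name := strings.TrimPrefix(subject, "@")
	if contains(reservedNetworkSubjects, name) || contains(knownPeers, name) {
		return nil
	}
	return fmt.Errorf("subject %q refers to unknown peer %q", subject, name)
}

func main() {
	// Constructed sample data: one existing peering connection named "office".
	peers := []string{"office"}
	for _, name := range []string{"office", "internal", "@office"} {
		fmt.Printf("peer %q: %v\n", name, ValidatePeerName(name))
	}
	rules := [][2]string{{"allow", "@internal"}, {"allow", "@office"}, {"drop", "@lab"}, {"permit", "@external"}}
	for _, r := range rules {
		fmt.Printf("rule %s %s: %v\n", r[0], r[1], ValidateRule(r[0], r[1], peers))
	}
}
```

The design point is that both checks have to exist: rejecting reserved peer names at creation time keeps the "@<peer name>" namespace unambiguous, and rejecting unknown "@" subjects at rule-validation time prevents a rule from silently referring to a peer that was never created.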

Functions

func Create

func Create(s *state.State, projectName string, aclInfo *api.NetworkACLsPost) error

Create validates the supplied record and creates a new Network ACL record in the database.

func Exists

func Exists(s *state.State, projectName string, name ...string) error

Exists checks that the ACL name(s) provided exist in the project. If multiple names are provided, it also checks that no duplicate names are specified in the list.

func FirewallApplyACLRules

func FirewallApplyACLRules(s *state.State, logger logger.Logger, aclProjectName string, aclNet NetworkACLUsage) error

FirewallApplyACLRules applies ACL rules to network firewall.

func NetworkUsage

func NetworkUsage(s *state.State, aclProjectName string, aclNames []string, aclNets map[string]NetworkACLUsage) error

NetworkUsage populates the provided aclNets map with networks that are using any of the specified ACLs.

func OVNACLNetworkPortGroupName

func OVNACLNetworkPortGroupName(networkACLID int64, networkID int64) ovn.OVNPortGroup

OVNACLNetworkPortGroupName returns the port group name for a Network ACL ID and Network ID.

func OVNACLPortGroupName

func OVNACLPortGroupName(networkACLID int64) ovn.OVNPortGroup

OVNACLPortGroupName returns the port group name for a Network ACL ID.

func OVNApplyInstanceNICDefaultRules

func OVNApplyInstanceNICDefaultRules(client *ovn.NB, switchPortGroup ovn.OVNPortGroup, logPrefix string, nicPortName ovn.OVNSwitchPort, ingressAction string, ingressLogged bool, egressAction string, egressLogged bool) error

OVNApplyInstanceNICDefaultRules applies instance NIC default rules to per-network port group.

func OVNApplyNetworkBaselineRules

func OVNApplyNetworkBaselineRules(client *ovn.NB, switchName ovn.OVNSwitch, routerPortName ovn.OVNSwitchPort, intRouterIPs []*net.IPNet, dnsIPs []net.IP) error

OVNApplyNetworkBaselineRules applies preset baseline logical switch rules to allow access to network services.

func OVNEnsureACLs

func OVNEnsureACLs(s *state.State, l logger.Logger, client *ovn.NB, aclProjectName string, aclNameIDs map[string]int64, aclNets map[string]NetworkACLUsage, aclNames []string, reapplyRules bool) (revert.Hook, error)

OVNEnsureACLs ensures that the requested aclNames exist as OVN port groups (creating them and applying their ACL rules if not). If reapplyRules is true, the current ACL rules in the database are applied to the existing port groups as well, rather than only to newly created ones. Any ACLs referenced from the requested ACLs' rules are also created as empty OVN port groups if needed. If a requested ACL exists but has no ACL rules applied, the current rules are loaded from the database and applied. For each network provided in aclNets, the network-specific port group for each ACL is checked for existence (and created, with the network-specific ACL rules applied, if not). Returns a revert hook that can be used to undo this function's changes if a subsequent step fails.

func OVNIntSwitchName

func OVNIntSwitchName(networkID int64) ovn.OVNSwitch

OVNIntSwitchName returns the internal logical switch name for a Network ID.

func OVNIntSwitchPortGroupAddressSetPrefix

func OVNIntSwitchPortGroupAddressSetPrefix(networkID int64) ovn.OVNAddressSet

OVNIntSwitchPortGroupAddressSetPrefix returns the internal switch routes address set prefix for a Network ID.

func OVNIntSwitchPortGroupName

func OVNIntSwitchPortGroupName(networkID int64) ovn.OVNPortGroup

OVNIntSwitchPortGroupName returns the port group name for a Network ID.

func OVNIntSwitchRouterPortName

func OVNIntSwitchRouterPortName(networkID int64) ovn.OVNSwitchPort

OVNIntSwitchRouterPortName returns the OVN logical internal switch router port name for a Network ID.

func OVNNetworkPrefix

func OVNNetworkPrefix(networkID int64) string

OVNNetworkPrefix returns the prefix used for OVN entities related to a Network ID.

func OVNPortGroupDeleteIfUnused

func OVNPortGroupDeleteIfUnused(s *state.State, l logger.Logger, client *ovn.NB, aclProjectName string, ignoreUsageType any, ignoreUsageNicName string, keepACLs ...string) error

OVNPortGroupDeleteIfUnused deletes unused port groups. Accepts optional ignoreUsageType and ignoreUsageNicName arguments, allowing the used-by logic to ignore an instance/profile NIC or network (useful if the config has not yet been applied to the database). Also accepts an optional list of ACLs (keepACLs) to explicitly consider in use by OVN. The combination of ignoring the specified usage type and explicitly keeping ACLs allows the caller to ensure that the desired ACLs are considered unused by that usage type even if the referring config has not yet been removed from the database.

func OVNPortGroupInstanceNICSchedule

func OVNPortGroupInstanceNICSchedule(portUUID ovn.OVNSwitchPortUUID, changeSet map[ovn.OVNPortGroup][]ovn.OVNSwitchPortUUID, portGroups ...ovn.OVNPortGroup)

OVNPortGroupInstanceNICSchedule adds the specified NIC port to the specified port groups in the changeSet.

func UsedBy

func UsedBy(s *state.State, aclProjectName string, usageFunc func(ctx context.Context, tx *db.ClusterTx, matchedACLNames []string, usageType any, nicName string, nicConfig map[string]string) error, matchACLNames ...string) error

UsedBy finds all networks, profiles and instance NICs that use any of the specified ACLs and executes usageFunc once for each resource using one or more of the ACLs with info about the resource and matched ACLs being used.

func ValidName

func ValidName(name string) error

ValidName checks the ACL name is valid.

Types

type NetworkACL

type NetworkACL interface {

	// Info.
	ID() int64
	Project() string
	Info() *api.NetworkACL
	Etag() []any
	UsedBy() ([]string, error)

	// GetLog.
	GetLog(clientType request.ClientType) (string, error)

	// Modifications.
	Update(config *api.NetworkACLPut, clientType request.ClientType) error
	Rename(newName string) error
	Delete() error
	// contains filtered or unexported methods
}

NetworkACL represents a Network ACL.

func LoadByName

func LoadByName(s *state.State, projectName string, name string) (NetworkACL, error)

LoadByName loads and initialises a Network ACL from the database by project and name.

type NetworkACLUsage

type NetworkACLUsage struct {
	ID     int64
	Name   string
	Type   string
	Config map[string]string
}

NetworkACLUsage holds info about a network and the ACL it uses.
