util

package
v0.0.0-...-1da16c0 Latest

Warning: This package is not in the latest version of its module.
Published: Jan 14, 2025 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// UnspecifiedL4Protocol is used to create ACL for gressPolicy that
	// doesn't have port policies hence no protocols. The value "None" here is
	// used as the value in libovsdbops.PortPolicyProtocolKey DB Index and hence
	// that shouldn't be changed since it will cause a full ACL update during upgrades.
	UnspecifiedL4Protocol = "None"
	// UnspecifiedL4Match is used to create ACL for gressPolicy that
	// doesn't have port policies hence no L4Match. The value "None" here is used
	// as the value of l4MatchACLExtIdKey in acl external_ids_syncer for older ACLs.
	// This value shouldn't be changed.
	UnspecifiedL4Match = "None"
	// NamedPortL4MatchSuffix is used to create ACL for gressPolicy that
	// has named port policies.
	NamedPortL4MatchSuffix = "-namedPort"
)

ACL L4 Match Construct Utils

Variables

This section is empty.

Functions

func BuildACL

func BuildACL(dbIDs *libovsdbops.DbObjectIDs, priority int, match, action string, logLevels *ACLLoggingLevels,
	aclT ACLPipelineType) *nbdb.ACL

BuildACL should be used to build ACLs instead of calling libovsdbops.BuildACL directly: it sets and resets the ACL's log settings based on ACLLoggingLevels, and sets acl.Name and acl.ExternalIDs from the given dbIDs.

func BuildANPACL

func BuildANPACL(dbIDs *libovsdbops.DbObjectIDs, priority int, match, action string, aclT ACLPipelineType, logLevels *ACLLoggingLevels) *nbdb.ACL

func BuildPortGroup

func BuildPortGroup(pgIDs *ops.DbObjectIDs, ports []*nbdb.LogicalSwitchPort, acls []*nbdb.ACL) *nbdb.PortGroup

func ConvertK8sProtocolToOVNProtocol

func ConvertK8sProtocolToOVNProtocol(proto v1.Protocol) string

ConvertK8sProtocolToOVNProtocol returns the OVN syntax-specific protocol value for a v1.Protocol K8s type.

func CreateDefaultRouteToExternal

func CreateDefaultRouteToExternal(nbClient libovsdbclient.Client, clusterRouter, gwRouterName string, clusterSubnets []config.CIDRNetworkEntry) error

CreateDefaultRouteToExternal is called only when IC=true. This function adds a "catch-all" kind of LRSR to ovn-cluster-router:

	100.64.0.2        100.88.0.2  dst-ip
	100.64.0.3        100.88.0.3  dst-ip
	100.64.0.4        100.64.0.4  dst-ip
	10.244.0.0/24     100.88.0.2  dst-ip
	10.244.1.0/24     100.88.0.3  dst-ip
	10.244.2.0/24     100.64.0.4  src-ip
	10.244.0.0/16     100.64.0.4  src-ip  ----> This is the reroute added to send all traffic that did not match earlier LRSRs to outside the cluster

This logic works under the assumption that we have all other paths covered via routes that exist with a higher-precedence (longer) prefix match. On first look it may seem like we are sending out traffic that doesn't "fit/match" other routes, which is true, but the intent is that if we don't know where to send the traffic within the cluster, then we make it leave the cluster (we have a flow on br-ex that protects us and drops it if it's not supposed to be going outside). This is needed when IC=true to ensure traffic from the other node arriving at this remote node does not get dropped. This removes the need for per-pod LRSR for primaryEIP and secondaryEIP && ESVC add a per-pod LRP on each egressNode to override this LRSR and send it to its management port.

NOTE: Handle changes around this logic with care. This is being added intentionally.

(TODO: FIXME): With this route, we are officially breaking support for IC with zones that have multiple nodes.

NOTE: This route is exactly the same as what is added by the pod-live-migration feature, and we keep the route exactly the same across the 3 features so that if the route already exists on the node, this is just a no-op.

func DeleteAddrSetsWithoutACLRef

func DeleteAddrSetsWithoutACLRef(predicateIDs *libovsdbops.DbObjectIDs, nbClient libovsdbclient.Client) error

DeleteAddrSetsWithoutACLRef deletes the address sets matching predicateIDs that are not referenced by any ACL.

func DeleteSbdbMacBindingsWithIPs

func DeleteSbdbMacBindingsWithIPs(sbClient libovsdbclient.Client, ips ...string) error

DeleteSbdbMacBindingsWithIPs deletes mac bindings from the SBDB on any of the provided IPs. This method should only be used to remove legacy entries, as static mac bindings should be created in NBDB instead.

func ExtractPortAddresses

func ExtractPortAddresses(lsp *nbdb.LogicalSwitchPort) (net.HardwareAddr, []net.IP, error)

ExtractPortAddresses returns the MAC and IPs of the given logical switch port

func GetACLCount

func GetACLCount(nbClient libovsdbclient.Client, idsType *ops.ObjectIDsType, controllerName string) int

GetACLCount returns the number of ACLs owned by idsType/controllerName

func GetACLMatch

func GetACLMatch(portGroupName, match string, aclDir ACLDirection) string

func GetACLName

func GetACLName(dbIDs *libovsdbops.DbObjectIDs) string

acl.Name is cropped to 64 symbols and is used for logging. Currently only egress firewall, gress network policy and default deny network policy ACLs are logged; other ACLs don't need a name. A namespace name alone may be 63 symbols long, so some information may be cropped. Therefore the "feature" tag ("EF" for EgressFirewall, "NP" for network policy) goes first, then the namespace, then ACL-related info.
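Because the name is cropped, two ACLs from different namespaces can end up with the same acl.Name, so the name is only suitable for reading logs, never as a lookup key (that is what acl.ExternalIDs are for). The following is an added example, not the project's code: it assumes "_" as the JoinACLName separator, an "NP:namespace" prefix, a 63-character cap (the OVN northbound schema's limit for ACL.name; the page says 64) and passes the name parts explicitly instead of deriving them from DbObjectIDs.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumption: OVN's northbound schema caps ACL.name at 63 characters.
const maxACLNameLen = 63

// JoinACLName joins the name parts with "_" (assumed separator).
func JoinACLName(substrings ...string) string {
	return strings.Join(substrings, "_")
}

// GetACLName puts the short feature tag ("NP" or "EF") first, then the
// namespace, then the remaining info, and crops the result so that the tag
// and the start of the namespace always survive truncation.
func GetACLName(feature, namespace string, info ...string) string {
	name := JoinACLName(append([]string{feature + ":" + namespace}, info...)...)
	if len(name) > maxACLNameLen {
		name = name[:maxACLNameLen]
	}
	return name
}

// ACLIdentity is the untruncated identity of an ACL, the kind of data the
// project keeps in ExternalIDs rather than in the cropped name.
type ACLIdentity struct {
	Feature, Namespace, Policy, Direction string
}

func (id ACLIdentity) Name() string {
	return GetACLName(id.Feature, id.Namespace, id.Policy, id.Direction)
}

// FindNameCollisions groups identities by their cropped name and returns only
// the names shared by more than one identity, i.e. the names that cannot be
// used to tell the ACLs apart in ACL log lines.
func FindNameCollisions(ids []ACLIdentity) map[string][]ACLIdentity {
	byName := map[string][]ACLIdentity{}
	for _, id := range ids {
		n := id.Name()
		byName[n] = append(byName[n], id)
	}
	for n, group := range byName {
		if len(group) < 2 {
			delete(byName, n)
		}
	}
	return byName
}

func main() {
	// Constructed sample: two maximum-length namespace names differing only
	// in their last character.
	nsA := strings.Repeat("a", 62) + "1"
	nsB := strings.Repeat("a", 62) + "2"
	ids := []ACLIdentity{
		{"NP", nsA, "allow-dns", "Egress"},
		{"NP", nsB, "allow-dns", "Egress"},
		{"EF", "short", "", "Egress"},
	}
	for name, group := range FindNameCollisions(ids) {
		fmt.Printf("%q (%d chars) is shared by %d ACLs\n", name, len(name), len(group))
	}
}
```

The takeaway for anyone correlating OVN ACL log lines back to a policy: resolve the ACL by its ExternalIDs (or UUID), and treat the name as a hint.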

func GetACLTier

func GetACLTier(dbIDs *libovsdbops.DbObjectIDs) int

func GetAddressSetCount

func GetAddressSetCount(nbClient libovsdbclient.Client, idsType *ops.ObjectIDsType, controllerName string) int

GetAddressSetCount returns the number of AddressSets owned by idsType/controllerName

func GetL3L4MatchesFromNamedPorts

func GetL3L4MatchesFromNamedPorts(ruleNamedPorts map[string][]NamedNetworkPolicyPort) map[string]string

GetL3L4MatchesFromNamedPorts returns a map that has protocol as the key and the corresponding L3L4NamedPort ACL Match as its value

func GetL4MatchesFromNetworkPolicyPorts

func GetL4MatchesFromNetworkPolicyPorts(rulePorts []*NetworkPolicyPort) map[string]string

GetL4MatchesFromNetworkPolicyPorts accepts a list of cached NetworkPolicyPorts and constructs an l4Match for each protocol type. It returns a map that has the protocol as the key and the l4Match as the value. If len(rulePorts)==0, it returns map["None"] = "None", which means there is no L4 match.
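An added example of the per-protocol grouping described above together with ConvertK8sProtocolToOVNProtocol (illustrative code, not the project's implementation). The exact match text (a set match for single ports, a range clause for port ranges, OR'ed per protocol), the treatment of Port==0 as "all ports of that protocol", and the error return are assumptions; the page's function returns only the map and does not report a port whose protocol failed to map, which is the case this version refuses, since silently dropping an entry changes what the policy permits.

```go
package main

import (
	"fmt"
	"strings"
)

// Constants and types as on the page.
const (
	UnspecifiedL4Protocol = "None"
	UnspecifiedL4Match    = "None"
)

type NetworkPolicyPort struct {
	Protocol string // OVN protocol keyword: tcp, udp, sctp
	Port     int32  // start port, or 0 for "every port of this protocol" (assumption)
	EndPort  int32  // 0 when the entry is not a range
}

// ConvertK8sProtocolToOVNProtocol maps a Kubernetes protocol name to OVN's
// match keyword; anything else maps to "" so the caller can reject it.
func ConvertK8sProtocolToOVNProtocol(proto string) string {
	switch proto {
	case "TCP":
		return "tcp"
	case "UDP":
		return "udp"
	case "SCTP":
		return "sctp"
	}
	return ""
}

func GetNetworkPolicyPort(proto string, port, endPort int32) *NetworkPolicyPort {
	return &NetworkPolicyPort{Protocol: ConvertK8sProtocolToOVNProtocol(proto), Port: port, EndPort: endPort}
}

// GetL4MatchesFromNetworkPolicyPorts groups ports by protocol and emits one
// match per protocol: single ports become a set match "tcp.dst=={80,443}",
// ranges become "(tcp.dst>=8000 && tcp.dst<=9000)", and the clauses are OR'ed.
// No ports at all means no L4 restriction: {"None": "None"}. An entry whose
// protocol did not map, or whose range is inverted, is an error.
func GetL4MatchesFromNetworkPolicyPorts(rulePorts []*NetworkPolicyPort) (map[string]string, error) {
	l4Matches := map[string]string{}
	if len(rulePorts) == 0 {
		l4Matches[UnspecifiedL4Protocol] = UnspecifiedL4Match
		return l4Matches, nil
	}
	type clauses struct {
		singles []string
		ranges  []string
		whole   bool // unset port in the policy: match the protocol only
	}
	byProto := map[string]*clauses{}
	for _, p := range rulePorts {
		if p.Protocol == "" {
			return nil, fmt.Errorf("port %d: protocol not mapped to an OVN protocol", p.Port)
		}
		if p.EndPort != 0 && p.EndPort < p.Port {
			return nil, fmt.Errorf("%s: inverted range %d-%d", p.Protocol, p.Port, p.EndPort)
		}
		c, ok := byProto[p.Protocol]
		if !ok {
			c = &clauses{}
			byProto[p.Protocol] = c
		}
		switch {
		case p.Port == 0:
			c.whole = true
		case p.EndPort == 0:
			c.singles = append(c.singles, fmt.Sprint(p.Port))
		default:
			c.ranges = append(c.ranges, fmt.Sprintf("(%s.dst>=%d && %s.dst<=%d)", p.Protocol, p.Port, p.Protocol, p.EndPort))
		}
	}
	for proto, c := range byProto {
		if c.whole {
			l4Matches[proto] = proto
			continue
		}
		var parts []string
		if len(c.singles) > 0 {
			parts = append(parts, fmt.Sprintf("%s.dst=={%s}", proto, strings.Join(c.singles, ",")))
		}
		parts = append(parts, c.ranges...)
		if len(parts) == 1 {
			l4Matches[proto] = proto + " && " + parts[0]
		} else {
			l4Matches[proto] = proto + " && (" + strings.Join(parts, " || ") + ")"
		}
	}
	return l4Matches, nil
}

func main() {
	// Constructed sample: TCP 80, 443 and 8000-9000, plus UDP 53.
	ports := []*NetworkPolicyPort{
		GetNetworkPolicyPort("TCP", 80, 0),
		GetNetworkPolicyPort("TCP", 443, 0),
		GetNetworkPolicyPort("TCP", 8000, 9000),
		GetNetworkPolicyPort("UDP", 53, 0),
	}
	m, err := GetL4MatchesFromNetworkPolicyPorts(ports)
	fmt.Println(m, err)
	_, err = GetL4MatchesFromNetworkPolicyPorts([]*NetworkPolicyPort{GetNetworkPolicyPort("ICMP", 0, 0)})
	fmt.Println("unmapped protocol:", err)
}
```

Each protocol's match is later AND'ed with the L3 part of the rule to form the ACL match, so a protocol missing from the map simply yields no ACL for that protocol; that is why the unmapped-protocol case is worth surfacing rather than dropping.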

func GetLRPAddrs

func GetLRPAddrs(nbClient client.Client, portName string) ([]*net.IPNet, error)

GetLRPAddrs returns the addresses for the given logical router port

func GetNBZone

func GetNBZone(nbClient libovsdbclient.Client) (string, error)

GetNBZone returns the zone name configured in the OVN Northbound database. If the zone name is not configured, it returns the default zone name, "global". It returns an error if there is no NBGlobal row.

func GetPortGroupName

func GetPortGroupName(dbIDs *ops.DbObjectIDs) string

func JoinACLName

func JoinACLName(substrings ...string) string

func UpdateACLLogging

func UpdateACLLogging(nbClient libovsdbclient.Client, ACLs []*nbdb.ACL, aclLogging *ACLLoggingLevels) error

func UpdateACLLoggingWithPredicate

func UpdateACLLoggingWithPredicate(nbClient libovsdbclient.Client, p func(*nbdb.ACL) bool, aclLogging *ACLLoggingLevels) error

UpdateACLLoggingWithPredicate finds all ACLs based on a given predicate, updates log settings, then transacts these changes with a single transaction.

func UpdateNodeSwitchExcludeIPs

func UpdateNodeSwitchExcludeIPs(nbClient libovsdbclient.Client, mgmtIfName, switchName, nodeName string, subnet *net.IPNet) error

UpdateNodeSwitchExcludeIPs should be called after adding the management port and after adding the hybrid overlay port, and ensures that each port's IP is added to the logical switch's exclude_ips. This prevents ovn-northd log spam about duplicate IP addresses. See https://github.com/ovn-org/ovn-kubernetes/pull/779

Types

type ACLDirection

type ACLDirection string
const (
	ACLEgress  ACLDirection = "Egress"
	ACLIngress ACLDirection = "Ingress"
)

type ACLLoggingLevels

type ACLLoggingLevels struct {
	Allow string `json:"allow,omitempty"`
	Deny  string `json:"deny,omitempty"`
	Pass  string `json:"pass,omitempty"`
}

ACL logging severity levels

type ACLPipelineType

type ACLPipelineType string

ACLPipelineType defines when ACLs will be applied (direction and pipeline stage). All ACLs of the same type are sorted by priority; priorities for different types are independent.

const (
	// LportIngress will be converted to direction="to-lport" ACL
	LportIngress ACLPipelineType = "to-lport"
	// LportEgressAfterLB will be converted to direction="from-lport", options={"apply-after-lb": "true"} ACL
	LportEgressAfterLB ACLPipelineType = "from-lport-after-lb"
	// LportEgress will be converted to direction="from-lport", matched before loadbalancing
	LportEgress ACLPipelineType = "from-lport"
)
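An added example tying the pipeline types above to BuildACL's logging behaviour (illustrative code, not the project's implementation). It uses a local ACL struct as a stand-in for the nbdb.ACL columns involved, takes the name as a plain string instead of DbObjectIDs, and assumes the mapping of OVN actions to the Allow/Deny/Pass severities, the "acl-logging" meter name, and that ACLDirectionToACLPipeline sends egress policy ACLs to the after-load-balancing stage.

```go
package main

import "fmt"

// Types as on the page.
type ACLDirection string

const (
	ACLEgress  ACLDirection = "Egress"
	ACLIngress ACLDirection = "Ingress"
)

type ACLPipelineType string

const (
	LportIngress       ACLPipelineType = "to-lport"
	LportEgressAfterLB ACLPipelineType = "from-lport-after-lb"
	LportEgress        ACLPipelineType = "from-lport"
)

type ACLLoggingLevels struct {
	Allow string `json:"allow,omitempty"`
	Deny  string `json:"deny,omitempty"`
	Pass  string `json:"pass,omitempty"`
}

// ACL is a local stand-in for the nbdb.ACL columns this example sets.
type ACL struct {
	Name      string
	Priority  int
	Direction string
	Match     string
	Action    string
	Options   map[string]string
	Log       bool
	Severity  *string
	Meter     *string
}

// Assumption: the meter attached to logged ACLs to rate-limit log output.
const aclLoggingMeter = "acl-logging"

// ACLDirectionToACLPipeline (assumed): ingress policy runs to-lport, egress
// policy runs from-lport after load balancing so the match sees the DNAT'ed
// backend pod IP instead of the service VIP.
func ACLDirectionToACLPipeline(aclDir ACLDirection) ACLPipelineType {
	if aclDir == ACLIngress {
		return LportIngress
	}
	return LportEgressAfterLB
}

// severityFor picks the configured severity for an OVN action; "" means
// "do not log this ACL".
func severityFor(action string, levels *ACLLoggingLevels) string {
	if levels == nil {
		return ""
	}
	switch action {
	case "allow", "allow-related", "allow-stateless":
		return levels.Allow
	case "drop", "reject":
		return levels.Deny
	case "pass":
		return levels.Pass
	}
	return ""
}

// setLogging sets or resets the three logging columns together so that an
// ACL never keeps a stale severity or meter once logging is turned off.
func setLogging(acl *ACL, levels *ACLLoggingLevels) {
	sev := severityFor(acl.Action, levels)
	if sev == "" {
		acl.Log, acl.Severity, acl.Meter = false, nil, nil
		return
	}
	meter := aclLoggingMeter
	acl.Log, acl.Severity, acl.Meter = true, &sev, &meter
}

// BuildACL translates the pipeline type into direction/options and applies
// the logging settings.
func BuildACL(name string, priority int, match, action string, levels *ACLLoggingLevels, aclT ACLPipelineType) (*ACL, error) {
	acl := &ACL{Name: name, Priority: priority, Match: match, Action: action, Options: map[string]string{}}
	switch aclT {
	case LportIngress:
		acl.Direction = "to-lport"
	case LportEgress:
		acl.Direction = "from-lport"
	case LportEgressAfterLB:
		acl.Direction = "from-lport"
		acl.Options["apply-after-lb"] = "true"
	default:
		return nil, fmt.Errorf("unknown ACL pipeline type %q", aclT)
	}
	setLogging(acl, levels)
	return acl, nil
}

// UpdateACLLogging re-applies (or clears, when levels is nil) the logging
// settings on existing ACLs; the page's version then transacts them to NBDB.
func UpdateACLLogging(acls []*ACL, levels *ACLLoggingLevels) {
	for _, acl := range acls {
		setLogging(acl, levels)
	}
}

func main() {
	levels := &ACLLoggingLevels{Allow: "info", Deny: "alert"}
	allow, _ := BuildACL("NP:team-a:Egress", 1000, "ip4.dst==10.244.1.5", "allow-related", levels, ACLDirectionToACLPipeline(ACLEgress))
	deny, _ := BuildACL("NP:team-a:Egress", 900, "ip4", "drop", levels, ACLDirectionToACLPipeline(ACLEgress))
	fmt.Printf("%s %v log=%v sev=%s\n", allow.Direction, allow.Options, allow.Log, *allow.Severity)
	fmt.Printf("%s %v log=%v sev=%s\n", deny.Direction, deny.Options, deny.Log, *deny.Severity)
	UpdateACLLogging([]*ACL{allow, deny}, nil)
	fmt.Println("after reset:", allow.Log, allow.Severity == nil, deny.Meter == nil)
}
```

The reset path matters operationally: OVN logs an ACL hit whenever log=true, and a leftover severity with a missing meter produces unthrottled logging, so turning logging off has to clear all three columns in the same transaction.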

func ACLDirectionToACLPipeline

func ACLDirectionToACLPipeline(aclDir ACLDirection) ACLPipelineType

func PolicyTypeToAclPipeline

func PolicyTypeToAclPipeline(policyType knet.PolicyType) ACLPipelineType

type NamedNetworkPolicyPort

type NamedNetworkPolicyPort struct {
	L4Protocol    string // will store the port's L4 protocol in OVN protocol format
	L4PodPort     string // will store portNumber for the corresponding port name for the corresponding PodIP or LSP
	L3PodIP       string // will store the podIP for the corresponding port name for the corresponding PodPort => used for egressACL
	L3PodIPFamily string // will store whether this is ip4 or ip6 podIP
}

NamedNetworkPolicyPort is an internal representation of namedPort type in anpapi.AdminNetworkPolicyPort in a useful representation format for the caches

type NetworkPolicyPort

type NetworkPolicyPort struct {
	Protocol string // will store the OVN protocol string syntax for the corresponding K8s protocol
	Port     int32  // will store startPort if its a range
	EndPort  int32  // will store 0 if its not a range
}

NetworkPolicyPort is an internal representation of knet.NetworkPolicyPort and anpapi.AdminNetworkPolicyPort in a simpler representation format for the caches

func GetNetworkPolicyPort

func GetNetworkPolicyPort(proto v1.Protocol, port, endPort int32) *NetworkPolicyPort

GetNetworkPolicyPort returns an internal NetworkPolicyPort struct with the provided protocol, port and endPort fields set.
