policysets

package
v1.11.0-cni-plu...-ca80474
Warning

This package is not in the latest version of its module.

Published: Jan 10, 2025 License: Apache-2.0, Apache-2.0 Imports: 12 Imported by: 0

Documentation

Constants

const (

	// Priority used for rule that allows host to endpoint traffic.
	HostToEndpointRulePriority uint16 = 900
	// Start of range of priorities used for policy set rules.
	PolicyRuleBasePriority uint16 = 1000
	// Max policy priority value.
	PolicyRuleMaxPriority uint16 = 65000
	// prefix to use for all policy names
	PolicyNamePrefix string = "policy-"
	// prefix to use for all profile names
	ProfileNamePrefix string = "profile-"
)
const (
	ActionPass hns.ActionType = "pass"
)
const (
	// static rule file name
	StaticFileName = "static-rules.json"
)

Variables

var (
	ErrNotSupported = errors.New("rule contained unsupported feature")
	ErrRuleIsNoOp   = errors.New("rule is a no-op")
	ErrMissingIPSet = errors.New("rule referenced a missing IP set")
)
var (
	ErrNoRuleSpecified = errors.New("no rule specified")
)

Functions

func SplitIPList

func SplitIPList(ipAddrs []string, chunkSize int) (splits [][]string)

SplitIPList splits a list of IP addresses/CIDRs into chunks of chunkSize entries.

func SplitPortList

func SplitPortList(ports []*proto.PortRange, chunkSize int) (splits [][]*proto.PortRange)

SplitPortList splits a list of ports/port ranges into chunks of chunkSize entries.
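The two chunking helpers above are documented only by their signatures, so here is an added, self-contained illustration of the same splitting behaviour (my own example code, not the policysets package's implementation). PortRange is a local stand-in for proto.PortRange, and the handling of a non-positive chunkSize (returning the whole list as one chunk rather than looping forever) is an assumption of this example, not documented package behaviour.

```go
package main

import "fmt"

// PortRange stands in for proto.PortRange in this example (assumption: only
// First/Last matter for chunking purposes).
type PortRange struct {
	First, Last uint32
}

// chunk splits items into consecutive slices of at most chunkSize elements,
// preserving order and never dropping or duplicating an element. The full
// slice expression items[start:end:end] caps each chunk so that appending to
// one chunk cannot overwrite the elements of the next one in the backing array.
// A chunkSize <= 0 is treated as "no splitting" (assumption of this example).
func chunk[T any](items []T, chunkSize int) (splits [][]T) {
	if len(items) == 0 {
		return nil
	}
	if chunkSize <= 0 || chunkSize >= len(items) {
		return [][]T{items}
	}
	for start := 0; start < len(items); start += chunkSize {
		end := start + chunkSize
		if end > len(items) {
			end = len(items)
		}
		splits = append(splits, items[start:end:end])
	}
	return splits
}

// SplitIPList mirrors the documented signature: chunks of IP addresses/CIDRs.
func SplitIPList(ipAddrs []string, chunkSize int) [][]string {
	return chunk(ipAddrs, chunkSize)
}

// SplitPortList mirrors the documented signature: chunks of port ranges.
func SplitPortList(ports []*PortRange, chunkSize int) [][]*PortRange {
	return chunk(ports, chunkSize)
}

// CountEntries sums the chunk lengths; a quick invariant check that splitting
// lost nothing (len(input) must equal CountEntries(output)).
func CountEntries[T any](splits [][]T) int {
	n := 0
	for _, s := range splits {
		n += len(s)
	}
	return n
}

func main() {
	// Constructed sample input: five CIDRs split into rule-sized chunks of 2.
	ips := []string{"10.0.0.1/32", "10.0.0.2/32", "10.0.1.0/24", "192.0.2.7/32", "198.51.100.0/24"}
	for i, c := range SplitIPList(ips, 2) {
		fmt.Printf("ip chunk %d: %v\n", i, c)
	}
	ports := []*PortRange{{80, 80}, {443, 443}, {8000, 8080}}
	for i, c := range SplitPortList(ports, 2) {
		fmt.Printf("port chunk %d: %d ranges\n", i, len(c))
	}
}
```

The invariant worth keeping in mind when the chunks become separate HNS rules is that every element must land in exactly one chunk; CountEntries makes that cheap to assert in a unit test.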

Types

type FileReader

type FileReader string

func (FileReader) ReadData

func (f FileReader) ReadData() ([]byte, error)

type HNSAPI

type HNSAPI interface {
	GetHNSSupportedFeatures() hns.HNSSupportedFeatures
}

HNSAPI is an interface containing only the parts of the HNS API that are used here.

type IPSetCache

type IPSetCache interface {
	GetIPSetMembers(ipsetID string) []string
}

IPSetCache is our interface to the IP sets tracker.

type PolicySetMetadata

type PolicySetMetadata struct {
	SetId string
	Type  PolicySetType
}

PolicySetMetadata contains the metadata for a particular Policy set, such as its name and type.

type PolicySetType

type PolicySetType string

PolicySetType constants for the different kinds of Policy set.

const (
	PolicySetTypePolicy  PolicySetType = "policy"
	PolicySetTypeProfile PolicySetType = "profile"
)

func (PolicySetType) SetType

func (t PolicySetType) SetType() string

type PolicySets

type PolicySets struct {
	IpSets []IPSetCache
	// contains filtered or unexported fields
}

PolicySets manages a whole plane of policies/profiles.

func NewPolicySets

func NewPolicySets(hns HNSAPI, ipsets []IPSetCache, reader StaticRulesReader) *PolicySets

func (*PolicySets) AddOrReplacePolicySet

func (s *PolicySets) AddOrReplacePolicySet(setId string, policy interface{})

AddOrReplacePolicySet is responsible for the creation (or replacement) of a Policy set and it is capable of processing either Profiles or Policies from the datastore.

func (*PolicySets) GetPolicySetRules

func (s *PolicySets) GetPolicySetRules(setIds []string, isInbound, endOfTierDrop bool) (rules []*hns.ACLPolicy)

GetPolicySetRules receives a list of Policy set ids and it computes the complete set of resultant HNS rules that are needed to enforce all of the Policy sets for the specified direction.

func (*PolicySets) NewHostRule

func (s *PolicySets) NewHostRule(isInbound bool) *hns.ACLPolicy

NewHostRule returns a new hns rule object scoped to the host.

func (*PolicySets) NewRule

func (s *PolicySets) NewRule(isInbound bool, priority uint16) *hns.ACLPolicy

NewRule returns a new HNS switch rule object instantiated with default values.

func (*PolicySets) ProcessIpSetUpdate

func (s *PolicySets) ProcessIpSetUpdate(ipSetId string) []string

ProcessIpSetUpdate locates any Policy set(s) that reference the provided IP set and causes those Policy sets to be recomputed (to ensure that any rule address conditions use the latest address values from the IP set). A list of the Policy sets that were found and recomputed is returned to the caller.

func (*PolicySets) RemovePolicySet

func (s *PolicySets) RemovePolicySet(setId string)

RemovePolicySet is responsible for the removal of a Policy set.

type PolicySetsDataplane

type PolicySetsDataplane interface {
	AddOrReplacePolicySet(setId string, policy interface{})
	RemovePolicySet(setId string)
	NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
	GetPolicySetRules(setIds []string, isInbound, endOfTierDrop bool) (rules []*hns.ACLPolicy)
	ProcessIpSetUpdate(ipSetId string) []string
	NewHostRule(bool) *hns.ACLPolicy
}

PolicySetsDataplane is an interface for managing a plane of policySet objects.

type StaticRulesReader

type StaticRulesReader interface {
	ReadData() ([]byte, error)
}

StaticRulesReader is a wrapper for reading a file, so that a mock reader can be substituted in unit tests.
