Add an ability to choose IPAM policy

.golangci.yml

@@ -37,7 +37,7 @@ linters-settings:
     threshold: 150
   funlen:
     Lines: 175
-    Statements: 85
+    Statements: 90
   goconst:
     min-len: 2
     min-occurrences: 2

README.md

@@ -25,6 +25,7 @@ docker build .
 * `NSM_CONNECT_TO`               - url to connect to (default: "unix:///var/lib/networkservicemesh/nsm.io.sock")
 * `NSM_MAX_TOKEN_LIFETIME`       - maximum lifetime of tokens (default: "10m")
 * `NSM_REGISTRY_CLIENT_POLICIES` - paths to files and directories that contain registry client policies (default: "etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego")
+* `NSM_IPAM_POLICY`              - polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR (default: "polite")
 * `NSM_SERVICE_NAMES`            - Name of provided services (default: "icmp-responder")
 * `NSM_PAYLOAD`                  - Name of provided service payload (default: "ETHERNET")
 * `NSM_LABELS`                   - Endpoint labels

go.mod

@@ -8,8 +8,8 @@ require (
 	github.com/edwarnicke/grpcfd v1.1.4
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/networkservicemesh/api v1.13.4-0.20240815101554-fdbfcd84fd0e
-	github.com/networkservicemesh/sdk v0.5.1-0.20240819093036-ae25bb43f39a
-	github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199
+	github.com/networkservicemesh/sdk v0.5.1-0.20240820090035-6fad31a9f0aa
+	github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spiffe/go-spiffe/v2 v2.1.7

go.sum

@@ -105,10 +105,10 @@ github.com/miekg/dns v1.1.50 h1:DQUfb9uc6smULcREF09Uc+/Gd46YWqJd5DbpPE9xkcA=
 github.com/miekg/dns v1.1.50/go.mod h1:e3IlAVfNqAllflbibAZEWOXOQ+Ynzk/dDozDxY7XnME=
 github.com/networkservicemesh/api v1.13.4-0.20240815101554-fdbfcd84fd0e h1:Fs34ZZN+bujq5OQEQUpxm0gYQ3g7uSCkcKcoUt70Be0=
 github.com/networkservicemesh/api v1.13.4-0.20240815101554-fdbfcd84fd0e/go.mod h1:B8FmS3XZ7NZY7ZEtdcNg2NHYppDHlr4kl4eecdZN9eI=
-github.com/networkservicemesh/sdk v0.5.1-0.20240819093036-ae25bb43f39a h1:yGa3JaE4yLKzKTefxu/5sT7ESFmIxj2Ai0VnxvQ69co=
-github.com/networkservicemesh/sdk v0.5.1-0.20240819093036-ae25bb43f39a/go.mod h1:nz2VJ3l/UDvsEusdIZf7OMxC7zLrRCV1PuziPjxJeVE=
-github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199 h1:wUo1fWJAZ5RkW0FaZ1DekwOKKCe6zhjJrBcQdGGfUBw=
-github.com/networkservicemesh/sdk-sriov v0.0.0-20240819093621-8447a4a3f199/go.mod h1:pMxDdhmCcfwQFrtcljU5CmSFyrCMsbAlH6dZjb5BjGU=
+github.com/networkservicemesh/sdk v0.5.1-0.20240820090035-6fad31a9f0aa h1:+/bYBzySJJLgnCSjR8SLHsA+r6PYmAusUbka/W/bw5w=
+github.com/networkservicemesh/sdk v0.5.1-0.20240820090035-6fad31a9f0aa/go.mod h1:nz2VJ3l/UDvsEusdIZf7OMxC7zLrRCV1PuziPjxJeVE=
+github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101 h1:W5+jo/V7S24ll+GYyE6H+3pegDGyH1UYIAwRdbFRlq0=
+github.com/networkservicemesh/sdk-sriov v0.0.0-20240117141758-43f62c9df101/go.mod h1:Pc/BcobqUlQ6XhiirKc4d5biBLL8+BF2TAAFsjZWRXA=
 github.com/open-policy-agent/opa v0.44.0 h1:sEZthsrWBqIN+ShTMJ0Hcz6a3GkYsY4FaB2S/ou2hZk=
 github.com/open-policy-agent/opa v0.44.0/go.mod h1:YpJaFIk5pq89n/k72c1lVvfvR5uopdJft2tMg1CW/yU=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

internal/pkg/imports/imports_linux.go

@@ -25,6 +25,8 @@ import (
 	_ "github.com/networkservicemesh/sdk/pkg/networkservice/common/policyroute"
 	_ "github.com/networkservicemesh/sdk/pkg/networkservice/connectioncontext/dnscontext"
 	_ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/groupipam"
+	_ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+	_ "github.com/networkservicemesh/sdk/pkg/networkservice/ipam/strictipam"
 	_ "github.com/networkservicemesh/sdk/pkg/registry/chains/client"
 	_ "github.com/networkservicemesh/sdk/pkg/registry/common/authorize"
 	_ "github.com/networkservicemesh/sdk/pkg/registry/common/begin"
@@ -64,10 +66,12 @@ import (
 	_ "google.golang.org/grpc/credentials"
 	_ "google.golang.org/grpc/health/grpc_health_v1"
 	_ "gopkg.in/yaml.v2"
+	_ "net"
 	_ "net/url"
 	_ "os"
 	_ "os/signal"
 	_ "path/filepath"
+	_ "strings"
 	_ "sync/atomic"
 	_ "syscall"
 	_ "testing"

main.go

@@ -29,10 +29,12 @@ import (
 	"context"
 	"crypto/tls"
 	"fmt"
+	"net"
 	"net/url"
 	"os"
 	"os/signal"
 	"path/filepath"
+	"strings"
 	"sync/atomic"
 	"syscall"
 	"time"
@@ -65,6 +67,8 @@ import (
 	"github.com/networkservicemesh/sdk/pkg/networkservice/common/policyroute"
 	"github.com/networkservicemesh/sdk/pkg/networkservice/connectioncontext/dnscontext"
 	"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/groupipam"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/strictipam"
 	registryclient "github.com/networkservicemesh/sdk/pkg/registry/chains/client"
 	registryauthorize "github.com/networkservicemesh/sdk/pkg/registry/common/authorize"
 	"github.com/networkservicemesh/sdk/pkg/registry/common/clientinfo"
@@ -90,6 +94,7 @@ type Config struct {
 	ConnectTo              url.URL           `default:"unix:///var/lib/networkservicemesh/nsm.io.sock" desc:"url to connect to" split_words:"true"`
 	MaxTokenLifetime       time.Duration     `default:"10m" desc:"maximum lifetime of tokens" split_words:"true"`
 	RegistryClientPolicies []string          `default:"etc/nsm/opa/common/.*.rego,etc/nsm/opa/registry/.*.rego,etc/nsm/opa/client/.*.rego" desc:"paths to files and directories that contain registry client policies" split_words:"true"`
+	IPAMPolicy             ipamPolicyFunc    `default:"polite" desc:"defines NSE's IPAM Policy. Possible values: polite, strict. Polite policy accepts any addresses sent by client. Strict policy resets ip_context if any of the client's addresses doesn't match endpoint's CIDR." split_words:"true"`
 	ServiceNames           []string          `default:"icmp-responder" desc:"Name of provided services" split_words:"true"`
 	Payload                string            `default:"ETHERNET" desc:"Name of provided service payload" split_words:"true"`
 	Labels                 map[string]string `default:"" desc:"Endpoint labels"`
@@ -106,6 +111,23 @@ type Config struct {
 	PprofListenOn          string            `default:"localhost:6060" desc:"pprof URL to ListenAndServe" split_words:"true"`
 }
 
+type ipamPolicyFunc func(...*net.IPNet) networkservice.NetworkServiceServer
+
+// Decode takes a string IPAM Policy and returns the IPAM Policy func
+func (f *ipamPolicyFunc) Decode(policy string) error {
+	switch strings.ToLower(policy) {
+	case "strict":
+		*f = func(prefixes ...*net.IPNet) networkservice.NetworkServiceServer {
+			return strictipam.NewServer(point2pointipam.NewServer, prefixes...)
+		}
+		return nil
+	case "polite":
+		*f = point2pointipam.NewServer
+		return nil
+	}
+	return errors.Errorf("not a valid IPAM Policy: %s", policy)
+}
+
 // Process prints and processes env to config
 func (c *Config) Process() error {
 	if err := envconfig.Usage("nsm", c); err != nil {
@@ -223,7 +245,7 @@ func main() {
 		endpoint.WithAuthorizeServer(authorize.NewServer()),
 		endpoint.WithAdditionalFunctionality(
 			onidle.NewServer(ctx, cancel, config.IdleTimeout),
-			groupipam.NewServer(config.CidrPrefix),
+			groupipam.NewServer(config.CidrPrefix, groupipam.WithCustomIPAMServer(config.IPAMPolicy)),
 			policyroute.NewServer(newPolicyRoutesGetter(ctx, config.PBRConfigPath).Get),
 			mechanisms.NewServer(map[string]networkservice.NetworkServiceServer{
 				kernelmech.MECHANISM: kernel.NewServer(),