diff --git a/common/chains/npc.go b/common/chains/npc.go new file mode 100644 index 0000000000..1a9b9a3ddc --- /dev/null +++ b/common/chains/npc.go @@ -0,0 +1,12 @@ +package chains + +const ( + MainChain = "WEAVE-NPC" + DefaultChain = "WEAVE-NPC-DEFAULT" + IngressChain = "WEAVE-NPC-INGRESS" + + EgressChain = "WEAVE-NPC-EGRESS" + EgressDefaultChain = "WEAVE-NPC-EGRESS-DEFAULT" + EgressCustomChain = "WEAVE-NPC-EGRESS-CUSTOM" + EgressMarkChain = "WEAVE-NPC-EGRESS-ACCEPT" +) diff --git a/ipam/tracker/awsvpc.go b/ipam/tracker/awsvpc.go index fdd4f313c0..0e9d1e5ded 100644 --- a/ipam/tracker/awsvpc.go +++ b/ipam/tracker/awsvpc.go @@ -84,7 +84,7 @@ func NewAWSVPCTracker(bridgeName string) (*AWSVPCTracker, error) { func (t *AWSVPCTracker) HandleUpdate(prevRanges, currRanges []address.Range, local bool) error { t.debugf("replacing %q by %q; local(%t)", prevRanges, currRanges, local) - prev, curr := RemoveCommon(address.NewCIDRs(Merge(prevRanges)), address.NewCIDRs(Merge(currRanges))) + prev, curr := address.RemoveCommon(address.NewCIDRs(address.Merge(prevRanges)), address.NewCIDRs(address.Merge(currRanges))) // It might make sense to do the removal first and then add entries // because of the 50 routes limit. However, in such case a container might diff --git a/ipam/tracker/helpers_test.go b/ipam/tracker/helpers_test.go deleted file mode 100644 index dce74eecd7..0000000000 --- a/ipam/tracker/helpers_test.go +++ /dev/null @@ -1,52 +0,0 @@ -package tracker - -import ( - "testing" - - "github.com/stretchr/testify/require" - - "github.com/weaveworks/weave/net/address" -) - -var ( - r0to127 = cidr("10.0.0.0", "10.0.0.127") - r128to255 = cidr("10.0.0.128", "10.0.0.255") - r0to255 = cidr("10.0.0.0", "10.0.0.255") - r1dot0to255 = cidr("10.0.1.0", "10.0.1.255") - r2dot0to255 = cidr("10.0.2.0", "10.0.2.255") -) - -func TestRemoveCommon(t *testing.T) { - a := []address.CIDR{r0to127, r1dot0to255} - b := []address.CIDR{r1dot0to255, r2dot0to255} - newA, newB := RemoveCommon(a, b) - require.Equal(t, []address.CIDR{r0to127}, newA) - require.Equal(t, []address.CIDR{r2dot0to255}, newB) -} - -func TestMerge(t *testing.T) { - ranges := []address.Range{ - r0to127.Range(), - r128to255.Range(), - r2dot0to255.Range(), - } - require.Equal(t, []address.Range{r0to255.Range(), r2dot0to255.Range()}, Merge(ranges)) -} - -// Helper - -// TODO(mp) DRY with helpers of other tests. - -func ip(s string) address.Address { - addr, _ := address.ParseIP(s) - return addr -} - -// [start; end] -func cidr(start, end string) address.CIDR { - c := address.Range{Start: ip(start), End: ip(end) + 1}.CIDRs() - if len(c) != 1 { - panic("invalid cidr") - } - return c[0] -} diff --git a/ipam/tracker/helpers.go b/net/address/helpers.go similarity index 78% rename from ipam/tracker/helpers.go rename to net/address/helpers.go index b882300725..920e90874a 100644 --- a/ipam/tracker/helpers.go +++ b/net/address/helpers.go @@ -1,13 +1,9 @@ -package tracker - -import ( - "github.com/weaveworks/weave/net/address" -) +package address // Merge merges adjacent range entries. // The given slice has to be sorted in increasing order. -func Merge(r []address.Range) []address.Range { - var merged []address.Range +func Merge(r []Range) []Range { + var merged []Range for i := range r { if prev := len(merged) - 1; prev >= 0 && merged[prev].End == r[i].Start { @@ -22,7 +18,7 @@ func Merge(r []address.Range) []address.Range { // RemoveCommon filters out CIDR ranges which are contained in both a and b slices. // Both slices have to be sorted in increasing order. -func RemoveCommon(a, b []address.CIDR) (newA, newB []address.CIDR) { +func RemoveCommon(a, b []CIDR) (newA, newB []CIDR) { i, j := 0, 0 for i < len(a) && j < len(b) { diff --git a/net/address/helpers_test.go b/net/address/helpers_test.go new file mode 100644 index 0000000000..2ebd2d317e --- /dev/null +++ b/net/address/helpers_test.go @@ -0,0 +1,43 @@ +package address + +import ( + "testing" + + "github.com/stretchr/testify/require" +) + +var ( + r0to127 = cidr2("10.0.0.0", "10.0.0.127") + r128to255 = cidr2("10.0.0.128", "10.0.0.255") + r0to255 = cidr2("10.0.0.0", "10.0.0.255") + r1dot0to255 = cidr2("10.0.1.0", "10.0.1.255") + r2dot0to255 = cidr2("10.0.2.0", "10.0.2.255") +) + +func TestRemoveCommon(t *testing.T) { + a := []CIDR{r0to127, r1dot0to255} + b := []CIDR{r1dot0to255, r2dot0to255} + newA, newB := RemoveCommon(a, b) + require.Equal(t, []CIDR{r0to127}, newA) + require.Equal(t, []CIDR{r2dot0to255}, newB) +} + +func TestMerge(t *testing.T) { + ranges := []Range{ + r0to127.Range(), + r128to255.Range(), + r2dot0to255.Range(), + } + require.Equal(t, []Range{r0to255.Range(), r2dot0to255.Range()}, Merge(ranges)) +} + +// Helper + +// [start; end] +func cidr2(start, end string) CIDR { + c := Range{Start: ip(start), End: ip(end) + 1}.CIDRs() + if len(c) != 1 { + panic("invalid cidr") + } + return c[0] +} diff --git a/net/bridge.go b/net/bridge.go index 268e70c18c..bcad3a3186 100644 --- a/net/bridge.go +++ b/net/bridge.go @@ -11,14 +11,12 @@ import ( "github.com/pkg/errors" "github.com/sirupsen/logrus" "github.com/vishvananda/netlink" - "k8s.io/apimachinery/pkg/types" "github.com/weaveworks/weave/common" + "github.com/weaveworks/weave/common/chains" "github.com/weaveworks/weave/common/odp" - "github.com/weaveworks/weave/ipam/tracker" "github.com/weaveworks/weave/net/address" "github.com/weaveworks/weave/net/ipset" - "github.com/weaveworks/weave/npc" ) /* This code implements three possible configurations to connect @@ -513,12 +511,12 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error { if config.NPC { // Steer traffic via the NPC. - if err = ensureChains(ipt, "filter", npc.MainChain, npc.EgressChain); err != nil { + if err = ensureChains(ipt, "filter", chains.MainChain, chains.EgressChain); err != nil { return err } // Steer egress traffic destined to local node. - if err = ipt.AppendUnique("filter", "INPUT", "-i", config.WeaveBridgeName, "-j", npc.EgressChain); err != nil { + if err = ipt.AppendUnique("filter", "INPUT", "-i", config.WeaveBridgeName, "-j", chains.EgressChain); err != nil { return err } fwdRules = append(fwdRules, @@ -527,11 +525,11 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error { // ACCEPT in WEAVE-NPC-EGRESS chain {"-i", config.WeaveBridgeName, "-m", "comment", "--comment", "NOTE: this must go before '-j KUBE-FORWARD'", - "-j", npc.EgressChain}, + "-j", chains.EgressChain}, // The following rules are for ingress NPC processing {"-o", config.WeaveBridgeName, "-m", "comment", "--comment", "NOTE: this must go before '-j KUBE-FORWARD'", - "-j", npc.MainChain}, + "-j", chains.MainChain}, {"-o", config.WeaveBridgeName, "-m", "state", "--state", "NEW", "-j", "NFLOG", "--nflog-group", "86"}, {"-o", config.WeaveBridgeName, "-j", "DROP"}, }...) @@ -588,13 +586,13 @@ func ConfigureIPTables(config *BridgeConfig, ips ipset.Interface) error { type NoMasqLocalTracker struct { ips ipset.Interface - owner types.UID + owner ipset.UID } func NewNoMasqLocalTracker(ips ipset.Interface) *NoMasqLocalTracker { return &NoMasqLocalTracker{ ips: ips, - owner: types.UID(0), // dummy ipset owner + owner: ipset.UID(0), // dummy ipset owner } } @@ -607,9 +605,9 @@ func (t *NoMasqLocalTracker) HandleUpdate(prevRanges, currRanges []address.Range return nil } - prev, curr := tracker.RemoveCommon( - address.NewCIDRs(tracker.Merge(prevRanges)), - address.NewCIDRs(tracker.Merge(currRanges))) + prev, curr := address.RemoveCommon( + address.NewCIDRs(address.Merge(prevRanges)), + address.NewCIDRs(address.Merge(currRanges))) for _, cidr := range curr { if err := t.ips.AddEntry(t.owner, NoMasqLocalIpset, cidr.String(), ""); err != nil { diff --git a/net/ipset/ipset.go b/net/ipset/ipset.go index 4c0b748160..c835a8b21d 100644 --- a/net/ipset/ipset.go +++ b/net/ipset/ipset.go @@ -9,13 +9,14 @@ import ( "strings" "github.com/pkg/errors" - "k8s.io/apimachinery/pkg/types" ) type Name string type Type string +type UID string + const ( ListSet = Type("list:set") HashIP = Type("hash:ip") @@ -24,9 +25,9 @@ const ( type Interface interface { Create(ipsetName Name, ipsetType Type) error - AddEntry(user types.UID, ipsetName Name, entry string, comment string) error - DelEntry(user types.UID, ipsetName Name, entry string) error - EntryExists(user types.UID, ipsetName Name, entry string) bool + AddEntry(user UID, ipsetName Name, entry string, comment string) error + DelEntry(user UID, ipsetName Name, entry string) error + EntryExists(user UID, ipsetName Name, entry string) bool Exists(ipsetName Name) (bool, error) Flush(ipsetName Name) error Destroy(ipsetName Name) error @@ -50,7 +51,7 @@ type ipset struct { // There might be multiple users for the same ipset & entry pair because // events from k8s API server might be out of order causing duplicate IPs: // https://github.com/weaveworks/weave/issues/2792. - users map[entryKey]map[types.UID]struct{} + users map[entryKey]map[UID]struct{} } func New(logger *log.Logger, maxListSize int) Interface { @@ -58,7 +59,7 @@ func New(logger *log.Logger, maxListSize int) Interface { Logger: logger, enableComments: true, maxListSize: maxListSize, - users: make(map[entryKey]map[types.UID]struct{}), + users: make(map[entryKey]map[UID]struct{}), } // Check for comment support @@ -94,7 +95,7 @@ func (i *ipset) Create(ipsetName Name, ipsetType Type) error { return doExec(args...) } -func (i *ipset) AddEntry(user types.UID, ipsetName Name, entry string, comment string) error { +func (i *ipset) AddEntry(user UID, ipsetName Name, entry string, comment string) error { i.Logger.Printf("adding entry %s to %s of %s", entry, ipsetName, user) if !i.addUser(user, ipsetName, entry) { // already in the set @@ -110,7 +111,7 @@ func (i *ipset) AddEntry(user types.UID, ipsetName Name, entry string, comment s return doExec(args...) } -func (i *ipset) DelEntry(user types.UID, ipsetName Name, entry string) error { +func (i *ipset) DelEntry(user UID, ipsetName Name, entry string) error { i.Logger.Printf("deleting entry %s from %s of %s", entry, ipsetName, user) if !i.delUser(user, ipsetName, entry) { // still needed @@ -122,7 +123,7 @@ func (i *ipset) DelEntry(user types.UID, ipsetName Name, entry string) error { return doExec("del", string(ipsetName), entry) } -func (i *ipset) EntryExists(user types.UID, ipsetName Name, entry string) bool { +func (i *ipset) EntryExists(user UID, ipsetName Name, entry string) bool { return i.existUser(user, ipsetName, entry) } @@ -146,7 +147,7 @@ func (i *ipset) Flush(ipsetName Name) error { } func (i *ipset) FlushAll() error { - i.users = make(map[entryKey]map[types.UID]struct{}) + i.users = make(map[entryKey]map[UID]struct{}) return doExec("flush") } @@ -156,7 +157,7 @@ func (i *ipset) Destroy(ipsetName Name) error { } func (i *ipset) DestroyAll() error { - i.users = make(map[entryKey]map[types.UID]struct{}) + i.users = make(map[entryKey]map[UID]struct{}) return doExec("destroy") } @@ -179,12 +180,12 @@ func (i *ipset) List(prefix string) ([]Name, error) { } // Returns true if entry does not exist in ipset (entry has to be inserted into ipset). -func (i *ipset) addUser(user types.UID, ipsetName Name, entry string) bool { +func (i *ipset) addUser(user UID, ipsetName Name, entry string) bool { k := entryKey{ipsetName, entry} add := false if i.users[k] == nil { - i.users[k] = make(map[types.UID]struct{}) + i.users[k] = make(map[UID]struct{}) } if len(i.users[k]) == 0 { add = true @@ -195,7 +196,7 @@ func (i *ipset) addUser(user types.UID, ipsetName Name, entry string) bool { } // Returns true if user is the last owner of entry (entry has to be removed from ipset). -func (i *ipset) delUser(user types.UID, ipsetName Name, entry string) bool { +func (i *ipset) delUser(user UID, ipsetName Name, entry string) bool { k := entryKey{ipsetName, entry} oneLeft := len(i.users[k]) == 1 @@ -208,7 +209,7 @@ func (i *ipset) delUser(user types.UID, ipsetName Name, entry string) bool { return oneLeft && (len(i.users[k]) == 0) } -func (i *ipset) existUser(user types.UID, ipsetName Name, entry string) bool { +func (i *ipset) existUser(user UID, ipsetName Name, entry string) bool { _, ok := i.users[entryKey{ipsetName, entry}][user] return ok } diff --git a/npc/constants.go b/npc/constants.go index 6c94dcc9fc..07185f2c22 100644 --- a/npc/constants.go +++ b/npc/constants.go @@ -2,16 +2,7 @@ package npc const ( TableFilter = "filter" - - MainChain = "WEAVE-NPC" - DefaultChain = "WEAVE-NPC-DEFAULT" - IngressChain = "WEAVE-NPC-INGRESS" - - EgressChain = "WEAVE-NPC-EGRESS" - EgressDefaultChain = "WEAVE-NPC-EGRESS-DEFAULT" - EgressCustomChain = "WEAVE-NPC-EGRESS-CUSTOM" - EgressMarkChain = "WEAVE-NPC-EGRESS-ACCEPT" - EgressMark = "0x40000/0x40000" + EgressMark = "0x40000/0x40000" IpsetNamePrefix = "weave-" diff --git a/npc/controller.go b/npc/controller.go index ecba6056d0..09a7556f85 100644 --- a/npc/controller.go +++ b/npc/controller.go @@ -12,6 +12,7 @@ import ( "k8s.io/client-go/kubernetes" "github.com/weaveworks/weave/common" + "github.com/weaveworks/weave/common/chains" "github.com/weaveworks/weave/net/ipset" "github.com/weaveworks/weave/npc/iptables" ) @@ -62,7 +63,7 @@ func (npc *controller) onNewNsSelector(selector *selector) error { for _, ns := range npc.nss { if ns.namespace != nil { if selector.matchesNamespaceSelector(ns.namespace.ObjectMeta.Labels) { - if err := selector.addEntry(ns.namespace.ObjectMeta.UID, string(ns.allPods.ipsetName), namespaceComment(ns)); err != nil { + if err := selector.addEntry(nsuid(ns.namespace), string(ns.allPods.ipsetName), namespaceComment(ns)); err != nil { return err } } @@ -77,7 +78,7 @@ func (npc *controller) onNewNamespacePodsSelector(selector *selector) error { for _, pod := range ns.pods { if hasIP(pod) { if selector.matchesNamespacedPodSelector(pod.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels) { - if err := selector.addEntry(pod.ObjectMeta.UID, pod.Status.PodIP, podComment(pod)); err != nil { + if err := selector.addEntry(uid(pod), pod.Status.PodIP, podComment(pod)); err != nil { return err } @@ -157,7 +158,7 @@ func (npc *controller) AddNetworkPolicy(obj interface{}) error { } if egressNetworkPolicy { npc.defaultEgressDrop = true - if err := npc.ipt.Append(TableFilter, EgressChain, + if err := npc.ipt.Append(TableFilter, chains.EgressChain, "-m", "mark", "!", "--mark", EgressMark, "-j", "DROP"); err != nil { npc.defaultEgressDrop = false return fmt.Errorf("Failed to add iptable rule to drop egress traffic from the pods by default due to %s", err.Error()) @@ -262,3 +263,11 @@ func isEgressNetworkPolicy(obj interface{}) (bool, error) { } return false, errInvalidNetworkPolicyObjType } + +func uid(pod *coreapi.Pod) ipset.UID { + return ipset.UID(pod.UID) +} + +func nsuid(ns *coreapi.Namespace) ipset.UID { + return ipset.UID(ns.UID) +} diff --git a/npc/controller_test.go b/npc/controller_test.go index 618e453c7e..cf78241d24 100644 --- a/npc/controller_test.go +++ b/npc/controller_test.go @@ -8,11 +8,11 @@ import ( "github.com/pkg/errors" "github.com/stretchr/testify/require" + "github.com/weaveworks/weave/common/chains" "github.com/weaveworks/weave/net/ipset" coreapi "k8s.io/api/core/v1" networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/client-go/kubernetes/fake" ) @@ -20,7 +20,7 @@ import ( type mockSet struct { name ipset.Name setType ipset.Type - subSets map[string]map[types.UID]bool + subSets map[string]map[ipset.UID]bool } type mockIPSet struct { @@ -35,17 +35,17 @@ func (i *mockIPSet) Create(ipsetName ipset.Name, ipsetType ipset.Type) error { if _, ok := i.sets[string(ipsetName)]; ok { return errors.Errorf("ipset %s already exists", ipsetName) } - i.sets[string(ipsetName)] = mockSet{name: ipsetName, setType: ipsetType, subSets: make(map[string]map[types.UID]bool)} + i.sets[string(ipsetName)] = mockSet{name: ipsetName, setType: ipsetType, subSets: make(map[string]map[ipset.UID]bool)} return nil } -func (i *mockIPSet) AddEntry(user types.UID, ipsetName ipset.Name, entry string, comment string) error { +func (i *mockIPSet) AddEntry(user ipset.UID, ipsetName ipset.Name, entry string, comment string) error { log.Printf("adding entry %s to %s for %s", entry, ipsetName, user) if _, ok := i.sets[string(ipsetName)]; !ok { return errors.Errorf("%s does not exist", entry) } if i.sets[string(ipsetName)].subSets[entry] == nil { - i.sets[string(ipsetName)].subSets[entry] = make(map[types.UID]bool) + i.sets[string(ipsetName)].subSets[entry] = make(map[ipset.UID]bool) } if _, ok := i.sets[string(ipsetName)].subSets[entry][user]; ok { return errors.Errorf("user %s already owns entry %s", user, entry) @@ -55,7 +55,7 @@ func (i *mockIPSet) AddEntry(user types.UID, ipsetName ipset.Name, entry string, return nil } -func (i *mockIPSet) DelEntry(user types.UID, ipsetName ipset.Name, entry string) error { +func (i *mockIPSet) DelEntry(user ipset.UID, ipsetName ipset.Name, entry string) error { log.Printf("deleting entry %s from %s for %s", entry, ipsetName, user) if _, ok := i.sets[string(ipsetName)]; !ok { return errors.Errorf("ipset %s does not exist", ipsetName) @@ -72,7 +72,7 @@ func (i *mockIPSet) DelEntry(user types.UID, ipsetName ipset.Name, entry string) return nil } -func (i *mockIPSet) EntryExists(user types.UID, ipsetName ipset.Name, entry string) bool { +func (i *mockIPSet) EntryExists(user ipset.UID, ipsetName ipset.Name, entry string) bool { _, ok := i.sets[string(ipsetName)].subSets[entry][user] return ok } @@ -428,7 +428,7 @@ func TestOutOfOrderPodEvents(t *testing.T) { // Should be in default-allow as no netpol selects podBar require.True(t, m.entriesExist(ingressDefaultAllowIPSetName, podIP)) - require.True(t, m.EntryExists(podBar.ObjectMeta.UID, ingressDefaultAllowIPSetName, podIP)) + require.True(t, m.EntryExists(uid(podBar), ingressDefaultAllowIPSetName, podIP)) // Should be in run=bar ipset require.True(t, m.entriesExist(runBarIPSetName, podIP)) @@ -582,8 +582,8 @@ func TestEgressPolicyWithIPBlock(t *testing.T) { require.True(t, m.entriesExist(exceptIPSetName, "192.168.48.2/32")) // Each egress rule is represented as two iptables rules (-J MARK and -J RETURN). - require.Equal(t, 2, len(ipt.rules[EgressCustomChain])) - for rule := range ipt.rules[EgressCustomChain] { + require.Equal(t, 2, len(ipt.rules[chains.EgressCustomChain])) + for rule := range ipt.rules[chains.EgressCustomChain] { require.Contains(t, rule, "-d 192.168.48.0/24 -m set ! --match-set "+exceptIPSetName+" dst") } @@ -690,8 +690,8 @@ func TestIngressPolicyWithIPBlockAndPortSpecified(t *testing.T) { require.Equal(t, 1, len(m.sets[runBarIPSetName].subSets)) require.True(t, m.entriesExist(runBarIPSetName, barPodIP)) - require.Equal(t, 1, len(ipt.rules[IngressChain])) - for rule := range ipt.rules[IngressChain] { + require.Equal(t, 1, len(ipt.rules[chains.IngressChain])) + for rule := range ipt.rules[chains.IngressChain] { require.Contains(t, rule, "-s 192.168.48.4/32 -m set --match-set "+runBarIPSetName+" dst --dport 80") } } diff --git a/npc/ipblock.go b/npc/ipblock.go index 7d2579d058..0c66a22ef7 100644 --- a/npc/ipblock.go +++ b/npc/ipblock.go @@ -6,7 +6,6 @@ import ( "strings" networkingv1 "k8s.io/api/networking/v1" - "k8s.io/apimachinery/pkg/types" "github.com/weaveworks/weave/common" "github.com/weaveworks/weave/net/ipset" @@ -51,17 +50,17 @@ func (spec *ipBlockSpec) getRuleSpec(src bool) ([]string, string) { type ipBlockSet struct { ips ipset.Interface - users map[string]map[types.UID]struct{} + users map[string]map[ipset.UID]struct{} } func newIPBlockSet(ips ipset.Interface) *ipBlockSet { return &ipBlockSet{ ips: ips, - users: make(map[string]map[types.UID]struct{}), + users: make(map[string]map[ipset.UID]struct{}), } } -func (s *ipBlockSet) deprovision(user types.UID, current, desired map[string]*ipBlockSpec) error { +func (s *ipBlockSet) deprovision(user ipset.UID, current, desired map[string]*ipBlockSpec) error { for key, spec := range current { if key == "" { continue @@ -83,7 +82,7 @@ func (s *ipBlockSet) deprovision(user types.UID, current, desired map[string]*ip return nil } -func (s *ipBlockSet) provision(user types.UID, current, desired map[string]*ipBlockSpec) (err error) { +func (s *ipBlockSet) provision(user ipset.UID, current, desired map[string]*ipBlockSpec) (err error) { for key, spec := range desired { if key == "" { // No need to provision an ipBlock with empty list of excepted CIDRs @@ -106,7 +105,7 @@ func (s *ipBlockSet) provision(user types.UID, current, desired map[string]*ipBl } } - s.users[key] = make(map[types.UID]struct{}) + s.users[key] = make(map[ipset.UID]struct{}) } s.users[key][user] = struct{}{} } diff --git a/npc/namespace.go b/npc/namespace.go index 6423b4cdf9..c9184cff13 100644 --- a/npc/namespace.go +++ b/npc/namespace.go @@ -8,10 +8,10 @@ import ( extnapi "k8s.io/api/extensions/v1beta1" networkingv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/uuid" "github.com/weaveworks/weave/common" + "github.com/weaveworks/weave/common/chains" "github.com/weaveworks/weave/net/ipset" "github.com/weaveworks/weave/npc/iptables" ) @@ -25,10 +25,10 @@ type ns struct { name string // k8s Namespace name nodeName string // my node name namespace *coreapi.Namespace // k8s Namespace object - pods map[types.UID]*coreapi.Pod // k8s Pod objects by UID - policies map[types.UID]interface{} // k8s NetworkPolicy objects by UID + pods map[ipset.UID]*coreapi.Pod // k8s Pod objects by UID + policies map[ipset.UID]interface{} // k8s NetworkPolicy objects by UID - uid types.UID // surrogate UID to own allPods selector + uid ipset.UID // surrogate UID to own allPods selector allPods *selectorSpec // hash:ip ipset of all pod IPs in this namespace // stores IP addrs of pods which are not selected by any target podSelector of @@ -56,9 +56,9 @@ func newNS(name, nodeName string, ipt iptables.Interface, ips ipset.Interface, n name: name, namespace: namespaceObj, nodeName: nodeName, - pods: make(map[types.UID]*coreapi.Pod), - policies: make(map[types.UID]interface{}), - uid: uuid.NewUUID(), + pods: make(map[ipset.UID]*coreapi.Pod), + policies: make(map[ipset.UID]interface{}), + uid: ipset.UID(uuid.NewUUID()), allPods: allPods, nsSelectors: nsSelectors, namespacedPodsSelectors: namespacedPodsSelectors, @@ -99,7 +99,7 @@ func (ns *ns) onNewPodSelector(selector *selector) error { for _, pod := range ns.pods { if hasIP(pod) { if selector.matchesPodSelector(pod.ObjectMeta.Labels) { - if err := selector.addEntry(pod.ObjectMeta.UID, pod.Status.PodIP, podComment(pod)); err != nil { + if err := selector.addEntry(uid(pod), pod.Status.PodIP, podComment(pod)); err != nil { return err } @@ -115,7 +115,7 @@ func (ns *ns) onNewTargetPodSelector(selector *selector, policyType policyType) // Remove the pod from default-allow if dst podselector matches the pod ipset := ns.defaultAllowIPSetName(policyType) if selector.matchesPodSelector(pod.ObjectMeta.Labels) { - if err := ns.ips.DelEntry(pod.ObjectMeta.UID, ipset, pod.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(pod), ipset, pod.Status.PodIP); err != nil { return err } } @@ -151,7 +151,7 @@ func (ns *ns) addToDefaultAllowIfNoMatching(pod *coreapi.Pod, policyType policyT } if !found { ipset := ns.defaultAllowIPSetName(policyType) - if err := ns.ips.AddEntry(pod.ObjectMeta.UID, ipset, pod.Status.PodIP, podComment(pod)); err != nil { + if err := ns.ips.AddEntry(uid(pod), ipset, pod.Status.PodIP, podComment(pod)); err != nil { return err } } @@ -166,29 +166,29 @@ func (ns *ns) checkLocalPod(obj *coreapi.Pod) bool { } func (ns *ns) addPod(obj *coreapi.Pod) error { - ns.pods[obj.ObjectMeta.UID] = obj + ns.pods[uid(obj)] = obj if !hasIP(obj) { return nil } - foundIngress, foundEgress, err := ns.podSelectors.addToMatchingPodSelector(obj.ObjectMeta.UID, obj.ObjectMeta.Labels, obj.Status.PodIP, podComment(obj)) + foundIngress, foundEgress, err := ns.podSelectors.addToMatchingPodSelector(uid(obj), obj.ObjectMeta.Labels, obj.Status.PodIP, podComment(obj)) if err != nil { return err } // If there are no matching target selectors, add the pod to default-allow if !foundIngress { - if err := ns.ips.AddEntry(obj.ObjectMeta.UID, ns.ingressDefaultAllowIPSet, obj.Status.PodIP, podComment(obj)); err != nil { + if err := ns.ips.AddEntry(uid(obj), ns.ingressDefaultAllowIPSet, obj.Status.PodIP, podComment(obj)); err != nil { return err } } if !foundEgress { - if err := ns.ips.AddEntry(obj.ObjectMeta.UID, ns.egressDefaultAllowIPSet, obj.Status.PodIP, podComment(obj)); err != nil { + if err := ns.ips.AddEntry(uid(obj), ns.egressDefaultAllowIPSet, obj.Status.PodIP, podComment(obj)); err != nil { return err } } - err = ns.namespacedPodsSelectors.addToMatchingNamespacedPodSelector(obj.ObjectMeta.UID, obj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, obj.Status.PodIP, podComment(obj)) + err = ns.namespacedPodsSelectors.addToMatchingNamespacedPodSelector(uid(obj), obj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, obj.Status.PodIP, podComment(obj)) if err != nil { return err } @@ -197,44 +197,44 @@ func (ns *ns) addPod(obj *coreapi.Pod) error { } func (ns *ns) updatePod(oldObj, newObj *coreapi.Pod) error { - delete(ns.pods, oldObj.ObjectMeta.UID) - ns.pods[newObj.ObjectMeta.UID] = newObj + delete(ns.pods, uid(oldObj)) + ns.pods[uid(newObj)] = newObj if !hasIP(oldObj) && !hasIP(newObj) { return nil } if hasIP(oldObj) && !hasIP(newObj) { - if err := ns.ips.DelEntry(oldObj.ObjectMeta.UID, ns.ingressDefaultAllowIPSet, oldObj.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(oldObj), ns.ingressDefaultAllowIPSet, oldObj.Status.PodIP); err != nil { return err } - if err := ns.ips.DelEntry(oldObj.ObjectMeta.UID, ns.egressDefaultAllowIPSet, oldObj.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(oldObj), ns.egressDefaultAllowIPSet, oldObj.Status.PodIP); err != nil { return err } - if err := ns.namespacedPodsSelectors.delFromMatchingNamespacedPodSelector(oldObj.ObjectMeta.UID, oldObj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, oldObj.Status.PodIP); err != nil { + if err := ns.namespacedPodsSelectors.delFromMatchingNamespacedPodSelector(uid(oldObj), oldObj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, oldObj.Status.PodIP); err != nil { return err } - return ns.podSelectors.delFromMatchingPodSelector(oldObj.ObjectMeta.UID, oldObj.ObjectMeta.Labels, oldObj.Status.PodIP) + return ns.podSelectors.delFromMatchingPodSelector(uid(oldObj), oldObj.ObjectMeta.Labels, oldObj.Status.PodIP) } if !hasIP(oldObj) && hasIP(newObj) { - foundIngress, foundEgress, err := ns.podSelectors.addToMatchingPodSelector(newObj.ObjectMeta.UID, newObj.ObjectMeta.Labels, newObj.Status.PodIP, podComment(newObj)) + foundIngress, foundEgress, err := ns.podSelectors.addToMatchingPodSelector(uid(newObj), newObj.ObjectMeta.Labels, newObj.Status.PodIP, podComment(newObj)) if err != nil { return err } if !foundIngress { - if err := ns.ips.AddEntry(newObj.ObjectMeta.UID, ns.ingressDefaultAllowIPSet, newObj.Status.PodIP, podComment(newObj)); err != nil { + if err := ns.ips.AddEntry(uid(newObj), ns.ingressDefaultAllowIPSet, newObj.Status.PodIP, podComment(newObj)); err != nil { return err } } if !foundEgress { - if err := ns.ips.AddEntry(newObj.ObjectMeta.UID, ns.egressDefaultAllowIPSet, newObj.Status.PodIP, podComment(newObj)); err != nil { + if err := ns.ips.AddEntry(uid(newObj), ns.egressDefaultAllowIPSet, newObj.Status.PodIP, podComment(newObj)); err != nil { return err } } - err = ns.namespacedPodsSelectors.addToMatchingNamespacedPodSelector(newObj.ObjectMeta.UID, newObj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, newObj.Status.PodIP, podComment(newObj)) + err = ns.namespacedPodsSelectors.addToMatchingNamespacedPodSelector(uid(newObj), newObj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, newObj.Status.PodIP, podComment(newObj)) if err != nil { return err } @@ -261,12 +261,12 @@ func (ns *ns) updatePod(oldObj, newObj *coreapi.Pod) error { continue } if oldMatch { - if err := ps.delEntry(oldObj.ObjectMeta.UID, oldObj.Status.PodIP); err != nil { + if err := ps.delEntry(uid(oldObj), oldObj.Status.PodIP); err != nil { return err } } if newMatch { - if err := ps.addEntry(newObj.ObjectMeta.UID, newObj.Status.PodIP, podComment(newObj)); err != nil { + if err := ps.addEntry(uid(newObj), newObj.Status.PodIP, podComment(newObj)); err != nil { return err } } @@ -285,12 +285,12 @@ func (ns *ns) updatePod(oldObj, newObj *coreapi.Pod) error { continue } if oldMatch { - if err := ps.delEntry(oldObj.ObjectMeta.UID, oldObj.Status.PodIP); err != nil { + if err := ps.delEntry(uid(oldObj), oldObj.Status.PodIP); err != nil { return err } } if newMatch { - if err := ps.addEntry(newObj.ObjectMeta.UID, newObj.Status.PodIP, podComment(newObj)); err != nil { + if err := ps.addEntry(uid(newObj), newObj.Status.PodIP, podComment(newObj)); err != nil { return err } } @@ -305,7 +305,7 @@ func (ns *ns) addOrRemoveToDefaultAllowIPSet(ps *selector, oldObj, newObj *corea if ns.podSelectors.targetSelectorExist(ps, policyType) { switch { case !oldMatch && newMatch: - if err := ns.ips.DelEntry(oldObj.ObjectMeta.UID, ipset, oldObj.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(oldObj), ipset, oldObj.Status.PodIP); err != nil { return err } case oldMatch && !newMatch: @@ -318,22 +318,22 @@ func (ns *ns) addOrRemoveToDefaultAllowIPSet(ps *selector, oldObj, newObj *corea } func (ns *ns) deletePod(obj *coreapi.Pod) error { - delete(ns.pods, obj.ObjectMeta.UID) + delete(ns.pods, uid(obj)) if !hasIP(obj) { return nil } - if err := ns.ips.DelEntry(obj.ObjectMeta.UID, ns.ingressDefaultAllowIPSet, obj.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(obj), ns.ingressDefaultAllowIPSet, obj.Status.PodIP); err != nil { return err } - if err := ns.ips.DelEntry(obj.ObjectMeta.UID, ns.egressDefaultAllowIPSet, obj.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(obj), ns.egressDefaultAllowIPSet, obj.Status.PodIP); err != nil { return err } - if err := ns.podSelectors.delFromMatchingPodSelector(obj.ObjectMeta.UID, obj.ObjectMeta.Labels, obj.Status.PodIP); err != nil { + if err := ns.podSelectors.delFromMatchingPodSelector(uid(obj), obj.ObjectMeta.Labels, obj.Status.PodIP); err != nil { return err } - if err := ns.namespacedPodsSelectors.delFromMatchingNamespacedPodSelector(obj.ObjectMeta.UID, obj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, obj.Status.PodIP); err != nil { + if err := ns.namespacedPodsSelectors.delFromMatchingNamespacedPodSelector(uid(obj), obj.ObjectMeta.Labels, ns.namespace.ObjectMeta.Labels, obj.Status.PodIP); err != nil { return err } return nil @@ -441,12 +441,12 @@ func (ns *ns) updateDefaultAllowIPSetEntry(oldObj, newObj *coreapi.Pod, ipsetNam // Instead of iterating over all selectors we check whether old pod IP // has been inserted into default-allow ipset to decide whether the IP // in the ipset has to be updated. - if ns.ips.EntryExists(oldObj.ObjectMeta.UID, ipsetName, oldObj.Status.PodIP) { + if ns.ips.EntryExists(uid(oldObj), ipsetName, oldObj.Status.PodIP) { - if err := ns.ips.DelEntry(oldObj.ObjectMeta.UID, ipsetName, oldObj.Status.PodIP); err != nil { + if err := ns.ips.DelEntry(uid(oldObj), ipsetName, oldObj.Status.PodIP); err != nil { return err } - if err := ns.ips.AddEntry(newObj.ObjectMeta.UID, ipsetName, newObj.Status.PodIP, podComment(newObj)); err != nil { + if err := ns.ips.AddEntry(uid(newObj), ipsetName, newObj.Status.PodIP, podComment(newObj)); err != nil { return err } } @@ -455,12 +455,12 @@ func (ns *ns) updateDefaultAllowIPSetEntry(oldObj, newObj *coreapi.Pod, ipsetNam func bypassRules(namespace string, ingress, egress ipset.Name) map[string][][]string { return map[string][][]string{ - DefaultChain: { + chains.DefaultChain: { {"-m", "set", "--match-set", string(ingress), "dst", "-j", "ACCEPT", "-m", "comment", "--comment", "DefaultAllow ingress isolation for namespace: " + namespace}, }, - EgressDefaultChain: { - {"-m", "set", "--match-set", string(egress), "src", "-j", EgressMarkChain, + chains.EgressDefaultChain: { + {"-m", "set", "--match-set", string(egress), "src", "-j", chains.EgressMarkChain, "-m", "comment", "--comment", "DefaultAllow egress isolation for namespace: " + namespace}, {"-m", "set", "--match-set", string(egress), "src", "-j", "RETURN", "-m", "comment", "--comment", "DefaultAllow egress isolation for namespace: " + namespace}, @@ -503,7 +503,7 @@ func (ns *ns) addNamespace(obj *coreapi.Namespace) error { } // Add namespace ipset to matching namespace selectors - err := ns.nsSelectors.addToMatchingNamespaceSelector(obj.ObjectMeta.UID, obj.ObjectMeta.Labels, string(ns.allPods.ipsetName), namespaceComment(ns)) + err := ns.nsSelectors.addToMatchingNamespaceSelector(nsuid(obj), obj.ObjectMeta.Labels, string(ns.allPods.ipsetName), namespaceComment(ns)) return err } @@ -519,12 +519,12 @@ func (ns *ns) updateNamespace(oldObj, newObj *coreapi.Namespace) error { continue } if oldMatch { - if err := selector.delEntry(ns.namespace.ObjectMeta.UID, string(ns.allPods.ipsetName)); err != nil { + if err := selector.delEntry(nsuid(ns.namespace), string(ns.allPods.ipsetName)); err != nil { return err } } if newMatch { - if err := selector.addEntry(ns.namespace.ObjectMeta.UID, string(ns.allPods.ipsetName), namespaceComment(ns)); err != nil { + if err := selector.addEntry(nsuid(ns.namespace), string(ns.allPods.ipsetName), namespaceComment(ns)); err != nil { return err } } @@ -543,7 +543,7 @@ func (ns *ns) deleteNamespace(obj *coreapi.Namespace) error { } // Remove namespace ipset from any matching namespace selectors - err := ns.nsSelectors.delFromMatchingNamespaceSelector(obj.ObjectMeta.UID, obj.ObjectMeta.Labels, string(ns.allPods.ipsetName)) + err := ns.nsSelectors.delFromMatchingNamespaceSelector(nsuid(obj), obj.ObjectMeta.Labels, string(ns.allPods.ipsetName)) if err != nil { return err } @@ -593,7 +593,7 @@ func (ns *ns) defaultAllowIPSetName(pt policyType) ipset.Name { } func (ns *ns) analyse(obj interface{}) ( - uid types.UID, + uid ipset.UID, rules map[string]*ruleSpec, nsSelectors, podSelectors, namespacedPodsSelectors map[string]*selectorSpec, ipBlocks map[string]*ipBlockSpec, @@ -601,9 +601,9 @@ func (ns *ns) analyse(obj interface{}) ( switch p := obj.(type) { case *extnapi.NetworkPolicy: - uid = p.ObjectMeta.UID + uid = ipset.UID(p.ObjectMeta.UID) case *networkingv1.NetworkPolicy: - uid = p.ObjectMeta.UID + uid = ipset.UID(p.ObjectMeta.UID) default: err = errInvalidNetworkPolicyObjType return diff --git a/npc/rule.go b/npc/rule.go index 1edee7701e..b4d974ea4b 100644 --- a/npc/rule.go +++ b/npc/rule.go @@ -5,9 +5,9 @@ import ( "reflect" "strings" - "k8s.io/apimachinery/pkg/types" - "github.com/weaveworks/weave/common" + "github.com/weaveworks/weave/common/chains" + "github.com/weaveworks/weave/net/ipset" "github.com/weaveworks/weave/npc/iptables" ) @@ -55,9 +55,9 @@ func newRuleSpec(policyType policyType, proto *string, srcHost, dstHost ruleHost func (spec *ruleSpec) iptChain() string { if spec.policyType == policyTypeEgress { - return EgressCustomChain + return chains.EgressCustomChain } - return IngressChain + return chains.IngressChain } func (spec *ruleSpec) iptRuleSpecs() [][]string { @@ -71,7 +71,7 @@ func (spec *ruleSpec) iptRuleSpecs() [][]string { // policyTypeEgress ruleMark := make([]string, len(spec.args)) copy(ruleMark, spec.args) - ruleMark = append(ruleMark, "-j", EgressMarkChain) + ruleMark = append(ruleMark, "-j", chains.EgressMarkChain) ruleReturn := make([]string, len(spec.args)) copy(ruleReturn, spec.args) ruleReturn = append(ruleReturn, "-j", "RETURN") @@ -80,14 +80,14 @@ func (spec *ruleSpec) iptRuleSpecs() [][]string { type ruleSet struct { ipt iptables.Interface - users map[string]map[types.UID]struct{} + users map[string]map[ipset.UID]struct{} } func newRuleSet(ipt iptables.Interface) *ruleSet { - return &ruleSet{ipt, make(map[string]map[types.UID]struct{})} + return &ruleSet{ipt, make(map[string]map[ipset.UID]struct{})} } -func (rs *ruleSet) deprovision(user types.UID, current, desired map[string]*ruleSpec) error { +func (rs *ruleSet) deprovision(user ipset.UID, current, desired map[string]*ruleSpec) error { for key, spec := range current { if _, found := desired[key]; !found { delete(rs.users[key], user) @@ -108,7 +108,7 @@ func (rs *ruleSet) deprovision(user types.UID, current, desired map[string]*rule return nil } -func (rs *ruleSet) provision(user types.UID, current, desired map[string]*ruleSpec) error { +func (rs *ruleSet) provision(user ipset.UID, current, desired map[string]*ruleSpec) error { for key, spec := range desired { if _, found := current[key]; !found { if _, found := rs.users[key]; !found { @@ -119,7 +119,7 @@ func (rs *ruleSet) provision(user types.UID, current, desired map[string]*ruleSp return err } } - rs.users[key] = make(map[types.UID]struct{}) + rs.users[key] = make(map[ipset.UID]struct{}) } rs.users[key][user] = struct{}{} } diff --git a/npc/selector.go b/npc/selector.go index 1be5f9aa47..e6738a305f 100644 --- a/npc/selector.go +++ b/npc/selector.go @@ -5,7 +5,6 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" - "k8s.io/apimachinery/pkg/types" "github.com/weaveworks/weave/common" "github.com/weaveworks/weave/net/ipset" @@ -87,11 +86,11 @@ func (s *selector) matchesNamespacedPodSelector(podsLabelMap, namespaceLabelMap return s.spec.podSelector.Matches(labels.Set(podsLabelMap)) && s.spec.namespaceSelector.Matches(labels.Set(namespaceLabelMap)) } -func (s *selector) addEntry(user types.UID, entry string, comment string) error { +func (s *selector) addEntry(user ipset.UID, entry string, comment string) error { return s.ips.AddEntry(user, s.spec.ipsetName, entry, comment) } -func (s *selector) delEntry(user types.UID, entry string) error { +func (s *selector) delEntry(user ipset.UID, entry string) error { return s.ips.DelEntry(user, s.spec.ipsetName, entry) } @@ -107,7 +106,7 @@ type selectorSet struct { // invoked after the last instance of target selector has been deprovisioned onDestroyTargetSelector selectorWithPolicyTypeFn - users map[string]map[types.UID]struct{} // list of users per selector + users map[string]map[ipset.UID]struct{} // list of users per selector entries map[string]*selector // We need to keep track of target selector instances to be able to invoke @@ -122,12 +121,12 @@ func newSelectorSet(ips ipset.Interface, onNewSelector selectorFn, onNewTargetSe onNewSelector: onNewSelector, onNewTargetSelector: onNewTargetSelector, onDestroyTargetSelector: onDestroyTargetSelector, - users: make(map[string]map[types.UID]struct{}), + users: make(map[string]map[ipset.UID]struct{}), entries: make(map[string]*selector), targetSelectorsCount: make(map[string]map[policyType]int)} } -func (ss *selectorSet) addToMatchingPodSelector(user types.UID, podLabelsMap map[string]string, entry string, comment string) (bool, bool, error) { +func (ss *selectorSet) addToMatchingPodSelector(user ipset.UID, podLabelsMap map[string]string, entry string, comment string) (bool, bool, error) { foundIngress := false foundEgress := false for _, s := range ss.entries { @@ -146,7 +145,7 @@ func (ss *selectorSet) addToMatchingPodSelector(user types.UID, podLabelsMap map return foundIngress, foundEgress, nil } -func (ss *selectorSet) addToMatchingNamespaceSelector(user types.UID, namespaceLabelsMap map[string]string, entry string, comment string) error { +func (ss *selectorSet) addToMatchingNamespaceSelector(user ipset.UID, namespaceLabelsMap map[string]string, entry string, comment string) error { for _, s := range ss.entries { if s.matchesNamespaceSelector(namespaceLabelsMap) { if err := s.addEntry(user, entry, comment); err != nil { @@ -157,7 +156,7 @@ func (ss *selectorSet) addToMatchingNamespaceSelector(user types.UID, namespaceL return nil } -func (ss *selectorSet) addToMatchingNamespacedPodSelector(user types.UID, podLabelsMap map[string]string, namespaceLabelsMap map[string]string, entry string, comment string) error { +func (ss *selectorSet) addToMatchingNamespacedPodSelector(user ipset.UID, podLabelsMap map[string]string, namespaceLabelsMap map[string]string, entry string, comment string) error { for _, s := range ss.entries { if s.matchesNamespacedPodSelector(podLabelsMap, namespaceLabelsMap) { if err := s.addEntry(user, entry, comment); err != nil { @@ -168,7 +167,7 @@ func (ss *selectorSet) addToMatchingNamespacedPodSelector(user types.UID, podLab return nil } -func (ss *selectorSet) delFromMatchingPodSelector(user types.UID, podLabelsMap map[string]string, entry string) error { +func (ss *selectorSet) delFromMatchingPodSelector(user ipset.UID, podLabelsMap map[string]string, entry string) error { for _, s := range ss.entries { if s.matchesPodSelector(podLabelsMap) { if err := s.delEntry(user, entry); err != nil { @@ -179,7 +178,7 @@ func (ss *selectorSet) delFromMatchingPodSelector(user types.UID, podLabelsMap m return nil } -func (ss *selectorSet) delFromMatchingNamespaceSelector(user types.UID, namespaceLabelsMap map[string]string, entry string) error { +func (ss *selectorSet) delFromMatchingNamespaceSelector(user ipset.UID, namespaceLabelsMap map[string]string, entry string) error { for _, s := range ss.entries { if s.matchesNamespaceSelector(namespaceLabelsMap) { if err := s.delEntry(user, entry); err != nil { @@ -190,7 +189,7 @@ func (ss *selectorSet) delFromMatchingNamespaceSelector(user types.UID, namespac return nil } -func (ss *selectorSet) delFromMatchingNamespacedPodSelector(user types.UID, podLabelsMap map[string]string, namespaceLabelsMap map[string]string, entry string) error { +func (ss *selectorSet) delFromMatchingNamespacedPodSelector(user ipset.UID, podLabelsMap map[string]string, namespaceLabelsMap map[string]string, entry string) error { for _, s := range ss.entries { if s.matchesNamespacedPodSelector(podLabelsMap, namespaceLabelsMap) { if err := s.delEntry(user, entry); err != nil { @@ -205,7 +204,7 @@ func (ss *selectorSet) targetSelectorExist(s *selector, policyType policyType) b return ss.targetSelectorsCount[s.spec.key][policyType] > 0 } -func (ss *selectorSet) deprovision(user types.UID, current, desired map[string]*selectorSpec) error { +func (ss *selectorSet) deprovision(user ipset.UID, current, desired map[string]*selectorSpec) error { for key, spec := range current { if _, found := desired[key]; !found { delete(ss.users[key], user) @@ -233,7 +232,7 @@ func (ss *selectorSet) deprovision(user types.UID, current, desired map[string]* return nil } -func (ss *selectorSet) provision(user types.UID, current, desired map[string]*selectorSpec) error { +func (ss *selectorSet) provision(user ipset.UID, current, desired map[string]*selectorSpec) error { for key, spec := range desired { if _, found := current[key]; !found { selector := &selector{ss.ips, spec} @@ -246,7 +245,7 @@ func (ss *selectorSet) provision(user types.UID, current, desired map[string]*se if err := ss.onNewSelector(selector); err != nil { return err } - ss.users[key] = make(map[types.UID]struct{}) + ss.users[key] = make(map[ipset.UID]struct{}) ss.entries[key] = selector } ss.users[key][user] = struct{}{} diff --git a/prog/weave-npc/main.go b/prog/weave-npc/main.go index 22e4e556a5..ab6ffebae2 100644 --- a/prog/weave-npc/main.go +++ b/prog/weave-npc/main.go @@ -17,6 +17,7 @@ import ( "k8s.io/client-go/tools/cache" "github.com/weaveworks/weave/common" + "github.com/weaveworks/weave/common/chains" "github.com/weaveworks/weave/net" "github.com/weaveworks/weave/net/ipset" "github.com/weaveworks/weave/npc" @@ -52,27 +53,27 @@ func makeController(getter cache.Getter, resource string, func resetIPTables(ipt *iptables.IPTables) error { // Flush chains first so there are no refs to extant ipsets - if err := ipt.ClearChain(npc.TableFilter, npc.IngressChain); err != nil { + if err := ipt.ClearChain(npc.TableFilter, chains.IngressChain); err != nil { return err } - if err := ipt.ClearChain(npc.TableFilter, npc.DefaultChain); err != nil { + if err := ipt.ClearChain(npc.TableFilter, chains.DefaultChain); err != nil { return err } - if err := ipt.ClearChain(npc.TableFilter, npc.MainChain); err != nil { + if err := ipt.ClearChain(npc.TableFilter, chains.MainChain); err != nil { return err } - if err := ipt.ClearChain(npc.TableFilter, npc.EgressMarkChain); err != nil { + if err := ipt.ClearChain(npc.TableFilter, chains.EgressMarkChain); err != nil { return err } - if err := ipt.ClearChain(npc.TableFilter, npc.EgressCustomChain); err != nil { + if err := ipt.ClearChain(npc.TableFilter, chains.EgressCustomChain); err != nil { return err } - if err := ipt.ClearChain(npc.TableFilter, npc.EgressDefaultChain); err != nil { + if err := ipt.ClearChain(npc.TableFilter, chains.EgressDefaultChain); err != nil { return err } @@ -121,35 +122,35 @@ func resetIPSets(ips ipset.Interface) error { func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error { // Configure main chain static rules - if err := ipt.Append(npc.TableFilter, npc.MainChain, + if err := ipt.Append(npc.TableFilter, chains.MainChain, "-m", "state", "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"); err != nil { return err } if allowMcast { - if err := ipt.Append(npc.TableFilter, npc.MainChain, + if err := ipt.Append(npc.TableFilter, chains.MainChain, "-d", "224.0.0.0/4", "-j", "ACCEPT"); err != nil { return err } } // If the destination address is not any of the local pods, let it through - if err := ipt.Append(npc.TableFilter, npc.MainChain, + if err := ipt.Append(npc.TableFilter, chains.MainChain, "-m", "physdev", "--physdev-is-bridged", "--physdev-out="+bridgePortName, "-j", "ACCEPT"); err != nil { return err } - if err := ipt.Append(npc.TableFilter, npc.MainChain, - "-m", "state", "--state", "NEW", "-j", string(npc.DefaultChain)); err != nil { + if err := ipt.Append(npc.TableFilter, chains.MainChain, + "-m", "state", "--state", "NEW", "-j", chains.DefaultChain); err != nil { return err } - if err := ipt.Append(npc.TableFilter, npc.MainChain, - "-m", "state", "--state", "NEW", "-j", string(npc.IngressChain)); err != nil { + if err := ipt.Append(npc.TableFilter, chains.MainChain, + "-m", "state", "--state", "NEW", "-j", chains.IngressChain); err != nil { return err } - if err := ipt.Append(npc.TableFilter, npc.EgressMarkChain, + if err := ipt.Append(npc.TableFilter, chains.EgressMarkChain, "-j", "MARK", "--set-xmark", npc.EgressMark); err != nil { return err } @@ -187,11 +188,11 @@ func createBaseRules(ipt *iptables.IPTables, ips ipset.Interface) error { ruleSpecs = append(ruleSpecs, []string{"-d", "224.0.0.0/4", "-j", "RETURN"}) } ruleSpecs = append(ruleSpecs, [][]string{ - {"-m", "state", "--state", "NEW", "-j", string(npc.EgressDefaultChain)}, - {"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", string(npc.EgressCustomChain)}, + {"-m", "state", "--state", "NEW", "-j", chains.EgressDefaultChain}, + {"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", chains.EgressCustomChain}, {"-m", "state", "--state", "NEW", "-m", "mark", "!", "--mark", npc.EgressMark, "-j", "NFLOG", "--nflog-group", "86"}, }...) - if err := net.AddChainWithRules(ipt, npc.TableFilter, npc.EgressChain, ruleSpecs); err != nil { + if err := net.AddChainWithRules(ipt, npc.TableFilter, chains.EgressChain, ruleSpecs); err != nil { return err }