spoofcheck: Make use of go-nft's ApplyConfigEcho()
Store the relevant applied config part for later to extract the rule to delete from there instead of having to list the ruleset. This is much faster especially with large rulesets. Signed-off-by: Phil Sutter <psutter@redhat.com>
This commit is contained in:
Phil Sutter
@ -30,7 +30,7 @@ const (
|
||||
)
|
||||
|
||||
type NftConfigurer interface {
|
||||
Apply(*nft.Config) error
|
||||
Apply(*nft.Config) (*nft.Config, error)
|
||||
Read(filterCommands ...string) (*nft.Config, error)
|
||||
}
|
||||
|
||||
@ -39,12 +39,16 @@ type SpoofChecker struct {
|
||||
macAddress string
|
||||
refID string
|
||||
configurer NftConfigurer
|
||||
rulestore *nft.Config
|
||||
}
|
||||
|
||||
type defaultNftConfigurer struct{}
|
||||
|
||||
func (dnc defaultNftConfigurer) Apply(cfg *nft.Config) error {
|
||||
return nft.ApplyConfig(cfg)
|
||||
func (dnc defaultNftConfigurer) Apply(cfg *nft.Config) (*nft.Config, error) {
|
||||
const timeout = 55 * time.Second
|
||||
ctxWithTimeout, cancelFunc := context.WithTimeout(context.Background(), timeout)
|
||||
defer cancelFunc()
|
||||
return nft.ApplyConfigEcho(ctxWithTimeout, cfg)
|
||||
}
|
||||
|
||||
func (dnc defaultNftConfigurer) Read(filterCommands ...string) (*nft.Config, error) {
|
||||
@ -59,7 +63,7 @@ func NewSpoofChecker(iface, macAddress, refID string) *SpoofChecker {
|
||||
}
|
||||
|
||||
func NewSpoofCheckerWithConfigurer(iface, macAddress, refID string, configurer NftConfigurer) *SpoofChecker {
|
||||
return &SpoofChecker{iface, macAddress, refID, configurer}
|
||||
return &SpoofChecker{iface, macAddress, refID, configurer, nil}
|
||||
}
|
||||
|
||||
// Setup applies nftables configuration to restrict traffic
|
||||
@ -88,7 +92,7 @@ func (sc *SpoofChecker) Setup() error {
|
||||
macChain := sc.macChain(ifaceChain.Name)
|
||||
baseConfig.AddChain(macChain)
|
||||
|
||||
if err := sc.configurer.Apply(baseConfig); err != nil {
|
||||
if _, err := sc.configurer.Apply(baseConfig); err != nil {
|
||||
return fmt.Errorf("failed to setup spoof-check: %v", err)
|
||||
}
|
||||
|
||||
@ -102,37 +106,51 @@ func (sc *SpoofChecker) Setup() error {
|
||||
rulesConfig.AddRule(sc.matchMacRule(macChain.Name))
|
||||
rulesConfig.AddRule(sc.dropRule(macChain.Name))
|
||||
|
||||
if err := sc.configurer.Apply(rulesConfig); err != nil {
|
||||
rulestore, err := sc.configurer.Apply(rulesConfig)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to setup spoof-check: %v", err)
|
||||
}
|
||||
sc.rulestore = rulestore
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func (sc *SpoofChecker) findPreroutingRule(ruleToFind *schema.Rule) ([]*schema.Rule, error) {
|
||||
ruleset := sc.rulestore
|
||||
if ruleset == nil {
|
||||
chain, err := sc.configurer.Read(listChainBridgeNatPrerouting()...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ruleset = chain
|
||||
}
|
||||
return ruleset.LookupRule(ruleToFind), nil
|
||||
}
|
||||
|
||||
// Teardown removes the interface and mac-address specific chains and their rules.
|
||||
// The table and base-chain are expected to survive while the base-chain rule that matches the
|
||||
// interface is removed.
|
||||
func (sc *SpoofChecker) Teardown() error {
|
||||
ifaceChain := sc.ifaceChain()
|
||||
currentConfig, ifaceMatchRuleErr := sc.configurer.Read(listChainBridgeNatPrerouting()...)
|
||||
if ifaceMatchRuleErr == nil {
|
||||
expectedRuleToFind := sc.matchIfaceJumpToChainRule(preRoutingBaseChainName, ifaceChain.Name)
|
||||
// It is safer to exclude the statement matching, avoiding cases where a current statement includes
|
||||
// additional default entries (e.g. counters).
|
||||
ruleToFindExcludingStatements := *expectedRuleToFind
|
||||
ruleToFindExcludingStatements.Expr = nil
|
||||
rules := currentConfig.LookupRule(&ruleToFindExcludingStatements)
|
||||
if len(rules) > 0 {
|
||||
c := nft.NewConfig()
|
||||
for _, rule := range rules {
|
||||
c.DeleteRule(rule)
|
||||
}
|
||||
if err := sc.configurer.Apply(c); err != nil {
|
||||
ifaceMatchRuleErr = fmt.Errorf("failed to delete iface match rule: %v", err)
|
||||
}
|
||||
} else {
|
||||
fmt.Fprintf(os.Stderr, "spoofcheck/teardown: unable to detect iface match rule for deletion: %+v", expectedRuleToFind)
|
||||
expectedRuleToFind := sc.matchIfaceJumpToChainRule(preRoutingBaseChainName, ifaceChain.Name)
|
||||
// It is safer to exclude the statement matching, avoiding cases where a current statement includes
|
||||
// additional default entries (e.g. counters).
|
||||
ruleToFindExcludingStatements := *expectedRuleToFind
|
||||
ruleToFindExcludingStatements.Expr = nil
|
||||
|
||||
rules, ifaceMatchRuleErr := sc.findPreroutingRule(&ruleToFindExcludingStatements)
|
||||
if ifaceMatchRuleErr == nil && len(rules) > 0 {
|
||||
c := nft.NewConfig()
|
||||
for _, rule := range rules {
|
||||
c.DeleteRule(rule)
|
||||
}
|
||||
if _, err := sc.configurer.Apply(c); err != nil {
|
||||
ifaceMatchRuleErr = fmt.Errorf("failed to delete iface match rule: %v", err)
|
||||
}
|
||||
// Drop the cache, it should contain deleted rule(s) now
|
||||
sc.rulestore = nil
|
||||
} else {
|
||||
fmt.Fprintf(os.Stderr, "spoofcheck/teardown: unable to detect iface match rule for deletion: %+v", expectedRuleToFind)
|
||||
}
|
||||
|
||||
regularChainsConfig := nft.NewConfig()
|
||||
@ -140,7 +158,7 @@ func (sc *SpoofChecker) Teardown() error {
|
||||
regularChainsConfig.DeleteChain(sc.macChain(ifaceChain.Name))
|
||||
|
||||
var regularChainsErr error
|
||||
if err := sc.configurer.Apply(regularChainsConfig); err != nil {
|
||||
if _, err := sc.configurer.Apply(regularChainsConfig); err != nil {
|
||||
regularChainsErr = fmt.Errorf("failed to delete regular chains: %v", err)
|
||||
}
|
||||
|
||||
|
||||
@ -113,6 +113,25 @@ var _ = Describe("spoofcheck", func() {
|
||||
)))
|
||||
})
|
||||
})
|
||||
|
||||
Context("echo", func() {
|
||||
It("succeeds, no read called", func() {
|
||||
c := configurerStub{}
|
||||
sc := link.NewSpoofCheckerWithConfigurer(iface, mac, id, &c)
|
||||
Expect(sc.Setup()).To(Succeed())
|
||||
Expect(sc.Teardown()).To(Succeed())
|
||||
Expect(c.readCalled).To(BeFalse())
|
||||
})
|
||||
|
||||
It("succeeds, fall back to config read", func() {
|
||||
c := configurerStub{applyReturnNil: true}
|
||||
sc := link.NewSpoofCheckerWithConfigurer(iface, mac, id, &c)
|
||||
Expect(sc.Setup()).To(Succeed())
|
||||
c.readConfig = c.applyConfig[0]
|
||||
Expect(sc.Teardown()).To(Succeed())
|
||||
Expect(c.readCalled).To(BeTrue())
|
||||
})
|
||||
})
|
||||
})
|
||||
|
||||
func assertExpectedRegularChainsDeletionInTeardownConfig(action configurerStub) {
|
||||
@ -274,21 +293,28 @@ type configurerStub struct {
|
||||
failFirstApplyConfig bool
|
||||
failSecondApplyConfig bool
|
||||
failReadConfig bool
|
||||
|
||||
applyReturnNil bool
|
||||
readCalled bool
|
||||
}
|
||||
|
||||
func (a *configurerStub) Apply(c *nft.Config) error {
|
||||
func (a *configurerStub) Apply(c *nft.Config) (*nft.Config, error) {
|
||||
a.applyCounter++
|
||||
if a.failFirstApplyConfig && a.applyCounter == 1 {
|
||||
return fmt.Errorf(errorFirstApplyText)
|
||||
return nil, fmt.Errorf(errorFirstApplyText)
|
||||
}
|
||||
if a.failSecondApplyConfig && a.applyCounter == 2 {
|
||||
return fmt.Errorf(errorSecondApplyText)
|
||||
return nil, fmt.Errorf(errorSecondApplyText)
|
||||
}
|
||||
a.applyConfig = append(a.applyConfig, c)
|
||||
return nil
|
||||
if a.applyReturnNil {
|
||||
return nil, nil
|
||||
}
|
||||
return c, nil
|
||||
}
|
||||
|
||||
func (a *configurerStub) Read(_ ...string) (*nft.Config, error) {
|
||||
a.readCalled = true
|
||||
if a.failReadConfig {
|
||||
return nil, fmt.Errorf(errorReadText)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user