build(deps): bump the golang group across 1 directory with 7 updates

Bumps the golang group with 6 updates in the / directory: | Package | From | To | | --- | --- | --- | | [github.com/Microsoft/hcsshim](https://github.com/Microsoft/hcsshim) | `0.12.7` | `0.12.9` | | [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.20.2` | `2.22.0` | | [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.34.2` | `1.36.0` | | [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) | `1.11.0` | `1.11.1` | | [github.com/safchain/ethtool](https://github.com/safchain/ethtool) | `0.4.1` | `0.5.9` | | [sigs.k8s.io/knftables](https://github.com/kubernetes-sigs/knftables) | `0.0.17` | `0.0.18` | Updates `github.com/Microsoft/hcsshim` from 0.12.7 to 0.12.9 - [Release notes](https://github.com/Microsoft/hcsshim/releases) - [Commits](https://github.com/Microsoft/hcsshim/compare/v0.12.7...v0.12.9) Updates `github.com/onsi/ginkgo/v2` from 2.20.2 to 2.22.0 - [Release notes](https://github.com/onsi/ginkgo/releases) - [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/ginkgo/compare/v2.20.2...v2.22.0) Updates `github.com/onsi/gomega` from 1.34.2 to 1.36.0 - [Release notes](https://github.com/onsi/gomega/releases) - [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md) - [Commits](https://github.com/onsi/gomega/compare/v1.34.2...v1.36.0) Updates `github.com/opencontainers/selinux` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/opencontainers/selinux/releases) - [Commits](https://github.com/opencontainers/selinux/compare/v1.11.0...v1.11.1) Updates `github.com/safchain/ethtool` from 0.4.1 to 0.5.9 - [Release notes](https://github.com/safchain/ethtool/releases) - [Commits](https://github.com/safchain/ethtool/compare/v0.4.1...v0.5.9) Updates `golang.org/x/sys` from 0.26.0 to 0.27.0 - [Commits](https://github.com/golang/sys/compare/v0.26.0...v0.27.0) Updates `sigs.k8s.io/knftables` from 0.0.17 to 0.0.18 - [Changelog](https://github.com/kubernetes-sigs/knftables/blob/master/CHANGELOG.md) - [Commits](https://github.com/kubernetes-sigs/knftables/compare/v0.0.17...v0.0.18) --- updated-dependencies: - dependency-name: github.com/Microsoft/hcsshim dependency-type: direct:production update-type: version-update:semver-patch dependency-group: golang - dependency-name: github.com/onsi/ginkgo/v2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: github.com/onsi/gomega dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: github.com/opencontainers/selinux dependency-type: direct:production update-type: version-update:semver-patch dependency-group: golang - dependency-name: github.com/safchain/ethtool dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: golang.org/x/sys dependency-type: direct:production update-type: version-update:semver-minor dependency-group: golang - dependency-name: sigs.k8s.io/knftables dependency-type: direct:production update-type: version-update:semver-patch dependency-group: golang ... Signed-off-by: dependabot[bot] <support@github.com>
2024-12-02 02:02:42 +00:00
parent 6de8a9853c
commit 3ffc42cdfd
167 changed files with 20766 additions and 1075 deletions
--- a/vendor/sigs.k8s.io/knftables/CHANGELOG.md
+++ b/vendor/sigs.k8s.io/knftables/CHANGELOG.md
@ -1,5 +1,16 @@
 # ChangeLog

+## v0.0.18
+
+- Added locking to `Fake` to allow it to be safely used concurrently.
+  (`@npinaeva`)
+
+- Added a `Flowtable` object, and `Fake` support for correctly parsing
+  flowtable references. (`@aojea`)
+
+- Fixed a bug in `Fake.ParseDump`, which accidentally required the
+  table to have a comment. (`@danwinship`)
+
 ## v0.0.17

 - `ListRules()` now accepts `""` for the chain name, meaning to list
--- a/vendor/sigs.k8s.io/knftables/README.md
+++ b/vendor/sigs.k8s.io/knftables/README.md
@ -134,6 +134,7 @@ The `Transaction` methods take arguments of type `knftables.Object`.
 The currently-supported objects are:

 - `Table`
+- `Flowtable`
 - `Chain`
 - `Rule`
 - `Set`
--- a/vendor/sigs.k8s.io/knftables/fake.go
+++ b/vendor/sigs.k8s.io/knftables/fake.go
@ -23,20 +23,27 @@ import (
 	"regexp"
 	"sort"
 	"strings"
+	"sync"
 )

 // Fake is a fake implementation of Interface
 type Fake struct {
 	nftContext
+	// mutex is used to protect Table and LastTransaction.
+	// When Table and LastTransaction are accessed directly, the caller must acquire Fake.RLock
+	// and release when finished.
+	sync.RWMutex

 	nextHandle int

 	// Table contains the Interface's table. This will be `nil` until you `tx.Add()`
 	// the table.
+	// Make sure to acquire Fake.RLock before accessing Table in a concurrent environment.
 	Table *FakeTable

 	// LastTransaction is the last transaction passed to Run(). It will remain set until the
 	// next time Run() is called. (It is not affected by Check().)
+	// Make sure to acquire Fake.RLock before accessing LastTransaction in a concurrent environment.
 	LastTransaction *Transaction
 }

@ -44,6 +51,9 @@ type Fake struct {
 type FakeTable struct {
 	Table

+	// Flowtables contains the table's flowtables, keyed by name
+	Flowtables map[string]*FakeFlowtable
+
 	// Chains contains the table's chains, keyed by name
 	Chains map[string]*FakeChain

@ -54,6 +64,11 @@ type FakeTable struct {
 	Maps map[string]*FakeMap
 }

+// FakeFlowtable wraps Flowtable for the Fake implementation
+type FakeFlowtable struct {
+	Flowtable
+}
+
 // FakeChain wraps Chain for the Fake implementation
 type FakeChain struct {
 	Chain
@ -94,6 +109,8 @@ var _ Interface = &Fake{}

 // List is part of Interface.
 func (fake *Fake) List(_ context.Context, objectType string) ([]string, error) {
+	fake.RLock()
+	defer fake.RUnlock()
 	if fake.Table == nil {
 		return nil, notFoundError("no such table %q", fake.table)
 	}
@ -101,6 +118,10 @@ func (fake *Fake) List(_ context.Context, objectType string) ([]string, error) {
 	var result []string

 	switch objectType {
+	case "flowtable", "flowtables":
+		for name := range fake.Table.Flowtables {
+			result = append(result, name)
+		}
 	case "chain", "chains":
 		for name := range fake.Table.Chains {
 			result = append(result, name)
@ -123,6 +144,8 @@ func (fake *Fake) List(_ context.Context, objectType string) ([]string, error) {

 // ListRules is part of Interface
 func (fake *Fake) ListRules(_ context.Context, chain string) ([]*Rule, error) {
+	fake.RLock()
+	defer fake.RUnlock()
 	if fake.Table == nil {
 		return nil, notFoundError("no such table %q", fake.table)
 	}
@ -145,6 +168,8 @@ func (fake *Fake) ListRules(_ context.Context, chain string) ([]*Rule, error) {

 // ListElements is part of Interface
 func (fake *Fake) ListElements(_ context.Context, objectType, name string) ([]*Element, error) {
+	fake.RLock()
+	defer fake.RUnlock()
 	if fake.Table == nil {
 		return nil, notFoundError("no such %s %q", objectType, name)
 	}
@ -169,6 +194,8 @@ func (fake *Fake) NewTransaction() *Transaction {

 // Run is part of Interface
 func (fake *Fake) Run(_ context.Context, tx *Transaction) error {
+	fake.Lock()
+	defer fake.Unlock()
 	fake.LastTransaction = tx
 	updatedTable, err := fake.run(tx)
 	if err == nil {
@ -179,10 +206,13 @@ func (fake *Fake) Run(_ context.Context, tx *Transaction) error {

 // Check is part of Interface
 func (fake *Fake) Check(_ context.Context, tx *Transaction) error {
+	fake.RLock()
+	defer fake.RUnlock()
 	_, err := fake.run(tx)
 	return err
 }

+// must be called with fake.lock held
 func (fake *Fake) run(tx *Transaction) (*FakeTable, error) {
 	if tx.err != nil {
 		return nil, tx.err
@ -218,10 +248,11 @@ func (fake *Fake) run(tx *Transaction) (*FakeTable, error) {
 				table := *obj
 				table.Handle = PtrTo(fake.nextHandle)
 				updatedTable = &FakeTable{
-					Table:  table,
-					Chains: make(map[string]*FakeChain),
-					Sets:   make(map[string]*FakeSet),
-					Maps:   make(map[string]*FakeMap),
+					Table:      table,
+					Flowtables: make(map[string]*FakeFlowtable),
+					Chains:     make(map[string]*FakeChain),
+					Sets:       make(map[string]*FakeSet),
+					Maps:       make(map[string]*FakeMap),
 				}
 			case deleteVerb:
 				updatedTable = nil
@ -229,6 +260,29 @@ func (fake *Fake) run(tx *Transaction) (*FakeTable, error) {
 				return nil, fmt.Errorf("unhandled operation %q", op.verb)
 			}

+		case *Flowtable:
+			existingFlowtable := updatedTable.Flowtables[obj.Name]
+			err := checkExists(op.verb, "flowtable", obj.Name, existingFlowtable != nil)
+			if err != nil {
+				return nil, err
+			}
+			switch op.verb {
+			case addVerb, createVerb:
+				if existingFlowtable != nil {
+					continue
+				}
+				flowtable := *obj
+				flowtable.Handle = PtrTo(fake.nextHandle)
+				updatedTable.Flowtables[obj.Name] = &FakeFlowtable{
+					Flowtable: flowtable,
+				}
+			case deleteVerb:
+				// FIXME delete-by-handle
+				delete(updatedTable.Flowtables, obj.Name)
+			default:
+				return nil, fmt.Errorf("unhandled operation %q", op.verb)
+			}
+
 		case *Chain:
 			existingChain := updatedTable.Chains[obj.Name]
 			err := checkExists(op.verb, "chain", obj.Name, existingChain != nil)
@ -443,10 +497,14 @@ func checkRuleRefs(rule *Rule, table *FakeTable) error {
 	for i, word := range words {
 		if strings.HasPrefix(word, "@") {
 			name := word[1:]
-			if i > 0 && (words[i] == "map" || words[i] == "vmap") {
+			if i > 0 && (words[i-1] == "map" || words[i-1] == "vmap") {
 				if table.Maps[name] == nil {
 					return notFoundError("no such map %q", name)
 				}
+			} else if i > 0 && words[i-1] == "offload" {
+				if table.Flowtables[name] == nil {
+					return notFoundError("no such flowtable %q", name)
+				}
 			} else {
 				// recent nft lets you use a map in a set lookup
 				if table.Sets[name] == nil && table.Maps[name] == nil {
@ -480,6 +538,8 @@ func checkElementRefs(element *Element, table *FakeTable) error {

 // Dump dumps the current contents of fake, in a way that looks like an nft transaction.
 func (fake *Fake) Dump() string {
+	fake.RLock()
+	defer fake.RUnlock()
 	if fake.Table == nil {
 		return ""
 	}
@ -487,6 +547,7 @@ func (fake *Fake) Dump() string {
 	buf := &strings.Builder{}

 	table := fake.Table
+	flowtables := sortKeys(table.Flowtables)
 	chains := sortKeys(table.Chains)
 	sets := sortKeys(table.Sets)
 	maps := sortKeys(table.Maps)
@ -494,6 +555,10 @@ func (fake *Fake) Dump() string {
 	// Write out all of the object adds first.

 	table.writeOperation(addVerb, &fake.nftContext, buf)
+	for _, fname := range flowtables {
+		ft := table.Flowtables[fname]
+		ft.writeOperation(addVerb, &fake.nftContext, buf)
+	}
 	for _, cname := range chains {
 		ch := table.Chains[cname]
 		ch.writeOperation(addVerb, &fake.nftContext, buf)
@ -550,7 +615,7 @@ func (fake *Fake) ParseDump(data string) (err error) {
 		}
 	}()
 	tx := fake.NewTransaction()
-	commonRegexp := regexp.MustCompile(fmt.Sprintf(`add %s %s %s (.*)`, noSpaceGroup, fake.family, fake.table))
+	commonRegexp := regexp.MustCompile(fmt.Sprintf(`add ([^ ]*) %s %s( (.*))?`, fake.family, fake.table))

 	for i, line = range lines {
 		line = strings.TrimSpace(line)
@ -565,6 +630,8 @@ func (fake *Fake) ParseDump(data string) (err error) {
 		switch match[1] {
 		case "table":
 			obj = &Table{}
+		case "flowtable":
+			obj = &Flowtable{}
 		case "chain":
 			obj = &Chain{}
 		case "rule":
@ -578,7 +645,7 @@ func (fake *Fake) ParseDump(data string) (err error) {
 		default:
 			return fmt.Errorf("unknown object %s", match[1])
 		}
-		err = obj.parse(match[2])
+		err = obj.parse(match[3])
 		if err != nil {
 			return err
 		}
@ -623,10 +690,16 @@ func (table *FakeTable) copy() *FakeTable {
 	}

 	tcopy := &FakeTable{
-		Table:  table.Table,
-		Chains: make(map[string]*FakeChain),
-		Sets:   make(map[string]*FakeSet),
-		Maps:   make(map[string]*FakeMap),
+		Table:      table.Table,
+		Flowtables: make(map[string]*FakeFlowtable),
+		Chains:     make(map[string]*FakeChain),
+		Sets:       make(map[string]*FakeSet),
+		Maps:       make(map[string]*FakeMap),
+	}
+	for name, flowtable := range table.Flowtables {
+		tcopy.Flowtables[name] = &FakeFlowtable{
+			Flowtable: flowtable.Flowtable,
+		}
 	}
 	for name, chain := range table.Chains {
 		tcopy.Chains[name] = &FakeChain{
--- a/vendor/sigs.k8s.io/knftables/objects.go
+++ b/vendor/sigs.k8s.io/knftables/objects.go
@ -579,3 +579,80 @@ func (element *Element) parse(line string) error {
 	}
 	return nil
 }
+
+// Object implementation for Flowtable
+func (flowtable *Flowtable) validate(verb verb) error {
+	switch verb {
+	case addVerb, createVerb:
+		if flowtable.Name == "" {
+			return fmt.Errorf("no name specified for flowtable")
+		}
+		if flowtable.Handle != nil {
+			return fmt.Errorf("cannot specify Handle in %s operation", verb)
+		}
+	case deleteVerb:
+		if flowtable.Name == "" && flowtable.Handle == nil {
+			return fmt.Errorf("must specify either name or handle")
+		}
+	default:
+		return fmt.Errorf("%s is not implemented for flowtables", verb)
+	}
+
+	return nil
+}
+
+func (flowtable *Flowtable) writeOperation(verb verb, ctx *nftContext, writer io.Writer) {
+	// Special case for delete-by-handle
+	if verb == deleteVerb && flowtable.Handle != nil {
+		fmt.Fprintf(writer, "delete flowtable %s %s handle %d", ctx.family, ctx.table, *flowtable.Handle)
+		return
+	}
+
+	fmt.Fprintf(writer, "%s flowtable %s %s %s", verb, ctx.family, ctx.table, flowtable.Name)
+	if verb == addVerb || verb == createVerb {
+		fmt.Fprintf(writer, " {")
+
+		if flowtable.Priority != nil {
+			// since there is only one priority value allowed "filter" just use the value
+			// provided and not try to parse it.
+			fmt.Fprintf(writer, " hook ingress priority %s ;", *flowtable.Priority)
+		}
+
+		if len(flowtable.Devices) > 0 {
+			fmt.Fprintf(writer, " devices = { %s } ;", strings.Join(flowtable.Devices, ", "))
+		}
+
+		fmt.Fprintf(writer, " }")
+	}
+
+	fmt.Fprintf(writer, "\n")
+}
+
+// nft add flowtable inet example_table example_flowtable { hook ingress priority filter ; devices = { eth0 };  }
+var flowtableRegexp = regexp.MustCompile(fmt.Sprintf(
+	`%s(?: {(?: hook ingress priority %s ;)(?: devices = {(.*)} ;) })?`,
+	noSpaceGroup, noSpaceGroup))
+
+func (flowtable *Flowtable) parse(line string) error {
+	match := flowtableRegexp.FindStringSubmatch(line)
+	if match == nil {
+		return fmt.Errorf("failed parsing flowtableRegexp add command")
+	}
+	flowtable.Name = match[1]
+	if match[2] != "" {
+		flowtable.Priority = (*FlowtableIngressPriority)(&match[2])
+	}
+	// to avoid complex regular expressions the regex match everything between the brackets
+	// to match a single interface or a comma separated list of interfaces, and it is postprocessed
+	// here to remove the whitespaces.
+	if match[3] != "" {
+		devices := strings.Split(strings.TrimSpace(match[3]), ",")
+		for i := range devices {
+			devices[i] = strings.TrimSpace(devices[i])
+		}
+		if len(devices) > 0 {
+			flowtable.Devices = devices
+		}
+	}
+	return nil
+}
--- a/vendor/sigs.k8s.io/knftables/types.go
+++ b/vendor/sigs.k8s.io/knftables/types.go
@ -382,3 +382,30 @@ type Element struct {
 	// Comment is an optional comment for the element
 	Comment *string
 }
+
+type FlowtableIngressPriority string
+
+const (
+	// FilterIngressPriority is the priority for the filter value in the Ingress hook
+	// that stands for 0.
+	FilterIngressPriority FlowtableIngressPriority = "filter"
+)
+
+// Flowtable represents an nftables flowtable.
+// https://wiki.nftables.org/wiki-nftables/index.php/Flowtables
+type Flowtable struct {
+	// Name is the name of the flowtable.
+	Name string
+
+	// The Priority can be a signed integer or FlowtableIngressPriority which stands for 0.
+	// Addition and subtraction can be used to set relative priority, e.g. filter + 5 equals to 5.
+	Priority *FlowtableIngressPriority
+
+	// The Devices are specified as iifname(s) of the input interface(s) of the traffic
+	// that should be offloaded.
+	Devices []string
+
+	// Handle is an identifier that can be used to uniquely identify an object when
+	// deleting it. When adding a new object, this must be nil
+	Handle *int
+}