Add Check support to firewall meta plugin, test cases

This commit is contained in:
Michael Cambria
2019-04-08 17:45:44 -04:00
parent 95be5da5e2
commit d47387c6fe
7 changed files with 450 additions and 57 deletions


@ -18,6 +18,7 @@ import (
"fmt"
"strings"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/godbus/dbus"
)
@ -31,6 +32,7 @@ const (
firewalldZoneInterface = "org.fedoraproject.FirewallD1.zone"
firewalldAddSourceMethod = "addSource"
firewalldRemoveSourceMethod = "removeSource"
firewalldQuerySourceMethod = "querySource"
errZoneAlreadySet = "ZONE_ALREADY_SET"
)
@ -80,8 +82,8 @@ func newFirewalldBackend(conf *FirewallNetConf) (FirewallBackend, error) {
return backend, nil
}
func (fb *fwdBackend) Add(conf *FirewallNetConf) error {
for _, ip := range conf.PrevResult.IPs {
func (fb *fwdBackend) Add(conf *FirewallNetConf, result *current.Result) error {
for _, ip := range result.IPs {
ipStr := ipString(ip.Address)
// Add a firewalld rule which assigns the given source IP to the given zone
firewalldObj := fb.conn.Object(firewalldName, firewalldPath)
@ -95,8 +97,8 @@ func (fb *fwdBackend) Add(conf *FirewallNetConf) error {
return nil
}
func (fb *fwdBackend) Del(conf *FirewallNetConf) error {
for _, ip := range conf.PrevResult.IPs {
func (fb *fwdBackend) Del(conf *FirewallNetConf, result *current.Result) error {
for _, ip := range result.IPs {
ipStr := ipString(ip.Address)
// Remove firewalld rules which assigned the given source IP to the given zone
firewalldObj := fb.conn.Object(firewalldName, firewalldPath)
@ -105,3 +107,16 @@ func (fb *fwdBackend) Del(conf *FirewallNetConf) error {
}
return nil
}
func (fb *fwdBackend) Check(conf *FirewallNetConf, result *current.Result) error {
for _, ip := range result.IPs {
ipStr := ipString(ip.Address)
// Check for a firewalld rule for the given source IP to the given zone
firewalldObj := fb.conn.Object(firewalldName, firewalldPath)
var res bool
if err := firewalldObj.Call(firewalldZoneInterface+"."+firewalldQuerySourceMethod, 0, conf.FirewalldZone, ipStr).Store(&res); err != nil {
return fmt.Errorf("failed to find the address %v in %v zone", ipStr, conf.FirewalldZone)
}
}
return nil
}
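Review bot: In Check, the boolean `res` that querySource stores is never read, so a source that is absent from the zone still returns nil and the only failure path is a D-Bus call error; add `if !res { return fmt.Errorf("failed to find the address %v in %v zone", ipStr, conf.FirewalldZone) }` after the Store call. The existing error on the Store branch also discards `err` and reports a transport or permission failure as a missing address; keep the cause in the message, e.g. `return fmt.Errorf("failed to query address %v in %v zone: %v", ipStr, conf.FirewalldZone, err)`. Add, Del and Check all dereference `result` without a nil check; if the callers outside this diff can reach them without a prior result, a guard at the top of each would turn a panic into an error.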