ITQC/containernetworking-plugins
24
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 34 Wiki Activity

Compare commits

base: ITQC:v0.6.0-rc1
Branches Tags
ITQC:main ITQC:dependabot/go_modules/golang-b1fd1a5525 ITQC:remove-release-sh ITQC:dependabot/go_modules/golang.org/x/net-0.7.0 ITQC:release-1.1 ITQC:v0.7
ITQC:v1.6.1 ITQC:v1.6.2 ITQC:v1.6.0 ITQC:v1.5.1 ITQC:v1.5.0 ITQC:v1.4.1 ITQC:v1.4.0 ITQC:v1.3.0 ITQC:v1.2.0 ITQC:v1.1.1 ITQC:v1.1.0 ITQC:v1.0.1 ITQC:v1.0.0 ITQC:v1.0.0-rc1 ITQC:v0.9.1 ITQC:v0.9.0 ITQC:v0.8.7 ITQC:v0.8.6 ITQC:v0.8.5 ITQC:v0.8.4 ITQC:v0.8.3 ITQC:v0.8.2 ITQC:v0.7.6 ITQC:v0.8.1 ITQC:v0.8.0 ITQC:v0.7.5 ITQC:v0.7.4 ITQC:v0.7.3 ITQC:v0.7.2 ITQC:v0.7.1 ITQC:v0.7.0 ITQC:v0.7.0-rc2 ITQC:v0.7.0-rc1 ITQC:v0.6.0 ITQC:v0.6.0-rc2 ITQC:v0.6.0-rc1 ITQC:v0.3.0 ITQC:v0.3.0-rc3 ITQC:v0.3.0-rc2 ITQC:v0.3.0-rc1 ITQC:v0.3.0-rc0 ITQC:v0.2.3 ITQC:v0.2.2 ITQC:v0.2.1 ITQC:v0.2.0 ITQC:v0.2.0-rc1 ITQC:v0.2.0-rc0 ITQC:v0.1.0
..
compare: ITQC:v0.7.3
Branches Tags
ITQC:dependabot/go_modules/golang-b1fd1a5525 ITQC:main ITQC:remove-release-sh ITQC:dependabot/go_modules/golang.org/x/net-0.7.0 ITQC:release-1.1 ITQC:v0.7
ITQC:v1.6.1 ITQC:v1.6.2 ITQC:v1.6.0 ITQC:v1.5.1 ITQC:v1.5.0 ITQC:v1.4.1 ITQC:v1.4.0 ITQC:v1.3.0 ITQC:v1.2.0 ITQC:v1.1.1 ITQC:v1.1.0 ITQC:v1.0.1 ITQC:v1.0.0 ITQC:v1.0.0-rc1 ITQC:v0.9.1 ITQC:v0.9.0 ITQC:v0.8.7 ITQC:v0.8.6 ITQC:v0.8.5 ITQC:v0.8.4 ITQC:v0.8.3 ITQC:v0.8.2 ITQC:v0.7.6 ITQC:v0.8.1 ITQC:v0.8.0 ITQC:v0.7.5 ITQC:v0.7.4 ITQC:v0.7.3 ITQC:v0.7.2 ITQC:v0.7.1 ITQC:v0.7.0 ITQC:v0.7.0-rc2 ITQC:v0.7.0-rc1 ITQC:v0.6.0 ITQC:v0.6.0-rc2 ITQC:v0.6.0-rc1 ITQC:v0.3.0 ITQC:v0.3.0-rc3 ITQC:v0.3.0-rc2 ITQC:v0.3.0-rc1 ITQC:v0.3.0-rc0 ITQC:v0.2.3 ITQC:v0.2.2 ITQC:v0.2.1 ITQC:v0.2.0 ITQC:v0.2.0-rc1 ITQC:v0.2.0-rc0 ITQC:v0.1.0

85 Commits
v0.6.0-rc1 ... v0.7.3

Author SHA1 Message Date
Casey Callendrello
19f2f28178 Merge pull request #180 from squeed/v0.7-bump-iptables 
vendor: bump coreos/go-iptables
 2018-08-03 17:31:42 +02:00
Casey Callendrello
ffb78af3af vendor: bump coreos/go-iptables 
Pick up iptables-nftables support.
 2018-08-03 15:03:35 +02:00
Casey Callendrello
72b62babee Merge pull request #141 from squeed/missing-mac 
pkg/ip: re-fetch the created link to return creation-time parameters
 2018-04-12 11:09:35 +02:00
Casey Callendrello
26dafaa097 plugins/ptp: test for valid data in Interfaces field 2018-04-11 15:19:20 +02:00
Casey Callendrello
13e6a4b2ba plugins/bridge: Make stricter assertions about the return data 2018-04-11 15:10:39 +02:00
Casey Callendrello
00b072dd0b pkg/ip: re-fetch the created link to return creation-time parameters 
Fixes: #140
 2018-04-11 15:04:38 +02:00
Matt Dupre
dd8ff8a5cf Merge pull request #113 from nyren/master 
Explicitly enable IPv6 sysctl
 2018-02-14 16:11:11 +00:00
Ralf Nyren
08ec2995ba Explicitly enable IPv6 sysctl 
If CNI is about to configure an IPv6 address, make sure IPv6 is not
disabled through the "disable_ipv6" sysctl setting.

This is a workaround for Docker 17.06 and later which sets
disable_ipv6=1 for all interfaces even if ipv6 is enabled in Docker.
 2018-02-13 20:11:06 +01:00
Casey Callendrello
136399f078 Merge pull request #117 from dcbw/dhcp-cleanup 
dhcp plugin testcases and bug fixes
 2018-02-09 19:23:51 +01:00
Dan Williams
596480eadc dhcp: remove leases when they are released 
Don't lock around the Stop() operation though, as that may take
a while and block other operations.  That may mean we call Stop()
multiple times, but the Lease object should handle that correctly
itself.
 2018-02-08 11:17:38 -06:00
Dan Williams
61c3c42107 dhcp: don't try to close the lease stop channel multiple times 
Fixes: https://github.com/containernetworking/plugins/issues/105
 2018-02-08 11:17:38 -06:00
Dan Williams
b522ed6aae plugins/dhcp: add testcase 2018-02-08 11:17:38 -06:00
Dan Williams
26ef6e312d vendor: add d2g/dhcp4server 2018-02-07 12:48:08 -06:00
Casey Callendrello
461d433911 Merge pull request #116 from squeed/release-bump-go 
release: bump golang version
 2018-02-07 14:44:43 +01:00
Casey Callendrello
84a01001be release: bump golang version 2018-02-07 13:16:30 +01:00
Casey Callendrello
e2f063b534 Merge pull request #88 from lyft/ipvlan-master-intf-ipam 
ipvlan: support enslaving an interface returned by ipam
 2018-01-31 17:17:13 +01:00
Casey Callendrello
9e5836047c Merge pull request #104 from mzahorik/master 
Append default route and process route options in compliance with RFC 3442
 2018-01-31 15:08:57 +01:00
Matt Zahorik
808d4e20ae Append a default route to the CNI reply if there's a gateway advertised. 
Classless static routes (DHCP option 121) are now processed first.
If CSRs exist, static routes (DHCP option 33) and the gateway default
route are ignored as per RFC 3442.
 2018-01-26 10:06:26 -05:00
Paul Fisher
3468364f7e Merge branch 'master' into ipvlan-master-intf-ipam 2018-01-25 15:06:06 -08:00
Casey Callendrello
412b6d3128 Merge pull request #111 from s1061123/add_procfsprefx 
Add -hostprefix in DHCP daemon to run the daemon as container
 2018-01-25 12:00:51 +01:00
Tomofumi Hayashi
9604565b22 Add -hostprefix in DHCP daemon to run the daemon as container 
This diff adds -hostprefix option in dhcp daemon. This option
could be used to run dhcp daemon as container because container
cannot touch host's netns directly. The diff changes dhcp daemon
to touch procfs mounted to another path, like '/hostfs/proc'.
 2018-01-25 02:00:43 +09:00
Bryan Boreham
2a0736c748 Merge pull request #97 from oilbeater/fix/link-leak 
delete link and ip if err when cmdAdd to avoid resource leak.
 2018-01-24 16:38:44 +00:00
Casey Callendrello
2eba56ad52 Merge pull request #100 from squeed/range-arg 
ipam/host-local: Accept ip ranges as a runtime argument
 2018-01-24 15:45:39 +01:00
Casey Callendrello
d228f980e1 Merge pull request #103 from alice02/fix/skip_settleaddress 
pkg/ipam: Skip ip.SettleAddresses if only IPv4 is used
 2018-01-22 12:07:41 +01:00
Dan Williams
6aa21c431e Merge pull request #107 from zhsj/fix-ipforward 
pkg/ip: don't write to /proc/sys if ipforward enabled
 2018-01-20 21:38:23 -06:00
Casey Callendrello
c42470bc79 Merge pull request #110 from dcbw/host-device-honor-ifname 
host-device: respect CNI_IFNAME/args.IfName
 2018-01-19 19:05:29 +01:00
Dan Williams
ffc591e242 host-device: respect CNI_IFNAME/args.IfName 
On ADD save the host device's name into its IFLA_ALIAS property and
rename the device to the requested CNI_IFNAME inside the container
to conform to the CNI specification.  On DEL rename the device to
the original name and move it back into the host namespace.
 2018-01-17 14:30:22 -06:00
Shengjing Zhu
59f9976017 pkg/ip: don't write to /proc/sys if ipforward enabled 
This enables setup in a container env like systemd nspawn
where /proc/sys is mouted as read only.

Signed-off-by: Shengjing Zhu <i@zhsj.me>
 2018-01-18 01:52:49 +08:00
Gabe Rosenhouse
c26961a990 Merge pull request #108 from jingax10/ipvlan_plugin_branch 
Update IPVLAN modes by adding l3s in README.
 2018-01-17 08:04:57 -08:00
Jing Ai
8ebea58550 Update IPVLAN modes by adding l3s in README. 2018-01-12 12:06:48 -08:00
alice02
97664d8a6a pkg/ipam: Skip ip.SettleAddresses if only IPv4 is used 
This change improves the performance of the ipam.ConfigureIface.
Some plugins are slow because of the ip.SettleAddress in ipam.ConfigureIface.
It seems to be only needed for IPv6, so should be skipped if only IPv4 is used.
 2017-12-26 16:48:57 +09:00
Paul Fisher
5c7e7c0913 ipvlan: support chaining for master interface and IP configuration 
For IP allocation schemes that cannot be interface agnostic, the
ipvlan plugin can be chained with an earlier plugin that handles this
logic. If "master" is omitted from the ipvlan configuration, then the
previous Result must contain a single interface name for the ipvlan
plugin to enslave. If "ipam" is omitted, then the previous Result is
used to configure the ipvlan interface.
 2017-12-23 10:59:48 -08:00
Casey Callendrello
b03d23a4fa ipam/host-local: Accept ip ranges as a runtime argument 
This allows for the runtime to dynamically request IP ranges.

Fixes: #95
 2017-12-11 13:51:01 +01:00
Casey Callendrello
03e316b07b Merge pull request #99 from rosenhouse/add-appveyor-badge 
README: add Windows CI badge
 2017-12-06 18:21:47 +01:00
Gabe Rosenhouse
ecdd827d3a README: add badge for appveyor (Windows CI) 2017-12-03 14:22:36 -08:00
oilbeater
1f02326d56 delete link and ip if err when cmdAdd to avoid resource leak. 2017-11-27 15:26:07 +08:00
Dan Williams
92c634042c Merge pull request #93 from squeed/host-device 
plugins/main/host-device: generate result, fix DEL, other cleanups
 2017-11-22 10:09:32 -06:00
Casey Callendrello
2c05055101 Merge pull request #81 from squeed/portmap-hairpin 
portmap: support hairpin, improve performance
 2017-11-15 17:34:35 +01:00
Casey Callendrello
5e830efb20 plugins/main/host-local: generate result, fix DEL, other cleanups 
This plugin needed some cleaning up: it didn't generate output, and
didn't test DEL. Add those things, plus a README.
 2017-11-15 16:00:32 +01:00
Gabe Rosenhouse
73fdc87395 Merge pull request #92 from squeed/host-device 
plugins/host_device: move to "main" folder
 2017-11-14 22:08:16 -08:00
Casey Callendrello
d07d2aaf71 plugins/host_device: move to "main" folder 2017-11-13 18:50:20 +01:00
Gabe Rosenhouse
6c2ef734c2 Merge pull request #77 from rakelkar/rakelkar/host-local-windows 
host-local: Update host-local IPAM to support Windows
 2017-11-13 07:37:10 -08:00
Rakesh Kelkar
47668f6d64 host-local: Update host-local IPAM to support Windows 2017-11-11 15:17:45 -08:00
Gabe Rosenhouse
fbced0cccb Merge pull request #84 from rosenhouse/add-windows-ci 
Enable Windows CI (Appveyor)
 2017-11-10 18:59:16 -08:00
Gabriel Rosenhouse
99f6be0319 Enable Windows CI (Appveyor) 
- start list of linux_only plugins; ignore them when testing on Windows
- Isolate linux-only code by filename suffix
- Remove stub (NotImplemented) functions
- other misc. fixes for Windows compatibility
 2017-11-10 08:09:29 -08:00
Casey Callendrello
b09e0d28a7 Merge pull request #89 from dcbw/del-link-by-name-addr-fix 
pkg/ip: don't return error from DelLinkByNameAddr() if no addresses exist
 2017-11-10 17:06:29 +01:00
Casey Callendrello
5576f3120e portmap: support hairpin, improve performance 
This change improves the performance of the portmap plugin and fixes
hairpin, when a container is mapped back to itself.

Performance is improved by using a multiport test to reduce rule
traversal, and by using a masquerade mark.

Hairpin is fixed by enabling masquerading for hairpin traffic.
 2017-11-10 16:56:52 +01:00
Dan Williams
449700f7ea pkg/ip: don't return error from DelLinkByNameAddr() if no addresses exist 
For some reason no addresses on the interface returned an error, despite
having a testcase that explicitly tested for success.
 2017-11-07 16:07:04 -06:00
Paul Fisher
4779f1d2bf ipvlan: support enslaving an interface returned by ipam 
For IP allocation schemes that cannot be interface agnostic, master can be set
to "ipam". In this configuration, the IPAM plugin is required to return a single
interface name for the ipvlan plugin to enslave.
 2017-11-01 10:14:04 -07:00
Gabe Rosenhouse
7f98c94613 Merge pull request #65 from rosenhouse/golang-to-1.9 
Golang versions: add 1.9, drop 1.7
 2017-10-18 15:36:34 -07:00
Gabriel Rosenhouse
596b44301b Vagrantfile: update to golang 1.9.1 2017-10-11 21:19:16 +02:00
Matt Dupre
0063a1b9d0 Merge pull request #78 from rmohr/dhcp 
Don't let DHCP IPAM plugin fail on missing lease
 2017-10-11 14:50:19 +01:00
Roman Mohr
cc71426592 Don't let DHCP delete fail on missing lease 
There are at least two reasons why a lease is not present:

 * The dhcp ipam daemon was restarted
 * On add the IPAM plugin failed

Don't fail the IPAM invocation when the lease is not present, to allow
proper device cleanup on CNI delete invocations.
 2017-10-11 14:29:16 +02:00
Casey Callendrello
e256564546 Merge pull request #74 from rosenhouse/host-device-fixes 
Host-device fixes
 2017-09-13 11:41:14 +02:00
Gabriel Rosenhouse
c238c93b5e host-device plugin: result is valid JSON 
test:
- feed valid config JSON to plugin
- execute plugin inside the namespace with the test device
 2017-09-12 21:01:58 -07:00
Gabriel Rosenhouse
25ca6ccb52 host-device: do not swallow netlink errors 2017-09-12 20:53:35 -07:00
Lantao Liu
5e46a66c89 Fix go get github.com/containernetworking/plugins. 
Signed-off-by: Lantao Liu <lantaol@google.com>
 2017-09-12 05:08:38 +00:00
Casey Callendrello
6be2e8a0e2 Merge pull request #3 from trusch/master 
added host-device plugin which adds a specified link to container
 2017-09-11 18:51:21 +02:00
Casey Callendrello
b24225fc17 Merge pull request #72 from rosenhouse/move-echosvr 
testing: move echosvr into testutils
 2017-09-07 14:22:03 +02:00
Gabriel Rosenhouse
d8f2fd7a3c testing: move echosvr into testutils 2017-09-06 19:10:48 -07:00
Dan Williams
1396ab0bab Merge pull request #63 from squeed/v6-fixes 
Fix ipmasq teardown on v6-only interfaces
 2017-09-06 15:36:24 -05:00
Dan Williams
92babd4a3d Merge pull request #71 from rosenhouse/fix-portmap-integ-test 
portmap integration test: echo server runs in separate process
 2017-09-06 13:13:03 -05:00
Casey Callendrello
7a62515407 pkg/ip: Fix ipmasq teardown on v6-only interfaces 2017-09-06 20:02:41 +02:00
Gabriel Rosenhouse
008024125a portmap integration test: echo server runs in separate process 
this way we're not mixing goroutines and namespaces
 2017-09-05 23:36:12 -07:00
Casey Callendrello
556e509097 Merge pull request #64 from rosenhouse/travis-ginkgo 
travis: run with ginkgo -p instead of go test
 2017-08-31 14:28:55 +02:00
Gabe Rosenhouse
dda9c2b1b0 travis: run with ginkgo -p instead of go test 
may help reduce test-pollution due to namespace-affinity

see http://onsi.github.io/ginkgo/#parallel-specs
 2017-08-30 20:22:12 -07:00
Gabe Rosenhouse
0e3df2961c Merge pull request #67 from rosenhouse/test-all-packages 
Test all packages
 2017-08-30 19:32:48 -07:00
Gabe Rosenhouse
e1ea7f5ecb Test all non-vendored packages 2017-08-30 14:47:10 -07:00
Gabe Rosenhouse
8fe8460c72 Merge pull request #66 from rosenhouse/filelock-vet 
host-local FileLock is used by value instead of by reference
 2017-08-30 08:21:28 -07:00
Gabe Rosenhouse
92e62b9f4d test.sh: cover host-local disk backend for go test and go vet 2017-08-30 06:52:29 -07:00
Gabe Rosenhouse
2f957864ea host-local disk backend store uses FileLock by reference 
- this change fixes go vet warnings for the package
 2017-08-30 06:52:29 -07:00
Gabe Rosenhouse
b49379d284 Merge pull request #62 from squeed/bridge-fixes 
bridge: various fixes
 2017-08-29 21:00:21 -07:00
Gabe Rosenhouse
9769434a13 Golang versions: add 1.9, drop 1.7 2017-08-29 20:15:50 -07:00
Casey Callendrello
a124fb36e6 bridge: various fixes 
* Don't set the MAC, send gratuitous arp instead
* Set the bridge's MAC to itself
* Only disable DAD when necessary
 2017-08-28 18:12:49 +02:00
Casey Callendrello
9fb22524a1 Merge pull request #54 from squeed/clean-build 
Release: clean the builddir when building
 2017-08-21 15:39:28 +02:00
Casey Callendrello
2d7d680874 Release: clean the builddir when building 2017-08-14 14:42:50 +02:00
Dan Williams
7480240de9 Merge pull request #50 from squeed/host-local-multi 
ipam/host-local: support sets of disjoint ranges
 2017-08-11 11:59:55 -05:00
Casey Callendrello
27d027a6d3 ipam/host-local: support sets of disjoint ranges 
In real-world address allocations, disjoint address ranges are common.
Therefore, the host-local allocator should support them.

This change still allows for multiple IPs in a single configuration, but
also allows for a "set of subnets."

Fixes: #45
 2017-08-09 19:02:08 +02:00
Dan Williams
5544d9ced0 Merge pull request #47 from dcbw/tuning-prev-result 
tuning: pass prevResult through
 2017-07-31 15:19:46 -05:00
Dan Williams
998a0f6c6a tuning: pass prevResult through 2017-07-26 14:39:01 -05:00
Tom Denham
20bc33abc5 Merge pull request #44 from verizonlabs/build-on-osx 
If we're on OS X then have Go cross compile for us
 2017-07-21 11:48:06 -07:00
Aaron Wood
bde6140771 If we're on OS X then have Go cross compile for us 2017-07-20 12:03:30 -04:00
Tino Rusch
ca3f28fa9e host-device: cleanup + completed tests; 2017-06-29 11:44:59 +02:00
Tino Rusch
f2faf549b4 [host-device] integrated getLink() function which maps either devicename, hw-addr or kernelpath to a link object; 2017-05-02 13:21:50 +02:00
Tino Rusch
6099d8c84c added host-device plugin which adds a specified link to the container network namespace; 2017-04-28 09:34:22 +02:00
193 changed files with 16733 additions and 1497 deletions
Expand all files Collapse all files

28
.appveyor.yml Normal file
View File

@ -0,0 +1,28 @@
clone_folder: c:\gopath\src\github.com\containernetworking\plugins
environment:
GOPATH: c:\gopath
install:
- echo %PATH%
- echo %GOPATH%
- set PATH=%GOPATH%\bin;c:\go\bin;%PATH%
- go version
- go env
build: off
test_script:
- ps: |
go list ./... | Select-String -Pattern (Get-Content "./plugins/linux_only.txt") -NotMatch > "to_test.txt"
echo "Will test:"
Get-Content "to_test.txt"
foreach ($pkg in Get-Content "to_test.txt") {
if ($pkg) {
echo $pkg
go test -v $pkg
if ($LastExitCode -ne 0) {
throw "test failed"
}
}
}

7
.travis.yml
View File

@ -3,12 +3,12 @@ sudo: required
dist: trusty
go:
- 1.7.x
- 1.8.x
- 1.9.x
env:
global:
- PATH=$GOROOT/bin:$PATH
- PATH=$GOROOT/bin:$GOPATH/bin:$PATH
matrix:
- TARGET=amd64
- TARGET=arm
@ -19,6 +19,9 @@ env:
matrix:
fast_finish: true
install:
- go get github.com/onsi/ginkgo/ginkgo
script:
- |
if [ "${TARGET}" == "amd64" ]; then

26
Godeps/Godeps.json generated
View File

@ -1,11 +1,15 @@
{
"ImportPath": "github.com/containernetworking/plugins",
"GoVersion": "go1.7",
"GodepVersion": "v79",
"GodepVersion": "v80",
"Packages": [
"./..."
],
"Deps": [
{
"ImportPath": "github.com/alexflint/go-filemutex",
"Rev": "72bdc8eae2aef913234599b837f5dda445ca9bd9"
},
{
"ImportPath": "github.com/containernetworking/cni/libcni",
"Comment": "v0.6.0-rc1",
@ -43,8 +47,8 @@
},
{
"ImportPath": "github.com/coreos/go-iptables/iptables",
"Comment": "v0.2.0",
"Rev": "259c8e6a4275d497442c721fa52204d7a58bde8b"
"Comment": "v0.4.0",
"Rev": "47f22b0dd3355c0ba570ba12b0b8a36bf214c04b"
},
{
"ImportPath": "github.com/coreos/go-systemd/activation",
@ -59,6 +63,10 @@
"ImportPath": "github.com/d2g/dhcp4client",
"Rev": "bed07e1bc5b85f69c6f0fd73393aa35ec68ed892"
},
{
"ImportPath": "github.com/d2g/dhcp4server",
"Rev": "1b74244053681c90de5cf1af3d6b5c93b74e3abb"
},
{
"ImportPath": "github.com/j-keck/arping",
"Rev": "2cf9dc699c5640a7e2c81403a44127bf28033600"
@ -230,6 +238,18 @@
"ImportPath": "github.com/vishvananda/netns",
"Rev": "54f0e4339ce73702a0607f49922aaa1e749b418d"
},
{
"ImportPath": "golang.org/x/net/bpf",
"Rev": "e90d6d0afc4c315a0d87a568ae68577cc15149a0"
},
{
"ImportPath": "golang.org/x/net/internal/iana",
"Rev": "e90d6d0afc4c315a0d87a568ae68577cc15149a0"
},
{
"ImportPath": "golang.org/x/net/ipv4",
"Rev": "e90d6d0afc4c315a0d87a568ae68577cc15149a0"
},
{
"ImportPath": "golang.org/x/sys/unix",
"Rev": "076b546753157f758b316e59bcb51e6807c04057"

3
README.md
View File

@ -1,4 +1,5 @@
[![Build Status](https://travis-ci.org/containernetworking/plugins.svg?branch=master)](https://travis-ci.org/containernetworking/plugins)
[![Linux Build Status](https://travis-ci.org/containernetworking/plugins.svg?branch=master)](https://travis-ci.org/containernetworking/plugins)
[![Windows Build Status](https://ci.appveyor.com/api/projects/status/kcuubx0chr76ev86/branch/master?svg=true)](https://ci.appveyor.com/project/cni-bot/plugins/branch/master)
# plugins
Some CNI network plugins, maintained by the containernetworking team. For more information, see the individual READMEs.

2
Vagrantfile vendored
View File

@ -12,7 +12,7 @@ Vagrant.configure(2) do |config|
apt-get update -y || (sleep 40 && apt-get update -y)
apt-get install -y git
wget -qO- https://storage.googleapis.com/golang/go1.8.3.linux-amd64.tar.gz | tar -C /usr/local -xz
wget -qO- https://storage.googleapis.com/golang/go1.9.1.linux-amd64.tar.gz | tar -C /usr/local -xz
echo 'export GOPATH=/go' >> /root/.bashrc
echo 'export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin' >> /root/.bashrc

4
build.sh
View File

@ -1,6 +1,10 @@
#!/usr/bin/env bash
set -e
if [ "$(uname)" == "Darwin" ]; then
export GOOS=linux
fi
ORG_PATH="github.com/containernetworking"
export REPO_PATH="${ORG_PATH}/plugins"

0
pkg/ip/addr.go → pkg/ip/addr_linux.go
View File

6
pkg/ip/ipforward.go → pkg/ip/ipforward_linux.go
View File

@ -15,6 +15,7 @@
package ip
import (
"bytes"
"io/ioutil"
"github.com/containernetworking/cni/pkg/types/current"
@ -51,5 +52,10 @@ func EnableForward(ips []*current.IPConfig) error {
}
func echo1(f string) error {
if content, err := ioutil.ReadFile(f); err == nil {
if bytes.Equal(bytes.TrimSpace(content), []byte("1")) {
return nil
}
}
return ioutil.WriteFile(f, []byte("1"), 0644)
}

31
pkg/ip/ipforward_linux_test.go Normal file
View File

@ -0,0 +1,31 @@
package ip
import (
"io/ioutil"
"os"
"time"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("IpforwardLinux", func() {
It("echo1 must not write the file if content is 1", func() {
file, err := ioutil.TempFile(os.TempDir(), "containernetworking")
defer os.Remove(file.Name())
err = echo1(file.Name())
Expect(err).NotTo(HaveOccurred())
statBefore, err := file.Stat()
Expect(err).NotTo(HaveOccurred())
// take a duration here, otherwise next file modification operation time
// will be same as previous one.
time.Sleep(100 * time.Millisecond)
err = echo1(file.Name())
Expect(err).NotTo(HaveOccurred())
statAfter, err := file.Stat()
Expect(err).NotTo(HaveOccurred())
Expect(statBefore.ModTime()).To(Equal(statAfter.ModTime()))
})
})

11
pkg/ip/ipmasq.go → pkg/ip/ipmasq_linux.go
View File

@ -75,7 +75,16 @@ func SetupIPMasq(ipn *net.IPNet, chain string, comment string) error {
// TeardownIPMasq undoes the effects of SetupIPMasq
func TeardownIPMasq(ipn *net.IPNet, chain string, comment string) error {
ipt, err := iptables.New()
isV6 := ipn.IP.To4() == nil
var ipt *iptables.IPTables
var err error
if isV6 {
ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
} else {
ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
}
if err != nil {
return fmt.Errorf("failed to locate iptables: %v", err)
}

29
pkg/ip/link.go → pkg/ip/link_linux.go
View File

@ -42,8 +42,14 @@ func makeVethPair(name, peer string, mtu int) (netlink.Link, error) {
if err := netlink.LinkAdd(veth); err != nil {
return nil, err
}
// Re-fetch the link to get its creation-time parameters, e.g. index and mac
veth2, err := netlink.LinkByName(name)
if err != nil {
netlink.LinkDel(veth) // try and clean up the link if possible.
return nil, err
}
return veth, nil
return veth2, nil
}
func peerExists(name string) bool {
@ -158,6 +164,9 @@ func SetupVeth(contVethName string, mtu int, hostNS ns.NetNS) (net.Interface, ne
func DelLinkByName(ifName string) error {
iface, err := netlink.LinkByName(ifName)
if err != nil {
if err.Error() == "Link not found" {
return ErrLinkNotFound
}
return fmt.Errorf("failed to lookup %q: %v", ifName, err)
}
@ -168,9 +177,8 @@ func DelLinkByName(ifName string) error {
return nil
}
// DelLinkByNameAddr remove an interface returns its IP address
// of the specified family
func DelLinkByNameAddr(ifName string, family int) (*net.IPNet, error) {
// DelLinkByNameAddr remove an interface and returns its addresses
func DelLinkByNameAddr(ifName string) ([]*net.IPNet, error) {
iface, err := netlink.LinkByName(ifName)
if err != nil {
if err != nil && err.Error() == "Link not found" {
@ -179,8 +187,8 @@ func DelLinkByNameAddr(ifName string, family int) (*net.IPNet, error) {
return nil, fmt.Errorf("failed to lookup %q: %v", ifName, err)
}
addrs, err := netlink.AddrList(iface, family)
if err != nil || len(addrs) == 0 {
addrs, err := netlink.AddrList(iface, netlink.FAMILY_ALL)
if err != nil {
return nil, fmt.Errorf("failed to get IP addresses for %q: %v", ifName, err)
}
@ -188,7 +196,14 @@ func DelLinkByNameAddr(ifName string, family int) (*net.IPNet, error) {
return nil, fmt.Errorf("failed to delete %q: %v", ifName, err)
}
return addrs[0].IPNet, nil
out := []*net.IPNet{}
for _, addr := range addrs {
if addr.IP.IsGlobalUnicast() {
out = append(out, addr.IPNet)
}
}
return out, nil
}
func SetHWAddrByIP(ifName string, ip4 net.IP, ip6 net.IP) error {

13
pkg/ip/link_test.go → pkg/ip/link_linux_test.go
View File

@ -27,7 +27,6 @@ import (
"github.com/containernetworking/plugins/pkg/ns"
"github.com/vishvananda/netlink"
"github.com/vishvananda/netlink/nl"
)
func getHwAddr(linkname string) string {
@ -133,7 +132,7 @@ var _ = Describe("Link", func() {
defer GinkgoRecover()
// This string should match the expected error codes in the cmdDel functions of some of the plugins
_, err := ip.DelLinkByNameAddr("THIS_DONT_EXIST", netlink.FAMILY_V4)
_, err := ip.DelLinkByNameAddr("THIS_DONT_EXIST")
Expect(err).To(Equal(ip.ErrLinkNotFound))
return nil
@ -220,16 +219,14 @@ var _ = Describe("Link", func() {
})
})
It("DelLinkByNameAddr must throw an error for configured interfaces", func() {
It("DelLinkByNameAddr should return no IPs when no IPs are configured", func() {
_ = containerNetNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
// this will delete the host endpoint too
addr, err := ip.DelLinkByNameAddr(containerVethName, nl.FAMILY_V4)
Expect(err).To(HaveOccurred())
var ipNetNil *net.IPNet
Expect(addr).To(Equal(ipNetNil))
addr, err := ip.DelLinkByNameAddr(containerVethName)
Expect(err).NotTo(HaveOccurred())
Expect(addr).To(HaveLen(0))
return nil
})
})

6
pkg/ip/route_linux.go
View File

@ -39,3 +39,9 @@ func AddHostRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
Gw: gw,
})
}
// AddDefaultRoute sets the default route on the given gateway.
func AddDefaultRoute(gw net.IP, dev netlink.Link) error {
_, defNet, _ := net.ParseCIDR("0.0.0.0/0")
return AddRoute(defNet, gw, dev)
}

71
pkg/ipam/ipam.go
View File

@ -15,16 +15,8 @@
package ipam
import (
"fmt"
"net"
"os"
"github.com/containernetworking/cni/pkg/invoke"
"github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ip"
"github.com/vishvananda/netlink"
)
func ExecAdd(plugin string, netconf []byte) (types.Result, error) {
@ -34,66 +26,3 @@ func ExecAdd(plugin string, netconf []byte) (types.Result, error) {
func ExecDel(plugin string, netconf []byte) error {
return invoke.DelegateDel(plugin, netconf)
}
// ConfigureIface takes the result of IPAM plugin and
// applies to the ifName interface
func ConfigureIface(ifName string, res *current.Result) error {
if len(res.Interfaces) == 0 {
return fmt.Errorf("no interfaces to configure")
}
link, err := netlink.LinkByName(ifName)
if err != nil {
return fmt.Errorf("failed to lookup %q: %v", ifName, err)
}
if err := netlink.LinkSetUp(link); err != nil {
return fmt.Errorf("failed to set %q UP: %v", ifName, err)
}
var v4gw, v6gw net.IP
for _, ipc := range res.IPs {
if ipc.Interface == nil {
continue
}
intIdx := *ipc.Interface
if intIdx < 0 || intIdx >= len(res.Interfaces) || res.Interfaces[intIdx].Name != ifName {
// IP address is for a different interface
return fmt.Errorf("failed to add IP addr %v to %q: invalid interface index", ipc, ifName)
}
addr := &netlink.Addr{IPNet: &ipc.Address, Label: ""}
if err = netlink.AddrAdd(link, addr); err != nil {
return fmt.Errorf("failed to add IP addr %v to %q: %v", ipc, ifName, err)
}
gwIsV4 := ipc.Gateway.To4() != nil
if gwIsV4 && v4gw == nil {
v4gw = ipc.Gateway
} else if !gwIsV4 && v6gw == nil {
v6gw = ipc.Gateway
}
}
ip.SettleAddresses(ifName, 10)
for _, r := range res.Routes {
routeIsV4 := r.Dst.IP.To4() != nil
gw := r.GW
if gw == nil {
if routeIsV4 && v4gw != nil {
gw = v4gw
} else if !routeIsV4 && v6gw != nil {
gw = v6gw
}
}
if err = ip.AddRoute(&r.Dst, gw, link); err != nil {
// we skip over duplicate routes as we assume the first one wins
if !os.IsExist(err) {
return fmt.Errorf("failed to add route '%v via %v dev %v': %v", r.Dst, gw, ifName, err)
}
}
}
return nil
}

121
pkg/ipam/ipam_linux.go Normal file
View File

@ -0,0 +1,121 @@
// Copyright 2015 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package ipam
import (
"fmt"
"net"
"os"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ip"
"github.com/containernetworking/plugins/pkg/utils/sysctl"
"github.com/vishvananda/netlink"
)
const (
DisableIPv6SysctlTemplate = "net.ipv6.conf.%s.disable_ipv6"
)
// ConfigureIface takes the result of IPAM plugin and
// applies to the ifName interface
func ConfigureIface(ifName string, res *current.Result) error {
if len(res.Interfaces) == 0 {
return fmt.Errorf("no interfaces to configure")
}
link, err := netlink.LinkByName(ifName)
if err != nil {
return fmt.Errorf("failed to lookup %q: %v", ifName, err)
}
if err := netlink.LinkSetUp(link); err != nil {
return fmt.Errorf("failed to set %q UP: %v", ifName, err)
}
var v4gw, v6gw net.IP
var has_enabled_ipv6 bool = false
for _, ipc := range res.IPs {
if ipc.Interface == nil {
continue
}
intIdx := *ipc.Interface
if intIdx < 0 || intIdx >= len(res.Interfaces) || res.Interfaces[intIdx].Name != ifName {
// IP address is for a different interface
return fmt.Errorf("failed to add IP addr %v to %q: invalid interface index", ipc, ifName)
}
// Make sure sysctl "disable_ipv6" is 0 if we are about to add
// an IPv6 address to the interface
if !has_enabled_ipv6 && ipc.Version == "6" {
// Enabled IPv6 for loopback "lo" and the interface
// being configured
for _, iface := range [2]string{"lo", ifName} {
ipv6SysctlValueName := fmt.Sprintf(DisableIPv6SysctlTemplate, iface)
// Read current sysctl value
value, err := sysctl.Sysctl(ipv6SysctlValueName)
if err != nil || value == "0" {
// FIXME: log warning if unable to read sysctl value
continue
}
// Write sysctl to enable IPv6
_, err = sysctl.Sysctl(ipv6SysctlValueName, "0")
if err != nil {
return fmt.Errorf("failed to enable IPv6 for interface %q (%s=%s): %v", iface, ipv6SysctlValueName, value, err)
}
}
has_enabled_ipv6 = true
}
addr := &netlink.Addr{IPNet: &ipc.Address, Label: ""}
if err = netlink.AddrAdd(link, addr); err != nil {
return fmt.Errorf("failed to add IP addr %v to %q: %v", ipc, ifName, err)
}
gwIsV4 := ipc.Gateway.To4() != nil
if gwIsV4 && v4gw == nil {
v4gw = ipc.Gateway
} else if !gwIsV4 && v6gw == nil {
v6gw = ipc.Gateway
}
}
if v6gw != nil {
ip.SettleAddresses(ifName, 10)
}
for _, r := range res.Routes {
routeIsV4 := r.Dst.IP.To4() != nil
gw := r.GW
if gw == nil {
if routeIsV4 && v4gw != nil {
gw = v4gw
} else if !routeIsV4 && v6gw != nil {
gw = v6gw
}
}
if err = ip.AddRoute(&r.Dst, gw, link); err != nil {
// we skip over duplicate routes as we assume the first one wins
if !os.IsExist(err) {
return fmt.Errorf("failed to add route '%v via %v dev %v': %v", r.Dst, gw, ifName, err)
}
}
}
return nil
}

2
pkg/ipam/ipam_test.go → pkg/ipam/ipam_linux_test.go
View File

@ -39,7 +39,7 @@ func ipNetEqual(a, b *net.IPNet) bool {
return a.IP.Equal(b.IP)
}
var _ = Describe("IPAM Operations", func() {
var _ = Describe("ConfigureIface", func() {
var originalNS ns.NetNS
var ipv4, ipv6, routev4, routev6 *net.IPNet
var ipgw4, ipgw6, routegwv4, routegwv6 net.IP

178
pkg/ns/ns.go
View File

@ -1,178 +0,0 @@
// Copyright 2015 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package ns
import (
"fmt"
"os"
"runtime"
"sync"
"syscall"
)
type NetNS interface {
// Executes the passed closure in this object's network namespace,
// attempting to restore the original namespace before returning.
// However, since each OS thread can have a different network namespace,
// and Go's thread scheduling is highly variable, callers cannot
// guarantee any specific namespace is set unless operations that
// require that namespace are wrapped with Do(). Also, no code called
// from Do() should call runtime.UnlockOSThread(), or the risk
// of executing code in an incorrect namespace will be greater. See
// https://github.com/golang/go/wiki/LockOSThread for further details.
Do(toRun func(NetNS) error) error
// Sets the current network namespace to this object's network namespace.
// Note that since Go's thread scheduling is highly variable, callers
// cannot guarantee the requested namespace will be the current namespace
// after this function is called; to ensure this wrap operations that
// require the namespace with Do() instead.
Set() error
// Returns the filesystem path representing this object's network namespace
Path() string
// Returns a file descriptor representing this object's network namespace
Fd() uintptr
// Cleans up this instance of the network namespace; if this instance
// is the last user the namespace will be destroyed
Close() error
}
type netNS struct {
file *os.File
mounted bool
closed bool
}
// netNS implements the NetNS interface
var _ NetNS = &netNS{}
const (
// https://github.com/torvalds/linux/blob/master/include/uapi/linux/magic.h
NSFS_MAGIC = 0x6e736673
PROCFS_MAGIC = 0x9fa0
)
type NSPathNotExistErr struct{ msg string }
func (e NSPathNotExistErr) Error() string { return e.msg }
type NSPathNotNSErr struct{ msg string }
func (e NSPathNotNSErr) Error() string { return e.msg }
func IsNSorErr(nspath string) error {
stat := syscall.Statfs_t{}
if err := syscall.Statfs(nspath, &stat); err != nil {
if os.IsNotExist(err) {
err = NSPathNotExistErr{msg: fmt.Sprintf("failed to Statfs %q: %v", nspath, err)}
} else {
err = fmt.Errorf("failed to Statfs %q: %v", nspath, err)
}
return err
}
switch stat.Type {
case PROCFS_MAGIC, NSFS_MAGIC:
return nil
default:
return NSPathNotNSErr{msg: fmt.Sprintf("unknown FS magic on %q: %x", nspath, stat.Type)}
}
}
// Returns an object representing the namespace referred to by @path
func GetNS(nspath string) (NetNS, error) {
err := IsNSorErr(nspath)
if err != nil {
return nil, err
}
fd, err := os.Open(nspath)
if err != nil {
return nil, err
}
return &netNS{file: fd}, nil
}
func (ns *netNS) Path() string {
return ns.file.Name()
}
func (ns *netNS) Fd() uintptr {
return ns.file.Fd()
}
func (ns *netNS) errorIfClosed() error {
if ns.closed {
return fmt.Errorf("%q has already been closed", ns.file.Name())
}
return nil
}
func (ns *netNS) Do(toRun func(NetNS) error) error {
if err := ns.errorIfClosed(); err != nil {
return err
}
containedCall := func(hostNS NetNS) error {
threadNS, err := GetCurrentNS()
if err != nil {
return fmt.Errorf("failed to open current netns: %v", err)
}
defer threadNS.Close()
// switch to target namespace
if err = ns.Set(); err != nil {
return fmt.Errorf("error switching to ns %v: %v", ns.file.Name(), err)
}
defer threadNS.Set() // switch back
return toRun(hostNS)
}
// save a handle to current network namespace
hostNS, err := GetCurrentNS()
if err != nil {
return fmt.Errorf("Failed to open current namespace: %v", err)
}
defer hostNS.Close()
var wg sync.WaitGroup
wg.Add(1)
var innerError error
go func() {
defer wg.Done()
runtime.LockOSThread()
innerError = containedCall(hostNS)
}()
wg.Wait()
return innerError
}
// WithNetNSPath executes the passed closure under the given network
// namespace, restoring the original namespace afterwards.
func WithNetNSPath(nspath string, toRun func(NetNS) error) error {
ns, err := GetNS(nspath)
if err != nil {
return err
}
defer ns.Close()
return ns.Do(toRun)
}

156
pkg/ns/ns_linux.go
View File

@ -21,6 +21,7 @@ import (
"path"
"runtime"
"sync"
"syscall"
"golang.org/x/sys/unix"
)
@ -147,3 +148,158 @@ func (ns *netNS) Set() error {
return nil
}
type NetNS interface {
// Executes the passed closure in this object's network namespace,
// attempting to restore the original namespace before returning.
// However, since each OS thread can have a different network namespace,
// and Go's thread scheduling is highly variable, callers cannot
// guarantee any specific namespace is set unless operations that
// require that namespace are wrapped with Do(). Also, no code called
// from Do() should call runtime.UnlockOSThread(), or the risk
// of executing code in an incorrect namespace will be greater. See
// https://github.com/golang/go/wiki/LockOSThread for further details.
Do(toRun func(NetNS) error) error
// Sets the current network namespace to this object's network namespace.
// Note that since Go's thread scheduling is highly variable, callers
// cannot guarantee the requested namespace will be the current namespace
// after this function is called; to ensure this wrap operations that
// require the namespace with Do() instead.
Set() error
// Returns the filesystem path representing this object's network namespace
Path() string
// Returns a file descriptor representing this object's network namespace
Fd() uintptr
// Cleans up this instance of the network namespace; if this instance
// is the last user the namespace will be destroyed
Close() error
}
type netNS struct {
file *os.File
mounted bool
closed bool
}
// netNS implements the NetNS interface
var _ NetNS = &netNS{}
const (
// https://github.com/torvalds/linux/blob/master/include/uapi/linux/magic.h
NSFS_MAGIC = 0x6e736673
PROCFS_MAGIC = 0x9fa0
)
type NSPathNotExistErr struct{ msg string }
func (e NSPathNotExistErr) Error() string { return e.msg }
type NSPathNotNSErr struct{ msg string }
func (e NSPathNotNSErr) Error() string { return e.msg }
func IsNSorErr(nspath string) error {
stat := syscall.Statfs_t{}
if err := syscall.Statfs(nspath, &stat); err != nil {
if os.IsNotExist(err) {
err = NSPathNotExistErr{msg: fmt.Sprintf("failed to Statfs %q: %v", nspath, err)}
} else {
err = fmt.Errorf("failed to Statfs %q: %v", nspath, err)
}
return err
}
switch stat.Type {
case PROCFS_MAGIC, NSFS_MAGIC:
return nil
default:
return NSPathNotNSErr{msg: fmt.Sprintf("unknown FS magic on %q: %x", nspath, stat.Type)}
}
}
// Returns an object representing the namespace referred to by @path
func GetNS(nspath string) (NetNS, error) {
err := IsNSorErr(nspath)
if err != nil {
return nil, err
}
fd, err := os.Open(nspath)
if err != nil {
return nil, err
}
return &netNS{file: fd}, nil
}
func (ns *netNS) Path() string {
return ns.file.Name()
}
func (ns *netNS) Fd() uintptr {
return ns.file.Fd()
}
func (ns *netNS) errorIfClosed() error {
if ns.closed {
return fmt.Errorf("%q has already been closed", ns.file.Name())
}
return nil
}
func (ns *netNS) Do(toRun func(NetNS) error) error {
if err := ns.errorIfClosed(); err != nil {
return err
}
containedCall := func(hostNS NetNS) error {
threadNS, err := GetCurrentNS()
if err != nil {
return fmt.Errorf("failed to open current netns: %v", err)
}
defer threadNS.Close()
// switch to target namespace
if err = ns.Set(); err != nil {
return fmt.Errorf("error switching to ns %v: %v", ns.file.Name(), err)
}
defer threadNS.Set() // switch back
return toRun(hostNS)
}
// save a handle to current network namespace
hostNS, err := GetCurrentNS()
if err != nil {
return fmt.Errorf("Failed to open current namespace: %v", err)
}
defer hostNS.Close()
var wg sync.WaitGroup
wg.Add(1)
var innerError error
go func() {
defer wg.Done()
runtime.LockOSThread()
innerError = containedCall(hostNS)
}()
wg.Wait()
return innerError
}
// WithNetNSPath executes the passed closure under the given network
// namespace, restoring the original namespace afterwards.
func WithNetNSPath(nspath string, toRun func(NetNS) error) error {
ns, err := GetNS(nspath)
if err != nil {
return err
}
defer ns.Close()
return ns.Do(toRun)
}

0
pkg/ns/ns_test.go → pkg/ns/ns_linux_test.go
View File

74
pkg/testutils/echosvr/echosvr_test.go Normal file
View File

@ -0,0 +1,74 @@
package main_test
import (
"fmt"
"io/ioutil"
"net"
"os/exec"
"strings"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/onsi/gomega/gbytes"
"github.com/onsi/gomega/gexec"
)
var binaryPath string
var _ = SynchronizedBeforeSuite(func() []byte {
binaryPath, err := gexec.Build("github.com/containernetworking/plugins/pkg/testutils/echosvr")
Expect(err).NotTo(HaveOccurred())
return []byte(binaryPath)
}, func(data []byte) {
binaryPath = string(data)
})
var _ = SynchronizedAfterSuite(func() {}, func() {
gexec.CleanupBuildArtifacts()
})
var _ = Describe("Echosvr", func() {
var session *gexec.Session
BeforeEach(func() {
var err error
cmd := exec.Command(binaryPath)
session, err = gexec.Start(cmd, GinkgoWriter, GinkgoWriter)
Expect(err).NotTo(HaveOccurred())
})
AfterEach(func() {
session.Kill().Wait()
})
It("starts and doesn't terminate immediately", func() {
Consistently(session).ShouldNot(gexec.Exit())
})
tryConnect := func() (net.Conn, error) {
programOutput := session.Out.Contents()
addr := strings.TrimSpace(string(programOutput))
conn, err := net.Dial("tcp", addr)
if err != nil {
return nil, err
}
return conn, err
}
It("prints its listening address to stdout", func() {
Eventually(session.Out).Should(gbytes.Say("\n"))
conn, err := tryConnect()
Expect(err).NotTo(HaveOccurred())
conn.Close()
})
It("will echo data back to us", func() {
Eventually(session.Out).Should(gbytes.Say("\n"))
conn, err := tryConnect()
Expect(err).NotTo(HaveOccurred())
defer conn.Close()
fmt.Fprintf(conn, "hello")
Expect(ioutil.ReadAll(conn)).To(Equal([]byte("hello")))
})
})

13
pkg/testutils/echosvr/init_test.go Normal file
View File

@ -0,0 +1,13 @@
package main_test
import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"testing"
)
func TestEchosvr(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Testutils Echosvr Suite")
}

38
pkg/testutils/echosvr/main.go Normal file
View File

@ -0,0 +1,38 @@
// Echosvr is a simple TCP echo server
//
// It prints its listen address on stdout
// 127.0.0.1:xxxxx
// A test should wait for this line, parse it
// and may then attempt to connect.
package main
import (
"fmt"
"net"
)
func main() {
listener, err := net.Listen("tcp", ":")
if err != nil {
panic(err)
}
_, port, err := net.SplitHostPort(listener.Addr().String())
if err != nil {
panic(err)
}
fmt.Printf("127.0.0.1:%s\n", port)
for {
conn, err := listener.Accept()
if err != nil {
panic(err)
}
go handleConnection(conn)
}
}
func handleConnection(conn net.Conn) {
buf := make([]byte, 512)
nBytesRead, _ := conn.Read(buf)
conn.Write(buf[0:nBytesRead])
conn.Close()
}

1
plugins/ipam/dhcp/README.md
View File

@ -18,6 +18,7 @@ $ ./dhcp daemon
If given `-pidfile <path>` arguments after 'daemon', the dhcp plugin will write
its PID to the given file.
If given `-hostprefix <prefix>` arguments after 'daemon', the dhcp plugin will use this prefix for netns as `<prefix>/<original netns>`. It could be used in case of running dhcp daemon as container.
Alternatively, you can use systemd socket activation protocol.
Be sure that the .socket file uses /run/cni/dhcp.sock as the socket path.

23
plugins/ipam/dhcp/daemon.go
View File

@ -39,8 +39,9 @@ const resendCount = 3
var errNoMoreTries = errors.New("no more tries")
type DHCP struct {
mux sync.Mutex
leases map[string]*DHCPLease
mux sync.Mutex
leases map[string]*DHCPLease
hostNetnsPrefix string
}
func newDHCP() *DHCP {
@ -58,7 +59,8 @@ func (d *DHCP) Allocate(args *skel.CmdArgs, result *current.Result) error {
}
clientID := args.ContainerID + "/" + conf.Name
l, err := AcquireLease(clientID, args.Netns, args.IfName)
hostNetns := d.hostNetnsPrefix + args.Netns
l, err := AcquireLease(clientID, hostNetns, args.IfName)
if err != nil {
return err
}
@ -91,10 +93,10 @@ func (d *DHCP) Release(args *skel.CmdArgs, reply *struct{}) error {
if l := d.getLease(args.ContainerID, conf.Name); l != nil {
l.Stop()
return nil
d.clearLease(args.ContainerID, conf.Name)
}
return fmt.Errorf("lease not found: %v/%v", args.ContainerID, conf.Name)
return nil
}
func (d *DHCP) getLease(contID, netName string) *DHCPLease {
@ -117,6 +119,14 @@ func (d *DHCP) setLease(contID, netName string, l *DHCPLease) {
d.leases[contID+netName] = l
}
func (d *DHCP) clearLease(contID, netName string) {
d.mux.Lock()
defer d.mux.Unlock()
// TODO(eyakubovich): hash it to avoid collisions
delete(d.leases, contID+netName)
}
func getListener() (net.Listener, error) {
l, err := activation.Listeners(true)
if err != nil {
@ -141,7 +151,7 @@ func getListener() (net.Listener, error) {
}
}
func runDaemon(pidfilePath string) error {
func runDaemon(pidfilePath string, hostPrefix string) error {
// since other goroutines (on separate threads) will change namespaces,
// ensure the RPC server does not get scheduled onto those
runtime.LockOSThread()
@ -162,6 +172,7 @@ func runDaemon(pidfilePath string) error {
}
dhcp := newDHCP()
dhcp.hostNetnsPrefix = hostPrefix
rpc.Register(dhcp)
rpc.HandleHTTP()
http.Serve(l, nil)

16
pkg/ip/route.go → plugins/ipam/dhcp/dhcp_suite_test.go
View File

@ -1,4 +1,4 @@
// Copyright 2015 CNI authors
// Copyright 2016 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@ -12,16 +12,16 @@
// See the License for the specific language governing permissions and
// limitations under the License.
package ip
package main
import (
"net"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/vishvananda/netlink"
"testing"
)
// AddDefaultRoute sets the default route on the given gateway.
func AddDefaultRoute(gw net.IP, dev netlink.Link) error {
_, defNet, _ := net.ParseCIDR("0.0.0.0/0")
return AddRoute(defNet, gw, dev)
func TestDHCP(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "DHCP Suite")
}

319
plugins/ipam/dhcp/dhcp_test.go Normal file
View File

@ -0,0 +1,319 @@
// Copyright 2015 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"fmt"
"net"
"os"
"os/exec"
"sync"
"time"
"github.com/containernetworking/cni/pkg/skel"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/testutils"
"github.com/vishvananda/netlink"
"github.com/d2g/dhcp4"
"github.com/d2g/dhcp4server"
"github.com/d2g/dhcp4server/leasepool"
"github.com/d2g/dhcp4server/leasepool/memorypool"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
func dhcpServerStart(netns ns.NetNS, leaseIP, serverIP net.IP, stopCh <-chan bool) (*sync.WaitGroup, error) {
// Add the expected IP to the pool
lp := memorypool.MemoryPool{}
err := lp.AddLease(leasepool.Lease{IP: dhcp4.IPAdd(net.IPv4(192, 168, 1, 5), 0)})
if err != nil {
return nil, fmt.Errorf("error adding IP to DHCP pool: %v", err)
}
dhcpServer, err := dhcp4server.New(
net.IPv4(192, 168, 1, 1),
&lp,
dhcp4server.SetLocalAddr(net.UDPAddr{IP: net.IPv4(0, 0, 0, 0), Port: 67}),
dhcp4server.SetRemoteAddr(net.UDPAddr{IP: net.IPv4bcast, Port: 68}),
dhcp4server.LeaseDuration(time.Minute*15),
)
if err != nil {
return nil, fmt.Errorf("failed to create DHCP server: %v", err)
}
stopWg := sync.WaitGroup{}
stopWg.Add(2)
startWg := sync.WaitGroup{}
startWg.Add(2)
// Run DHCP server in a goroutine so it doesn't block the main thread
go func() {
defer GinkgoRecover()
err = netns.Do(func(ns.NetNS) error {
startWg.Done()
if err := dhcpServer.ListenAndServe(); err != nil {
// Log, but don't trap errors; the server will
// always report an error when stopped
GinkgoT().Logf("DHCP server finished with error: %v", err)
}
return nil
})
stopWg.Done()
// Trap any errors after the Done, to allow the main test thread
// to continue and clean up. Otherwise the test hangs.
Expect(err).NotTo(HaveOccurred())
}()
// Stop DHCP server in another goroutine for the same reason
go func() {
startWg.Done()
<-stopCh
dhcpServer.Shutdown()
stopWg.Done()
}()
startWg.Wait()
return &stopWg, nil
}
const (
hostVethName string = "dhcp0"
contVethName string = "eth0"
pidfilePath string = "/var/run/cni/dhcp-client.pid"
)
var _ = BeforeSuite(func() {
os.Remove(socketPath)
os.Remove(pidfilePath)
})
var _ = AfterSuite(func() {
os.Remove(socketPath)
os.Remove(pidfilePath)
})
var _ = Describe("DHCP Operations", func() {
var originalNS, targetNS ns.NetNS
var dhcpServerStopCh chan bool
var dhcpServerDone *sync.WaitGroup
var clientCmd *exec.Cmd
BeforeEach(func() {
dhcpServerStopCh = make(chan bool)
// Create a new NetNS so we don't modify the host
var err error
originalNS, err = ns.NewNS()
Expect(err).NotTo(HaveOccurred())
targetNS, err = ns.NewNS()
Expect(err).NotTo(HaveOccurred())
serverIP := net.IPNet{
IP: net.IPv4(192, 168, 1, 1),
Mask: net.IPv4Mask(255, 255, 255, 0),
}
// Create a veth pair in the "host" (original) NS
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err = netlink.LinkAdd(&netlink.Veth{
LinkAttrs: netlink.LinkAttrs{
Name: hostVethName,
},
PeerName: contVethName,
})
Expect(err).NotTo(HaveOccurred())
host, err := netlink.LinkByName(hostVethName)
Expect(err).NotTo(HaveOccurred())
err = netlink.LinkSetUp(host)
Expect(err).NotTo(HaveOccurred())
err = netlink.AddrAdd(host, &netlink.Addr{IPNet: &serverIP})
Expect(err).NotTo(HaveOccurred())
err = netlink.RouteAdd(&netlink.Route{
LinkIndex: host.Attrs().Index,
Scope: netlink.SCOPE_UNIVERSE,
Dst: &net.IPNet{
IP: net.IPv4(0, 0, 0, 0),
Mask: net.IPv4Mask(0, 0, 0, 0),
},
})
cont, err := netlink.LinkByName(contVethName)
Expect(err).NotTo(HaveOccurred())
err = netlink.LinkSetNsFd(cont, int(targetNS.Fd()))
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
// Move the container side to the container's NS
err = targetNS.Do(func(_ ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(contVethName)
Expect(err).NotTo(HaveOccurred())
err = netlink.LinkSetUp(link)
Expect(err).NotTo(HaveOccurred())
return nil
})
// Start the DHCP server
dhcpServerDone, err = dhcpServerStart(originalNS, net.IPv4(192, 168, 1, 5), serverIP.IP, dhcpServerStopCh)
Expect(err).NotTo(HaveOccurred())
// Start the DHCP client daemon
os.MkdirAll(pidfilePath, 0755)
dhcpPluginPath, err := exec.LookPath("dhcp")
Expect(err).NotTo(HaveOccurred())
clientCmd = exec.Command(dhcpPluginPath, "daemon")
err = clientCmd.Start()
Expect(err).NotTo(HaveOccurred())
Expect(clientCmd.Process).NotTo(BeNil())
// Wait up to 15 seconds for the client socket
Eventually(func() bool {
_, err := os.Stat(socketPath)
return err == nil
}, time.Second*15, time.Second/4).Should(BeTrue())
})
AfterEach(func() {
dhcpServerStopCh <- true
dhcpServerDone.Wait()
clientCmd.Process.Kill()
clientCmd.Wait()
Expect(originalNS.Close()).To(Succeed())
Expect(targetNS.Close()).To(Succeed())
os.Remove(socketPath)
os.Remove(pidfilePath)
})
It("configures and deconfigures a link with ADD/DEL", func() {
conf := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"ipam": {
"type": "dhcp"
}
}`
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
IfName: contVethName,
StdinData: []byte(conf),
}
var addResult *current.Result
err := originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
r, _, err := testutils.CmdAddWithResult(targetNS.Path(), contVethName, []byte(conf), func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
addResult, err = current.GetResult(r)
Expect(err).NotTo(HaveOccurred())
Expect(len(addResult.IPs)).To(Equal(1))
Expect(addResult.IPs[0].Address.String()).To(Equal("192.168.1.5/24"))
return nil
})
Expect(err).NotTo(HaveOccurred())
err = originalNS.Do(func(ns.NetNS) error {
return testutils.CmdDelWithResult(targetNS.Path(), contVethName, func() error {
return cmdDel(args)
})
})
Expect(err).NotTo(HaveOccurred())
})
It("correctly handles multiple DELs for the same container", func() {
conf := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"ipam": {
"type": "dhcp"
}
}`
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
IfName: contVethName,
StdinData: []byte(conf),
}
var addResult *current.Result
err := originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
r, _, err := testutils.CmdAddWithResult(targetNS.Path(), contVethName, []byte(conf), func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
addResult, err = current.GetResult(r)
Expect(err).NotTo(HaveOccurred())
Expect(len(addResult.IPs)).To(Equal(1))
Expect(addResult.IPs[0].Address.String()).To(Equal("192.168.1.5/24"))
return nil
})
Expect(err).NotTo(HaveOccurred())
wg := sync.WaitGroup{}
wg.Add(3)
started := sync.WaitGroup{}
started.Add(3)
for i := 0; i < 3; i++ {
go func() {
defer GinkgoRecover()
// Wait until all goroutines are running
started.Done()
started.Wait()
err = originalNS.Do(func(ns.NetNS) error {
return testutils.CmdDelWithResult(targetNS.Path(), contVethName, func() error {
return cmdDel(args)
})
})
Expect(err).NotTo(HaveOccurred())
wg.Done()
}()
}
wg.Wait()
err = originalNS.Do(func(ns.NetNS) error {
return testutils.CmdDelWithResult(targetNS.Path(), contVethName, func() error {
return cmdDel(args)
})
})
Expect(err).NotTo(HaveOccurred())
})
})

28
plugins/ipam/dhcp/lease.go
View File

@ -20,6 +20,7 @@ import (
"math/rand"
"net"
"sync"
"sync/atomic"
"time"
"github.com/d2g/dhcp4"
@ -55,6 +56,7 @@ type DHCPLease struct {
renewalTime time.Time
rebindingTime time.Time
expireTime time.Time
stopping uint32
stop chan struct{}
wg sync.WaitGroup
}
@ -106,7 +108,9 @@ func AcquireLease(clientID, netns, ifName string) (*DHCPLease, error) {
// Stop terminates the background task that maintains the lease
// and issues a DHCP Release
func (l *DHCPLease) Stop() {
close(l.stop)
if atomic.CompareAndSwapUint32(&l.stopping, 0, 1) {
close(l.stop)
}
l.wg.Wait()
}
@ -292,8 +296,26 @@ func (l *DHCPLease) Gateway() net.IP {
}
func (l *DHCPLease) Routes() []*types.Route {
routes := parseRoutes(l.opts)
return append(routes, parseCIDRRoutes(l.opts)...)
routes := []*types.Route{}
// RFC 3442 states that if Classless Static Routes (option 121)
// exist, we ignore Static Routes (option 33) and the Router/Gateway.
opt121_routes := parseCIDRRoutes(l.opts)
if len(opt121_routes) > 0 {
return append(routes, opt121_routes...)
}
// Append Static Routes
routes = append(routes, parseRoutes(l.opts)...)
// The CNI spec says even if there is a gateway specified, we must
// add a default route in the routes section.
if gw := l.Gateway(); gw != nil {
_, defaultRoute, _ := net.ParseCIDR("0.0.0.0/0")
routes = append(routes, &types.Route{Dst: *defaultRoute, GW: gw})
}
return routes
}
// jitter returns a random value within [-span, span) range

4
plugins/ipam/dhcp/main.go
View File

@ -33,11 +33,13 @@ const socketPath = "/run/cni/dhcp.sock"
func main() {
if len(os.Args) > 1 && os.Args[1] == "daemon" {
var pidfilePath string
var hostPrefix string
daemonFlags := flag.NewFlagSet("daemon", flag.ExitOnError)
daemonFlags.StringVar(&pidfilePath, "pidfile", "", "optional path to write daemon PID to")
daemonFlags.StringVar(&hostPrefix, "hostprefix", "", "optional prefix to netns")
daemonFlags.Parse(os.Args[2:])
if err := runDaemon(pidfilePath); err != nil {
if err := runDaemon(pidfilePath, hostPrefix); err != nil {
log.Printf(err.Error())
os.Exit(1)
}

46
plugins/ipam/host-local/README.md
View File

@ -8,24 +8,40 @@ it can include a DNS configuration from a `resolv.conf` file on the host.
host-local IPAM plugin allocates ip addresses out of a set of address ranges.
It stores the state locally on the host filesystem, therefore ensuring uniqueness of IP addresses on a single host.
The allocator can allocate multiple ranges, and supports sets of multiple (disjoint)
subnets. The allocation strategy is loosely round-robin within each range set.
## Example configurations
Note that the key `ranges` is a list of range sets. That is to say, the length
of the top-level array is the number of addresses returned. The second-level
array is a set of subnets to use as a pool of possible addresses.
This example configuration returns 2 IP addresses.
```json
{
"ipam": {
"type": "host-local",
"ranges": [
{
"subnet": "10.10.0.0/16",
"rangeStart": "10.10.1.20",
"rangeEnd": "10.10.3.50",
"gateway": "10.10.0.254"
},
{
"subnet": "3ffe:ffff:0:01ff::/64",
"rangeStart": "3ffe:ffff:0:01ff::0010",
"rangeEnd": "3ffe:ffff:0:01ff::0020"
}
[
{
"subnet": "10.10.0.0/16",
"rangeStart": "10.10.1.20",
"rangeEnd": "10.10.3.50",
"gateway": "10.10.0.254"
},
{
"subnet": "172.16.5.0/24"
}
],
[
{
"subnet": "3ffe:ffff:0:01ff::/64",
"rangeStart": "3ffe:ffff:0:01ff::0010",
"rangeEnd": "3ffe:ffff:0:01ff::0020"
}
]
],
"routes": [
{ "dst": "0.0.0.0/0" },
@ -58,7 +74,7 @@ deprecated but still supported.
We can test it out on the command-line:
```bash
$ echo '{ "cniVersion": "0.3.1", "name": "examplenet", "ipam": { "type": "host-local", "ranges": [ {"subnet": "203.0.113.0/24"}, {"subnet": "2001:db8:1::/64"}], "dataDir": "/tmp/cni-example" } }' | CNI_COMMAND=ADD CNI_CONTAINERID=example CNI_NETNS=/dev/null CNI_IFNAME=dummy0 CNI_PATH=. ./host-local
$ echo '{ "cniVersion": "0.3.1", "name": "examplenet", "ipam": { "type": "host-local", "ranges": [ [{"subnet": "203.0.113.0/24"}], [{"subnet": "2001:db8:1::/64"}]], "dataDir": "/tmp/cni-example" } }' | CNI_COMMAND=ADD CNI_CONTAINERID=example CNI_NETNS=/dev/null CNI_IFNAME=dummy0 CNI_PATH=. ./host-local
```
@ -86,7 +102,7 @@ $ echo '{ "cniVersion": "0.3.1", "name": "examplenet", "ipam": { "type": "host-l
* `routes` (string, optional): list of routes to add to the container namespace. Each route is a dictionary with "dst" and optional "gw" fields. If "gw" is omitted, value of "gateway" will be used.
* `resolvConf` (string, optional): Path to a `resolv.conf` on the host to parse and return as the DNS configuration
* `dataDir` (string, optional): Path to a directory to use for maintaining state, e.g. which IPs have been allocated to which containers
* `ranges`, (array, required, nonempty) an array of range objects:
* `ranges`, (array, required, nonempty) an array of arrays of range objects:
* `subnet` (string, required): CIDR block to allocate out of.
* `rangeStart` (string, optional): IP inside of "subnet" from which to start allocating addresses. Defaults to ".2" IP inside of the "subnet" block.
* `rangeEnd` (string, optional): IP inside of "subnet" with which to end allocating addresses. Defaults to ".254" IP inside of the "subnet" block for ipv4, ".255" for IPv6
@ -104,6 +120,10 @@ The following [args conventions](https://github.com/containernetworking/cni/blob
* `ips` (array of strings): A list of custom IPs to attempt to allocate
The following [Capability Args](https://github.com/containernetworking/cni/blob/master/CONVENTIONS.md) are supported:
* `ipRanges`: The exact same as the `ranges` array - a list of address pools
### Custom IP allocation
For every requested custom IP, the `host-local` allocator will request that IP
if it falls within one of the `range` objects. Thus it is possible to specify

156
plugins/ipam/host-local/backend/allocator/allocator.go
View File

@ -15,11 +15,11 @@
package allocator
import (
"encoding/base64"
"fmt"
"log"
"net"
"os"
"strconv"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ip"
@ -27,29 +27,16 @@ import (
)
type IPAllocator struct {
netName string
ipRange Range
store backend.Store
rangeID string // Used for tracking last reserved ip
rangeset *RangeSet
store backend.Store
rangeID string // Used for tracking last reserved ip
}
type RangeIter struct {
low net.IP
high net.IP
cur net.IP
start net.IP
}
func NewIPAllocator(netName string, r Range, store backend.Store) *IPAllocator {
// The range name (last allocated ip suffix) is just the base64
// encoding of the bytes of the first IP
rangeID := base64.URLEncoding.EncodeToString(r.RangeStart)
func NewIPAllocator(s *RangeSet, store backend.Store, id int) *IPAllocator {
return &IPAllocator{
netName: netName,
ipRange: r,
store: store,
rangeID: rangeID,
rangeset: s,
store: store,
rangeID: strconv.Itoa(id),
}
}
@ -58,27 +45,32 @@ func (a *IPAllocator) Get(id string, requestedIP net.IP) (*current.IPConfig, err
a.store.Lock()
defer a.store.Unlock()
gw := a.ipRange.Gateway
var reservedIP net.IP
var reservedIP *net.IPNet
var gw net.IP
if requestedIP != nil {
if gw != nil && gw.Equal(requestedIP) {
return nil, fmt.Errorf("requested IP must differ from gateway IP")
if err := canonicalizeIP(&requestedIP); err != nil {
return nil, err
}
if err := a.ipRange.IPInRange(requestedIP); err != nil {
r, err := a.rangeset.RangeFor(requestedIP)
if err != nil {
return nil, err
}
if requestedIP.Equal(r.Gateway) {
return nil, fmt.Errorf("requested ip %s is subnet's gateway", requestedIP.String())
}
reserved, err := a.store.Reserve(id, requestedIP, a.rangeID)
if err != nil {
return nil, err
}
if !reserved {
return nil, fmt.Errorf("requested IP address %q is not available in network: %s %s", requestedIP, a.netName, (*net.IPNet)(&a.ipRange.Subnet).String())
return nil, fmt.Errorf("requested IP address %s is not available in range set %s", requestedIP, a.rangeset.String())
}
reservedIP = requestedIP
reservedIP = &net.IPNet{IP: requestedIP, Mask: r.Subnet.Mask}
gw = r.Gateway
} else {
iter, err := a.GetIter()
@ -86,39 +78,33 @@ func (a *IPAllocator) Get(id string, requestedIP net.IP) (*current.IPConfig, err
return nil, err
}
for {
cur := iter.Next()
if cur == nil {
reservedIP, gw = iter.Next()
if reservedIP == nil {
break
}
// don't allocate gateway IP
if gw != nil && cur.Equal(gw) {
continue
}
reserved, err := a.store.Reserve(id, cur, a.rangeID)
reserved, err := a.store.Reserve(id, reservedIP.IP, a.rangeID)
if err != nil {
return nil, err
}
if reserved {
reservedIP = cur
break
}
}
}
if reservedIP == nil {
return nil, fmt.Errorf("no IP addresses available in network: %s %s", a.netName, (*net.IPNet)(&a.ipRange.Subnet).String())
return nil, fmt.Errorf("no IP addresses available in range set: %s", a.rangeset.String())
}
version := "4"
if reservedIP.To4() == nil {
if reservedIP.IP.To4() == nil {
version = "6"
}
return &current.IPConfig{
Version: version,
Address: net.IPNet{IP: reservedIP, Mask: a.ipRange.Subnet.Mask},
Address: *reservedIP,
Gateway: gw,
}, nil
}
@ -131,15 +117,28 @@ func (a *IPAllocator) Release(id string) error {
return a.store.ReleaseByID(id)
}
type RangeIter struct {
rangeset *RangeSet
// The current range id
rangeIdx int
// Our current position
cur net.IP
// The IP and range index where we started iterating; if we hit this again, we're done.
startIP net.IP
startRange int
}
// GetIter encapsulates the strategy for this allocator.
// We use a round-robin strategy, attempting to evenly use the whole subnet.
// We use a round-robin strategy, attempting to evenly use the whole set.
// More specifically, a crash-looping container will not see the same IP until
// the entire range has been run through.
// We may wish to consider avoiding recently-released IPs in the future.
func (a *IPAllocator) GetIter() (*RangeIter, error) {
i := RangeIter{
low: a.ipRange.RangeStart,
high: a.ipRange.RangeEnd,
iter := RangeIter{
rangeset: a.rangeset,
}
// Round-robin by trying to allocate from the last reserved IP + 1
@ -151,39 +150,68 @@ func (a *IPAllocator) GetIter() (*RangeIter, error) {
if err != nil && !os.IsNotExist(err) {
log.Printf("Error retrieving last reserved ip: %v", err)
} else if lastReservedIP != nil {
startFromLastReservedIP = a.ipRange.IPInRange(lastReservedIP) == nil
startFromLastReservedIP = a.rangeset.Contains(lastReservedIP)
}
// Find the range in the set with this IP
if startFromLastReservedIP {
if i.high.Equal(lastReservedIP) {
i.start = i.low
} else {
i.start = ip.NextIP(lastReservedIP)
for i, r := range *a.rangeset {
if r.Contains(lastReservedIP) {
iter.rangeIdx = i
iter.startRange = i
// We advance the cursor on every Next(), so the first call
// to next() will return lastReservedIP + 1
iter.cur = lastReservedIP
break
}
}
} else {
i.start = a.ipRange.RangeStart
iter.rangeIdx = 0
iter.startRange = 0
iter.startIP = (*a.rangeset)[0].RangeStart
}
return &i, nil
return &iter, nil
}
// Next returns the next IP in the iterator, or nil if end is reached
func (i *RangeIter) Next() net.IP {
// If we're at the beginning, time to start
// Next returns the next IP, its mask, and its gateway. Returns nil
// if the iterator has been exhausted
func (i *RangeIter) Next() (*net.IPNet, net.IP) {
r := (*i.rangeset)[i.rangeIdx]
// If this is the first time iterating and we're not starting in the middle
// of the range, then start at rangeStart, which is inclusive
if i.cur == nil {
i.cur = i.start
return i.cur
i.cur = r.RangeStart
i.startIP = i.cur
if i.cur.Equal(r.Gateway) {
return i.Next()
}
return &net.IPNet{IP: i.cur, Mask: r.Subnet.Mask}, r.Gateway
}
// we returned .high last time, since we're inclusive
if i.cur.Equal(i.high) {
i.cur = i.low
// If we've reached the end of this range, we need to advance the range
// RangeEnd is inclusive as well
if i.cur.Equal(r.RangeEnd) {
i.rangeIdx += 1
i.rangeIdx %= len(*i.rangeset)
r = (*i.rangeset)[i.rangeIdx]
i.cur = r.RangeStart
} else {
i.cur = ip.NextIP(i.cur)
}
// If we've looped back to where we started, exit
if i.cur.Equal(i.start) {
return nil
if i.startIP == nil {
i.startIP = i.cur
} else if i.rangeIdx == i.startRange && i.cur.Equal(i.startIP) {
// IF we've looped back to where we started, give up
return nil, nil
}
return i.cur
if i.cur.Equal(r.Gateway) {
return i.Next()
}
return &net.IPNet{IP: i.cur, Mask: r.Subnet.Mask}, r.Gateway
}

217
plugins/ipam/host-local/backend/allocator/allocator_test.go
View File

@ -21,31 +21,29 @@ import (
"github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"
fakestore "github.com/containernetworking/plugins/plugins/ipam/host-local/backend/testing"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
type AllocatorTestCase struct {
subnet string
subnets []string
ipmap map[string]string
expectResult string
lastIP string
}
func mkalloc() IPAllocator {
ipnet, _ := types.ParseCIDR("192.168.1.0/24")
r := Range{
Subnet: types.IPNet(*ipnet),
p := RangeSet{
Range{Subnet: mustSubnet("192.168.1.0/29")},
}
r.Canonicalize()
p.Canonicalize()
store := fakestore.NewFakeStore(map[string]string{}, map[string]net.IP{})
alloc := IPAllocator{
netName: "netname",
ipRange: r,
store: store,
rangeID: "rangeid",
rangeset: &p,
store: store,
rangeID: "rangeid",
}
return alloc
@ -53,24 +51,23 @@ func mkalloc() IPAllocator {
func (t AllocatorTestCase) run(idx int) (*current.IPConfig, error) {
fmt.Fprintln(GinkgoWriter, "Index:", idx)
subnet, err := types.ParseCIDR(t.subnet)
if err != nil {
return nil, err
p := RangeSet{}
for _, s := range t.subnets {
subnet, err := types.ParseCIDR(s)
if err != nil {
return nil, err
}
p = append(p, Range{Subnet: types.IPNet(*subnet)})
}
conf := Range{
Subnet: types.IPNet(*subnet),
}
Expect(conf.Canonicalize()).To(BeNil())
Expect(p.Canonicalize()).To(BeNil())
store := fakestore.NewFakeStore(t.ipmap, map[string]net.IP{"rangeid": net.ParseIP(t.lastIP)})
alloc := IPAllocator{
"netname",
conf,
store,
"rangeid",
rangeset: &p,
store: store,
rangeID: "rangeid",
}
return alloc.Get("ID", nil)
@ -79,50 +76,40 @@ func (t AllocatorTestCase) run(idx int) (*current.IPConfig, error) {
var _ = Describe("host-local ip allocator", func() {
Context("RangeIter", func() {
It("should loop correctly from the beginning", func() {
r := RangeIter{
start: net.IP{10, 0, 0, 0},
low: net.IP{10, 0, 0, 0},
high: net.IP{10, 0, 0, 5},
}
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 0}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 1}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 2}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 3}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 4}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 5}))
Expect(r.Next()).To(BeNil())
a := mkalloc()
r, _ := a.GetIter()
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 2}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 3}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 4}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 5}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 6}))
Expect(r.nextip()).To(BeNil())
})
It("should loop correctly from the end", func() {
r := RangeIter{
start: net.IP{10, 0, 0, 5},
low: net.IP{10, 0, 0, 0},
high: net.IP{10, 0, 0, 5},
}
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 5}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 0}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 1}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 2}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 3}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 4}))
Expect(r.Next()).To(BeNil())
a := mkalloc()
a.store.Reserve("ID", net.IP{192, 168, 1, 6}, a.rangeID)
a.store.ReleaseByID("ID")
r, _ := a.GetIter()
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 2}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 3}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 4}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 5}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 6}))
Expect(r.nextip()).To(BeNil())
})
It("should loop correctly from the middle", func() {
r := RangeIter{
start: net.IP{10, 0, 0, 3},
low: net.IP{10, 0, 0, 0},
high: net.IP{10, 0, 0, 5},
}
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 3}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 4}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 5}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 0}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 1}))
Expect(r.Next()).To(Equal(net.IP{10, 0, 0, 2}))
Expect(r.Next()).To(BeNil())
a := mkalloc()
a.store.Reserve("ID", net.IP{192, 168, 1, 3}, a.rangeID)
a.store.ReleaseByID("ID")
r, _ := a.GetIter()
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 4}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 5}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 6}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 2}))
Expect(r.nextip()).To(Equal(net.IP{192, 168, 1, 3}))
Expect(r.nextip()).To(BeNil())
})
})
Context("when has free ip", func() {
@ -130,25 +117,25 @@ var _ = Describe("host-local ip allocator", func() {
testCases := []AllocatorTestCase{
// fresh start
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{},
expectResult: "10.0.0.2",
lastIP: "",
},
{
subnet: "2001:db8:1::0/64",
subnets: []string{"2001:db8:1::0/64"},
ipmap: map[string]string{},
expectResult: "2001:db8:1::2",
lastIP: "",
},
{
subnet: "10.0.0.0/30",
subnets: []string{"10.0.0.0/30"},
ipmap: map[string]string{},
expectResult: "10.0.0.2",
lastIP: "",
},
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{
"10.0.0.2": "id",
},
@ -157,13 +144,13 @@ var _ = Describe("host-local ip allocator", func() {
},
// next ip of last reserved ip
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{},
expectResult: "10.0.0.6",
lastIP: "10.0.0.5",
},
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{
"10.0.0.4": "id",
"10.0.0.5": "id",
@ -173,7 +160,7 @@ var _ = Describe("host-local ip allocator", func() {
},
// round robin to the beginning
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{
"10.0.0.6": "id",
},
@ -182,16 +169,17 @@ var _ = Describe("host-local ip allocator", func() {
},
// lastIP is out of range
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{
"10.0.0.2": "id",
},
expectResult: "10.0.0.3",
lastIP: "10.0.0.128",
},
// subnet is completely full except for lastip
// wrap around and reserve lastIP
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{
"10.0.0.2": "id",
"10.0.0.4": "id",
@ -201,6 +189,26 @@ var _ = Describe("host-local ip allocator", func() {
expectResult: "10.0.0.3",
lastIP: "10.0.0.3",
},
// alocate from multiple subnets
{
subnets: []string{"10.0.0.0/30", "10.0.1.0/30"},
expectResult: "10.0.0.2",
ipmap: map[string]string{},
},
// advance to next subnet
{
subnets: []string{"10.0.0.0/30", "10.0.1.0/30"},
lastIP: "10.0.0.2",
expectResult: "10.0.1.2",
ipmap: map[string]string{},
},
// Roll to start subnet
{
subnets: []string{"10.0.0.0/30", "10.0.1.0/30", "10.0.2.0/30"},
lastIP: "10.0.2.2",
expectResult: "10.0.0.2",
ipmap: map[string]string{},
},
}
for idx, tc := range testCases {
@ -212,10 +220,10 @@ var _ = Describe("host-local ip allocator", func() {
It("should not allocate the broadcast address", func() {
alloc := mkalloc()
for i := 2; i < 255; i++ {
for i := 2; i < 7; i++ {
res, err := alloc.Get("ID", nil)
Expect(err).ToNot(HaveOccurred())
s := fmt.Sprintf("192.168.1.%d/24", i)
s := fmt.Sprintf("192.168.1.%d/29", i)
Expect(s).To(Equal(res.Address.String()))
fmt.Fprintln(GinkgoWriter, "got ip", res.Address.String())
}
@ -229,44 +237,17 @@ var _ = Describe("host-local ip allocator", func() {
alloc := mkalloc()
res, err := alloc.Get("ID", nil)
Expect(err).ToNot(HaveOccurred())
Expect(res.Address.String()).To(Equal("192.168.1.2/24"))
Expect(res.Address.String()).To(Equal("192.168.1.2/29"))
err = alloc.Release("ID")
Expect(err).ToNot(HaveOccurred())
res, err = alloc.Get("ID", nil)
Expect(err).ToNot(HaveOccurred())
Expect(res.Address.String()).To(Equal("192.168.1.3/24"))
Expect(res.Address.String()).To(Equal("192.168.1.3/29"))
})
It("should allocate RangeStart first", func() {
alloc := mkalloc()
alloc.ipRange.RangeStart = net.IP{192, 168, 1, 10}
res, err := alloc.Get("ID", nil)
Expect(err).ToNot(HaveOccurred())
Expect(res.Address.String()).To(Equal("192.168.1.10/24"))
res, err = alloc.Get("ID", nil)
Expect(err).ToNot(HaveOccurred())
Expect(res.Address.String()).To(Equal("192.168.1.11/24"))
})
It("should allocate RangeEnd but not past RangeEnd", func() {
alloc := mkalloc()
alloc.ipRange.RangeEnd = net.IP{192, 168, 1, 5}
for i := 1; i < 5; i++ {
res, err := alloc.Get("ID", nil)
Expect(err).ToNot(HaveOccurred())
// i+1 because the gateway address is skipped
Expect(res.Address.String()).To(Equal(fmt.Sprintf("192.168.1.%d/24", i+1)))
}
_, err := alloc.Get("ID", nil)
Expect(err).To(HaveOccurred())
})
Context("when requesting a specific IP", func() {
It("must allocate the requested IP", func() {
alloc := mkalloc()
@ -284,21 +265,21 @@ var _ = Describe("host-local ip allocator", func() {
Expect(res.Address.IP.String()).To(Equal(requestedIP.String()))
_, err = alloc.Get("ID", requestedIP)
Expect(err).To(MatchError(`requested IP address "192.168.1.5" is not available in network: netname 192.168.1.0/24`))
Expect(err).To(MatchError(`requested IP address 192.168.1.5 is not available in range set 192.168.1.1-192.168.1.6`))
})
It("must return an error when the requested IP is after RangeEnd", func() {
alloc := mkalloc()
alloc.ipRange.RangeEnd = net.IP{192, 168, 1, 5}
requestedIP := net.IP{192, 168, 1, 6}
(*alloc.rangeset)[0].RangeEnd = net.IP{192, 168, 1, 4}
requestedIP := net.IP{192, 168, 1, 5}
_, err := alloc.Get("ID", requestedIP)
Expect(err).To(HaveOccurred())
})
It("must return an error when the requested IP is before RangeStart", func() {
alloc := mkalloc()
alloc.ipRange.RangeStart = net.IP{192, 168, 1, 6}
requestedIP := net.IP{192, 168, 1, 5}
(*alloc.rangeset)[0].RangeStart = net.IP{192, 168, 1, 3}
requestedIP := net.IP{192, 168, 1, 2}
_, err := alloc.Get("ID", requestedIP)
Expect(err).To(HaveOccurred())
})
@ -309,28 +290,44 @@ var _ = Describe("host-local ip allocator", func() {
It("returns a meaningful error", func() {
testCases := []AllocatorTestCase{
{
subnet: "10.0.0.0/30",
subnets: []string{"10.0.0.0/30"},
ipmap: map[string]string{
"10.0.0.2": "id",
"10.0.0.3": "id",
},
},
{
subnet: "10.0.0.0/29",
subnets: []string{"10.0.0.0/29"},
ipmap: map[string]string{
"10.0.0.2": "id",
"10.0.0.3": "id",
"10.0.0.4": "id",
"10.0.0.5": "id",
"10.0.0.6": "id",
"10.0.0.7": "id",
},
},
{
subnets: []string{"10.0.0.0/30", "10.0.1.0/30"},
ipmap: map[string]string{
"10.0.0.2": "id",
"10.0.1.2": "id",
},
},
}
for idx, tc := range testCases {
_, err := tc.run(idx)
Expect(err).To(MatchError("no IP addresses available in network: netname " + tc.subnet))
Expect(err).NotTo(BeNil())
Expect(err.Error()).To(HavePrefix("no IP addresses available in range set"))
}
})
})
})
// nextip is a convenience function used for testing
func (i *RangeIter) nextip() net.IP {
c, _ := i.Next()
if c == nil {
return nil
}
return c.IP
}

50
plugins/ipam/host-local/backend/allocator/config.go
View File

@ -23,6 +23,20 @@ import (
types020 "github.com/containernetworking/cni/pkg/types/020"
)
// The top-level network config - IPAM plugins are passed the full configuration
// of the calling plugin, not just the IPAM section.
type Net struct {
Name string `json:"name"`
CNIVersion string `json:"cniVersion"`
IPAM *IPAMConfig `json:"ipam"`
RuntimeConfig struct { // The capability arg
IPRanges []RangeSet `json:"ipRanges,omitempty"`
} `json:"runtimeConfig,omitempty"`
Args *struct {
A *IPAMArgs `json:"cni"`
} `json:"args"`
}
// IPAMConfig represents the IP related network configuration.
// This nests Range because we initially only supported a single
// range directly, and wish to preserve backwards compatability
@ -33,7 +47,7 @@ type IPAMConfig struct {
Routes []*types.Route `json:"routes"`
DataDir string `json:"dataDir"`
ResolvConf string `json:"resolvConf"`
Ranges []Range `json:"ranges"`
Ranges []RangeSet `json:"ranges"`
IPArgs []net.IP `json:"-"` // Requested IPs from CNI_ARGS and args
}
@ -46,15 +60,7 @@ type IPAMArgs struct {
IPs []net.IP `json:"ips"`
}
// The top-level network config, just so we can get the IPAM block
type Net struct {
Name string `json:"name"`
CNIVersion string `json:"cniVersion"`
IPAM *IPAMConfig `json:"ipam"`
Args *struct {
A *IPAMArgs `json:"cni"`
} `json:"args"`
}
type RangeSet []Range
type Range struct {
RangeStart net.IP `json:"rangeStart,omitempty"` // The first ip, inclusive
@ -97,13 +103,18 @@ func LoadIPAMConfig(bytes []byte, envArgs string) (*IPAMConfig, string, error) {
}
}
// If a single range (old-style config) is specified, move it to
// If a single range (old-style config) is specified, prepend it to
// the Ranges array
if n.IPAM.Range != nil && n.IPAM.Range.Subnet.IP != nil {
n.IPAM.Ranges = append([]Range{*n.IPAM.Range}, n.IPAM.Ranges...)
n.IPAM.Ranges = append([]RangeSet{{*n.IPAM.Range}}, n.IPAM.Ranges...)
}
n.IPAM.Range = nil
// If a range is supplied as a runtime config, prepend it to the Ranges
if len(n.RuntimeConfig.IPRanges) > 0 {
n.IPAM.Ranges = append(n.RuntimeConfig.IPRanges, n.IPAM.Ranges...)
}
if len(n.IPAM.Ranges) == 0 {
return nil, "", fmt.Errorf("no IP ranges specified")
}
@ -113,9 +124,10 @@ func LoadIPAMConfig(bytes []byte, envArgs string) (*IPAMConfig, string, error) {
numV6 := 0
for i, _ := range n.IPAM.Ranges {
if err := n.IPAM.Ranges[i].Canonicalize(); err != nil {
return nil, "", fmt.Errorf("Cannot understand range %d: %v", i, err)
return nil, "", fmt.Errorf("invalid range set %d: %s", i, err)
}
if len(n.IPAM.Ranges[i].RangeStart) == 4 {
if n.IPAM.Ranges[i][0].RangeStart.To4() != nil {
numV4++
} else {
numV6++
@ -126,17 +138,17 @@ func LoadIPAMConfig(bytes []byte, envArgs string) (*IPAMConfig, string, error) {
if numV4 > 1 || numV6 > 1 {
for _, v := range types020.SupportedVersions {
if n.CNIVersion == v {
return nil, "", fmt.Errorf("CNI version %v does not support more than 1 range per address family", n.CNIVersion)
return nil, "", fmt.Errorf("CNI version %v does not support more than 1 address per family", n.CNIVersion)
}
}
}
// Check for overlaps
l := len(n.IPAM.Ranges)
for i, r1 := range n.IPAM.Ranges[:l-1] {
for j, r2 := range n.IPAM.Ranges[i+1:] {
if r1.Overlaps(&r2) {
return nil, "", fmt.Errorf("Range %d overlaps with range %d", i, (i + j + 1))
for i, p1 := range n.IPAM.Ranges[:l-1] {
for j, p2 := range n.IPAM.Ranges[i+1:] {
if p1.Overlaps(&p2) {
return nil, "", fmt.Errorf("range set %d overlaps with %d", i, (i + j + 1))
}
}
}

453
plugins/ipam/host-local/backend/allocator/config_test.go
View File

@ -44,43 +44,122 @@ var _ = Describe("IPAM config", func() {
Expect(conf).To(Equal(&IPAMConfig{
Name: "mynet",
Type: "host-local",
Ranges: []Range{
{
RangeStart: net.IP{10, 1, 2, 9},
RangeEnd: net.IP{10, 1, 2, 20},
Gateway: net.IP{10, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{10, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
Ranges: []RangeSet{
RangeSet{
{
RangeStart: net.IP{10, 1, 2, 9},
RangeEnd: net.IP{10, 1, 2, 20},
Gateway: net.IP{10, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{10, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
},
}))
})
It("Should parse a new-style config", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
[
{
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30"
},
{
"subnet": "10.1.4.0/24"
}
],
[{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
}]
]
}
}`
conf, version, err := LoadIPAMConfig([]byte(input), "")
Expect(err).NotTo(HaveOccurred())
Expect(version).Should(Equal("0.3.1"))
Expect(conf).To(Equal(&IPAMConfig{
Name: "mynet",
Type: "host-local",
Ranges: []RangeSet{
{
{
RangeStart: net.IP{10, 1, 2, 9},
RangeEnd: net.IP{10, 1, 2, 20},
Gateway: net.IP{10, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{10, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
},
},
{
RangeStart: net.IP{10, 1, 4, 1},
RangeEnd: net.IP{10, 1, 4, 254},
Gateway: net.IP{10, 1, 4, 1},
Subnet: types.IPNet{
IP: net.IP{10, 1, 4, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
{
{
RangeStart: net.IP{11, 1, 2, 9},
RangeEnd: net.IP{11, 1, 2, 20},
Gateway: net.IP{11, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{11, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
},
}))
})
It("Should parse a mixed config with runtime args", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"runtimeConfig": {
"irrelevant": "a",
"ipRanges": [
[{ "subnet": "12.1.3.0/24" }]
]
},
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30"
},
{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
"gateway": "10.1.2.30",
"ranges": [[
{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
}
]]
}
]
}
}`
}`
conf, version, err := LoadIPAMConfig([]byte(input), "")
Expect(err).NotTo(HaveOccurred())
Expect(version).Should(Equal("0.3.1"))
@ -88,75 +167,38 @@ var _ = Describe("IPAM config", func() {
Expect(conf).To(Equal(&IPAMConfig{
Name: "mynet",
Type: "host-local",
Ranges: []Range{
{
RangeStart: net.IP{10, 1, 2, 9},
RangeEnd: net.IP{10, 1, 2, 20},
Gateway: net.IP{10, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{10, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
Ranges: []RangeSet{
{ // The RuntimeConfig should always be first
{
RangeStart: net.IP{12, 1, 3, 1},
RangeEnd: net.IP{12, 1, 3, 254},
Gateway: net.IP{12, 1, 3, 1},
Subnet: types.IPNet{
IP: net.IP{12, 1, 3, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
{
RangeStart: net.IP{11, 1, 2, 9},
RangeEnd: net.IP{11, 1, 2, 20},
Gateway: net.IP{11, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{11, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
}))
})
It("Should parse a mixed config", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30",
"ranges": [
{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
}
]
}
}`
conf, version, err := LoadIPAMConfig([]byte(input), "")
Expect(err).NotTo(HaveOccurred())
Expect(version).Should(Equal("0.3.1"))
Expect(conf).To(Equal(&IPAMConfig{
Name: "mynet",
Type: "host-local",
Ranges: []Range{
{
RangeStart: net.IP{10, 1, 2, 9},
RangeEnd: net.IP{10, 1, 2, 20},
Gateway: net.IP{10, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{10, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
{
RangeStart: net.IP{10, 1, 2, 9},
RangeEnd: net.IP{10, 1, 2, 20},
Gateway: net.IP{10, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{10, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
{
RangeStart: net.IP{11, 1, 2, 9},
RangeEnd: net.IP{11, 1, 2, 20},
Gateway: net.IP{11, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{11, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
{
RangeStart: net.IP{11, 1, 2, 9},
RangeEnd: net.IP{11, 1, 2, 20},
Gateway: net.IP{11, 1, 2, 30},
Subnet: types.IPNet{
IP: net.IP{11, 1, 2, 0},
Mask: net.CIDRMask(24, 32),
},
},
},
},
@ -165,28 +207,22 @@ var _ = Describe("IPAM config", func() {
It("Should parse CNI_ARGS env", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
{
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30"
},
{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [[
{
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30"
}
]]
}
]
}
}`
}`
envArgs := "IP=10.1.2.10"
@ -195,38 +231,39 @@ var _ = Describe("IPAM config", func() {
Expect(conf.IPArgs).To(Equal([]net.IP{{10, 1, 2, 10}}))
})
It("Should parse config args", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"args": {
"cni": {
"ips": [ "10.1.2.11", "11.11.11.11", "2001:db8:1::11"]
}
},
"ipam": {
"type": "host-local",
"ranges": [
{
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30"
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"args": {
"cni": {
"ips": [ "10.1.2.11", "11.11.11.11", "2001:db8:1::11"]
}
},
{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
},
{
"subnet": "2001:db8:1::/64"
"ipam": {
"type": "host-local",
"ranges": [
[{
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.9",
"rangeEnd": "10.1.2.20",
"gateway": "10.1.2.30"
}],
[{
"subnet": "11.1.2.0/24",
"rangeStart": "11.1.2.9",
"rangeEnd": "11.1.2.20",
"gateway": "11.1.2.30"
}],
[{
"subnet": "2001:db8:1::/64"
}]
]
}
]
}
}`
}`
envArgs := "IP=10.1.2.10"
@ -239,70 +276,106 @@ var _ = Describe("IPAM config", func() {
net.ParseIP("2001:db8:1::11"),
}))
})
It("Should detect overlap", func() {
It("Should detect overlap between rangesets", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
{
"subnet": "10.1.2.0/24",
"rangeEnd": "10.1.2.128"
},
{
"subnet": "10.1.2.0/24",
"rangeStart": "10.1.2.15"
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
[
{"subnet": "10.1.2.0/24"},
{"subnet": "10.2.2.0/24"}
],
[
{ "subnet": "10.1.4.0/24"},
{ "subnet": "10.1.6.0/24"},
{ "subnet": "10.1.8.0/24"},
{ "subnet": "10.1.2.0/24"}
]
]
}
]
}
}`
}`
_, _, err := LoadIPAMConfig([]byte(input), "")
Expect(err).To(MatchError("Range 0 overlaps with range 1"))
Expect(err).To(MatchError("range set 0 overlaps with 1"))
})
It("Should detect overlap within rangeset", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
[
{ "subnet": "10.1.0.0/22" },
{ "subnet": "10.1.2.0/24" }
]
]
}
}`
_, _, err := LoadIPAMConfig([]byte(input), "")
Expect(err).To(MatchError("invalid range set 0: subnets 10.1.0.1-10.1.3.254 and 10.1.2.1-10.1.2.254 overlap"))
})
It("should error on rangesets with different families", func() {
input := `{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
[
{ "subnet": "10.1.0.0/22" },
{ "subnet": "2001:db8:5::/64" }
]
]
}
}`
_, _, err := LoadIPAMConfig([]byte(input), "")
Expect(err).To(MatchError("invalid range set 0: mixed address families"))
})
It("Should should error on too many ranges", func() {
input := `{
"cniVersion": "0.2.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
{
"subnet": "10.1.2.0/24"
},
{
"subnet": "11.1.2.0/24"
}
]
}
}`
"cniVersion": "0.2.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
[{"subnet": "10.1.2.0/24"}],
[{"subnet": "11.1.2.0/24"}]
]
}
}`
_, _, err := LoadIPAMConfig([]byte(input), "")
Expect(err).To(MatchError("CNI version 0.2.0 does not support more than 1 range per address family"))
Expect(err).To(MatchError("CNI version 0.2.0 does not support more than 1 address per family"))
})
It("Should allow one v4 and v6 range for 0.2.0", func() {
input := `{
"cniVersion": "0.2.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
{
"subnet": "10.1.2.0/24"
},
{
"subnet": "2001:db8:1::/24"
}
]
}
}`
"cniVersion": "0.2.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"ranges": [
[{"subnet": "10.1.2.0/24"}],
[{"subnet": "2001:db8:1::/24"}]
]
}
}`
_, _, err := LoadIPAMConfig([]byte(input), "")
Expect(err).NotTo(HaveOccurred())
})

41
plugins/ipam/host-local/backend/allocator/range.go
View File

@ -61,8 +61,8 @@ func (r *Range) Canonicalize() error {
return err
}
if err := r.IPInRange(r.RangeStart); err != nil {
return err
if !r.Contains(r.RangeStart) {
return fmt.Errorf("RangeStart %s not in network %s", r.RangeStart.String(), (*net.IPNet)(&r.Subnet).String())
}
} else {
r.RangeStart = ip.NextIP(r.Subnet.IP)
@ -75,8 +75,8 @@ func (r *Range) Canonicalize() error {
return err
}
if err := r.IPInRange(r.RangeEnd); err != nil {
return err
if !r.Contains(r.RangeEnd) {
return fmt.Errorf("RangeEnd %s not in network %s", r.RangeEnd.String(), (*net.IPNet)(&r.Subnet).String())
}
} else {
r.RangeEnd = lastIP(r.Subnet)
@ -86,38 +86,39 @@ func (r *Range) Canonicalize() error {
}
// IsValidIP checks if a given ip is a valid, allocatable address in a given Range
func (r *Range) IPInRange(addr net.IP) error {
func (r *Range) Contains(addr net.IP) bool {
if err := canonicalizeIP(&addr); err != nil {
return err
return false
}
subnet := (net.IPNet)(r.Subnet)
// Not the same address family
if len(addr) != len(r.Subnet.IP) {
return fmt.Errorf("IP %s is not the same protocol as subnet %s",
addr, subnet.String())
return false
}
// Not in network
if !subnet.Contains(addr) {
return fmt.Errorf("%s not in network %s", addr, subnet.String())
return false
}
// We ignore nils here so we can use this function as we initialize the range.
if r.RangeStart != nil {
// Before the range start
if ip.Cmp(addr, r.RangeStart) < 0 {
return fmt.Errorf("%s is in network %s but before start %s",
addr, (*net.IPNet)(&r.Subnet).String(), r.RangeStart)
return false
}
}
if r.RangeEnd != nil {
if ip.Cmp(addr, r.RangeEnd) > 0 {
return fmt.Errorf("%s is in network %s but after end %s",
addr, (*net.IPNet)(&r.Subnet).String(), r.RangeEnd)
// After the range end
return false
}
}
return nil
return true
}
// Overlaps returns true if there is any overlap between ranges
@ -127,10 +128,14 @@ func (r *Range) Overlaps(r1 *Range) bool {
return false
}
return r.IPInRange(r1.RangeStart) == nil ||
r.IPInRange(r1.RangeEnd) == nil ||
r1.IPInRange(r.RangeStart) == nil ||
r1.IPInRange(r.RangeEnd) == nil
return r.Contains(r1.RangeStart) ||
r.Contains(r1.RangeEnd) ||
r1.Contains(r.RangeStart) ||
r1.Contains(r.RangeEnd)
}
func (r *Range) String() string {
return fmt.Sprintf("%s-%s", r.RangeStart.String(), r.RangeEnd.String())
}
// canonicalizeIP makes sure a provided ip is in standard form

97
plugins/ipam/host-local/backend/allocator/range_set.go Normal file
View File

@ -0,0 +1,97 @@
// Copyright 2017 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package allocator
import (
"fmt"
"net"
"strings"
)
// Contains returns true if any range in this set contains an IP
func (s *RangeSet) Contains(addr net.IP) bool {
r, _ := s.RangeFor(addr)
return r != nil
}
// RangeFor finds the range that contains an IP, or nil if not found
func (s *RangeSet) RangeFor(addr net.IP) (*Range, error) {
if err := canonicalizeIP(&addr); err != nil {
return nil, err
}
for _, r := range *s {
if r.Contains(addr) {
return &r, nil
}
}
return nil, fmt.Errorf("%s not in range set %s", addr.String(), s.String())
}
// Overlaps returns true if any ranges in any set overlap with this one
func (s *RangeSet) Overlaps(p1 *RangeSet) bool {
for _, r := range *s {
for _, r1 := range *p1 {
if r.Overlaps(&r1) {
return true
}
}
}
return false
}
// Canonicalize ensures the RangeSet is in a standard form, and detects any
// invalid input. Call Range.Canonicalize() on every Range in the set
func (s *RangeSet) Canonicalize() error {
if len(*s) == 0 {
return fmt.Errorf("empty range set")
}
fam := 0
for i, _ := range *s {
if err := (*s)[i].Canonicalize(); err != nil {
return err
}
if i == 0 {
fam = len((*s)[i].RangeStart)
} else {
if fam != len((*s)[i].RangeStart) {
return fmt.Errorf("mixed address families")
}
}
}
// Make sure none of the ranges in the set overlap
l := len(*s)
for i, r1 := range (*s)[:l-1] {
for _, r2 := range (*s)[i+1:] {
if r1.Overlaps(&r2) {
return fmt.Errorf("subnets %s and %s overlap", r1.String(), r2.String())
}
}
}
return nil
}
func (s *RangeSet) String() string {
out := []string{}
for _, r := range *s {
out = append(out, r.String())
}
return strings.Join(out, ",")
}

70
plugins/ipam/host-local/backend/allocator/range_set_test.go Normal file
View File

@ -0,0 +1,70 @@
// Copyright 2017 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package allocator
import (
"net"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("range sets", func() {
It("should detect set membership correctly", func() {
p := RangeSet{
Range{Subnet: mustSubnet("192.168.0.0/24")},
Range{Subnet: mustSubnet("172.16.1.0/24")},
}
err := p.Canonicalize()
Expect(err).NotTo(HaveOccurred())
Expect(p.Contains(net.IP{192, 168, 0, 55})).To(BeTrue())
r, err := p.RangeFor(net.IP{192, 168, 0, 55})
Expect(err).NotTo(HaveOccurred())
Expect(r).To(Equal(&p[0]))
r, err = p.RangeFor(net.IP{192, 168, 99, 99})
Expect(r).To(BeNil())
Expect(err).To(MatchError("192.168.99.99 not in range set 192.168.0.1-192.168.0.254,172.16.1.1-172.16.1.254"))
})
It("should discover overlaps within a set", func() {
p := RangeSet{
{Subnet: mustSubnet("192.168.0.0/20")},
{Subnet: mustSubnet("192.168.2.0/24")},
}
err := p.Canonicalize()
Expect(err).To(MatchError("subnets 192.168.0.1-192.168.15.254 and 192.168.2.1-192.168.2.254 overlap"))
})
It("should discover overlaps outside a set", func() {
p1 := RangeSet{
{Subnet: mustSubnet("192.168.0.0/20")},
}
p2 := RangeSet{
{Subnet: mustSubnet("192.168.2.0/24")},
}
p1.Canonicalize()
p2.Canonicalize()
Expect(p1.Overlaps(&p2)).To(BeTrue())
Expect(p2.Overlaps(&p1)).To(BeTrue())
})
})

32
plugins/ipam/host-local/backend/allocator/range_test.go
View File

@ -77,11 +77,11 @@ var _ = Describe("IP ranges", func() {
It("should reject invalid RangeStart and RangeEnd specifications", func() {
r := Range{Subnet: mustSubnet("192.0.2.0/24"), RangeStart: net.ParseIP("192.0.3.0")}
err := r.Canonicalize()
Expect(err).Should(MatchError("192.0.3.0 not in network 192.0.2.0/24"))
Expect(err).Should(MatchError("RangeStart 192.0.3.0 not in network 192.0.2.0/24"))
r = Range{Subnet: mustSubnet("192.0.2.0/24"), RangeEnd: net.ParseIP("192.0.4.0")}
err = r.Canonicalize()
Expect(err).Should(MatchError("192.0.4.0 not in network 192.0.2.0/24"))
Expect(err).Should(MatchError("RangeEnd 192.0.4.0 not in network 192.0.2.0/24"))
r = Range{
Subnet: mustSubnet("192.0.2.0/24"),
@ -89,7 +89,7 @@ var _ = Describe("IP ranges", func() {
RangeEnd: net.ParseIP("192.0.2.40"),
}
err = r.Canonicalize()
Expect(err).Should(MatchError("192.0.2.50 is in network 192.0.2.0/24 but after end 192.0.2.40"))
Expect(err).Should(MatchError("RangeStart 192.0.2.50 not in network 192.0.2.0/24"))
})
It("should reject invalid gateways", func() {
@ -126,15 +126,12 @@ var _ = Describe("IP ranges", func() {
err := r.Canonicalize()
Expect(err).NotTo(HaveOccurred())
Expect(r.IPInRange(net.ParseIP("192.0.3.0"))).Should(MatchError(
"192.0.3.0 not in network 192.0.2.0/24"))
Expect(r.Contains(net.ParseIP("192.0.3.0"))).Should(BeFalse())
Expect(r.IPInRange(net.ParseIP("192.0.2.39"))).Should(MatchError(
"192.0.2.39 is in network 192.0.2.0/24 but before start 192.0.2.40"))
Expect(r.IPInRange(net.ParseIP("192.0.2.40"))).Should(BeNil())
Expect(r.IPInRange(net.ParseIP("192.0.2.50"))).Should(BeNil())
Expect(r.IPInRange(net.ParseIP("192.0.2.51"))).Should(MatchError(
"192.0.2.51 is in network 192.0.2.0/24 but after end 192.0.2.50"))
Expect(r.Contains(net.ParseIP("192.0.2.39"))).Should(BeFalse())
Expect(r.Contains(net.ParseIP("192.0.2.40"))).Should(BeTrue())
Expect(r.Contains(net.ParseIP("192.0.2.50"))).Should(BeTrue())
Expect(r.Contains(net.ParseIP("192.0.2.51"))).Should(BeFalse())
})
It("should accept v6 IPs in range and reject IPs out of range", func() {
@ -145,15 +142,12 @@ var _ = Describe("IP ranges", func() {
}
err := r.Canonicalize()
Expect(err).NotTo(HaveOccurred())
Expect(r.IPInRange(net.ParseIP("2001:db8:2::"))).Should(MatchError(
"2001:db8:2:: not in network 2001:db8:1::/64"))
Expect(r.Contains(net.ParseIP("2001:db8:2::"))).Should(BeFalse())
Expect(r.IPInRange(net.ParseIP("2001:db8:1::39"))).Should(MatchError(
"2001:db8:1::39 is in network 2001:db8:1::/64 but before start 2001:db8:1::40"))
Expect(r.IPInRange(net.ParseIP("2001:db8:1::40"))).Should(BeNil())
Expect(r.IPInRange(net.ParseIP("2001:db8:1::50"))).Should(BeNil())
Expect(r.IPInRange(net.ParseIP("2001:db8:1::51"))).Should(MatchError(
"2001:db8:1::51 is in network 2001:db8:1::/64 but after end 2001:db8:1::50"))
Expect(r.Contains(net.ParseIP("2001:db8:1::39"))).Should(BeFalse())
Expect(r.Contains(net.ParseIP("2001:db8:1::40"))).Should(BeTrue())
Expect(r.Contains(net.ParseIP("2001:db8:1::50"))).Should(BeTrue())
Expect(r.Contains(net.ParseIP("2001:db8:1::51"))).Should(BeFalse())
})
DescribeTable("Detecting overlap",

21
plugins/ipam/host-local/backend/disk/backend.go
View File

@ -22,6 +22,7 @@ import (
"strings"
"github.com/containernetworking/plugins/plugins/ipam/host-local/backend"
"runtime"
)
const lastIPFilePrefix = "last_reserved_ip."
@ -31,7 +32,7 @@ var defaultDataDir = "/var/lib/cni/networks"
// Store is a simple disk-backed store that creates one file per IP
// address in a given directory. The contents of the file are the container ID.
type Store struct {
FileLock
*FileLock
dataDir string
}
@ -51,11 +52,12 @@ func New(network, dataDir string) (*Store, error) {
if err != nil {
return nil, err
}
return &Store{*lk, dir}, nil
return &Store{lk, dir}, nil
}
func (s *Store) Reserve(id string, ip net.IP, rangeID string) (bool, error) {
fname := filepath.Join(s.dataDir, ip.String())
fname := GetEscapedPath(s.dataDir, ip.String())
f, err := os.OpenFile(fname, os.O_RDWR|os.O_EXCL|os.O_CREATE, 0644)
if os.IsExist(err) {
return false, nil
@ -73,7 +75,7 @@ func (s *Store) Reserve(id string, ip net.IP, rangeID string) (bool, error) {
return false, err
}
// store the reserved ip in lastIPFile
ipfile := filepath.Join(s.dataDir, lastIPFilePrefix+rangeID)
ipfile := GetEscapedPath(s.dataDir, lastIPFilePrefix+rangeID)
err = ioutil.WriteFile(ipfile, []byte(ip.String()), 0644)
if err != nil {
return false, err
@ -83,7 +85,7 @@ func (s *Store) Reserve(id string, ip net.IP, rangeID string) (bool, error) {
// LastReservedIP returns the last reserved IP if exists
func (s *Store) LastReservedIP(rangeID string) (net.IP, error) {
ipfile := filepath.Join(s.dataDir, lastIPFilePrefix+rangeID)
ipfile := GetEscapedPath(s.dataDir, lastIPFilePrefix+rangeID)
data, err := ioutil.ReadFile(ipfile)
if err != nil {
return nil, err
@ -92,7 +94,7 @@ func (s *Store) LastReservedIP(rangeID string) (net.IP, error) {
}
func (s *Store) Release(ip net.IP) error {
return os.Remove(filepath.Join(s.dataDir, ip.String()))
return os.Remove(GetEscapedPath(s.dataDir, ip.String()))
}
// N.B. This function eats errors to be tolerant and
@ -115,3 +117,10 @@ func (s *Store) ReleaseByID(id string) error {
})
return err
}
func GetEscapedPath(dataDir string, fname string) string {
if runtime.GOOS == "windows" {
fname = strings.Replace(fname, ":", "_", -1)
}
return filepath.Join(dataDir, fname)
}

23
pkg/ip/route_unspecified.go → plugins/ipam/host-local/backend/disk/disk_suite_test.go
View File

@ -1,4 +1,4 @@
// Copyright 2015-2017 CNI authors
// Copyright 2016 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@ -12,23 +12,16 @@
// See the License for the specific language governing permissions and
// limitations under the License.
// +build !linux
package ip
package disk
import (
"net"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/containernetworking/cni/pkg/types"
"github.com/vishvananda/netlink"
"testing"
)
// AddRoute adds a universally-scoped route to a device.
func AddRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
return types.NotImplementedError
}
// AddHostRoute adds a host-scoped route to a device.
func AddHostRoute(ipn *net.IPNet, gw net.IP, dev netlink.Link) error {
return types.NotImplementedError
func TestLock(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "Disk Suite")
}

23
plugins/ipam/host-local/backend/disk/lock.go
View File

@ -15,18 +15,28 @@
package disk
import (
"github.com/alexflint/go-filemutex"
"os"
"syscall"
"path"
)
// FileLock wraps os.File to be used as a lock using flock
type FileLock struct {
f *os.File
f *filemutex.FileMutex
}
// NewFileLock opens file/dir at path and returns unlocked FileLock object
func NewFileLock(path string) (*FileLock, error) {
f, err := os.Open(path)
func NewFileLock(lockPath string) (*FileLock, error) {
fi, err := os.Stat(lockPath)
if err != nil {
return nil, err
}
if fi.IsDir() {
lockPath = path.Join(lockPath, "lock")
}
f, err := filemutex.New(lockPath)
if err != nil {
return nil, err
}
@ -34,17 +44,16 @@ func NewFileLock(path string) (*FileLock, error) {
return &FileLock{f}, nil
}
// Close closes underlying file
func (l *FileLock) Close() error {
return l.f.Close()
}
// Lock acquires an exclusive lock
func (l *FileLock) Lock() error {
return syscall.Flock(int(l.f.Fd()), syscall.LOCK_EX)
return l.f.Lock()
}
// Unlock releases the lock
func (l *FileLock) Unlock() error {
return syscall.Flock(int(l.f.Fd()), syscall.LOCK_UN)
return l.f.Unlock()
}

63
plugins/ipam/host-local/backend/disk/lock_test.go Normal file
View File

@ -0,0 +1,63 @@
// Copyright 2016 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package disk
import (
"io/ioutil"
"os"
"path/filepath"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("Lock Operations", func() {
It("locks a file path", func() {
dir, err := ioutil.TempDir("", "")
Expect(err).ToNot(HaveOccurred())
defer os.RemoveAll(dir)
// create a dummy file to lock
path := filepath.Join(dir, "x")
f, err := os.OpenFile(path, os.O_RDONLY|os.O_CREATE, 0666)
Expect(err).ToNot(HaveOccurred())
err = f.Close()
Expect(err).ToNot(HaveOccurred())
// now use it to lock
m, err := NewFileLock(path)
Expect(err).ToNot(HaveOccurred())
err = m.Lock()
Expect(err).ToNot(HaveOccurred())
err = m.Unlock()
Expect(err).ToNot(HaveOccurred())
})
It("locks a folder path", func() {
dir, err := ioutil.TempDir("", "")
Expect(err).ToNot(HaveOccurred())
defer os.RemoveAll(dir)
// use the folder to lock
m, err := NewFileLock(dir)
Expect(err).ToNot(HaveOccurred())
err = m.Lock()
Expect(err).ToNot(HaveOccurred())
err = m.Unlock()
Expect(err).ToNot(HaveOccurred())
})
})

300
plugins/ipam/host-local/host_local_test.go
View File

@ -28,6 +28,7 @@ import (
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/testutils"
"github.com/containernetworking/plugins/plugins/ipam/host-local/backend/disk"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
@ -37,7 +38,7 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
@ -45,26 +46,26 @@ var _ = Describe("host-local Operations", func() {
Expect(err).NotTo(HaveOccurred())
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"resolvConf": "%s/resolv.conf",
"ranges": [
{ "subnet": "10.1.2.0/24" },
{ "subnet": "2001:db8:1::0/64" }
],
"routes": [
{"dst": "0.0.0.0/0"},
{"dst": "::/0"},
{"dst": "192.168.0.0/16", "gw": "1.1.1.1"},
{"dst": "2001:db8:2::0/64", "gw": "2001:db8:3::1"}
]
}
}`, tmpDir, tmpDir)
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"resolvConf": "%s/resolv.conf",
"ranges": [
[{ "subnet": "10.1.2.0/24" }, {"subnet": "10.2.2.0/24"}],
[{ "subnet": "2001:db8:1::0/64" }]
],
"routes": [
{"dst": "0.0.0.0/0"},
{"dst": "::/0"},
{"dst": "192.168.0.0/16", "gw": "1.1.1.1"},
{"dst": "2001:db8:2::0/64", "gw": "2001:db8:3::1"}
]
}
}`, tmpDir, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -112,17 +113,17 @@ var _ = Describe("host-local Operations", func() {
Expect(err).NotTo(HaveOccurred())
Expect(string(contents)).To(Equal("dummy"))
ipFilePath2 := filepath.Join(tmpDir, "mynet", "2001:db8:1::2")
ipFilePath2 := filepath.Join(tmpDir, disk.GetEscapedPath("mynet", "2001:db8:1::2"))
contents, err = ioutil.ReadFile(ipFilePath2)
Expect(err).NotTo(HaveOccurred())
Expect(string(contents)).To(Equal("dummy"))
lastFilePath1 := filepath.Join(tmpDir, "mynet", "last_reserved_ip.CgECAQ==")
lastFilePath1 := filepath.Join(tmpDir, "mynet", "last_reserved_ip.0")
contents, err = ioutil.ReadFile(lastFilePath1)
Expect(err).NotTo(HaveOccurred())
Expect(string(contents)).To(Equal("10.1.2.2"))
lastFilePath2 := filepath.Join(tmpDir, "mynet", "last_reserved_ip.IAENuAABAAAAAAAAAAAAAQ==")
lastFilePath2 := filepath.Join(tmpDir, "mynet", "last_reserved_ip.1")
contents, err = ioutil.ReadFile(lastFilePath2)
Expect(err).NotTo(HaveOccurred())
Expect(string(contents)).To(Equal("2001:db8:1::2"))
@ -142,21 +143,21 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
conf := fmt.Sprintf(`{
"cniVersion": "0.3.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s"
}
}`, tmpDir)
"cniVersion": "0.3.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s"
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -176,7 +177,7 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
@ -184,17 +185,17 @@ var _ = Describe("host-local Operations", func() {
Expect(err).NotTo(HaveOccurred())
conf := fmt.Sprintf(`{
"cniVersion": "0.1.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s",
"resolvConf": "%s/resolv.conf"
}
}`, tmpDir, tmpDir)
"cniVersion": "0.1.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s",
"resolvConf": "%s/resolv.conf"
}
}`, tmpDir, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -224,7 +225,7 @@ var _ = Describe("host-local Operations", func() {
Expect(err).NotTo(HaveOccurred())
Expect(string(contents)).To(Equal("dummy"))
lastFilePath := filepath.Join(tmpDir, "mynet", "last_reserved_ip.CgECAQ==")
lastFilePath := filepath.Join(tmpDir, "mynet", "last_reserved_ip.0")
contents, err = ioutil.ReadFile(lastFilePath)
Expect(err).NotTo(HaveOccurred())
Expect(string(contents)).To(Equal("10.1.2.2"))
@ -245,21 +246,21 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s"
}
}`, tmpDir)
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s"
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: " dummy\n ",
@ -296,21 +297,21 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
conf := fmt.Sprintf(`{
"cniVersion": "0.2.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s"
}
}`, tmpDir)
"cniVersion": "0.2.0",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"subnet": "10.1.2.0/24",
"dataDir": "%s"
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: "testing",
@ -331,28 +332,28 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
{ "subnet": "10.1.2.0/24" }
]
},
"args": {
"cni": {
"ips": ["10.1.2.88"]
}
}
}`, tmpDir)
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
[{ "subnet": "10.1.2.0/24" }]
]
},
"args": {
"cni": {
"ips": ["10.1.2.88"]
}
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -376,7 +377,7 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
@ -384,24 +385,24 @@ var _ = Describe("host-local Operations", func() {
Expect(err).NotTo(HaveOccurred())
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
{ "subnet": "10.1.2.0/24" },
{ "subnet": "10.1.3.0/24" }
]
},
"args": {
"cni": {
"ips": ["10.1.2.88", "10.1.3.77"]
}
}
}`, tmpDir)
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
[{ "subnet": "10.1.2.0/24" }],
[{ "subnet": "10.1.3.0/24" }]
]
},
"args": {
"cni": {
"ips": ["10.1.2.88", "10.1.3.77"]
}
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -426,7 +427,7 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
@ -434,24 +435,24 @@ var _ = Describe("host-local Operations", func() {
Expect(err).NotTo(HaveOccurred())
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
{ "subnet": "10.1.2.0/24" },
{ "subnet": "2001:db8:1::/24" }
]
},
"args": {
"cni": {
"ips": ["10.1.2.88", "2001:db8:1::999"]
}
}
}`, tmpDir)
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
[{"subnet":"172.16.1.0/24"}, { "subnet": "10.1.2.0/24" }],
[{ "subnet": "2001:db8:1::/24" }]
]
},
"args": {
"cni": {
"ips": ["10.1.2.88", "2001:db8:1::999"]
}
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -476,29 +477,29 @@ var _ = Describe("host-local Operations", func() {
const ifname string = "eth0"
const nspath string = "/some/where"
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
tmpDir, err := getTmpDir()
Expect(err).NotTo(HaveOccurred())
defer os.RemoveAll(tmpDir)
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
{ "subnet": "10.1.2.0/24" },
{ "subnet": "10.1.3.0/24" }
]
},
"args": {
"cni": {
"ips": ["10.1.2.88", "10.1.2.77"]
}
}
}`, tmpDir)
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"master": "foo0",
"ipam": {
"type": "host-local",
"dataDir": "%s",
"ranges": [
[{ "subnet": "10.1.2.0/24" }],
[{ "subnet": "10.1.3.0/24" }]
]
},
"args": {
"cni": {
"ips": ["10.1.2.88", "10.1.2.77"]
}
}
}`, tmpDir)
args := &skel.CmdArgs{
ContainerID: "dummy",
@ -517,6 +518,15 @@ var _ = Describe("host-local Operations", func() {
})
})
func getTmpDir() (string, error) {
tmpDir, err := ioutil.TempDir("", "host_local_artifacts")
if err == nil {
tmpDir = filepath.ToSlash(tmpDir)
}
return tmpDir, err
}
func mustCIDR(s string) net.IPNet {
ip, n, err := net.ParseCIDR(s)
n.IP = ip

10
plugins/ipam/host-local/main.go
View File

@ -66,13 +66,13 @@ func cmdAdd(args *skel.CmdArgs) error {
requestedIPs[ip.String()] = ip
}
for idx, ipRange := range ipamConf.Ranges {
allocator := allocator.NewIPAllocator(ipamConf.Name, ipRange, store)
for idx, rangeset := range ipamConf.Ranges {
allocator := allocator.NewIPAllocator(&rangeset, store, idx)
// Check to see if there are any custom IPs requested in this range.
var requestedIP net.IP
for k, ip := range requestedIPs {
if ipRange.IPInRange(ip) == nil {
if rangeset.Contains(ip) {
requestedIP = ip
delete(requestedIPs, k)
break
@ -124,8 +124,8 @@ func cmdDel(args *skel.CmdArgs) error {
// Loop through all ranges, releasing all IPs, even if an error occurs
var errors []string
for _, ipRange := range ipamConf.Ranges {
ipAllocator := allocator.NewIPAllocator(ipamConf.Name, ipRange, store)
for idx, rangeset := range ipamConf.Ranges {
ipAllocator := allocator.NewIPAllocator(&rangeset, store, idx)
err := ipAllocator.Release(args.ContainerID)
if err != nil {

10
plugins/linux_only.txt Normal file
View File

@ -0,0 +1,10 @@
plugins/ipam/dhcp
plugins/main/bridge
plugins/main/host-device
plugins/main/ipvlan
plugins/main/loopback
plugins/main/macvlan
plugins/main/ptp
plugins/main/vlan
plugins/meta/portmap
plugins/meta/tuning

71
plugins/main/bridge/bridge.go
View File

@ -32,6 +32,7 @@ import (
"github.com/containernetworking/plugins/pkg/ipam"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/utils"
"github.com/j-keck/arping"
"github.com/vishvananda/netlink"
)
@ -172,6 +173,13 @@ func ensureBridgeAddr(br *netlink.Bridge, family int, ipn *net.IPNet, forceAddre
if err := netlink.AddrAdd(br, addr); err != nil {
return fmt.Errorf("could not add IP address to %q: %v", br.Name, err)
}
// Set the bridge's MAC to itself. Otherwise, the bridge will take the
// lowest-numbered mac on the bridge, and will change as ifs churn
if err := netlink.LinkSetHardwareAddr(br, br.HardwareAddr); err != nil {
return fmt.Errorf("could not set bridge's mac: %v", err)
}
return nil
}
@ -294,8 +302,15 @@ func setupBridge(n *NetConf) (*netlink.Bridge, *current.Interface, error) {
}
// disableIPV6DAD disables IPv6 Duplicate Address Detection (DAD)
// for an interface.
// for an interface, if the interface does not support enhanced_dad.
// We do this because interfaces with hairpin mode will see their own DAD packets
func disableIPV6DAD(ifName string) error {
// ehanced_dad sends a nonce with the DAD packets, so that we can safely
// ignore ourselves
enh, err := ioutil.ReadFile(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/enhanced_dad", ifName))
if err == nil && string(enh) == "1\n" {
return nil
}
f := fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_dad", ifName)
return ioutil.WriteFile(f, []byte("0"), 0644)
}
@ -363,32 +378,34 @@ func cmdAdd(args *skel.CmdArgs) error {
// Configure the container hardware address and IP address(es)
if err := netns.Do(func(_ ns.NetNS) error {
// Disable IPv6 DAD just in case hairpin mode is enabled on the
// bridge. Hairpin mode causes echos of neighbor solicitation
// packets, which causes DAD failures.
// TODO: (short term) Disable DAD conditional on actual hairpin mode
// TODO: (long term) Use enhanced DAD when that becomes available in kernels.
if err := disableIPV6DAD(args.IfName); err != nil {
contVeth, err := net.InterfaceByName(args.IfName)
if err != nil {
return err
}
// Disable IPv6 DAD just in case hairpin mode is enabled on the
// bridge. Hairpin mode causes echos of neighbor solicitation
// packets, which causes DAD failures.
for _, ipc := range result.IPs {
if ipc.Version == "6" && (n.HairpinMode || n.PromiscMode) {
if err := disableIPV6DAD(args.IfName); err != nil {
return err
}
break
}
}
// Add the IP to the interface
if err := ipam.ConfigureIface(args.IfName, result); err != nil {
return err
}
if result.IPs[0].Address.IP.To4() != nil {
if err := ip.SetHWAddrByIP(args.IfName, result.IPs[0].Address.IP, nil /* TODO IPv6 */); err != nil {
return err
// Send a gratuitous arp
for _, ipc := range result.IPs {
if ipc.Version == "4" {
_ = arping.GratuitousArpOverIface(ipc.Address.IP, *contVeth)
}
}
// Refetch the veth since its MAC address may changed
link, err := netlink.LinkByName(args.IfName)
if err != nil {
return fmt.Errorf("could not lookup %q: %v", args.IfName, err)
}
containerInterface.Mac = link.Attrs().HardwareAddr.String()
return nil
}); err != nil {
return err
@ -415,12 +432,6 @@ func cmdAdd(args *skel.CmdArgs) error {
}
}
}
if firstV4Addr != nil {
if err := ip.SetHWAddrByIP(n.BrName, firstV4Addr, nil /* TODO IPv6 */); err != nil {
return err
}
}
}
if n.IPMasq {
@ -463,10 +474,10 @@ func cmdDel(args *skel.CmdArgs) error {
// There is a netns so try to clean up. Delete can be called multiple times
// so don't return an error if the device is already removed.
// If the device isn't there then don't try to clean up IP masq either.
var ipn *net.IPNet
var ipnets []*net.IPNet
err = ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
var err error
ipn, err = ip.DelLinkByNameAddr(args.IfName, netlink.FAMILY_ALL)
ipnets, err = ip.DelLinkByNameAddr(args.IfName)
if err != nil && err == ip.ErrLinkNotFound {
return nil
}
@ -477,10 +488,14 @@ func cmdDel(args *skel.CmdArgs) error {
return err
}
if ipn != nil && n.IPMasq {
if n.IPMasq {
chain := utils.FormatChainName(n.Name, args.ContainerID)
comment := utils.FormatComment(n.Name, args.ContainerID)
err = ip.TeardownIPMasq(ipn, chain, comment)
for _, ipn := range ipnets {
if err := ip.TeardownIPMasq(ipn, chain, comment); err != nil {
return err
}
}
}
return err

64
plugins/main/bridge/bridge_test.go
View File

@ -25,7 +25,6 @@ import (
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/testutils"
"github.com/containernetworking/plugins/pkg/utils/hwaddr"
"github.com/vishvananda/netlink"
@ -94,14 +93,14 @@ const (
rangesStartStr = `,
"ranges": [`
rangeSubnetConfStr = `
{
[{
"subnet": "%s"
}`
}]`
rangeSubnetGWConfStr = `
{
[{
"subnet": "%s",
"gateway": "%s"
}`
}]`
rangesEndStr = `
]`
@ -258,7 +257,14 @@ func (tester *testerV03x) cmdAddTest(tc testCase) {
Expect(len(result.Interfaces)).To(Equal(3))
Expect(result.Interfaces[0].Name).To(Equal(BRNAME))
Expect(result.Interfaces[0].Mac).To(HaveLen(17))
Expect(result.Interfaces[1].Name).To(HavePrefix("veth"))
Expect(result.Interfaces[1].Mac).To(HaveLen(17))
Expect(result.Interfaces[2].Name).To(Equal(IFNAME))
Expect(result.Interfaces[2].Mac).To(HaveLen(17)) //mac is random
Expect(result.Interfaces[2].Sandbox).To(Equal(tester.targetNS.Path()))
// Make sure bridge link exists
link, err := netlink.LinkByName(result.Interfaces[0].Name)
@ -266,6 +272,7 @@ func (tester *testerV03x) cmdAddTest(tc testCase) {
Expect(link.Attrs().Name).To(Equal(BRNAME))
Expect(link).To(BeAssignableToTypeOf(&netlink.Bridge{}))
Expect(link.Attrs().HardwareAddr.String()).To(Equal(result.Interfaces[0].Mac))
bridgeMAC := link.Attrs().HardwareAddr.String()
// Ensure bridge has expected gateway address(es)
addrs, err := netlink.AddrList(link, netlink.FAMILY_ALL)
@ -274,10 +281,6 @@ func (tester *testerV03x) cmdAddTest(tc testCase) {
for _, cidr := range tc.expGWCIDRs {
ip, subnet, err := net.ParseCIDR(cidr)
Expect(err).NotTo(HaveOccurred())
if ip.To4() != nil {
hwAddr := fmt.Sprintf("%s", link.Attrs().HardwareAddr)
Expect(hwAddr).To(HavePrefix(hwaddr.PrivateMACPrefixString))
}
found := false
subnetPrefix, subnetBits := subnet.Mask.Size()
@ -300,6 +303,12 @@ func (tester *testerV03x) cmdAddTest(tc testCase) {
Expect(err).NotTo(HaveOccurred())
Expect(link).To(BeAssignableToTypeOf(&netlink.Veth{}))
tester.vethName = result.Interfaces[1].Name
// Check that the bridge has a different mac from the veth
// If not, it means the bridge has an unstable mac and will change
// as ifs are added and removed
Expect(link.Attrs().HardwareAddr.String()).NotTo(Equal(bridgeMAC))
return nil
})
Expect(err).NotTo(HaveOccurred())
@ -314,14 +323,11 @@ func (tester *testerV03x) cmdAddTest(tc testCase) {
Expect(link).To(BeAssignableToTypeOf(&netlink.Veth{}))
expCIDRsV4, expCIDRsV6 := tc.expectedCIDRs()
if expCIDRsV4 != nil {
hwAddr := fmt.Sprintf("%s", link.Attrs().HardwareAddr)
Expect(hwAddr).To(HavePrefix(hwaddr.PrivateMACPrefixString))
}
addrs, err := netlink.AddrList(link, netlink.FAMILY_V4)
Expect(err).NotTo(HaveOccurred())
Expect(len(addrs)).To(Equal(len(expCIDRsV4)))
addrs, err = netlink.AddrList(link, netlink.FAMILY_V6)
Expect(len(addrs)).To(Equal(len(expCIDRsV6) + 1)) //add one for the link-local
Expect(err).NotTo(HaveOccurred())
// Ignore link local address which may or may not be
// ready when we read addresses.
@ -442,10 +448,6 @@ func (tester *testerV01xOr02x) cmdAddTest(tc testCase) {
for _, cidr := range tc.expGWCIDRs {
ip, subnet, err := net.ParseCIDR(cidr)
Expect(err).NotTo(HaveOccurred())
if ip.To4() != nil {
hwAddr := fmt.Sprintf("%s", link.Attrs().HardwareAddr)
Expect(hwAddr).To(HavePrefix(hwaddr.PrivateMACPrefixString))
}
found := false
subnetPrefix, subnetBits := subnet.Mask.Size()
@ -479,10 +481,6 @@ func (tester *testerV01xOr02x) cmdAddTest(tc testCase) {
Expect(link).To(BeAssignableToTypeOf(&netlink.Veth{}))
expCIDRsV4, expCIDRsV6 := tc.expectedCIDRs()
if expCIDRsV4 != nil {
hwAddr := fmt.Sprintf("%s", link.Attrs().HardwareAddr)
Expect(hwAddr).To(HavePrefix(hwaddr.PrivateMACPrefixString))
}
addrs, err := netlink.AddrList(link, netlink.FAMILY_V4)
Expect(err).NotTo(HaveOccurred())
Expect(len(addrs)).To(Equal(len(expCIDRsV4)))
@ -892,4 +890,28 @@ var _ = Describe("bridge Operations", func() {
})
Expect(err).NotTo(HaveOccurred())
})
It("creates a bridge with a stable MAC addresses", func() {
testCases := []testCase{
{
subnet: "10.1.2.0/24",
},
{
subnet: "2001:db8:42::/64",
},
}
for _, tc := range testCases {
tc.cniVersion = "0.3.1"
_, _, err := setupBridge(tc.netConf())
link, err := netlink.LinkByName(BRNAME)
Expect(err).NotTo(HaveOccurred())
origMac := link.Attrs().HardwareAddr
cmdAddDelTest(originalNS, tc)
link, err = netlink.LinkByName(BRNAME)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().HardwareAddr).To(Equal(origMac))
}
})
})

21
plugins/main/host-device/README.md Normal file
View File

@ -0,0 +1,21 @@
# host-device
Move an already-existing device in to a container.
This simple plugin will move the requested device from the host's network namespace
to the container's. Nothing else will be done - no IPAM, no addresses.
The device can be specified with any one of three properties:
* `device`: The device name, e.g. `eth0`, `can0`
* `hwaddr`: A MAC address
* `kernelpath`: The kernel device kobj, e.g. `/sys/devices/pci0000:00/0000:00:1f.6`
For this plugin, `CNI_IFNAME` will be ignored. Upon DEL, the device will be moved back.
A sample configuration might look like:
```json
{
"cniVersion": "0.3.1",
"device": "enp0s1"
}
```

216
plugins/main/host-device/host-device.go Normal file
View File

@ -0,0 +1,216 @@
// Copyright 2015 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"bytes"
"encoding/json"
"fmt"
"io/ioutil"
"net"
"path/filepath"
"runtime"
"strings"
"github.com/containernetworking/cni/pkg/skel"
"github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/cni/pkg/version"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/vishvananda/netlink"
)
type NetConf struct {
types.NetConf
Device string `json:"device"` // Device-Name, something like eth0 or can0 etc.
HWAddr string `json:"hwaddr"` // MAC Address of target network interface
KernelPath string `json:"kernelpath"` // Kernelpath of the device
}
func init() {
// this ensures that main runs only on main thread (thread group leader).
// since namespace ops (unshare, setns) are done for a single thread, we
// must ensure that the goroutine does not jump from OS thread to thread
runtime.LockOSThread()
}
func loadConf(bytes []byte) (*NetConf, error) {
n := &NetConf{}
if err := json.Unmarshal(bytes, n); err != nil {
return nil, fmt.Errorf("failed to load netconf: %v", err)
}
if n.Device == "" && n.HWAddr == "" && n.KernelPath == "" {
return nil, fmt.Errorf(`specify either "device", "hwaddr" or "kernelpath"`)
}
return n, nil
}
func cmdAdd(args *skel.CmdArgs) error {
cfg, err := loadConf(args.StdinData)
if err != nil {
return err
}
containerNs, err := ns.GetNS(args.Netns)
if err != nil {
return fmt.Errorf("failed to open netns %q: %v", args.Netns, err)
}
defer containerNs.Close()
hostDev, err := getLink(cfg.Device, cfg.HWAddr, cfg.KernelPath)
if err != nil {
return fmt.Errorf("failed to find host device: %v", err)
}
contDev, err := moveLinkIn(hostDev, containerNs, args.IfName)
if err != nil {
return fmt.Errorf("failed to move link %v", err)
}
return printLink(contDev, cfg.CNIVersion, containerNs)
}
func cmdDel(args *skel.CmdArgs) error {
_, err := loadConf(args.StdinData)
if err != nil {
return err
}
containerNs, err := ns.GetNS(args.Netns)
if err != nil {
return fmt.Errorf("failed to open netns %q: %v", args.Netns, err)
}
defer containerNs.Close()
if err := moveLinkOut(containerNs, args.IfName); err != nil {
return err
}
return nil
}
func moveLinkIn(hostDev netlink.Link, containerNs ns.NetNS, ifName string) (netlink.Link, error) {
if err := netlink.LinkSetNsFd(hostDev, int(containerNs.Fd())); err != nil {
return nil, err
}
var contDev netlink.Link
if err := containerNs.Do(func(_ ns.NetNS) error {
var err error
contDev, err = netlink.LinkByName(hostDev.Attrs().Name)
if err != nil {
return fmt.Errorf("failed to find %q: %v", hostDev.Attrs().Name, err)
}
// Save host device name into the container device's alias property
if err := netlink.LinkSetAlias(contDev, hostDev.Attrs().Name); err != nil {
return fmt.Errorf("failed to set alias to %q: %v", hostDev.Attrs().Name, err)
}
// Rename container device to respect args.IfName
if err := netlink.LinkSetName(contDev, ifName); err != nil {
return fmt.Errorf("failed to rename device %q to %q: %v", hostDev.Attrs().Name, ifName, err)
}
// Retrieve link again to get up-to-date name and attributes
contDev, err = netlink.LinkByName(ifName)
if err != nil {
return fmt.Errorf("failed to find %q: %v", ifName, err)
}
return nil
}); err != nil {
return nil, err
}
return contDev, nil
}
func moveLinkOut(containerNs ns.NetNS, ifName string) error {
defaultNs, err := ns.GetCurrentNS()
if err != nil {
return err
}
defer defaultNs.Close()
return containerNs.Do(func(_ ns.NetNS) error {
dev, err := netlink.LinkByName(ifName)
if err != nil {
return fmt.Errorf("failed to find %q: %v", ifName, err)
}
// Rename device to it's original name
if err := netlink.LinkSetName(dev, dev.Attrs().Alias); err != nil {
return fmt.Errorf("failed to restore %q to original name %q: %v", ifName, dev.Attrs().Alias, err)
}
if err := netlink.LinkSetNsFd(dev, int(defaultNs.Fd())); err != nil {
return fmt.Errorf("failed to move %q to host netns: %v", dev.Attrs().Alias, err)
}
return nil
})
}
func printLink(dev netlink.Link, cniVersion string, containerNs ns.NetNS) error {
result := current.Result{
CNIVersion: current.ImplementedSpecVersion,
Interfaces: []*current.Interface{
{
Name: dev.Attrs().Name,
Mac: dev.Attrs().HardwareAddr.String(),
Sandbox: containerNs.Path(),
},
},
}
return types.PrintResult(&result, cniVersion)
}
func getLink(devname, hwaddr, kernelpath string) (netlink.Link, error) {
links, err := netlink.LinkList()
if err != nil {
return nil, fmt.Errorf("failed to list node links: %v", err)
}
if len(devname) > 0 {
return netlink.LinkByName(devname)
} else if len(hwaddr) > 0 {
hwAddr, err := net.ParseMAC(hwaddr)
if err != nil {
return nil, fmt.Errorf("failed to parse MAC address %q: %v", hwaddr, err)
}
for _, link := range links {
if bytes.Equal(link.Attrs().HardwareAddr, hwAddr) {
return link, nil
}
}
} else if len(kernelpath) > 0 {
if !filepath.IsAbs(kernelpath) || !strings.HasPrefix(kernelpath, "/sys/devices/") {
return nil, fmt.Errorf("kernel device path %q must be absolute and begin with /sys/devices/", kernelpath)
}
netDir := filepath.Join(kernelpath, "net")
files, err := ioutil.ReadDir(netDir)
if err != nil {
return nil, fmt.Errorf("failed to find network devices at %q", netDir)
}
// Grab the first device from eg /sys/devices/pci0000:00/0000:00:19.0/net
for _, file := range files {
// Make sure it's really an interface
for _, l := range links {
if file.Name() == l.Attrs().Name {
return l, nil
}
}
}
}
return nil, fmt.Errorf("failed to find physical interface")
}
func main() {
skel.PluginMain(cmdAdd, cmdDel, version.All)
}

29
pkg/ns/ns_unspecified.go → plugins/main/host-device/host-device_suite_test.go
View File

@ -1,4 +1,4 @@
// Copyright 2015-2017 CNI authors
// Copyright 2016 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
@ -12,25 +12,16 @@
// See the License for the specific language governing permissions and
// limitations under the License.
// +build !linux
package main
package ns
import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
import "github.com/containernetworking/cni/pkg/types"
"testing"
)
// Returns an object representing the current OS thread's network namespace
func GetCurrentNS() (NetNS, error) {
return nil, types.NotImplementedError
}
func NewNS() (NetNS, error) {
return nil, types.NotImplementedError
}
func (ns *netNS) Close() error {
return types.NotImplementedError
}
func (ns *netNS) Set() error {
return types.NotImplementedError
func TestVlan(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "host-device Suite")
}

155
plugins/main/host-device/host-device_test.go Normal file
View File

@ -0,0 +1,155 @@
// Copyright 2017 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"fmt"
"math/rand"
"github.com/containernetworking/cni/pkg/skel"
"github.com/containernetworking/cni/pkg/types"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/testutils"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/vishvananda/netlink"
)
var _ = Describe("base functionality", func() {
var originalNS ns.NetNS
var ifname string
BeforeEach(func() {
var err error
originalNS, err = ns.NewNS()
Expect(err).NotTo(HaveOccurred())
ifname = fmt.Sprintf("dummy-%x", rand.Int31())
})
AfterEach(func() {
originalNS.Close()
})
It("Works with a valid config", func() {
var origLink netlink.Link
// prepare ifname in original namespace
err := originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err := netlink.LinkAdd(&netlink.Dummy{
LinkAttrs: netlink.LinkAttrs{
Name: ifname,
},
})
Expect(err).NotTo(HaveOccurred())
origLink, err = netlink.LinkByName(ifname)
Expect(err).NotTo(HaveOccurred())
err = netlink.LinkSetUp(origLink)
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
// call CmdAdd
targetNS, err := ns.NewNS()
Expect(err).NotTo(HaveOccurred())
CNI_IFNAME := "eth0"
conf := fmt.Sprintf(`{
"cniVersion": "0.3.0",
"name": "cni-plugin-host-device-test",
"type": "host-device",
"device": %q
}`, ifname)
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNS.Path(),
IfName: CNI_IFNAME,
StdinData: []byte(conf),
}
var resI types.Result
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
var err error
resI, _, err = testutils.CmdAddWithResult(targetNS.Path(), CNI_IFNAME, []byte(conf), func() error { return cmdAdd(args) })
return err
})
Expect(err).NotTo(HaveOccurred())
// check that the result was sane
res, err := current.NewResultFromResult(resI)
Expect(err).NotTo(HaveOccurred())
Expect(res.Interfaces).To(Equal([]*current.Interface{
{
Name: CNI_IFNAME,
Mac: origLink.Attrs().HardwareAddr.String(),
Sandbox: targetNS.Path(),
},
}))
// assert that dummy0 is now in the target namespace
err = targetNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(CNI_IFNAME)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().HardwareAddr).To(Equal(origLink.Attrs().HardwareAddr))
return nil
})
Expect(err).NotTo(HaveOccurred())
// assert that dummy0 is now NOT in the original namespace anymore
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
_, err := netlink.LinkByName(ifname)
Expect(err).To(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
// Check that deleting the device moves it back and restores the name
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err = testutils.CmdDelWithResult(targetNS.Path(), CNI_IFNAME, func() error { return cmdDel(args) })
Expect(err).NotTo(HaveOccurred())
_, err := netlink.LinkByName(ifname)
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
})
It("fails an invalid config", func() {
conf := `{
"cniVersion": "0.3.0",
"name": "cni-plugin-host-device-test",
"type": "host-device"
}`
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: originalNS.Path(),
IfName: ifname,
StdinData: []byte(conf),
}
_, _, err := testutils.CmdAddWithResult(originalNS.Path(), ifname, []byte(conf), func() error { return cmdAdd(args) })
Expect(err).To(MatchError(`specify either "device", "hwaddr" or "kernelpath"`))
})
})

11
plugins/main/ipvlan/README.md
View File

@ -27,10 +27,10 @@ Because all ipvlan interfaces share the MAC address with the host interface, DHC
* `name` (string, required): the name of the network.
* `type` (string, required): "ipvlan".
* `master` (string, required): name of the host interface to enslave.
* `mode` (string, optional): one of "l2", "l3". Defaults to "l2".
* `master` (string, required unless chained): name of the host interface to enslave.
* `mode` (string, optional): one of "l2", "l3", "l3s". Defaults to "l2".
* `mtu` (integer, optional): explicitly set MTU to the specified value. Defaults to the value chosen by the kernel.
* `ipam` (dictionary, required): IPAM configuration to be used for this network.
* `ipam` (dictionary, required unless chained): IPAM configuration to be used for this network.
## Notes
@ -38,3 +38,8 @@ Because all ipvlan interfaces share the MAC address with the host interface, DHC
Therefore the container will not be able to reach the host via `ipvlan` interface.
Be sure to also have container join a network that provides connectivity to the host (e.g. `ptp`).
* A single master interface can not be enslaved by both `macvlan` and `ipvlan`.
* For IP allocation schemes that cannot be interface agnostic, the ipvlan plugin
can be chained with an earlier plugin that handles this logic. If `master` is
omitted, then the previous Result must contain a single interface name for the
ipvlan plugin to enslave. If `ipam` is omitted, then the previous Result is used
to configure the ipvlan interface.

73
plugins/main/ipvlan/ipvlan.go
View File

@ -32,6 +32,12 @@ import (
type NetConf struct {
types.NetConf
// support chaining for master interface and IP decisions
// occurring prior to running ipvlan plugin
RawPrevResult *map[string]interface{} `json:"prevResult"`
PrevResult *current.Result `json:"-"`
Master string `json:"master"`
Mode string `json:"mode"`
MTU int `json:"mtu"`
@ -49,8 +55,31 @@ func loadConf(bytes []byte) (*NetConf, string, error) {
if err := json.Unmarshal(bytes, n); err != nil {
return nil, "", fmt.Errorf("failed to load netconf: %v", err)
}
// Parse previous result
if n.RawPrevResult != nil {
resultBytes, err := json.Marshal(n.RawPrevResult)
if err != nil {
return nil, "", fmt.Errorf("could not serialize prevResult: %v", err)
}
res, err := version.NewResult(n.CNIVersion, resultBytes)
if err != nil {
return nil, "", fmt.Errorf("could not parse prevResult: %v", err)
}
n.RawPrevResult = nil
n.PrevResult, err = current.NewResultFromResult(res)
if err != nil {
return nil, "", fmt.Errorf("could not convert result to current version: %v", err)
}
}
if n.Master == "" {
return nil, "", fmt.Errorf(`"master" field is required. It specifies the host interface name to virtualize`)
if n.PrevResult == nil {
return nil, "", fmt.Errorf(`"master" field is required. It specifies the host interface name to virtualize`)
}
if len(n.PrevResult.Interfaces) == 1 && n.PrevResult.Interfaces[0].Name != "" {
n.Master = n.PrevResult.Interfaces[0].Name
} else {
return nil, "", fmt.Errorf("chained master failure. PrevResult lacks a single named interface")
}
}
return n, n.CNIVersion, nil
}
@ -143,19 +172,26 @@ func cmdAdd(args *skel.CmdArgs) error {
return err
}
// run the IPAM plugin and get back the config to apply
r, err := ipam.ExecAdd(n.IPAM.Type, args.StdinData)
if err != nil {
return err
}
// Convert whatever the IPAM result was into the current Result type
result, err := current.NewResultFromResult(r)
if err != nil {
return err
}
var result *current.Result
// Configure iface from PrevResult if we have IPs and an IPAM
// block has not been configured
if n.IPAM.Type == "" && n.PrevResult != nil && len(n.PrevResult.IPs) > 0 {
result = n.PrevResult
} else {
// run the IPAM plugin and get back the config to apply
r, err := ipam.ExecAdd(n.IPAM.Type, args.StdinData)
if err != nil {
return err
}
// Convert whatever the IPAM result was into the current Result type
result, err = current.NewResultFromResult(r)
if err != nil {
return err
}
if len(result.IPs) == 0 {
return errors.New("IPAM plugin returned missing IP config")
if len(result.IPs) == 0 {
return errors.New("IPAM plugin returned missing IP config")
}
}
for _, ipc := range result.IPs {
// All addresses belong to the ipvlan interface
@ -182,9 +218,12 @@ func cmdDel(args *skel.CmdArgs) error {
return err
}
err = ipam.ExecDel(n.IPAM.Type, args.StdinData)
if err != nil {
return err
// On chained invocation, IPAM block can be empty
if n.IPAM.Type != "" {
err = ipam.ExecDel(n.IPAM.Type, args.StdinData)
if err != nil {
return err
}
}
if args.Netns == "" {
@ -194,7 +233,7 @@ func cmdDel(args *skel.CmdArgs) error {
// There is a netns so try to clean up. Delete can be called multiple times
// so don't return an error if the device is already removed.
err = ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
if _, err := ip.DelLinkByNameAddr(args.IfName, netlink.FAMILY_V4); err != nil {
if err := ip.DelLinkByName(args.IfName); err != nil {
if err != ip.ErrLinkNotFound {
return err
}

166
plugins/main/ipvlan/ipvlan_test.go
View File

@ -33,6 +33,79 @@ import (
const MASTER_NAME = "eth0"
func ipvlanAddDelTest(conf, IFNAME string, originalNS ns.NetNS) {
targetNs, err := ns.NewNS()
Expect(err).NotTo(HaveOccurred())
defer targetNs.Close()
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
IfName: IFNAME,
StdinData: []byte(conf),
}
var result *current.Result
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
r, _, err := testutils.CmdAddWithResult(targetNs.Path(), IFNAME, []byte(conf), func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
result, err = current.GetResult(r)
Expect(err).NotTo(HaveOccurred())
Expect(len(result.Interfaces)).To(Equal(1))
Expect(result.Interfaces[0].Name).To(Equal(IFNAME))
Expect(len(result.IPs)).To(Equal(1))
return nil
})
Expect(err).NotTo(HaveOccurred())
// Make sure ipvlan link exists in the target namespace
err = targetNs.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(IFNAME)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().Name).To(Equal(IFNAME))
hwaddr, err := net.ParseMAC(result.Interfaces[0].Mac)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().HardwareAddr).To(Equal(hwaddr))
addrs, err := netlink.AddrList(link, syscall.AF_INET)
Expect(err).NotTo(HaveOccurred())
Expect(len(addrs)).To(Equal(1))
return nil
})
Expect(err).NotTo(HaveOccurred())
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err = testutils.CmdDelWithResult(targetNs.Path(), IFNAME, func() error {
return cmdDel(args)
})
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
// Make sure ipvlan link has been deleted
err = targetNs.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(IFNAME)
Expect(err).To(HaveOccurred())
Expect(link).To(BeNil())
return nil
})
Expect(err).NotTo(HaveOccurred())
}
var _ = Describe("ipvlan Operations", func() {
var originalNS ns.NetNS
@ -116,76 +189,35 @@ var _ = Describe("ipvlan Operations", func() {
}
}`, MASTER_NAME)
targetNs, err := ns.NewNS()
Expect(err).NotTo(HaveOccurred())
defer targetNs.Close()
ipvlanAddDelTest(conf, IFNAME, originalNS)
})
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
IfName: IFNAME,
StdinData: []byte(conf),
}
It("configures and deconfigures an iplvan link with ADD/DEL when chained", func() {
const IFNAME = "ipvl0"
var result *current.Result
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
conf := fmt.Sprintf(`{
"cniVersion": "0.3.1",
"name": "mynet",
"type": "ipvlan",
"prevResult": {
"interfaces": [
{
"name": "%s"
}
],
"ips": [
{
"version": "4",
"address": "10.1.2.2/24",
"gateway": "10.1.2.1",
"interface": 0
}
],
"routes": []
}
}`, MASTER_NAME)
r, _, err := testutils.CmdAddWithResult(targetNs.Path(), IFNAME, []byte(conf), func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
result, err = current.GetResult(r)
Expect(err).NotTo(HaveOccurred())
Expect(len(result.Interfaces)).To(Equal(1))
Expect(result.Interfaces[0].Name).To(Equal(IFNAME))
Expect(len(result.IPs)).To(Equal(1))
return nil
})
Expect(err).NotTo(HaveOccurred())
// Make sure ipvlan link exists in the target namespace
err = targetNs.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(IFNAME)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().Name).To(Equal(IFNAME))
hwaddr, err := net.ParseMAC(result.Interfaces[0].Mac)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().HardwareAddr).To(Equal(hwaddr))
addrs, err := netlink.AddrList(link, syscall.AF_INET)
Expect(err).NotTo(HaveOccurred())
Expect(len(addrs)).To(Equal(1))
return nil
})
Expect(err).NotTo(HaveOccurred())
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err = testutils.CmdDelWithResult(targetNs.Path(), IFNAME, func() error {
return cmdDel(args)
})
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
// Make sure ipvlan link has been deleted
err = targetNs.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(IFNAME)
Expect(err).To(HaveOccurred())
Expect(link).To(BeNil())
return nil
})
Expect(err).NotTo(HaveOccurred())
ipvlanAddDelTest(conf, IFNAME, originalNS)
})
It("deconfigures an unconfigured ipvlan link with DEL", func() {

19
plugins/main/macvlan/macvlan.go
View File

@ -161,11 +161,28 @@ func cmdAdd(args *skel.CmdArgs) error {
return err
}
// Delete link if err to avoid link leak in this ns
defer func() {
if err != nil {
netns.Do(func(_ ns.NetNS) error {
return ip.DelLinkByName(args.IfName)
})
}
}()
// run the IPAM plugin and get back the config to apply
r, err := ipam.ExecAdd(n.IPAM.Type, args.StdinData)
if err != nil {
return err
}
// Invoke ipam del if err to avoid ip leak
defer func() {
if err != nil {
ipam.ExecDel(n.IPAM.Type, args.StdinData)
}
}()
// Convert whatever the IPAM result was into the current Result type
result, err := current.NewResultFromResult(r)
if err != nil {
@ -226,7 +243,7 @@ func cmdDel(args *skel.CmdArgs) error {
// There is a netns so try to clean up. Delete can be called multiple times
// so don't return an error if the device is already removed.
err = ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
if _, err := ip.DelLinkByNameAddr(args.IfName, netlink.FAMILY_V4); err != nil {
if err := ip.DelLinkByName(args.IfName); err != nil {
if err != ip.ErrLinkNotFound {
return err
}

10
plugins/main/ptp/ptp.go
View File

@ -259,10 +259,10 @@ func cmdDel(args *skel.CmdArgs) error {
// There is a netns so try to clean up. Delete can be called multiple times
// so don't return an error if the device is already removed.
// If the device isn't there then don't try to clean up IP masq either.
var ipn *net.IPNet
var ipnets []*net.IPNet
err := ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
var err error
ipn, err = ip.DelLinkByNameAddr(args.IfName, netlink.FAMILY_V4)
ipnets, err = ip.DelLinkByNameAddr(args.IfName)
if err != nil && err == ip.ErrLinkNotFound {
return nil
}
@ -273,10 +273,12 @@ func cmdDel(args *skel.CmdArgs) error {
return err
}
if ipn != nil && conf.IPMasq {
if len(ipnets) != 0 && conf.IPMasq {
chain := utils.FormatChainName(conf.Name, args.ContainerID)
comment := utils.FormatComment(conf.Name, args.ContainerID)
err = ip.TeardownIPMasq(ipn, chain, comment)
for _, ipn := range ipnets {
err = ip.TeardownIPMasq(ipn, chain, comment)
}
}
return err

19
plugins/main/ptp/ptp_test.go
View File

@ -78,12 +78,14 @@ var _ = Describe("ptp Operations", func() {
// Make sure ptp link exists in the target namespace
// Then, ping the gateway
seenIPs := 0
wantMac := ""
err = targetNs.Do(func(ns.NetNS) error {
defer GinkgoRecover()
link, err := netlink.LinkByName(IFNAME)
Expect(err).NotTo(HaveOccurred())
Expect(link.Attrs().Name).To(Equal(IFNAME))
wantMac = link.Attrs().HardwareAddr.String()
for _, ipc := range res.IPs {
if *ipc.Interface != 1 {
@ -105,6 +107,17 @@ var _ = Describe("ptp Operations", func() {
Expect(seenIPs).To(Equal(numIPs))
// make sure the interfaces are correct
Expect(res.Interfaces).To(HaveLen(2))
Expect(res.Interfaces[0].Name).To(HavePrefix("veth"))
Expect(res.Interfaces[0].Mac).To(HaveLen(17))
Expect(res.Interfaces[0].Sandbox).To(BeEmpty())
Expect(res.Interfaces[1].Name).To(Equal(IFNAME))
Expect(res.Interfaces[1].Mac).To(Equal(wantMac))
Expect(res.Interfaces[1].Sandbox).To(Equal(targetNs.Path()))
// Call the plugins with the DEL command, deleting the veth endpoints
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
@ -155,8 +168,8 @@ var _ = Describe("ptp Operations", func() {
"ipam": {
"type": "host-local",
"ranges": [
{ "subnet": "10.1.2.0/24"},
{ "subnet": "2001:db8:1::0/66"}
[{ "subnet": "10.1.2.0/24"}],
[{ "subnet": "2001:db8:1::0/66"}]
]
}
}`

5
plugins/main/vlan/vlan.go
View File

@ -181,9 +181,8 @@ func cmdDel(args *skel.CmdArgs) error {
}
err = ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
_, err = ip.DelLinkByNameAddr(args.IfName, netlink.FAMILY_V4)
// FIXME: use ip.ErrLinkNotFound when cni is revendored
if err != nil && err.Error() == "Link not found" {
err = ip.DelLinkByName(args.IfName)
if err != nil && err != ip.ErrLinkNotFound {
return nil
}
return err

0
plugins/meta/flannel/flannel_test.go → plugins/meta/flannel/flannel_linux_test.go
View File

88
plugins/meta/portmap/README.md
View File

@ -8,6 +8,8 @@ You should use this plugin as part of a network configuration list. It accepts
the following configuration options:
* `snat` - boolean, default true. If true or omitted, set up the SNAT chains
* `markMasqBit` - int, (0-31), default 13. The mark bit to use for masquerading (see section SNAT). Cannot be set when `externalSetMarkChain` is used.
* `externalSetMarkChain` - string, default nil. If you already have a Masquerade mark chain (e.g. Kubernetes), specify it here. This will use that instead of creating a separate chain. When this is set, `markMasqBit` must be unspecified.
* `conditionsV4`, `conditionsV6` - array of strings. A list of arbitrary `iptables`
matches to add to the per-container rule. This may be useful if you wish to
exclude specific IPs from port-mapping
@ -15,7 +17,7 @@ exclude specific IPs from port-mapping
The plugin expects to receive the actual list of port mappings via the
`portMappings` [capability argument](https://github.com/containernetworking/cni/blob/master/CONVENTIONS.md)
So a sample standalone config list (with the file extension .conflist) might
A sample standalone config list for Kubernetes (with the file extension .conflist) might
look like:
```json
@ -39,21 +41,31 @@ look like:
{
"type": "portmap",
"capabilities": {"portMappings": true},
"snat": false,
"conditionsV4": ["!", "-d", "192.0.2.0/24"],
"conditionsV6": ["!", "-d", "fc00::/7"]
"externalSetMarkChain": "KUBE-MARK-MASQ"
}
]
}
```
A configuration file with all options set:
```json
{
"type": "portmap",
"capabilities": {"portMappings": true},
"snat": true,
"markMasqBit": 13,
"externalSetMarkChain": "CNI-HOSTPORT-SETMARK",
"conditionsV4": ["!", "-d", "192.0.2.0/24"],
"conditionsV6": ["!", "-d", "fc00::/7"]
}
```
## Rule structure
The plugin sets up two sequences of chains and rules - one "primary" DNAT
sequence to rewrite the destination, and one additional SNAT sequence that
rewrites the source address for packets from localhost. The sequence is somewhat
complex to minimize the number of rules non-forwarded packets must traverse.
will masquerade traffic as needed.
### DNAT
@ -68,50 +80,54 @@ rules look like this:
- `--dst-type LOCAL -j CNI-HOSTPORT-DNAT`
`CNI-HOSTPORT-DNAT` chain:
- `${ConditionsV4/6} -j CNI-DN-xxxxxx` (where xxxxxx is a function of the ContainerID and network name)
- `${ConditionsV4/6} -p tcp --destination-ports 8080,8043 -j CNI-DN-xxxxxx` (where xxxxxx is a function of the ContainerID and network name)
`CNI-DN-xxxxxx` chain:
- `-p tcp --dport 8080 -j DNAT --to-destination 172.16.30.2:80`
`CNI-HOSTPORT-SETMARK` chain:
- `-j MARK --set-xmark 0x2000/0x2000`
`CNI-DN-xxxxxx` chain:
- `-p tcp -s 172.16.30.2 --dport 8080 -j CNI-HOSTPORT-SETMARK` (masquerade hairpin traffic)
- `-p tcp -s 127.0.0.1 --dport 8080 -j CNI-HOSTPORT-SETMARK` (masquerade localhost traffic)
- `-p tcp --dport 8080 -j DNAT --to-destination 172.16.30.2:80` (rewrite destination)
- `-p tcp -s 172.16.30.2 --dport 8043 -j CNI-HOSTPORT-SETMARK`
- `-p tcp -s 127.0.0.1 --dport 8043 -j CNI-HOSTPORT-SETMARK`
- `-p tcp --dport 8043 -j DNAT --to-destination 172.16.30.2:443`
New connections to the host will have to traverse every rule, so large numbers
of port forwards may have a performance impact. This won't affect established
connections, just the first packet.
### SNAT
The SNAT rule enables port-forwarding from the localhost IP on the host.
This rule rewrites (masquerades) the source address for connections from
localhost. If this rule did not exist, a connection to `localhost:80` would
still have a source IP of 127.0.0.1 when received by the container, so no
packets would respond. Again, it is a sequence of 3 chains. Because SNAT has to
occur in the `POSTROUTING` chain, the packet has already been through the DNAT
chain.
### SNAT (Masquerade)
Some packets also need to have the source address rewritten:
* connections from localhost
* Hairpin traffic back to the container.
In the DNAT chain, a bit is set on the mark for packets that need snat. This
chain performs that masquerading. By default, bit 13 is set, but this is
configurable. If you are using other tools that also use the iptables mark,
you should make sure this doesn't conflict.
Some container runtimes, most notably Kubernetes, already have a set of rules
for masquerading when a specific mark bit is set. If so enabled, the plugin
will use that chain instead.
`POSTROUTING`:
- `-s 127.0.0.1 ! -d 127.0.0.1 -j CNI-HOSTPORT-SNAT`
- `-j CNI-HOSTPORT-MASQ`
`CNI-HOSTPORT-SNAT`:
- `-j CNI-SN-xxxxx`
`CNI-SN-xxxxx`:
- `-p tcp -s 127.0.0.1 -d 172.16.30.2 --dport 80 -j MASQUERADE`
- `-p tcp -s 127.0.0.1 -d 172.16.30.2 --dport 443 -j MASQUERADE`
Only new connections from the host, where the source address is 127.0.0.1 but
not the destination will traverse this chain. It is unlikely that any packets
will reach these rules without being SNATted, so the cost should be minimal.
`CNI-HOSTPORT-MASQ`:
- `--mark 0x2000 -j MASQUERADE`
Because MASQUERADE happens in POSTROUTING, it means that packets with source ip
127.0.0.1 need to pass a routing boundary. By default, that is not allowed
in Linux. So, need to enable the sysctl `net.ipv4.conf.IFNAME.route_localnet`,
where IFNAME is the name of the host-side interface that routes traffic to the
container.
127.0.0.1 need to first pass a routing boundary before being masqueraded. By
default, that is not allowed in Linux. So, the plugin needs to enable the sysctl
`net.ipv4.conf.IFNAME.route_localnet`, where IFNAME is the name of the host-side
interface that routes traffic to the container.
There is no equivalent to `route_localnet` for ipv6, so SNAT does not work
for ipv6. If you need port forwarding from localhost, your container must have
an ipv4 address.
There is no equivalent to `route_localnet` for ipv6, so connections to ::1
will not be portmapped for ipv6. If you need port forwarding from localhost,
your container must have an ipv4 address.
## Known issues
- ipsets could improve efficiency
- SNAT does not work with ipv6.
- forwarding from localhost does not work with ipv6.

22
plugins/meta/portmap/chain.go
View File

@ -25,12 +25,14 @@ import (
type chain struct {
table string
name string
entryRule []string // the rule that enters this chain
entryChains []string // the chains to add the entry rule
entryRules [][]string // the rules that "point" to this chain
rules [][]string // the rules this chain contains
}
// setup idempotently creates the chain. It will not error if the chain exists.
func (c *chain) setup(ipt *iptables.IPTables, rules [][]string) error {
func (c *chain) setup(ipt *iptables.IPTables) error {
// create the chain
exists, err := chainExists(ipt, c.table, c.name)
if err != nil {
@ -43,17 +45,21 @@ func (c *chain) setup(ipt *iptables.IPTables, rules [][]string) error {
}
// Add the rules to the chain
for i := len(rules) - 1; i >= 0; i-- {
if err := prependUnique(ipt, c.table, c.name, rules[i]); err != nil {
for i := len(c.rules) - 1; i >= 0; i-- {
if err := prependUnique(ipt, c.table, c.name, c.rules[i]); err != nil {
return err
}
}
// Add the entry rules
entryRule := append(c.entryRule, "-j", c.name)
// Add the entry rules to the entry chains
for _, entryChain := range c.entryChains {
if err := prependUnique(ipt, c.table, entryChain, entryRule); err != nil {
return err
for i := len(c.entryRules) - 1; i >= 0; i-- {
r := []string{}
r = append(r, c.entryRules[i]...)
r = append(r, "-j", c.name)
if err := prependUnique(ipt, c.table, entryChain, r); err != nil {
return err
}
}
}

28
plugins/meta/portmap/chain_test.go
View File

@ -49,8 +49,12 @@ var _ = Describe("chain tests", func() {
testChain = chain{
table: TABLE,
name: chainName,
entryRule: []string{"-d", "203.0.113.1"},
entryChains: []string{tlChainName},
entryRules: [][]string{{"-d", "203.0.113.1"}},
rules: [][]string{
{"-m", "comment", "--comment", "test 1", "-j", "RETURN"},
{"-m", "comment", "--comment", "test 2", "-j", "RETURN"},
},
}
ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
@ -90,11 +94,7 @@ var _ = Describe("chain tests", func() {
Expect(err).NotTo(HaveOccurred())
// Create the chain
chainRules := [][]string{
{"-m", "comment", "--comment", "test 1", "-j", "RETURN"},
{"-m", "comment", "--comment", "test 2", "-j", "RETURN"},
}
err = testChain.setup(ipt, chainRules)
err = testChain.setup(ipt)
Expect(err).NotTo(HaveOccurred())
// Verify the chain exists
@ -151,15 +151,11 @@ var _ = Describe("chain tests", func() {
It("creates chains idempotently", func() {
defer cleanup()
// Create the chain
chainRules := [][]string{
{"-m", "comment", "--comment", "test", "-j", "RETURN"},
}
err := testChain.setup(ipt, chainRules)
err := testChain.setup(ipt)
Expect(err).NotTo(HaveOccurred())
// Create it again!
err = testChain.setup(ipt, chainRules)
err = testChain.setup(ipt)
Expect(err).NotTo(HaveOccurred())
// Make sure there are only two rules
@ -167,18 +163,14 @@ var _ = Describe("chain tests", func() {
rules, err := ipt.List(TABLE, testChain.name)
Expect(err).NotTo(HaveOccurred())
Expect(len(rules)).To(Equal(2))
Expect(len(rules)).To(Equal(3))
})
It("deletes chains idempotently", func() {
defer cleanup()
// Create the chain
chainRules := [][]string{
{"-m", "comment", "--comment", "test", "-j", "RETURN"},
}
err := testChain.setup(ipt, chainRules)
err := testChain.setup(ipt)
Expect(err).NotTo(HaveOccurred())
err = testChain.teardown(ipt)

27
plugins/meta/portmap/main.go
View File

@ -47,10 +47,12 @@ type PortMapEntry struct {
type PortMapConf struct {
types.NetConf
SNAT *bool `json:"snat,omitempty"`
ConditionsV4 *[]string `json:"conditionsV4"`
ConditionsV6 *[]string `json:"conditionsV6"`
RuntimeConfig struct {
SNAT *bool `json:"snat,omitempty"`
ConditionsV4 *[]string `json:"conditionsV4"`
ConditionsV6 *[]string `json:"conditionsV6"`
MarkMasqBit *int `json:"markMasqBit"`
ExternalSetMarkChain *string `json:"externalSetMarkChain"`
RuntimeConfig struct {
PortMaps []PortMapEntry `json:"portMappings,omitempty"`
} `json:"runtimeConfig,omitempty"`
RawPrevResult map[string]interface{} `json:"prevResult,omitempty"`
@ -63,6 +65,10 @@ type PortMapConf struct {
ContIPv6 net.IP `json:"-"`
}
// The default mark bit to signal that masquerading is required
// Kubernetes uses 14 and 15, Calico uses 20-31.
const DefaultMarkBit = 13
func cmdAdd(args *skel.CmdArgs) error {
netConf, err := parseConfig(args.StdinData, args.IfName)
if err != nil {
@ -145,6 +151,19 @@ func parseConfig(stdin []byte, ifName string) (*PortMapConf, error) {
conf.SNAT = &tvar
}
if conf.MarkMasqBit != nil && conf.ExternalSetMarkChain != nil {
return nil, fmt.Errorf("Cannot specify externalSetMarkChain and markMasqBit")
}
if conf.MarkMasqBit == nil {
bvar := DefaultMarkBit // go constants are "special"
conf.MarkMasqBit = &bvar
}
if *conf.MarkMasqBit < 0 || *conf.MarkMasqBit > 31 {
return nil, fmt.Errorf("MasqMarkBit must be between 0 and 31")
}
// Reject invalid port numbers
for _, pm := range conf.RuntimeConfig.PortMaps {
if pm.ContainerPort <= 0 {

286
plugins/meta/portmap/portmap.go
View File

@ -17,6 +17,7 @@ package main
import (
"fmt"
"net"
"sort"
"strconv"
"github.com/containernetworking/plugins/pkg/utils/sysctl"
@ -24,33 +25,26 @@ import (
)
// This creates the chains to be added to iptables. The basic structure is
// a bit complex for efficiencies sake. We create 2 chains: a summary chain
// a bit complex for efficiency's sake. We create 2 chains: a summary chain
// that is shared between invocations, and an invocation (container)-specific
// chain. This minimizes the number of operations on the top level, but allows
// for easy cleanup.
//
// We also create DNAT chains to rewrite destinations, and SNAT chains so that
// connections to localhost work.
//
// The basic setup (all operations are on the nat table) is:
//
// DNAT case (rewrite destination IP and port):
// PREROUTING, OUTPUT: --dst-type local -j CNI-HOSTPORT_DNAT
// CNI-HOSTPORT-DNAT: -j CNI-DN-abcd123
// PREROUTING, OUTPUT: --dst-type local -j CNI-HOSTPORT-DNAT
// CNI-HOSTPORT-DNAT: --destination-ports 8080,8081 -j CNI-DN-abcd123
// CNI-DN-abcd123: -p tcp --dport 8080 -j DNAT --to-destination 192.0.2.33:80
// CNI-DN-abcd123: -p tcp --dport 8081 -j DNAT ...
//
// SNAT case (rewrite source IP from localhost after dnat):
// POSTROUTING: -s 127.0.0.1 ! -d 127.0.0.1 -j CNI-HOSTPORT-SNAT
// CNI-HOSTPORT-SNAT: -j CNI-SN-abcd123
// CNI-SN-abcd123: -p tcp -s 127.0.0.1 -d 192.0.2.33 --dport 80 -j MASQUERADE
// CNI-SN-abcd123: -p tcp -s 127.0.0.1 -d 192.0.2.33 --dport 90 -j MASQUERADE
// The names of the top-level summary chains.
// These should never be changed, or else upgrading will require manual
// intervention.
const TopLevelDNATChainName = "CNI-HOSTPORT-DNAT"
const TopLevelSNATChainName = "CNI-HOSTPORT-SNAT"
const SetMarkChainName = "CNI-HOSTPORT-SETMARK"
const MarkMasqChainName = "CNI-HOSTPORT-MASQ"
const OldTopLevelSNATChainName = "CNI-HOSTPORT-SNAT"
// forwardPorts establishes port forwarding to a given container IP.
// containerIP can be either v4 or v6.
@ -59,48 +53,35 @@ func forwardPorts(config *PortMapConf, containerIP net.IP) error {
var ipt *iptables.IPTables
var err error
var conditions *[]string
if isV6 {
ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv6)
conditions = config.ConditionsV6
} else {
ipt, err = iptables.NewWithProtocol(iptables.ProtocolIPv4)
conditions = config.ConditionsV4
}
if err != nil {
return fmt.Errorf("failed to open iptables: %v", err)
}
toplevelDnatChain := genToplevelDnatChain()
if err := toplevelDnatChain.setup(ipt, nil); err != nil {
return fmt.Errorf("failed to create top-level DNAT chain: %v", err)
}
// Enable masquerading for traffic as necessary.
// The DNAT chain sets a mark bit for traffic that needs masq:
// - connections from localhost
// - hairpin traffic back to the container
// Idempotently create the rule that masquerades traffic with this mark.
// Need to do this first; the DNAT rules reference these chains
if *config.SNAT {
if config.ExternalSetMarkChain == nil {
setMarkChain := genSetMarkChain(*config.MarkMasqBit)
if err := setMarkChain.setup(ipt); err != nil {
return fmt.Errorf("unable to create chain %s: %v", setMarkChain.name, err)
}
dnatChain := genDnatChain(config.Name, config.ContainerID, conditions)
_ = dnatChain.teardown(ipt) // If we somehow collide on this container ID + network, cleanup
dnatRules := dnatRules(config.RuntimeConfig.PortMaps, containerIP)
if err := dnatChain.setup(ipt, dnatRules); err != nil {
return fmt.Errorf("unable to setup DNAT: %v", err)
}
// Enable SNAT for connections to localhost.
// This won't work for ipv6, since the kernel doesn't have the equvalent
// route_localnet sysctl.
if *config.SNAT && !isV6 {
toplevelSnatChain := genToplevelSnatChain(isV6)
if err := toplevelSnatChain.setup(ipt, nil); err != nil {
return fmt.Errorf("failed to create top-level SNAT chain: %v", err)
masqChain := genMarkMasqChain(*config.MarkMasqBit)
if err := masqChain.setup(ipt); err != nil {
return fmt.Errorf("unable to create chain %s: %v", setMarkChain.name, err)
}
}
snatChain := genSnatChain(config.Name, config.ContainerID)
_ = snatChain.teardown(ipt)
snatRules := snatRules(config.RuntimeConfig.PortMaps, containerIP)
if err := snatChain.setup(ipt, snatRules); err != nil {
return fmt.Errorf("unable to setup SNAT: %v", err)
}
if !isV6 {
// Set the route_localnet bit on the host interface, so that
// 127/8 can cross a routing boundary.
@ -113,6 +94,20 @@ func forwardPorts(config *PortMapConf, containerIP net.IP) error {
}
}
// Generate the DNAT (actual port forwarding) rules
toplevelDnatChain := genToplevelDnatChain()
if err := toplevelDnatChain.setup(ipt); err != nil {
return fmt.Errorf("failed to create top-level DNAT chain: %v", err)
}
dnatChain := genDnatChain(config.Name, config.ContainerID)
// First, idempotently tear down this chain in case there was some
// sort of collision or bad state.
fillDnatRules(&dnatChain, config, containerIP)
if err := dnatChain.setup(ipt); err != nil {
return fmt.Errorf("unable to setup DNAT: %v", err)
}
return nil
}
@ -124,106 +119,153 @@ func genToplevelDnatChain() chain {
return chain{
table: "nat",
name: TopLevelDNATChainName,
entryRule: []string{
entryRules: [][]string{{
"-m", "addrtype",
"--dst-type", "LOCAL",
},
}},
entryChains: []string{"PREROUTING", "OUTPUT"},
}
}
// genDnatChain creates the per-container chain.
// Conditions are any static entry conditions for the chain.
func genDnatChain(netName, containerID string, conditions *[]string) chain {
name := formatChainName("DN-", netName, containerID)
comment := fmt.Sprintf(`dnat name: "%s" id: "%s"`, netName, containerID)
ch := chain{
table: "nat",
name: name,
entryRule: []string{
"-m", "comment",
"--comment", comment,
},
func genDnatChain(netName, containerID string) chain {
return chain{
table: "nat",
name: formatChainName("DN-", netName, containerID),
entryChains: []string{TopLevelDNATChainName},
}
if conditions != nil && len(*conditions) != 0 {
ch.entryRule = append(ch.entryRule, *conditions...)
}
return ch
}
// dnatRules generates the destination NAT rules, one per port, to direct
// traffic from hostip:hostport to podip:podport
func dnatRules(entries []PortMapEntry, containerIP net.IP) [][]string {
out := make([][]string, 0, len(entries))
func fillDnatRules(c *chain, config *PortMapConf, containerIP net.IP) {
isV6 := (containerIP.To4() == nil)
comment := trimComment(fmt.Sprintf(`dnat name: "%s" id: "%s"`, config.Name, config.ContainerID))
entries := config.RuntimeConfig.PortMaps
setMarkChainName := SetMarkChainName
if config.ExternalSetMarkChain != nil {
setMarkChainName = *config.ExternalSetMarkChain
}
//Generate the dnat entry rules. We'll use multiport, but it ony accepts
// up to 15 rules, so partition the list if needed.
// Do it in a stable order for testing
protoPorts := groupByProto(entries)
protos := []string{}
for proto := range protoPorts {
protos = append(protos, proto)
}
sort.Strings(protos)
for _, proto := range protos {
for _, portSpec := range splitPortList(protoPorts[proto]) {
r := []string{
"-m", "comment",
"--comment", comment,
"-m", "multiport",
"-p", proto,
"--destination-ports", portSpec,
}
if isV6 && config.ConditionsV6 != nil && len(*config.ConditionsV6) > 0 {
r = append(r, *config.ConditionsV6...)
} else if !isV6 && config.ConditionsV4 != nil && len(*config.ConditionsV4) > 0 {
r = append(r, *config.ConditionsV4...)
}
c.entryRules = append(c.entryRules, r)
}
}
// For every entry, generate 3 rules:
// - mark hairpin for masq
// - mark localhost for masq (for v4)
// - do dnat
// the ordering is important here; the mark rules must be first.
c.rules = make([][]string, 0, 3*len(entries))
for _, entry := range entries {
rule := []string{
ruleBase := []string{
"-p", entry.Protocol,
"--dport", strconv.Itoa(entry.HostPort)}
if entry.HostIP != "" {
rule = append(rule,
ruleBase = append(ruleBase,
"-d", entry.HostIP)
}
rule = append(rule,
// Add mark-to-masquerade rules for hairpin and localhost
if *config.SNAT {
// hairpin
hpRule := make([]string, len(ruleBase), len(ruleBase)+4)
copy(hpRule, ruleBase)
hpRule = append(hpRule,
"-s", containerIP.String(),
"-j", setMarkChainName,
)
c.rules = append(c.rules, hpRule)
if !isV6 {
// localhost
localRule := make([]string, len(ruleBase), len(ruleBase)+4)
copy(localRule, ruleBase)
localRule = append(localRule,
"-s", "127.0.0.1",
"-j", setMarkChainName,
)
c.rules = append(c.rules, localRule)
}
}
// The actual dnat rule
dnatRule := make([]string, len(ruleBase), len(ruleBase)+4)
copy(dnatRule, ruleBase)
dnatRule = append(dnatRule,
"-j", "DNAT",
"--to-destination", fmtIpPort(containerIP, entry.ContainerPort))
out = append(out, rule)
}
return out
}
// genToplevelSnatChain creates the top-level summary snat chain.
// IMPORTANT: do not change this, or else upgrading plugins will require
// manual intervention
func genToplevelSnatChain(isV6 bool) chain {
return chain{
table: "nat",
name: TopLevelSNATChainName,
entryRule: []string{
"-s", localhostIP(isV6),
"!", "-d", localhostIP(isV6),
},
entryChains: []string{"POSTROUTING"},
"--to-destination", fmtIpPort(containerIP, entry.ContainerPort),
)
c.rules = append(c.rules, dnatRule)
}
}
// genSnatChain creates the snat (localhost) chain for this container.
func genSnatChain(netName, containerID string) chain {
name := formatChainName("SN-", netName, containerID)
comment := fmt.Sprintf(`snat name: "%s" id: "%s"`, netName, containerID)
return chain{
// genSetMarkChain creates the SETMARK chain - the chain that sets the
// "to-be-masqueraded" mark and returns.
// Chains are idempotent, so we'll always create this.
func genSetMarkChain(markBit int) chain {
markValue := 1 << uint(markBit)
markDef := fmt.Sprintf("%#x/%#x", markValue, markValue)
ch := chain{
table: "nat",
name: name,
entryRule: []string{
name: SetMarkChainName,
rules: [][]string{{
"-m", "comment",
"--comment", comment,
},
entryChains: []string{TopLevelSNATChainName},
"--comment", "CNI portfwd masquerade mark",
"-j", "MARK",
"--set-xmark", markDef,
}},
}
return ch
}
// snatRules sets up masquerading for connections to localhost:hostport,
// rewriting the source so that returning packets are correct.
func snatRules(entries []PortMapEntry, containerIP net.IP) [][]string {
isV6 := (containerIP.To4() == nil)
out := make([][]string, 0, len(entries))
for _, entry := range entries {
out = append(out, []string{
"-p", entry.Protocol,
"-s", localhostIP(isV6),
"-d", containerIP.String(),
"--dport", strconv.Itoa(entry.ContainerPort),
// genMarkMasqChain creates the chain that masquerades all packets marked
// in the SETMARK chain
func genMarkMasqChain(markBit int) chain {
markValue := 1 << uint(markBit)
markDef := fmt.Sprintf("%#x/%#x", markValue, markValue)
ch := chain{
table: "nat",
name: MarkMasqChainName,
entryChains: []string{"POSTROUTING"},
entryRules: [][]string{{
"-m", "comment",
"--comment", "CNI portfwd requiring masquerade",
}},
rules: [][]string{{
"-m", "mark",
"--mark", markDef,
"-j", "MASQUERADE",
})
}},
}
return out
return ch
}
// enableLocalnetRouting tells the kernel not to treat 127/8 as a martian,
@ -234,6 +276,18 @@ func enableLocalnetRouting(ifName string) error {
return err
}
// genOldSnatChain is no longer used, but used to be created. We'll try and
// tear it down in case the plugin version changed between ADD and DEL
func genOldSnatChain(netName, containerID string) chain {
name := formatChainName("SN-", netName, containerID)
return chain{
table: "nat",
name: name,
entryChains: []string{OldTopLevelSNATChainName},
}
}
// unforwardPorts deletes any iptables rules created by this plugin.
// It should be idempotent - it will not error if the chain does not exist.
//
@ -245,8 +299,10 @@ func enableLocalnetRouting(ifName string) error {
// So, we first check that iptables is "generally OK" by doing a check. If
// not, we ignore the error, unless neither v4 nor v6 are OK.
func unforwardPorts(config *PortMapConf) error {
dnatChain := genDnatChain(config.Name, config.ContainerID, nil)
snatChain := genSnatChain(config.Name, config.ContainerID)
dnatChain := genDnatChain(config.Name, config.ContainerID)
// Might be lying around from old versions
oldSnatChain := genOldSnatChain(config.Name, config.ContainerID)
ip4t := maybeGetIptables(false)
ip6t := maybeGetIptables(true)
@ -258,16 +314,14 @@ func unforwardPorts(config *PortMapConf) error {
if err := dnatChain.teardown(ip4t); err != nil {
return fmt.Errorf("could not teardown ipv4 dnat: %v", err)
}
if err := snatChain.teardown(ip4t); err != nil {
return fmt.Errorf("could not teardown ipv4 snat: %v", err)
}
oldSnatChain.teardown(ip4t)
}
if ip6t != nil {
if err := dnatChain.teardown(ip6t); err != nil {
return fmt.Errorf("could not teardown ipv6 dnat: %v", err)
}
// no SNAT teardown because it doesn't work for v6
oldSnatChain.teardown(ip6t)
}
return nil
}

91
plugins/meta/portmap/portmap_integ_test.go
View File

@ -15,12 +15,14 @@
package main
import (
"bytes"
"fmt"
"math/rand"
"net"
"os"
"os/exec"
"path/filepath"
"time"
"strconv"
"github.com/containernetworking/cni/libcni"
"github.com/containernetworking/cni/pkg/types/current"
@ -28,19 +30,20 @@ import (
"github.com/coreos/go-iptables/iptables"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"github.com/onsi/gomega/gexec"
"github.com/vishvananda/netlink"
)
const TIMEOUT = 90
var _ = Describe("portmap integration tests", func() {
rand.Seed(time.Now().UTC().UnixNano())
var configList *libcni.NetworkConfigList
var cniConf *libcni.CNIConfig
var targetNS ns.NetNS
var containerPort int
var closeChan chan interface{}
var (
configList *libcni.NetworkConfigList
cniConf *libcni.CNIConfig
targetNS ns.NetNS
containerPort int
session *gexec.Session
)
BeforeEach(func() {
var err error
@ -80,12 +83,12 @@ var _ = Describe("portmap integration tests", func() {
fmt.Fprintln(GinkgoWriter, "namespace:", targetNS.Path())
// Start an echo server and get the port
containerPort, closeChan, err = RunEchoServerInNS(targetNS)
containerPort, session, err = StartEchoServerInNamespace(targetNS)
Expect(err).NotTo(HaveOccurred())
})
AfterEach(func() {
session.Terminate().Wait()
if targetNS != nil {
targetNS.Close()
}
@ -123,13 +126,20 @@ var _ = Describe("portmap integration tests", func() {
// we'll also manually check the iptables chains
ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
Expect(err).NotTo(HaveOccurred())
dnatChainName := genDnatChain("cni-portmap-unit-test", runtimeConfig.ContainerID, nil).name
dnatChainName := genDnatChain("cni-portmap-unit-test", runtimeConfig.ContainerID).name
// Create the network
resI, err := cniConf.AddNetworkList(configList, &runtimeConfig)
Expect(err).NotTo(HaveOccurred())
defer deleteNetwork()
// Undo Docker's forwarding policy
cmd := exec.Command("iptables", "-t", "filter",
"-P", "FORWARD", "ACCEPT")
cmd.Stderr = GinkgoWriter
err = cmd.Run()
Expect(err).NotTo(HaveOccurred())
// Check the chain exists
_, err = ipt.List("nat", dnatChainName)
Expect(err).NotTo(HaveOccurred())
@ -154,16 +164,19 @@ var _ = Describe("portmap integration tests", func() {
hostIP, hostPort, contIP, containerPort)
// Sanity check: verify that the container is reachable directly
contOK := testEchoServer(fmt.Sprintf("%s:%d", contIP.String(), containerPort))
contOK := testEchoServer(contIP.String(), containerPort, "")
// Verify that a connection to the forwarded port works
dnatOK := testEchoServer(fmt.Sprintf("%s:%d", hostIP, hostPort))
dnatOK := testEchoServer(hostIP, hostPort, "")
// Verify that a connection to localhost works
snatOK := testEchoServer(fmt.Sprintf("%s:%d", "127.0.0.1", hostPort))
snatOK := testEchoServer("127.0.0.1", hostPort, "")
// verify that hairpin works
hairpinOK := testEchoServer(hostIP, hostPort, targetNS.Path())
// Cleanup
close(closeChan)
session.Terminate()
err = deleteNetwork()
Expect(err).NotTo(HaveOccurred())
@ -181,6 +194,9 @@ var _ = Describe("portmap integration tests", func() {
if !snatOK {
Fail("connection to 127.0.0.1 was not forwarded")
}
if !hairpinOK {
Fail("Hairpin connection failed")
}
close(done)
@ -188,40 +204,33 @@ var _ = Describe("portmap integration tests", func() {
})
// testEchoServer returns true if we found an echo server on the port
func testEchoServer(address string) bool {
fmt.Fprintln(GinkgoWriter, "dialing", address)
conn, err := net.Dial("tcp", address)
if err != nil {
fmt.Fprintln(GinkgoWriter, "connection to", address, "failed:", err)
return false
}
defer conn.Close()
conn.SetDeadline(time.Now().Add(TIMEOUT * time.Second))
fmt.Fprintln(GinkgoWriter, "connected to", address)
func testEchoServer(address string, port int, netns string) bool {
message := "Aliquid melius quam pessimum optimum non est."
_, err = fmt.Fprint(conn, message)
bin, err := exec.LookPath("nc")
Expect(err).NotTo(HaveOccurred())
var cmd *exec.Cmd
if netns != "" {
netns = filepath.Base(netns)
cmd = exec.Command("ip", "netns", "exec", netns, bin, "-v", address, strconv.Itoa(port))
} else {
cmd = exec.Command("nc", address, strconv.Itoa(port))
}
cmd.Stdin = bytes.NewBufferString(message)
cmd.Stderr = GinkgoWriter
out, err := cmd.Output()
if err != nil {
fmt.Fprintln(GinkgoWriter, "sending message to", address, " failed:", err)
fmt.Fprintln(GinkgoWriter, "got non-zero exit from ", cmd.Args)
return false
}
conn.SetDeadline(time.Now().Add(TIMEOUT * time.Second))
fmt.Fprintln(GinkgoWriter, "reading...")
response := make([]byte, len(message))
_, err = conn.Read(response)
if err != nil {
fmt.Fprintln(GinkgoWriter, "receiving message from", address, " failed:", err)
if string(out) != message {
fmt.Fprintln(GinkgoWriter, "returned message didn't match?")
fmt.Fprintln(GinkgoWriter, string(out))
return false
}
fmt.Fprintln(GinkgoWriter, "read...")
if string(response) == message {
return true
}
fmt.Fprintln(GinkgoWriter, "returned message didn't match?")
return false
return true
}
func getLocalIP() string {

101
plugins/meta/portmap/portmap_suite_test.go
View File

@ -15,89 +15,64 @@
package main
import (
"fmt"
"math/rand"
"net"
"time"
"os/exec"
"path/filepath"
"strconv"
"strings"
"github.com/containernetworking/plugins/pkg/ns"
. "github.com/onsi/ginkgo"
"github.com/onsi/ginkgo/config"
. "github.com/onsi/gomega"
"github.com/onsi/gomega/gbytes"
"github.com/onsi/gomega/gexec"
"testing"
)
func TestPortmap(t *testing.T) {
rand.Seed(config.GinkgoConfig.RandomSeed)
RegisterFailHandler(Fail)
RunSpecs(t, "portmap Suite")
}
// OpenEchoServer opens a server that listens until closeChan is closed.
// It opens on a random port and sends the port number on portChan when
// the server is up and running. If an error is encountered, closes portChan.
// If closeChan is closed, closes the socket.
func OpenEchoServer(portChan chan<- int, closeChan <-chan interface{}) error {
laddr, err := net.ResolveTCPAddr("tcp", "0.0.0.0:0")
if err != nil {
close(portChan)
return err
}
sock, err := net.ListenTCP("tcp", laddr)
if err != nil {
close(portChan)
return err
}
defer sock.Close()
var echoServerBinaryPath string
switch addr := sock.Addr().(type) {
case *net.TCPAddr:
portChan <- addr.Port
default:
close(portChan)
return fmt.Errorf("addr cast failed!")
}
for {
select {
case <-closeChan:
break
default:
}
var _ = SynchronizedBeforeSuite(func() []byte {
binaryPath, err := gexec.Build("github.com/containernetworking/plugins/pkg/testutils/echosvr")
Expect(err).NotTo(HaveOccurred())
return []byte(binaryPath)
}, func(data []byte) {
echoServerBinaryPath = string(data)
})
sock.SetDeadline(time.Now().Add(time.Second))
con, err := sock.AcceptTCP()
if err != nil {
if opErr, ok := err.(*net.OpError); ok && opErr.Timeout() {
continue
}
continue
}
var _ = SynchronizedAfterSuite(func() {}, func() {
gexec.CleanupBuildArtifacts()
})
buf := make([]byte, 512)
con.Read(buf)
con.Write(buf)
con.Close()
}
func startInNetNS(binPath string, netNS ns.NetNS) (*gexec.Session, error) {
baseName := filepath.Base(netNS.Path())
// we are relying on the netNS path living in /var/run/netns
// where `ip netns exec` can find it
cmd := exec.Command("ip", "netns", "exec", baseName, binPath)
session, err := gexec.Start(cmd, GinkgoWriter, GinkgoWriter)
return session, err
}
func RunEchoServerInNS(netNS ns.NetNS) (int, chan interface{}, error) {
portChan := make(chan int)
closeChan := make(chan interface{})
func StartEchoServerInNamespace(netNS ns.NetNS) (int, *gexec.Session, error) {
session, err := startInNetNS(echoServerBinaryPath, netNS)
Expect(err).NotTo(HaveOccurred())
go func() {
err := netNS.Do(func(ns.NetNS) error {
OpenEchoServer(portChan, closeChan)
return nil
})
// Somehow the ns.Do failed
if err != nil {
close(portChan)
}
}()
// wait for it to print it's address on stdout
Eventually(session.Out).Should(gbytes.Say("\n"))
_, portString, err := net.SplitHostPort(strings.TrimSpace(string(session.Out.Contents())))
Expect(err).NotTo(HaveOccurred())
portNum := <-portChan
if portNum == 0 {
return 0, nil, fmt.Errorf("failed to execute server")
}
return portNum, closeChan, nil
port, err := strconv.Atoi(portString)
Expect(err).NotTo(HaveOccurred())
return port, session, nil
}

238
plugins/meta/portmap/portmap_test.go
View File

@ -15,6 +15,7 @@
package main
import (
"fmt"
"net"
. "github.com/onsi/ginkgo"
@ -25,13 +26,6 @@ var _ = Describe("portmapping configuration", func() {
netName := "testNetName"
containerID := "icee6giejonei6sohng6ahngee7laquohquee9shiGo7fohferakah3Feiyoolu2pei7ciPhoh7shaoX6vai3vuf0ahfaeng8yohb9ceu0daez5hashee8ooYai5wa3y"
mappings := []PortMapEntry{
{80, 90, "tcp", ""},
{1000, 2000, "udp", ""},
}
ipv4addr := net.ParseIP("192.2.0.1")
ipv6addr := net.ParseIP("2001:db8::1")
Context("config parsing", func() {
It("Correctly parses an ADD config", func() {
configBytes := []byte(`{
@ -156,101 +150,179 @@ var _ = Describe("portmapping configuration", func() {
Describe("Generating chains", func() {
Context("for DNAT", func() {
It("generates a correct container chain", func() {
ch := genDnatChain(netName, containerID, &[]string{"-m", "hello"})
It("generates a correct standard container chain", func() {
ch := genDnatChain(netName, containerID)
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-DN-bfd599665540dd91d5d28",
entryRule: []string{
"-m", "comment",
"--comment", `dnat name: "testNetName" id: "` + containerID + `"`,
"-m", "hello",
},
table: "nat",
name: "CNI-DN-bfd599665540dd91d5d28",
entryChains: []string{TopLevelDNATChainName},
}))
configBytes := []byte(`{
"name": "test",
"type": "portmap",
"cniVersion": "0.3.1",
"runtimeConfig": {
"portMappings": [
{ "hostPort": 8080, "containerPort": 80, "protocol": "tcp"},
{ "hostPort": 8081, "containerPort": 80, "protocol": "tcp"},
{ "hostPort": 8080, "containerPort": 81, "protocol": "udp"},
{ "hostPort": 8082, "containerPort": 82, "protocol": "udp"}
]
},
"snat": true,
"conditionsV4": ["a", "b"],
"conditionsV6": ["c", "d"]
}`)
conf, err := parseConfig(configBytes, "foo")
Expect(err).NotTo(HaveOccurred())
conf.ContainerID = containerID
ch = genDnatChain(conf.Name, containerID)
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-DN-67e92b96e692a494b6b85",
entryChains: []string{"CNI-HOSTPORT-DNAT"},
}))
fillDnatRules(&ch, conf, net.ParseIP("10.0.0.2"))
Expect(ch.entryRules).To(Equal([][]string{
{"-m", "comment", "--comment",
fmt.Sprintf("dnat name: \"test\" id: \"%s\"", containerID),
"-m", "multiport",
"-p", "tcp",
"--destination-ports", "8080,8081",
"a", "b"},
{"-m", "comment", "--comment",
fmt.Sprintf("dnat name: \"test\" id: \"%s\"", containerID),
"-m", "multiport",
"-p", "udp",
"--destination-ports", "8080,8082",
"a", "b"},
}))
Expect(ch.rules).To(Equal([][]string{
{"-p", "tcp", "--dport", "8080", "-s", "10.0.0.2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "tcp", "--dport", "8080", "-s", "127.0.0.1", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "tcp", "--dport", "8080", "-j", "DNAT", "--to-destination", "10.0.0.2:80"},
{"-p", "tcp", "--dport", "8081", "-s", "10.0.0.2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "tcp", "--dport", "8081", "-s", "127.0.0.1", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "tcp", "--dport", "8081", "-j", "DNAT", "--to-destination", "10.0.0.2:80"},
{"-p", "udp", "--dport", "8080", "-s", "10.0.0.2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "udp", "--dport", "8080", "-s", "127.0.0.1", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "udp", "--dport", "8080", "-j", "DNAT", "--to-destination", "10.0.0.2:81"},
{"-p", "udp", "--dport", "8082", "-s", "10.0.0.2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "udp", "--dport", "8082", "-s", "127.0.0.1", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "udp", "--dport", "8082", "-j", "DNAT", "--to-destination", "10.0.0.2:82"},
}))
ch.rules = nil
ch.entryRules = nil
fillDnatRules(&ch, conf, net.ParseIP("2001:db8::2"))
Expect(ch.rules).To(Equal([][]string{
{"-p", "tcp", "--dport", "8080", "-s", "2001:db8::2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "tcp", "--dport", "8080", "-j", "DNAT", "--to-destination", "[2001:db8::2]:80"},
{"-p", "tcp", "--dport", "8081", "-s", "2001:db8::2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "tcp", "--dport", "8081", "-j", "DNAT", "--to-destination", "[2001:db8::2]:80"},
{"-p", "udp", "--dport", "8080", "-s", "2001:db8::2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "udp", "--dport", "8080", "-j", "DNAT", "--to-destination", "[2001:db8::2]:81"},
{"-p", "udp", "--dport", "8082", "-s", "2001:db8::2", "-j", "CNI-HOSTPORT-SETMARK"},
{"-p", "udp", "--dport", "8082", "-j", "DNAT", "--to-destination", "[2001:db8::2]:82"},
}))
// Disable snat, generate rules
ch.rules = nil
ch.entryRules = nil
fvar := false
conf.SNAT = &fvar
fillDnatRules(&ch, conf, net.ParseIP("10.0.0.2"))
Expect(ch.rules).To(Equal([][]string{
{"-p", "tcp", "--dport", "8080", "-j", "DNAT", "--to-destination", "10.0.0.2:80"},
{"-p", "tcp", "--dport", "8081", "-j", "DNAT", "--to-destination", "10.0.0.2:80"},
{"-p", "udp", "--dport", "8080", "-j", "DNAT", "--to-destination", "10.0.0.2:81"},
{"-p", "udp", "--dport", "8082", "-j", "DNAT", "--to-destination", "10.0.0.2:82"},
}))
})
It("generates a correct chain with external mark", func() {
ch := genDnatChain(netName, containerID)
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-DN-bfd599665540dd91d5d28",
entryChains: []string{TopLevelDNATChainName},
}))
configBytes := []byte(`{
"name": "test",
"type": "portmap",
"cniVersion": "0.3.1",
"runtimeConfig": {
"portMappings": [
{ "hostPort": 8080, "containerPort": 80, "protocol": "tcp"}
]
},
"externalSetMarkChain": "PLZ-SET-MARK",
"conditionsV4": ["a", "b"],
"conditionsV6": ["c", "d"]
}`)
conf, err := parseConfig(configBytes, "foo")
Expect(err).NotTo(HaveOccurred())
conf.ContainerID = containerID
ch = genDnatChain(conf.Name, containerID)
fillDnatRules(&ch, conf, net.ParseIP("10.0.0.2"))
Expect(ch.rules).To(Equal([][]string{
{"-p", "tcp", "--dport", "8080", "-s", "10.0.0.2", "-j", "PLZ-SET-MARK"},
{"-p", "tcp", "--dport", "8080", "-s", "127.0.0.1", "-j", "PLZ-SET-MARK"},
{"-p", "tcp", "--dport", "8080", "-j", "DNAT", "--to-destination", "10.0.0.2:80"},
}))
})
It("generates a correct top-level chain", func() {
ch := genToplevelDnatChain()
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-HOSTPORT-DNAT",
entryRule: []string{
"-m", "addrtype",
"--dst-type", "LOCAL",
},
table: "nat",
name: "CNI-HOSTPORT-DNAT",
entryChains: []string{"PREROUTING", "OUTPUT"},
entryRules: [][]string{{"-m", "addrtype", "--dst-type", "LOCAL"}},
}))
})
})
Context("for SNAT", func() {
It("generates a correct container chain", func() {
ch := genSnatChain(netName, containerID)
It("generates the correct mark chains", func() {
masqBit := 5
ch := genSetMarkChain(masqBit)
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-SN-bfd599665540dd91d5d28",
entryRule: []string{
name: "CNI-HOSTPORT-SETMARK",
rules: [][]string{{
"-m", "comment",
"--comment", `snat name: "testNetName" id: "` + containerID + `"`,
},
entryChains: []string{TopLevelSNATChainName},
"--comment", "CNI portfwd masquerade mark",
"-j", "MARK",
"--set-xmark", "0x20/0x20",
}},
}))
})
It("generates a correct top-level chain", func() {
Context("for ipv4", func() {
ch := genToplevelSnatChain(false)
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-HOSTPORT-SNAT",
entryRule: []string{
"-s", "127.0.0.1",
"!", "-d", "127.0.0.1",
},
entryChains: []string{"POSTROUTING"},
}))
})
})
})
})
Describe("Forwarding rules", func() {
Context("for DNAT", func() {
It("generates correct ipv4 rules", func() {
rules := dnatRules(mappings, ipv4addr)
Expect(rules).To(Equal([][]string{
{"-p", "tcp", "--dport", "80", "-j", "DNAT", "--to-destination", "192.2.0.1:90"},
{"-p", "udp", "--dport", "1000", "-j", "DNAT", "--to-destination", "192.2.0.1:2000"},
}))
})
It("generates correct ipv6 rules", func() {
rules := dnatRules(mappings, ipv6addr)
Expect(rules).To(Equal([][]string{
{"-p", "tcp", "--dport", "80", "-j", "DNAT", "--to-destination", "[2001:db8::1]:90"},
{"-p", "udp", "--dport", "1000", "-j", "DNAT", "--to-destination", "[2001:db8::1]:2000"},
}))
})
})
Context("for SNAT", func() {
It("generates correct ipv4 rules", func() {
rules := snatRules(mappings, ipv4addr)
Expect(rules).To(Equal([][]string{
{"-p", "tcp", "-s", "127.0.0.1", "-d", "192.2.0.1", "--dport", "90", "-j", "MASQUERADE"},
{"-p", "udp", "-s", "127.0.0.1", "-d", "192.2.0.1", "--dport", "2000", "-j", "MASQUERADE"},
}))
})
It("generates correct ipv6 rules", func() {
rules := snatRules(mappings, ipv6addr)
Expect(rules).To(Equal([][]string{
{"-p", "tcp", "-s", "::1", "-d", "2001:db8::1", "--dport", "90", "-j", "MASQUERADE"},
{"-p", "udp", "-s", "::1", "-d", "2001:db8::1", "--dport", "2000", "-j", "MASQUERADE"},
ch = genMarkMasqChain(masqBit)
Expect(ch).To(Equal(chain{
table: "nat",
name: "CNI-HOSTPORT-MASQ",
entryChains: []string{"POSTROUTING"},
entryRules: [][]string{{
"-m", "comment",
"--comment", "CNI portfwd requiring masquerade",
}},
rules: [][]string{{
"-m", "mark",
"--mark", "0x20/0x20",
"-j", "MASQUERADE",
}},
}))
})
})

50
plugins/meta/portmap/utils.go
View File

@ -18,6 +18,8 @@ import (
"crypto/sha512"
"fmt"
"net"
"strconv"
"strings"
"github.com/vishvananda/netlink"
)
@ -65,3 +67,51 @@ func formatChainName(prefix, name, id string) string {
chain := fmt.Sprintf("CNI-%s%x", prefix, chainBytes)
return chain[:maxChainNameLength]
}
// groupByProto groups port numbers by protocol
func groupByProto(entries []PortMapEntry) map[string][]int {
if len(entries) == 0 {
return map[string][]int{}
}
out := map[string][]int{}
for _, e := range entries {
_, ok := out[e.Protocol]
if ok {
out[e.Protocol] = append(out[e.Protocol], e.HostPort)
} else {
out[e.Protocol] = []int{e.HostPort}
}
}
return out
}
// splitPortList splits a list of integers in to one or more comma-separated
// string values, for use by multiport. Multiport only allows up to 15 ports
// per entry.
func splitPortList(l []int) []string {
out := []string{}
acc := []string{}
for _, i := range l {
acc = append(acc, strconv.Itoa(i))
if len(acc) == 15 {
out = append(out, strings.Join(acc, ","))
acc = []string{}
}
}
if len(acc) > 0 {
out = append(out, strings.Join(acc, ","))
}
return out
}
// trimComment makes sure no comment is over the iptables limit of 255 chars
func trimComment(val string) string {
if len(val) <= 255 {
return val
}
return val[0:253] + "..."
}

41
plugins/meta/tuning/tuning.go
View File

@ -34,19 +34,47 @@ import (
// TuningConf represents the network tuning configuration.
type TuningConf struct {
types.NetConf
SysCtl map[string]string `json:"sysctl"`
SysCtl map[string]string `json:"sysctl"`
RawPrevResult map[string]interface{} `json:"prevResult,omitempty"`
PrevResult *current.Result `json:"-"`
}
func parseConf(data []byte) (*TuningConf, error) {
conf := TuningConf{}
if err := json.Unmarshal(data, &conf); err != nil {
return nil, fmt.Errorf("failed to load netconf: %v", err)
}
// Parse previous result.
if conf.RawPrevResult != nil {
resultBytes, err := json.Marshal(conf.RawPrevResult)
if err != nil {
return nil, fmt.Errorf("could not serialize prevResult: %v", err)
}
res, err := version.NewResult(conf.CNIVersion, resultBytes)
if err != nil {
return nil, fmt.Errorf("could not parse prevResult: %v", err)
}
conf.RawPrevResult = nil
conf.PrevResult, err = current.NewResultFromResult(res)
if err != nil {
return nil, fmt.Errorf("could not convert result to current version: %v", err)
}
}
return &conf, nil
}
func cmdAdd(args *skel.CmdArgs) error {
tuningConf := TuningConf{}
if err := json.Unmarshal(args.StdinData, &tuningConf); err != nil {
return fmt.Errorf("failed to load netconf: %v", err)
tuningConf, err := parseConf(args.StdinData)
if err != nil {
return err
}
// The directory /proc/sys/net is per network namespace. Enter in the
// network namespace before writing on it.
err := ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
err = ns.WithNetNSPath(args.Netns, func(_ ns.NetNS) error {
for key, value := range tuningConf.SysCtl {
fileName := filepath.Join("/proc/sys", strings.Replace(key, ".", "/", -1))
fileName = filepath.Clean(fileName)
@ -68,8 +96,7 @@ func cmdAdd(args *skel.CmdArgs) error {
return err
}
result := current.Result{}
return result.Print()
return types.PrintResult(tuningConf.PrevResult, tuningConf.CNIVersion)
}
func cmdDel(args *skel.CmdArgs) error {

27
plugins/meta/tuning/tuning_suite_test.go Normal file
View File

@ -0,0 +1,27 @@
// Copyright 2017 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
"testing"
)
func TestTuning(t *testing.T) {
RegisterFailHandler(Fail)
RunSpecs(t, "tuning Suite")
}

112
plugins/meta/tuning/tuning_test.go Normal file
View File

@ -0,0 +1,112 @@
// Copyright 2017 CNI authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package main
import (
"github.com/containernetworking/cni/pkg/skel"
"github.com/containernetworking/cni/pkg/types/current"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/testutils"
"github.com/vishvananda/netlink"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
var _ = Describe("tuning plugin", func() {
var originalNS ns.NetNS
const IFNAME string = "dummy0"
BeforeEach(func() {
// Create a new NetNS so we don't modify the host
var err error
originalNS, err = ns.NewNS()
Expect(err).NotTo(HaveOccurred())
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
err = netlink.LinkAdd(&netlink.Dummy{
LinkAttrs: netlink.LinkAttrs{
Name: IFNAME,
},
})
Expect(err).NotTo(HaveOccurred())
_, err = netlink.LinkByName(IFNAME)
Expect(err).NotTo(HaveOccurred())
return nil
})
Expect(err).NotTo(HaveOccurred())
})
AfterEach(func() {
Expect(originalNS.Close()).To(Succeed())
})
It("passes prevResult through unchanged", func() {
conf := []byte(`{
"name": "test",
"type": "tuning",
"cniVersion": "0.3.1",
"sysctl": {
"net.ipv4.conf.all.log_martians": "1"
},
"prevResult": {
"interfaces": [
{"name": "dummy0", "sandbox":"netns"}
],
"ips": [
{
"version": "4",
"address": "10.0.0.2/24",
"gateway": "10.0.0.1",
"interface": 0
}
]
}
}`)
targetNs, err := ns.NewNS()
Expect(err).NotTo(HaveOccurred())
defer targetNs.Close()
args := &skel.CmdArgs{
ContainerID: "dummy",
Netns: targetNs.Path(),
IfName: IFNAME,
StdinData: conf,
}
err = originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
r, _, err := testutils.CmdAddWithResult(targetNs.Path(), IFNAME, []byte(conf), func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
result, err := current.GetResult(r)
Expect(err).NotTo(HaveOccurred())
Expect(len(result.Interfaces)).To(Equal(1))
Expect(result.Interfaces[0].Name).To(Equal(IFNAME))
Expect(len(result.IPs)).To(Equal(1))
Expect(result.IPs[0].Address.String()).To(Equal("10.0.0.2/24"))
return nil
})
Expect(err).NotTo(HaveOccurred())
})
})

0
plugins/sample/sample_test.go → plugins/sample/sample_linux_test.go
View File

4
scripts/release.sh
View File

@ -12,12 +12,14 @@ OUTPUT_DIR=bin
# Always clean first
rm -Rf ${SRC_DIR}/${RELEASE_DIR}
mkdir -p ${SRC_DIR}/${RELEASE_DIR}
mkdir -p ${OUTPUT_DIR}
docker run -i -v ${SRC_DIR}:/opt/src --rm golang:1.8-alpine \
docker run -i -v ${SRC_DIR}:/opt/src --rm golang:1.9-alpine \
/bin/sh -xe -c "\
apk --no-cache add bash tar;
cd /opt/src; umask 0022;
for arch in amd64 arm arm64 ppc64le s390x; do \
rm -f ${OUTPUT_DIR}/*; \
CGO_ENABLED=0 GOARCH=\$arch ./build.sh ${BUILDFLAGS}; \
for format in tgz; do \
FILENAME=cni-plugins-\$arch-${TAG}.\$format; \

30
test.sh
View File

@ -10,36 +10,36 @@ source ./build.sh
echo "Running tests"
TESTABLE="plugins/ipam/dhcp plugins/ipam/host-local plugins/ipam/host-local/backend/allocator plugins/main/loopback plugins/main/ipvlan plugins/main/macvlan plugins/main/bridge plugins/main/ptp plugins/meta/flannel plugins/main/vlan plugins/sample pkg/ip pkg/ipam pkg/ns pkg/utils pkg/utils/hwaddr pkg/utils/sysctl plugins/meta/portmap"
# test everything that's not in vendor
pushd "$GOPATH/src/$REPO_PATH" >/dev/null
ALL_PKGS="$(go list ./... | grep -v vendor | xargs echo)"
popd >/dev/null
GINKGO_FLAGS="-p --randomizeAllSpecs --randomizeSuites --failOnPending --progress"
# user has not provided PKG override
if [ -z "$PKG" ]; then
TEST=$TESTABLE
FMT=$TESTABLE
GINKGO_FLAGS="$GINKGO_FLAGS -r ."
LINT_TARGETS="$ALL_PKGS"
# user has provided PKG override
else
TEST=$PKG
# only run gofmt on packages provided by user
FMT="$TEST"
GINKGO_FLAGS="$GINKGO_FLAGS $PKG"
LINT_TARGETS="$PKG"
fi
# split TEST into an array and prepend REPO_PATH to each local package
split=(${TEST// / })
TEST=${split[@]/#/${REPO_PATH}/}
sudo -E bash -c "umask 0; PATH=${GOROOT}/bin:$(pwd)/bin:${PATH} go test ${TEST}"
cd "$GOPATH/src/$REPO_PATH"
sudo -E bash -c "umask 0; PATH=${GOROOT}/bin:$(pwd)/bin:${PATH} ginkgo ${GINKGO_FLAGS}"
echo "Checking gofmt..."
fmtRes=$(gofmt -l $FMT)
fmtRes=$(go fmt $LINT_TARGETS)
if [ -n "${fmtRes}" ]; then
echo -e "gofmt checking failed:\n${fmtRes}"
echo -e "go fmt checking failed:\n${fmtRes}"
exit 255
fi
echo "Checking govet..."
vetRes=$(go vet $TEST)
vetRes=$(go vet $LINT_TARGETS)
if [ -n "${vetRes}" ]; then
echo -e "govet checking failed:\n${vetRes}"
exit 255

21
vendor/github.com/alexflint/go-filemutex/LICENSE generated vendored Normal file
View File

@ -0,0 +1,21 @@
The MIT License
Copyright (c) 2010-2017 Alex Flint.
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

31
vendor/github.com/alexflint/go-filemutex/README.md generated vendored Normal file
View File

@ -0,0 +1,31 @@
# FileMutex
FileMutex is similar to `sync.RWMutex`, but also synchronizes across processes.
On Linux, OSX, and other POSIX systems it uses the flock system call. On windows
it uses the LockFileEx and UnlockFileEx system calls.
```go
import (
"log"
"github.com/alexflint/go-filemutex"
)
func main() {
m, err := filemutex.New("/tmp/foo.lock")
if err != nil {
log.Fatalln("Directory did not exist or file could not created")
}
m.Lock() // Will block until lock can be acquired
// Code here is protected by the mutex
m.Unlock()
}
```
### Installation
go get github.com/alexflint/go-filemutex
Forked from https://github.com/golang/build/tree/master/cmd/builder/filemutex_*.go

67
vendor/github.com/alexflint/go-filemutex/filemutex_flock.go generated vendored Normal file
View File

@ -0,0 +1,67 @@
// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
// +build darwin dragonfly freebsd linux netbsd openbsd
package filemutex
import (
"syscall"
)
const (
mkdirPerm = 0750
)
// FileMutex is similar to sync.RWMutex, but also synchronizes across processes.
// This implementation is based on flock syscall.
type FileMutex struct {
fd int
}
func New(filename string) (*FileMutex, error) {
fd, err := syscall.Open(filename, syscall.O_CREAT|syscall.O_RDONLY, mkdirPerm)
if err != nil {
return nil, err
}
return &FileMutex{fd: fd}, nil
}
func (m *FileMutex) Lock() error {
if err := syscall.Flock(m.fd, syscall.LOCK_EX); err != nil {
return err
}
return nil
}
func (m *FileMutex) Unlock() error {
if err := syscall.Flock(m.fd, syscall.LOCK_UN); err != nil {
return err
}
return nil
}
func (m *FileMutex) RLock() error {
if err := syscall.Flock(m.fd, syscall.LOCK_SH); err != nil {
return err
}
return nil
}
func (m *FileMutex) RUnlock() error {
if err := syscall.Flock(m.fd, syscall.LOCK_UN); err != nil {
return err
}
return nil
}
// Close does an Unlock() combined with closing and unlinking the associated
// lock file. You should create a New() FileMutex for every Lock() attempt if
// using Close().
func (m *FileMutex) Close() error {
if err := syscall.Flock(m.fd, syscall.LOCK_UN); err != nil {
return err
}
return syscall.Close(m.fd)
}

102
vendor/github.com/alexflint/go-filemutex/filemutex_windows.go generated vendored Normal file
View File

@ -0,0 +1,102 @@
// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package filemutex
import (
"syscall"
"unsafe"
)
var (
modkernel32 = syscall.NewLazyDLL("kernel32.dll")
procLockFileEx = modkernel32.NewProc("LockFileEx")
procUnlockFileEx = modkernel32.NewProc("UnlockFileEx")
)
const (
lockfileExclusiveLock = 2
)
func lockFileEx(h syscall.Handle, flags, reserved, locklow, lockhigh uint32, ol *syscall.Overlapped) (err error) {
r1, _, e1 := syscall.Syscall6(procLockFileEx.Addr(), 6, uintptr(h), uintptr(flags), uintptr(reserved), uintptr(locklow), uintptr(lockhigh), uintptr(unsafe.Pointer(ol)))
if r1 == 0 {
if e1 != 0 {
err = error(e1)
} else {
err = syscall.EINVAL
}
}
return
}
func unlockFileEx(h syscall.Handle, reserved, locklow, lockhigh uint32, ol *syscall.Overlapped) (err error) {
r1, _, e1 := syscall.Syscall6(procUnlockFileEx.Addr(), 5, uintptr(h), uintptr(reserved), uintptr(locklow), uintptr(lockhigh), uintptr(unsafe.Pointer(ol)), 0)
if r1 == 0 {
if e1 != 0 {
err = error(e1)
} else {
err = syscall.EINVAL
}
}
return
}
// FileMutex is similar to sync.RWMutex, but also synchronizes across processes.
// This implementation is based on flock syscall.
type FileMutex struct {
fd syscall.Handle
}
func New(filename string) (*FileMutex, error) {
fd, err := syscall.CreateFile(&(syscall.StringToUTF16(filename)[0]), syscall.GENERIC_READ|syscall.GENERIC_WRITE,
syscall.FILE_SHARE_READ|syscall.FILE_SHARE_WRITE, nil, syscall.OPEN_ALWAYS, syscall.FILE_ATTRIBUTE_NORMAL, 0)
if err != nil {
return nil, err
}
return &FileMutex{fd: fd}, nil
}
func (m *FileMutex) Lock() error {
var ol syscall.Overlapped
if err := lockFileEx(m.fd, lockfileExclusiveLock, 0, 1, 0, &ol); err != nil {
return err
}
return nil
}
func (m *FileMutex) Unlock() error {
var ol syscall.Overlapped
if err := unlockFileEx(m.fd, 0, 1, 0, &ol); err != nil {
return err
}
return nil
}
func (m *FileMutex) RLock() error {
var ol syscall.Overlapped
if err := lockFileEx(m.fd, 0, 0, 1, 0, &ol); err != nil {
return err
}
return nil
}
func (m *FileMutex) RUnlock() error {
var ol syscall.Overlapped
if err := unlockFileEx(m.fd, 0, 1, 0, &ol); err != nil {
return err
}
return nil
}
// Close does an Unlock() combined with closing and unlinking the associated
// lock file. You should create a New() FileMutex for every Lock() attempt if
// using Close().
func (m *FileMutex) Close() error {
var ol syscall.Overlapped
if err := unlockFileEx(m.fd, 0, 1, 0, &ol); err != nil {
return err
}
return syscall.Close(m.fd)
}

5
vendor/github.com/coreos/go-iptables/NOTICE generated vendored Normal file
View File

@ -0,0 +1,5 @@
CoreOS Project
Copyright 2018 CoreOS, Inc
This product includes software developed at CoreOS, Inc.
(http://www.coreos.com/).

167
vendor/github.com/coreos/go-iptables/iptables/iptables.go generated vendored
View File

@ -29,11 +29,15 @@ import (
// Adds the output of stderr to exec.ExitError
type Error struct {
exec.ExitError
cmd exec.Cmd
msg string
cmd exec.Cmd
msg string
exitStatus *int //for overriding
}
func (e *Error) ExitStatus() int {
if e.exitStatus != nil {
return *e.exitStatus
}
return e.Sys().(syscall.WaitStatus).ExitStatus()
}
@ -41,6 +45,13 @@ func (e *Error) Error() string {
return fmt.Sprintf("running %v: exit status %v: %v", e.cmd.Args, e.ExitStatus(), e.msg)
}
// IsNotExist returns true if the error is due to the chain or rule not existing
func (e *Error) IsNotExist() bool {
return e.ExitStatus() == 1 &&
(e.msg == "iptables: Bad rule (does a matching rule exist in that chain?).\n" ||
e.msg == "iptables: No chain/target/match by that name.\n")
}
// Protocol to differentiate between IPv4 and IPv6
type Protocol byte
@ -50,10 +61,15 @@ const (
)
type IPTables struct {
path string
proto Protocol
hasCheck bool
hasWait bool
path string
proto Protocol
hasCheck bool
hasWait bool
hasRandomFully bool
v1 int
v2 int
v3 int
mode string // the underlying iptables operating mode, e.g. nf_tables
}
// New creates a new IPTables.
@ -69,15 +85,21 @@ func NewWithProtocol(proto Protocol) (*IPTables, error) {
if err != nil {
return nil, err
}
checkPresent, waitPresent, err := getIptablesCommandSupport(path)
if err != nil {
return nil, fmt.Errorf("error checking iptables version: %v", err)
}
vstring, err := getIptablesVersionString(path)
v1, v2, v3, mode, err := extractIptablesVersion(vstring)
checkPresent, waitPresent, randomFullyPresent := getIptablesCommandSupport(v1, v2, v3)
ipt := IPTables{
path: path,
proto: proto,
hasCheck: checkPresent,
hasWait: waitPresent,
path: path,
proto: proto,
hasCheck: checkPresent,
hasWait: waitPresent,
hasRandomFully: randomFullyPresent,
v1: v1,
v2: v2,
v3: v3,
mode: mode,
}
return &ipt, nil
}
@ -248,10 +270,27 @@ func (ipt *IPTables) executeList(args []string) ([]string, error) {
}
rules := strings.Split(stdout.String(), "\n")
// strip trailing newline
if len(rules) > 0 && rules[len(rules)-1] == "" {
rules = rules[:len(rules)-1]
}
// nftables mode doesn't return an error code when listing a non-existent
// chain. Patch that up.
if len(rules) == 0 && ipt.mode == "nf_tables" {
v := 1
return nil, &Error{
cmd: exec.Cmd{Args: args},
msg: "iptables: No chain/target/match by that name.",
exitStatus: &v,
}
}
for i, rule := range rules {
rules[i] = filterRuleOutput(rule)
}
return rules, nil
}
@ -266,11 +305,18 @@ func (ipt *IPTables) NewChain(table, chain string) error {
func (ipt *IPTables) ClearChain(table, chain string) error {
err := ipt.NewChain(table, chain)
// the exit code for "this table already exists" is different for
// different iptables modes
existsErr := 1
if ipt.mode == "nf_tables" {
existsErr = 4
}
eerr, eok := err.(*Error)
switch {
case err == nil:
return nil
case eok && eerr.ExitStatus() == 1:
case eok && eerr.ExitStatus() == existsErr:
// chain already exists. Flush (clear) it.
return ipt.run("-t", table, "-F", chain)
default:
@ -289,6 +335,21 @@ func (ipt *IPTables) DeleteChain(table, chain string) error {
return ipt.run("-t", table, "-X", chain)
}
// ChangePolicy changes policy on chain to target
func (ipt *IPTables) ChangePolicy(table, chain, target string) error {
return ipt.run("-t", table, "-P", chain, target)
}
// Check if the underlying iptables command supports the --random-fully flag
func (ipt *IPTables) HasRandomFully() bool {
return ipt.hasRandomFully
}
// Return version components of the underlying iptables command
func (ipt *IPTables) GetIptablesVersion() (int, int, int) {
return ipt.v1, ipt.v2, ipt.v3
}
// run runs an iptables command with the given arguments, ignoring
// any stdout output
func (ipt *IPTables) run(args ...string) error {
@ -324,7 +385,7 @@ func (ipt *IPTables) runWithOutput(args []string, stdout io.Writer) error {
if err := cmd.Run(); err != nil {
switch e := err.(type) {
case *exec.ExitError:
return &Error{*e, cmd, stderr.String()}
return &Error{*e, cmd, stderr.String(), nil}
default:
return err
}
@ -343,45 +404,40 @@ func getIptablesCommand(proto Protocol) string {
}
// Checks if iptables has the "-C" and "--wait" flag
func getIptablesCommandSupport(path string) (bool, bool, error) {
vstring, err := getIptablesVersionString(path)
if err != nil {
return false, false, err
}
v1, v2, v3, err := extractIptablesVersion(vstring)
if err != nil {
return false, false, err
}
return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), nil
func getIptablesCommandSupport(v1 int, v2 int, v3 int) (bool, bool, bool) {
return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), iptablesHasRandomFully(v1, v2, v3)
}
// getIptablesVersion returns the first three components of the iptables version.
// e.g. "iptables v1.3.66" would return (1, 3, 66, nil)
func extractIptablesVersion(str string) (int, int, int, error) {
versionMatcher := regexp.MustCompile("v([0-9]+)\\.([0-9]+)\\.([0-9]+)")
// getIptablesVersion returns the first three components of the iptables version
// and the operating mode (e.g. nf_tables or legacy)
// e.g. "iptables v1.3.66" would return (1, 3, 66, legacy, nil)
func extractIptablesVersion(str string) (int, int, int, string, error) {
versionMatcher := regexp.MustCompile(`v([0-9]+)\.([0-9]+)\.([0-9]+)(?:\s+\((\w+))?`)
result := versionMatcher.FindStringSubmatch(str)
if result == nil {
return 0, 0, 0, fmt.Errorf("no iptables version found in string: %s", str)
return 0, 0, 0, "", fmt.Errorf("no iptables version found in string: %s", str)
}
v1, err := strconv.Atoi(result[1])
if err != nil {
return 0, 0, 0, err
return 0, 0, 0, "", err
}
v2, err := strconv.Atoi(result[2])
if err != nil {
return 0, 0, 0, err
return 0, 0, 0, "", err
}
v3, err := strconv.Atoi(result[3])
if err != nil {
return 0, 0, 0, err
return 0, 0, 0, "", err
}
return v1, v2, v3, nil
mode := "legacy"
if result[4] != "" {
mode = result[4]
}
return v1, v2, v3, mode, nil
}
// Runs "iptables --version" to get the version string
@ -424,6 +480,20 @@ func iptablesHasWaitCommand(v1 int, v2 int, v3 int) bool {
return false
}
// Checks if an iptables version is after 1.6.2, when --random-fully was added
func iptablesHasRandomFully(v1 int, v2 int, v3 int) bool {
if v1 > 1 {
return true
}
if v1 == 1 && v2 > 6 {
return true
}
if v1 == 1 && v2 == 6 && v3 >= 2 {
return true
}
return false
}
// Checks if a rule specification exists for a table
func (ipt *IPTables) existsForOldIptables(table, chain string, rulespec []string) (bool, error) {
rs := strings.Join(append([]string{"-A", chain}, rulespec...), " ")
@ -435,3 +505,26 @@ func (ipt *IPTables) existsForOldIptables(table, chain string, rulespec []string
}
return strings.Contains(stdout.String(), rs), nil
}
// counterRegex is the regex used to detect nftables counter format
var counterRegex = regexp.MustCompile(`^\[([0-9]+):([0-9]+)\] `)
// filterRuleOutput works around some inconsistencies in output.
// For example, when iptables is in legacy vs. nftables mode, it produces
// different results.
func filterRuleOutput(rule string) string {
out := rule
// work around an output difference in nftables mode where counters
// are output in iptables-save format, rather than iptables -S format
// The string begins with "[0:0]"
//
// Fixes #49
if groups := counterRegex.FindStringSubmatch(out); groups != nil {
// drop the brackets
out = out[len(groups[0]):]
out = fmt.Sprintf("%s -c %s %s", out, groups[1], groups[2])
}
return out
}

354
vendor/github.com/d2g/dhcp4server/LICENSE generated vendored Normal file
View File

@ -0,0 +1,354 @@
Mozilla Public License, version 2.0
1. Definitions
1.1. “Contributor”
means each individual or legal entity that creates, contributes to the
creation of, or owns Covered Software.
1.2. “Contributor Version”
means the combination of the Contributions of others (if any) used by a
Contributor and that particular Contributors Contribution.
1.3. “Contribution”
means Covered Software of a particular Contributor.
1.4. “Covered Software”
means Source Code Form to which the initial Contributor has attached the
notice in Exhibit A, the Executable Form of such Source Code Form, and
Modifications of such Source Code Form, in each case including portions
thereof.
1.5. “Incompatible With Secondary Licenses”
means
a. that the initial Contributor has attached the notice described in
Exhibit B to the Covered Software; or
b. that the Covered Software was made available under the terms of version
1.1 or earlier of the License, but not also under the terms of a
Secondary License.
1.6. “Executable Form”
means any form of the work other than Source Code Form.
1.7. “Larger Work”
means a work that combines Covered Software with other material, in a separate
file or files, that is not Covered Software.
1.8. “License”
means this document.
1.9. “Licensable”
means having the right to grant, to the maximum extent possible, whether at the
time of the initial grant or subsequently, any and all of the rights conveyed by
this License.
1.10. “Modifications”
means any of the following:
a. any file in Source Code Form that results from an addition to, deletion
from, or modification of the contents of Covered Software; or
b. any new file in Source Code Form that contains any Covered Software.
1.11. “Patent Claims” of a Contributor
means any patent claim(s), including without limitation, method, process,
and apparatus claims, in any patent Licensable by such Contributor that
would be infringed, but for the grant of the License, by the making,
using, selling, offering for sale, having made, import, or transfer of
either its Contributions or its Contributor Version.
1.12. “Secondary License”
means either the GNU General Public License, Version 2.0, the GNU Lesser
General Public License, Version 2.1, the GNU Affero General Public
License, Version 3.0, or any later versions of those licenses.
1.13. “Source Code Form”
means the form of the work preferred for making modifications.
1.14. “You” (or “Your”)
means an individual or a legal entity exercising rights under this
License. For legal entities, “You” includes any entity that controls, is
controlled by, or is under common control with You. For purposes of this
definition, “control” means (a) the power, direct or indirect, to cause
the direction or management of such entity, whether by contract or
otherwise, or (b) ownership of more than fifty percent (50%) of the
outstanding shares or beneficial ownership of such entity.
2. License Grants and Conditions
2.1. Grants
Each Contributor hereby grants You a world-wide, royalty-free,
non-exclusive license:
a. under intellectual property rights (other than patent or trademark)
Licensable by such Contributor to use, reproduce, make available,
modify, display, perform, distribute, and otherwise exploit its
Contributions, either on an unmodified basis, with Modifications, or as
part of a Larger Work; and
b. under Patent Claims of such Contributor to make, use, sell, offer for
sale, have made, import, and otherwise transfer either its Contributions
or its Contributor Version.
2.2. Effective Date
The licenses granted in Section 2.1 with respect to any Contribution become
effective for each Contribution on the date the Contributor first distributes
such Contribution.
2.3. Limitations on Grant Scope
The licenses granted in this Section 2 are the only rights granted under this
License. No additional rights or licenses will be implied from the distribution
or licensing of Covered Software under this License. Notwithstanding Section
2.1(b) above, no patent license is granted by a Contributor:
a. for any code that a Contributor has removed from Covered Software; or
b. for infringements caused by: (i) Your and any other third partys
modifications of Covered Software, or (ii) the combination of its
Contributions with other software (except as part of its Contributor
Version); or
c. under Patent Claims infringed by Covered Software in the absence of its
Contributions.
This License does not grant any rights in the trademarks, service marks, or
logos of any Contributor (except as may be necessary to comply with the
notice requirements in Section 3.4).
2.4. Subsequent Licenses
No Contributor makes additional grants as a result of Your choice to
distribute the Covered Software under a subsequent version of this License
(see Section 10.2) or under the terms of a Secondary License (if permitted
under the terms of Section 3.3).
2.5. Representation
Each Contributor represents that the Contributor believes its Contributions
are its original creation(s) or it has sufficient rights to grant the
rights to its Contributions conveyed by this License.
2.6. Fair Use
This License is not intended to limit any rights You have under applicable
copyright doctrines of fair use, fair dealing, or other equivalents.
2.7. Conditions
Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
Section 2.1.
3. Responsibilities
3.1. Distribution of Source Form
All distribution of Covered Software in Source Code Form, including any
Modifications that You create or to which You contribute, must be under the
terms of this License. You must inform recipients that the Source Code Form
of the Covered Software is governed by the terms of this License, and how
they can obtain a copy of this License. You may not attempt to alter or
restrict the recipients rights in the Source Code Form.
3.2. Distribution of Executable Form
If You distribute Covered Software in Executable Form then:
a. such Covered Software must also be made available in Source Code Form,
as described in Section 3.1, and You must inform recipients of the
Executable Form how they can obtain a copy of such Source Code Form by
reasonable means in a timely manner, at a charge no more than the cost
of distribution to the recipient; and
b. You may distribute such Executable Form under the terms of this License,
or sublicense it under different terms, provided that the license for
the Executable Form does not attempt to limit or alter the recipients
rights in the Source Code Form under this License.
3.3. Distribution of a Larger Work
You may create and distribute a Larger Work under terms of Your choice,
provided that You also comply with the requirements of this License for the
Covered Software. If the Larger Work is a combination of Covered Software
with a work governed by one or more Secondary Licenses, and the Covered
Software is not Incompatible With Secondary Licenses, this License permits
You to additionally distribute such Covered Software under the terms of
such Secondary License(s), so that the recipient of the Larger Work may, at
their option, further distribute the Covered Software under the terms of
either this License or such Secondary License(s).
3.4. Notices
You may not remove or alter the substance of any license notices (including
copyright notices, patent notices, disclaimers of warranty, or limitations
of liability) contained within the Source Code Form of the Covered
Software, except that You may alter any license notices to the extent
required to remedy known factual inaccuracies.
3.5. Application of Additional Terms
You may choose to offer, and to charge a fee for, warranty, support,
indemnity or liability obligations to one or more recipients of Covered
Software. However, You may do so only on Your own behalf, and not on behalf
of any Contributor. You must make it absolutely clear that any such
warranty, support, indemnity, or liability obligation is offered by You
alone, and You hereby agree to indemnify every Contributor for any
liability incurred by such Contributor as a result of warranty, support,
indemnity or liability terms You offer. You may include additional
disclaimers of warranty and limitations of liability specific to any
jurisdiction.
4. Inability to Comply Due to Statute or Regulation
If it is impossible for You to comply with any of the terms of this License
with respect to some or all of the Covered Software due to statute, judicial
order, or regulation then You must: (a) comply with the terms of this License
to the maximum extent possible; and (b) describe the limitations and the code
they affect. Such description must be placed in a text file included with all
distributions of the Covered Software under this License. Except to the
extent prohibited by statute or regulation, such description must be
sufficiently detailed for a recipient of ordinary skill to be able to
understand it.
5. Termination
5.1. The rights granted under this License will terminate automatically if You
fail to comply with any of its terms. However, if You become compliant,
then the rights granted under this License from a particular Contributor
are reinstated (a) provisionally, unless and until such Contributor
explicitly and finally terminates Your grants, and (b) on an ongoing basis,
if such Contributor fails to notify You of the non-compliance by some
reasonable means prior to 60 days after You have come back into compliance.
Moreover, Your grants from a particular Contributor are reinstated on an
ongoing basis if such Contributor notifies You of the non-compliance by
some reasonable means, this is the first time You have received notice of
non-compliance with this License from such Contributor, and You become
compliant prior to 30 days after Your receipt of the notice.
5.2. If You initiate litigation against any entity by asserting a patent
infringement claim (excluding declaratory judgment actions, counter-claims,
and cross-claims) alleging that a Contributor Version directly or
indirectly infringes any patent, then the rights granted to You by any and
all Contributors for the Covered Software under Section 2.1 of this License
shall terminate.
5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
license agreements (excluding distributors and resellers) which have been
validly granted by You or Your distributors under this License prior to
termination shall survive termination.
6. Disclaimer of Warranty
Covered Software is provided under this License on an “as is” basis, without
warranty of any kind, either expressed, implied, or statutory, including,
without limitation, warranties that the Covered Software is free of defects,
merchantable, fit for a particular purpose or non-infringing. The entire
risk as to the quality and performance of the Covered Software is with You.
Should any Covered Software prove defective in any respect, You (not any
Contributor) assume the cost of any necessary servicing, repair, or
correction. This disclaimer of warranty constitutes an essential part of this
License. No use of any Covered Software is authorized under this License
except under this disclaimer.
7. Limitation of Liability
Under no circumstances and under no legal theory, whether tort (including
negligence), contract, or otherwise, shall any Contributor, or anyone who
distributes Covered Software as permitted above, be liable to You for any
direct, indirect, special, incidental, or consequential damages of any
character including, without limitation, damages for lost profits, loss of
goodwill, work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses, even if such party shall have been
informed of the possibility of such damages. This limitation of liability
shall not apply to liability for death or personal injury resulting from such
partys negligence to the extent applicable law prohibits such limitation.
Some jurisdictions do not allow the exclusion or limitation of incidental or
consequential damages, so this exclusion and limitation may not apply to You.
8. Litigation
Any litigation relating to this License may be brought only in the courts of
a jurisdiction where the defendant maintains its principal place of business
and such litigation shall be governed by laws of that jurisdiction, without
reference to its conflict-of-law provisions. Nothing in this Section shall
prevent a partys ability to bring cross-claims or counter-claims.
9. Miscellaneous
This License represents the complete agreement concerning the subject matter
hereof. If any provision of this License is held to be unenforceable, such
provision shall be reformed only to the extent necessary to make it
enforceable. Any law or regulation which provides that the language of a
contract shall be construed against the drafter shall not be used to construe
this License against a Contributor.
10. Versions of the License
10.1. New Versions
Mozilla Foundation is the license steward. Except as provided in Section
10.3, no one other than the license steward has the right to modify or
publish new versions of this License. Each version will be given a
distinguishing version number.
10.2. Effect of New Versions
You may distribute the Covered Software under the terms of the version of
the License under which You originally received the Covered Software, or
under the terms of any subsequent version published by the license
steward.
10.3. Modified Versions
If you create software not governed by this License, and you want to
create a new license for such software, you may create and use a modified
version of this License if you rename the license and remove any
references to the name of the license steward (except to note that such
modified license differs from this License).
10.4. Distributing Source Code Form that is Incompatible With Secondary Licenses
If You choose to distribute Source Code Form that is Incompatible With
Secondary Licenses under the terms of this version of the License, the
notice described in Exhibit B of this License must be attached.
Exhibit A - Source Code Form License Notice
This Source Code Form is subject to the
terms of the Mozilla Public License, v.
2.0. If a copy of the MPL was not
distributed with this file, You can
obtain one at
http://mozilla.org/MPL/2.0/.
If it is not possible or desirable to put the notice in a particular file, then
You may include the notice in a location (such as a LICENSE file in a relevant
directory) where a recipient would be likely to look for such a notice.
You may add additional accurate notices of copyright ownership.
Exhibit B - “Incompatible With Secondary Licenses” Notice
This Source Code Form is “Incompatible
With Secondary Licenses”, as defined by
the Mozilla Public License, v. 2.0.

4
vendor/github.com/d2g/dhcp4server/README.md generated vendored Normal file
View File

@ -0,0 +1,4 @@
dhcp4server [![GoDoc](https://godoc.org/github.com/d2g/dhcp4server?status.svg)](http://godoc.org/github.com/d2g/dhcp4server) [![Coverage Status](https://coveralls.io/repos/d2g/dhcp4server/badge.svg)](https://coveralls.io/r/d2g/dhcp4server) [![Codeship Status for d2g/dhcp4server](https://codeship.com/projects/ff96ded0-89cb-0132-8209-4635861fb902/status?branch=master)](https://codeship.com/projects/59804)
===========
DHCP Server

95
vendor/github.com/d2g/dhcp4server/leasepool/lease.go generated vendored Normal file
View File

@ -0,0 +1,95 @@
package leasepool
import (
"encoding/json"
"net"
"time"
)
type LeaseStatus int
const (
Free LeaseStatus = 0
Reserved LeaseStatus = 1
Active LeaseStatus = 2
)
type Lease struct {
IP net.IP //The IP of the Lease
Status LeaseStatus //Are Reserved, Active or Free
MACAddress net.HardwareAddr //Mac Address of the Device
Hostname string //Hostname From option 12
Expiry time.Time //Expiry Time
}
func (this Lease) MarshalJSON() ([]byte, error) {
stringMarshal := struct {
IP string
Status int
MACAddress string
Hostname string
Expiry time.Time
}{
(this.IP.String()),
int(this.Status),
(this.MACAddress.String()),
this.Hostname,
this.Expiry,
}
return json.Marshal(stringMarshal)
}
func (this *Lease) UnmarshalJSON(data []byte) error {
stringUnMarshal := struct {
IP string
Status int
MACAddress string
Hostname string
Expiry time.Time
}{}
err := json.Unmarshal(data, &stringUnMarshal)
if err != nil {
return err
}
this.IP = net.ParseIP(stringUnMarshal.IP)
this.Status = LeaseStatus(stringUnMarshal.Status)
if stringUnMarshal.MACAddress != "" {
this.MACAddress, err = net.ParseMAC(stringUnMarshal.MACAddress)
}
if err != nil {
return err
}
this.Hostname = stringUnMarshal.Hostname
this.Expiry = stringUnMarshal.Expiry
return nil
}
func (this Lease) Equal(other Lease) bool {
if !this.IP.Equal(other.IP) {
return false
}
if int(this.Status) != int(other.Status) {
return false
}
if this.MACAddress.String() != other.MACAddress.String() {
return false
}
if this.Hostname != other.Hostname {
return false
}
if !this.Expiry.Equal(other.Expiry) {
return false
}
return true
}

51
vendor/github.com/d2g/dhcp4server/leasepool/lease_test.go generated vendored Normal file
View File

@ -0,0 +1,51 @@
package leasepool
import (
"encoding/json"
"net"
"testing"
"time"
)
/*
* The Leases are Marshalled and Unmarshalled for storage.
* I JSON Marshal these for gvklite
*/
func TestMarshaling(test *testing.T) {
var err error
startLease := Lease{}
startLease.IP = net.IPv4(192, 168, 0, 1)
startLease.Hostname = "ExampleHostname"
startLease.Status = Active
startLease.Expiry = time.Now()
startLease.MACAddress, err = net.ParseMAC("01:23:45:67:89:ab")
if err != nil {
test.Error("Error Parsing Mac Address:" + err.Error())
}
byteStartLease, err := json.Marshal(startLease)
if err != nil {
test.Error("Error Marshaling to JSON:" + err.Error())
}
test.Log("StartLease As JSON:" + string(byteStartLease))
endLease := Lease{}
err = json.Unmarshal(byteStartLease, &endLease)
if err != nil {
test.Error("Error Unmarshaling to JSON:" + err.Error())
}
test.Logf("End Lease Object:%v\n", endLease)
if !startLease.Equal(endLease) {
byteEndLease, err := json.Marshal(endLease)
if err != nil {
test.Error("Can't Marshal End Lease For Debuging:" + err.Error())
}
test.Log("End Lease as JSON:" + string(byteEndLease))
test.Error("Starting Lease Doesn't Match End Lease")
}
}

49
vendor/github.com/d2g/dhcp4server/leasepool/leasepool.go generated vendored Normal file
View File

@ -0,0 +1,49 @@
package leasepool
import (
"net"
)
/*
* Lease.IP is the Key.
*/
type LeasePool interface {
//Add A Lease To The Pool
AddLease(Lease) error
//Remove
RemoveLease(net.IP) error
//Remove All Leases from the Pool (Required for Persistant LeaseManagers)
PurgeLeases() error
/*
* Get the Lease
* -Found
* -Copy Of the Lease
* -Any Error
*/
GetLease(net.IP) (bool, Lease, error)
//Get the lease already in use by that hardware address.
GetLeaseForHardwareAddress(net.HardwareAddr) (bool, Lease, error)
/*
* -Lease Available
* -Lease
* -Error
*/
GetNextFreeLease() (bool, Lease, error)
/*
* Return All Leases
*/
GetLeases() ([]Lease, error)
/*
* Update Lease
* - Has Updated
* - Error
*/
UpdateLease(Lease) (bool, error)
}

150
vendor/github.com/d2g/dhcp4server/leasepool/memorypool/memorypool.go generated vendored Normal file
View File

@ -0,0 +1,150 @@
package memorypool
import (
"bytes"
"errors"
"github.com/d2g/dhcp4server/leasepool"
"net"
"sync"
)
type MemoryPool struct {
pool []leasepool.Lease
poolLock sync.Mutex
}
//Add A Lease To The Pool
func (t *MemoryPool) AddLease(newLease leasepool.Lease) error {
t.poolLock.Lock()
defer t.poolLock.Unlock()
if t.pool == nil {
t.pool = make([]leasepool.Lease, 0)
}
for i := range t.pool {
if t.pool[i].IP.Equal(newLease.IP) {
//Lease Already Exists In Pool
return errors.New("Error: Lease IP \"" + newLease.IP.String() + "\" alreay exists in Pool")
}
}
t.pool = append([]leasepool.Lease{newLease}, t.pool...)
return nil
}
//Remove a Lease From The Pool
func (t *MemoryPool) RemoveLease(leaseIP net.IP) error {
t.poolLock.Lock()
defer t.poolLock.Unlock()
for i := range t.pool {
if t.pool[i].IP.Equal(leaseIP) {
//Move the Last Element to This Position.
t.pool[i] = t.pool[len(t.pool)-1]
//Shortern the Pool By One.
t.pool = t.pool[0:(len(t.pool) - 1)]
return nil
}
}
return errors.New("Error: Lease IP \"" + leaseIP.String() + "\" Is Not In The Pool")
}
//Remove All Leases from the Pool (Required for Persistant LeaseManagers)
func (t *MemoryPool) PurgeLeases() error {
t.poolLock.Lock()
defer t.poolLock.Unlock()
t.pool = nil
t.pool = make([]leasepool.Lease, 0)
return nil
}
/*
* Get the Lease
* -Found
* -Copy Of the Lease
* -Any Error
*/
func (t *MemoryPool) GetLease(leaseIP net.IP) (bool, leasepool.Lease, error) {
t.poolLock.Lock()
defer t.poolLock.Unlock()
for i := range t.pool {
if t.pool[i].IP.Equal(leaseIP) {
return true, t.pool[i], nil
}
}
return false, leasepool.Lease{}, nil
}
//Get the lease already in use by that hardware address.
func (t *MemoryPool) GetLeaseForHardwareAddress(macAddress net.HardwareAddr) (bool, leasepool.Lease, error) {
t.poolLock.Lock()
defer t.poolLock.Unlock()
for i := range t.pool {
if bytes.Equal(t.pool[i].MACAddress, macAddress) {
return true, t.pool[i], nil
}
}
return false, leasepool.Lease{}, nil
}
/*
* -Lease Available
* -Lease
* -Error
*/
func (t *MemoryPool) GetNextFreeLease() (bool, leasepool.Lease, error) {
t.poolLock.Lock()
defer t.poolLock.Unlock()
//Loop Through the elements backwards.
for i := (len(t.pool) - 1); i >= 0; i-- {
//If the Lease Is Free
if t.pool[i].Status == leasepool.Free {
//Take the Element
iLease := t.pool[i]
//Shrink the Pool By 1
t.pool = t.pool[:(len(t.pool) - 1)]
//Place the Lease At the Begining (This saves us having some sort of counter...)
t.pool = append([]leasepool.Lease{iLease}, t.pool...)
return true, iLease, nil
}
}
return false, leasepool.Lease{}, nil
}
/*
* Return All Leases
*/
func (t *MemoryPool) GetLeases() ([]leasepool.Lease, error) {
return t.pool, nil
}
/*
* Update Lease
* - Has Updated
* - Error
*/
func (t *MemoryPool) UpdateLease(lease leasepool.Lease) (bool, error) {
t.poolLock.Lock()
defer t.poolLock.Unlock()
for i := range t.pool {
if t.pool[i].IP.Equal(lease.IP) {
t.pool[i].MACAddress = lease.MACAddress
t.pool[i].Hostname = lease.Hostname
t.pool[i].Expiry = lease.Expiry
t.pool[i].Status = lease.Status
return true, nil
}
}
return false, nil
}

51
vendor/github.com/d2g/dhcp4server/leasepool/memorypool/memorypool_test.go generated vendored Normal file
View File

@ -0,0 +1,51 @@
package memorypool
import (
"github.com/d2g/dhcp4"
"github.com/d2g/dhcp4server/leasepool"
"net"
"testing"
)
func TestLeaseCycle(test *testing.T) {
myMemoryLeasePool := MemoryPool{}
//Lets add a list of IPs to the pool these will be served to the clients so make sure they work for you.
// So Create Array of IPs 192.168.1.1 to 192.168.1.30
for i := 0; i < 30; i++ {
err := myMemoryLeasePool.AddLease(leasepool.Lease{IP: dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i)})
if err != nil {
test.Error("Error Creating Lease:" + err.Error())
}
}
for i := 0; i < 30; i++ {
hasLease, iLease, err := myMemoryLeasePool.GetNextFreeLease()
if err != nil || !hasLease {
test.Error("Error Getting Lease:" + err.Error())
}
if !dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i).Equal(iLease.IP) {
test.Error("Expected Lease:" + dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i).String() + " Received:" + iLease.IP.String())
}
}
}
func TestSingleLease(test *testing.T) {
myMemoryLeasePool := MemoryPool{}
err := myMemoryLeasePool.AddLease(leasepool.Lease{IP: dhcp4.IPAdd(net.IPv4(192, 168, 1, 5), 0)})
if err != nil {
test.Error("Error Creating Lease:" + err.Error())
}
hasLease, iLease, err := myMemoryLeasePool.GetNextFreeLease()
if err != nil || !hasLease {
test.Error("Error Getting Lease:" + err.Error())
}
if !dhcp4.IPAdd(net.IPv4(192, 168, 1, 5), 0).Equal(iLease.IP) {
test.Error("Expected Lease:" + dhcp4.IPAdd(net.IPv4(192, 168, 1, 5), 0).String() + " Received:" + iLease.IP.String())
}
}

572
vendor/github.com/d2g/dhcp4server/server.go generated vendored Normal file
View File

@ -0,0 +1,572 @@
package dhcp4server
import (
"bytes"
"errors"
"log"
"net"
"sync"
"time"
"github.com/d2g/dhcp4"
"github.com/d2g/dhcp4server/leasepool"
"golang.org/x/net/ipv4"
)
/*
* The DHCP Server Structure
*/
type Server struct {
//Configuration Options
ip net.IP //The IP Address We Tell Clients The Server Is On.
defaultGateway net.IP //The Default Gateway Address
dnsServers []net.IP //DNS Servers
subnetMask net.IP //ie. 255.255.255.0
leaseDuration time.Duration //Number of Seconds
ignoreIPs []net.IP //Slice of IP's that should be ignored by the Server.
ignoreHardwareAddress []net.HardwareAddr //Slice of Hardware Addresses we should ignore.
//Local Address
laddr net.UDPAddr
//Remote address
raddr net.UDPAddr
//LeasePool
leasePool leasepool.LeasePool //Lease Pool Manager
//Used to Gracefully Close the Server
shutdownLock sync.Mutex
shutdown bool
//Listeners & Response Connection.
connection *ipv4.PacketConn
}
// Create A New Server
func New(ip net.IP, l leasepool.LeasePool, options ...func(*Server) error) (*Server, error) {
s := Server{
ip: ip,
defaultGateway: ip,
dnsServers: []net.IP{net.IPv4(208, 67, 222, 222), net.IPv4(208, 67, 220, 220)}, //OPENDNS
subnetMask: net.IPv4(255, 255, 255, 0),
leaseDuration: 24 * time.Hour,
leasePool: l,
laddr: net.UDPAddr{IP: net.IPv4(0, 0, 0, 0), Port: 67},
raddr: net.UDPAddr{IP: net.IPv4bcast, Port: 68},
}
err := s.setOptions(options...)
if err != nil {
return &s, err
}
return &s, err
}
func (s *Server) setOptions(options ...func(*Server) error) error {
for _, opt := range options {
if err := opt(s); err != nil {
return err
}
}
return nil
}
// Set the Server IP
func IP(i net.IP) func(*Server) error {
return func(s *Server) error {
s.ip = i
return nil
}
return nil
}
// Set the Default Gateway Address.
func DefaultGateway(r net.IP) func(*Server) error {
return func(s *Server) error {
s.defaultGateway = r
return nil
}
}
// Set the DNS servers.
func DNSServers(dnss []net.IP) func(*Server) error {
return func(s *Server) error {
s.dnsServers = dnss
return nil
}
}
// Set the Subnet Mask
func SubnetMask(m net.IP) func(*Server) error {
return func(s *Server) error {
s.subnetMask = m
return nil
}
}
// Set Lease Duration
func LeaseDuration(d time.Duration) func(*Server) error {
return func(s *Server) error {
s.leaseDuration = d
return nil
}
}
// Set Ignore IPs
func IgnoreIPs(ips []net.IP) func(*Server) error {
return func(s *Server) error {
s.ignoreIPs = ips
return nil
}
}
// Set Ignore Hardware Addresses
func IgnoreHardwareAddresses(h []net.HardwareAddr) func(*Server) error {
return func(s *Server) error {
s.ignoreHardwareAddress = h
return nil
}
}
// Set LeasePool
func LeasePool(p leasepool.LeasePool) func(*Server) error {
return func(s *Server) error {
s.leasePool = p
return nil
}
}
// Set The Local Address
func SetLocalAddr(a net.UDPAddr) func(*Server) error {
return func(s *Server) error {
s.laddr = a
return nil
}
}
// Set The Remote Address
func SetRemoteAddr(a net.UDPAddr) func(*Server) error {
return func(s *Server) error {
s.raddr = a
return nil
}
}
func (s *Server) shouldShutdown() bool {
s.shutdownLock.Lock()
defer s.shutdownLock.Unlock()
return s.shutdown
}
/*
* Start The DHCP Server
*/
func (s *Server) ListenAndServe() error {
var err error
connection, err := net.ListenPacket("udp4", s.laddr.String())
if err != nil {
log.Printf("Debug: Error Returned From ListenPacket On \"%s\" Because of \"%s\"\n", s.laddr.String(), err.Error())
return err
}
s.connection = ipv4.NewPacketConn(connection)
defer s.connection.Close()
//We Currently Don't Use this Feature Which is the only bit that is Linux Only.
//if err := s.connection.SetControlMessage(ipv4.FlagInterface, true); err != nil {
// return err
//}
//Make Our Buffer (Max Buffer is 574) "I believe this 576 size comes from RFC 791" - Random Mailing list quote of the day.
buffer := make([]byte, 576)
log.Println("Trace: DHCP Server Listening.")
for {
ListenForDHCPPackets:
if s.shouldShutdown() {
return nil
}
//Set Read Deadline
s.connection.SetReadDeadline(time.Now().Add(time.Second))
// Read Packet
n, control_message, source, err := s.connection.ReadFrom(buffer)
if err != nil {
switch v := err.(type) {
case *net.OpError:
if v.Timeout() {
goto ListenForDHCPPackets
}
case *net.AddrError:
if v.Timeout() {
goto ListenForDHCPPackets
}
case *net.UnknownNetworkError:
if v.Timeout() {
goto ListenForDHCPPackets
}
}
log.Println("Debug: Unexpect Error from Connection Read From:" + err.Error())
return err
}
//We seem to have an issue with undersized packets?
if n < 240 {
log.Printf("Error: Invalid Packet Size \"%d\" Received:%v\n", n, buffer[:n])
continue
}
//We should ignore some requests
//It shouldn't be possible to ignore IP's because they shouldn't have them as we're the DHCP server.
//However, they can have i.e. if you're the client & server :S.
for _, ipToIgnore := range s.ignoreIPs {
if ipToIgnore.Equal(source.(*net.UDPAddr).IP) {
log.Println("Debug: Ignoring DHCP Request From IP:" + ipToIgnore.String())
continue
}
}
packet := dhcp4.Packet(buffer[:n])
//We can ignore hardware addresses.
//Usefull for ignoring a range of hardware addresses
for _, hardwareAddressToIgnore := range s.ignoreHardwareAddress {
if bytes.Equal(hardwareAddressToIgnore, packet.CHAddr()) {
log.Println("Debug: Ignoring DHCP Request From Hardware Address:" + hardwareAddressToIgnore.String())
continue
}
}
log.Printf("Trace: Packet Received ID:%v\n", packet.XId())
log.Printf("Trace: Packet Options:%v\n", packet.ParseOptions())
log.Printf("Trace: Packet Client IP : %v\n", packet.CIAddr().String())
log.Printf("Trace: Packet Your IP : %v\n", packet.YIAddr().String())
log.Printf("Trace: Packet Server IP : %v\n", packet.SIAddr().String())
log.Printf("Trace: Packet Gateway IP: %v\n", packet.GIAddr().String())
log.Printf("Trace: Packet Client Mac: %v\n", packet.CHAddr().String())
//We need to stop butting in with other servers.
if packet.SIAddr().Equal(net.IPv4(0, 0, 0, 0)) || packet.SIAddr().Equal(net.IP{}) || packet.SIAddr().Equal(s.ip) {
returnPacket, err := s.ServeDHCP(packet)
if err != nil {
log.Println("Debug: Error Serving DHCP:" + err.Error())
return err
}
if len(returnPacket) > 0 {
log.Printf("Trace: Packet Returned ID:%v\n", returnPacket.XId())
log.Printf("Trace: Packet Options:%v\n", returnPacket.ParseOptions())
log.Printf("Trace: Packet Client IP : %v\n", returnPacket.CIAddr().String())
log.Printf("Trace: Packet Your IP : %v\n", returnPacket.YIAddr().String())
log.Printf("Trace: Packet Server IP : %v\n", returnPacket.SIAddr().String())
log.Printf("Trace: Packet Gateway IP: %v\n", returnPacket.GIAddr().String())
log.Printf("Trace: Packet Client Mac: %v\n", returnPacket.CHAddr().String())
_, err = s.connection.WriteTo(returnPacket, control_message, &s.raddr)
if err != nil {
log.Println("Debug: Error Writing:" + err.Error())
return err
}
}
}
}
}
func (s *Server) ServeDHCP(packet dhcp4.Packet) (dhcp4.Packet, error) {
packetOptions := packet.ParseOptions()
switch dhcp4.MessageType(packetOptions[dhcp4.OptionDHCPMessageType][0]) {
case dhcp4.Discover:
//Discover Received from client
//Lets get the lease we're going to send them
found, lease, err := s.GetLease(packet)
if err != nil {
return dhcp4.Packet{}, err
}
if !found {
log.Println("Warning: It Looks Like Our Leases Are Depleted...")
return dhcp4.Packet{}, nil
}
offerPacket := s.OfferPacket(packet)
offerPacket.SetYIAddr(lease.IP)
//Sort out the packet options
offerPacket.PadToMinSize()
lease.Status = leasepool.Reserved
lease.MACAddress = packet.CHAddr()
//If the lease expires within the next 5 Mins increase the lease expiary (Giving the Client 5 mins to complete)
if lease.Expiry.Before(time.Now().Add(time.Minute * 5)) {
lease.Expiry = time.Now().Add(time.Minute * 5)
}
if packetOptions[dhcp4.OptionHostName] != nil && string(packetOptions[dhcp4.OptionHostName]) != "" {
lease.Hostname = string(packetOptions[dhcp4.OptionHostName])
}
updated, err := s.leasePool.UpdateLease(lease)
if err != nil {
return dhcp4.Packet{}, err
}
if !updated {
//Unable to reserve lease (It's now active else where maybe?)
return dhcp4.Packet{}, errors.New("Unable to Reserve Lease:" + lease.IP.String())
}
return offerPacket, nil
case dhcp4.Request:
//Request Received from client
//Lets get the lease we're going to send them
found, lease, err := s.GetLease(packet)
if err != nil {
return dhcp4.Packet{}, err
}
if !found {
log.Println("Warning: It Looks Like Our Leases Are Depleted...")
return dhcp4.Packet{}, nil
}
//If the lease is not the one requested We should send a NAK..
if len(packetOptions) > 0 && !net.IP(packetOptions[dhcp4.OptionRequestedIPAddress]).Equal(lease.IP) {
//NAK
declinePacket := s.DeclinePacket(packet)
declinePacket.PadToMinSize()
return declinePacket, nil
} else {
lease.Status = leasepool.Active
lease.MACAddress = packet.CHAddr()
lease.Expiry = time.Now().Add(s.leaseDuration)
if packetOptions[dhcp4.OptionHostName] != nil && string(packetOptions[dhcp4.OptionHostName]) != "" {
lease.Hostname = string(packetOptions[dhcp4.OptionHostName])
}
updated, err := s.leasePool.UpdateLease(lease)
if err != nil {
return dhcp4.Packet{}, err
}
if updated {
//ACK
acknowledgementPacket := s.AcknowledgementPacket(packet)
acknowledgementPacket.SetYIAddr(lease.IP)
//Lease time.
acknowledgementPacket.AddOption(dhcp4.OptionIPAddressLeaseTime, dhcp4.OptionsLeaseTime(lease.Expiry.Sub(time.Now())))
acknowledgementPacket.PadToMinSize()
return acknowledgementPacket, nil
} else {
//NAK
declinePacket := s.DeclinePacket(packet)
declinePacket.PadToMinSize()
return declinePacket, nil
}
}
case dhcp4.Decline:
//Decline from the client:
log.Printf("Debug: Decline Message:%v\n", packet)
case dhcp4.Release:
//Decline from the client:
log.Printf("Debug: Release Message:%v\n", packet)
default:
log.Printf("Debug: Unexpected Packet Type:%v\n", dhcp4.MessageType(packetOptions[dhcp4.OptionDHCPMessageType][0]))
}
return dhcp4.Packet{}, nil
}
/*
* Create DHCP Offer Packet
*/
func (s *Server) OfferPacket(discoverPacket dhcp4.Packet) dhcp4.Packet {
offerPacket := dhcp4.NewPacket(dhcp4.BootReply)
offerPacket.SetXId(discoverPacket.XId())
offerPacket.SetFlags(discoverPacket.Flags())
offerPacket.SetCHAddr(discoverPacket.CHAddr())
offerPacket.SetGIAddr(discoverPacket.GIAddr())
offerPacket.SetSecs(discoverPacket.Secs())
//53
offerPacket.AddOption(dhcp4.OptionDHCPMessageType, []byte{byte(dhcp4.Offer)})
//54
offerPacket.AddOption(dhcp4.OptionServerIdentifier, s.ip.To4())
//51
offerPacket.AddOption(dhcp4.OptionIPAddressLeaseTime, dhcp4.OptionsLeaseTime(s.leaseDuration))
//Other options go in requested order...
discoverPacketOptions := discoverPacket.ParseOptions()
ourOptions := make(dhcp4.Options)
//1
ourOptions[dhcp4.OptionSubnetMask] = s.subnetMask.To4()
//3
ourOptions[dhcp4.OptionRouter] = s.defaultGateway.To4()
//6
ourOptions[dhcp4.OptionDomainNameServer] = dhcp4.JoinIPs(s.dnsServers)
if discoverPacketOptions[dhcp4.OptionParameterRequestList] != nil {
//Loop through the requested options and if we have them add them.
for _, optionCode := range discoverPacketOptions[dhcp4.OptionParameterRequestList] {
if !bytes.Equal(ourOptions[dhcp4.OptionCode(optionCode)], []byte{}) {
offerPacket.AddOption(dhcp4.OptionCode(optionCode), ourOptions[dhcp4.OptionCode(optionCode)])
delete(ourOptions, dhcp4.OptionCode(optionCode))
}
}
}
//Add all the options not requested.
for optionCode, optionValue := range ourOptions {
offerPacket.AddOption(optionCode, optionValue)
}
return offerPacket
}
/*
* Create DHCP Acknowledgement
*/
func (s *Server) AcknowledgementPacket(requestPacket dhcp4.Packet) dhcp4.Packet {
acknowledgementPacket := dhcp4.NewPacket(dhcp4.BootReply)
acknowledgementPacket.SetXId(requestPacket.XId())
acknowledgementPacket.SetFlags(requestPacket.Flags())
acknowledgementPacket.SetGIAddr(requestPacket.GIAddr())
acknowledgementPacket.SetCHAddr(requestPacket.CHAddr())
acknowledgementPacket.SetSecs(requestPacket.Secs())
acknowledgementPacket.AddOption(dhcp4.OptionDHCPMessageType, []byte{byte(dhcp4.ACK)})
acknowledgementPacket.AddOption(dhcp4.OptionSubnetMask, s.subnetMask.To4())
acknowledgementPacket.AddOption(dhcp4.OptionRouter, s.defaultGateway.To4())
acknowledgementPacket.AddOption(dhcp4.OptionDomainNameServer, dhcp4.JoinIPs(s.dnsServers))
acknowledgementPacket.AddOption(dhcp4.OptionServerIdentifier, s.ip.To4())
return acknowledgementPacket
}
/*
* Create DHCP Decline
*/
func (s *Server) DeclinePacket(requestPacket dhcp4.Packet) dhcp4.Packet {
declinePacket := dhcp4.NewPacket(dhcp4.BootReply)
declinePacket.SetXId(requestPacket.XId())
declinePacket.SetFlags(requestPacket.Flags())
declinePacket.SetGIAddr(requestPacket.GIAddr())
declinePacket.SetCHAddr(requestPacket.CHAddr())
declinePacket.SetSecs(requestPacket.Secs())
declinePacket.AddOption(dhcp4.OptionDHCPMessageType, []byte{byte(dhcp4.NAK)})
declinePacket.AddOption(dhcp4.OptionSubnetMask, s.subnetMask.To4())
declinePacket.AddOption(dhcp4.OptionRouter, s.defaultGateway.To4())
declinePacket.AddOption(dhcp4.OptionDomainNameServer, dhcp4.JoinIPs(s.dnsServers))
declinePacket.AddOption(dhcp4.OptionServerIdentifier, s.ip.To4())
return declinePacket
}
/*
* Get Lease tries to work out the best lease for the packet supplied.
* Taking into account all Requested IP, Exisitng MACAddresses and Free leases.
*/
func (s *Server) GetLease(packet dhcp4.Packet) (found bool, lease leasepool.Lease, err error) {
packetOptions := packet.ParseOptions()
//Requested an IP
if (len(packetOptions) > 0) &&
packetOptions[dhcp4.OptionRequestedIPAddress] != nil &&
!net.IP(packetOptions[dhcp4.OptionRequestedIPAddress]).Equal(net.IP{}) {
//An IP Has Been Requested Let's Try and Get that One.
found, lease, err = s.leasePool.GetLease(net.IP(packetOptions[dhcp4.OptionRequestedIPAddress]))
if err != nil {
return
}
if found {
if lease.Status == leasepool.Free {
//Lease Is Free you Can Have it.
return
}
if lease.Status != leasepool.Free && bytes.Equal(lease.MACAddress, packet.CHAddr()) {
//Lease isn't free but it's yours
return
}
}
}
//Ok Even if you requested an IP you can't have it.
found, lease, err = s.leasePool.GetLeaseForHardwareAddress(packet.CHAddr())
if found || err != nil {
return
}
//Just get the next free lease if you can.
found, lease, err = s.leasePool.GetNextFreeLease()
return
}
/*
* Shutdown The Server Gracefully
*/
func (s *Server) Shutdown() {
s.shutdownLock.Lock()
defer s.shutdownLock.Unlock()
s.shutdown = true
}
/*
* Garbage Collection
* Run Garbage Collection On Your Leases To Free Expired Leases.
*/
func (s *Server) GC() error {
leases, err := s.leasePool.GetLeases()
if err != nil {
return err
}
for i := range leases {
if leases[i].Status != leasepool.Free {
//Lease Is Not Free
if time.Now().After(leases[i].Expiry) {
//Lease has expired.
leases[i].Status = leasepool.Free
updated, err := s.leasePool.UpdateLease(leases[i])
if err != nil {
log.Printf("Warning: Error trying to Free Lease %s \"%v\"\n", leases[i].IP.To4().String(), err)
}
if !updated {
log.Printf("Warning: Unable to Free Lease %s\n", leases[i].IP.To4().String())
}
continue
}
}
}
return nil
}

426
vendor/github.com/d2g/dhcp4server/server_test.go generated vendored Normal file
View File

@ -0,0 +1,426 @@
package dhcp4server_test
import (
"bytes"
"encoding/binary"
"log"
"net"
"sync"
"testing"
"time"
"github.com/d2g/dhcp4"
"github.com/d2g/dhcp4client"
"github.com/d2g/dhcp4server"
"github.com/d2g/dhcp4server/leasepool"
"github.com/d2g/dhcp4server/leasepool/memorypool"
"github.com/d2g/hardwareaddr"
)
/*
* Example Server :D
*/
func ExampleServer() {
//Create a Lease Pool We're going to use a memory pool
//Remember the memory is cleared on restart so you will reissue the same IP Addresses.
myMemoryLeasePool := memorypool.MemoryPool{}
//Lets add a list of IPs to the pool these will be served to the clients so make sure they work for you.
// So Create Array of IPs 192.168.1.1 to 192.168.1.30
for i := 0; i < 30; i++ {
err := myMemoryLeasePool.AddLease(leasepool.Lease{IP: dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i)})
if err != nil {
log.Fatalln("Error Adding IP to pool:" + err.Error())
}
}
// We set the port numbers to over 1024 (1067 & 1068) as the automated test don't have root access
tServer, err := dhcp4server.New(
net.IPv4(192, 168, 1, 201),
&myMemoryLeasePool,
dhcp4server.SetLocalAddr(net.UDPAddr{IP: net.IPv4(0, 0, 0, 0), Port: 1067}),
dhcp4server.SetRemoteAddr(net.UDPAddr{IP: net.IPv4bcast, Port: 1068}),
)
if err != nil {
log.Fatalln("Error Configuring Server:" + err.Error())
}
//Start the Server...
err = tServer.ListenAndServe()
if err != nil {
log.Fatalln("Error Starting Server:" + err.Error())
}
}
/*
* Test Discovering a Lease That's not Within Our Lease Range.
* This Happens When a devce switches network.
* Example: Mobile Phone on Mobile internet Has IP 100.123.123.123 Switch To Home Wifi
* The device requests 100.123.123.123 on Home Wifi which is out of range...
*/
func TestDiscoverOutOfRangeLease(test *testing.T) {
//Setup the Server
myServer, err := dhcp4server.New(
net.IPv4(192, 168, 1, 201),
getTestLeasePool(),
dhcp4server.SetLocalAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1067}),
dhcp4server.SetRemoteAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1068}),
)
if err != nil {
test.Error("Error: Can't Configure Server " + err.Error())
}
var wg sync.WaitGroup
wg.Add(1)
go func() {
defer wg.Done()
err := myServer.ListenAndServe()
if err != nil {
log.Fatalln("Error Starting Server:" + err.Error())
}
}()
time.Sleep(time.Duration(5) * time.Second)
//Generate Hardware Address
HardwareMACAddress, err := hardwareaddr.GenerateEUI48()
if err != nil {
test.Error("Error: Can't Generate Valid MACAddress" + err.Error())
}
//Lets Be A Client
//We need to set the connection ports to 1068 and 1067 so we don't need root access
c, err := dhcp4client.NewInetSock(dhcp4client.SetLocalAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1068}), dhcp4client.SetRemoteAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1067}))
if err != nil {
test.Error("Client Conection Generation:" + err.Error())
}
client, err := dhcp4client.New(dhcp4client.HardwareAddr(HardwareMACAddress), dhcp4client.Connection(c))
defer client.Close()
if err != nil {
test.Error("Conection Error:" + err.Error())
}
discoveryPacket := client.DiscoverPacket()
discoveryPacket.SetCIAddr(net.IPv4(100, 102, 96, 123))
discoveryPacket.PadToMinSize()
err = client.SendPacket(discoveryPacket)
if err != nil {
test.Error("Error: Sending Discover Packet" + err.Error())
}
test.Log("--Discovery Packet--")
test.Logf("Client IP : %v\n", discoveryPacket.CIAddr().String())
test.Logf("Your IP : %v\n", discoveryPacket.YIAddr().String())
test.Logf("Server IP : %v\n", discoveryPacket.SIAddr().String())
test.Logf("Gateway IP: %v\n", discoveryPacket.GIAddr().String())
test.Logf("Client Mac: %v\n", discoveryPacket.CHAddr().String())
if !bytes.Equal(discoveryPacket.CHAddr(), HardwareMACAddress) {
test.Error("MACAddresses Don't Match??")
}
offerPacket, err := client.GetOffer(&discoveryPacket)
if err != nil {
test.Error("Error Getting Offer:" + err.Error())
}
test.Log("--Offer Packet--")
test.Logf("Client IP : %v\n", offerPacket.CIAddr().String())
test.Logf("Your IP : %v\n", offerPacket.YIAddr().String())
test.Logf("Server IP : %v\n", offerPacket.SIAddr().String())
test.Logf("Gateway IP: %v\n", offerPacket.GIAddr().String())
test.Logf("Client Mac: %v\n", offerPacket.CHAddr().String())
requestPacket, err := client.SendRequest(&offerPacket)
if err != nil {
test.Error("Error Sending Request:" + err.Error())
}
test.Log("--Request Packet--")
test.Logf("Client IP : %v\n", requestPacket.CIAddr().String())
test.Logf("Your IP : %v\n", requestPacket.YIAddr().String())
test.Logf("Server IP : %v\n", requestPacket.SIAddr().String())
test.Logf("Gateway IP: %v\n", requestPacket.GIAddr().String())
test.Logf("Client Mac: %v\n", requestPacket.CHAddr().String())
acknowledgement, err := client.GetAcknowledgement(&requestPacket)
if err != nil {
test.Error("Error Getting Acknowledgement:" + err.Error())
}
test.Log("--Acknowledgement Packet--")
test.Logf("Client IP : %v\n", acknowledgement.CIAddr().String())
test.Logf("Your IP : %v\n", acknowledgement.YIAddr().String())
test.Logf("Server IP : %v\n", acknowledgement.SIAddr().String())
test.Logf("Gateway IP: %v\n", acknowledgement.GIAddr().String())
test.Logf("Client Mac: %v\n", acknowledgement.CHAddr().String())
acknowledgementOptions := acknowledgement.ParseOptions()
if dhcp4.MessageType(acknowledgementOptions[dhcp4.OptionDHCPMessageType][0]) != dhcp4.ACK {
test.Error("Didn't get ACK?:" + err.Error())
}
test.Log("Shutting Down Server")
myServer.Shutdown()
wg.Wait()
}
/*
* Try Renewing A Lease From A Different Network.
*/
func TestRequestOutOfRangeLease(test *testing.T) {
//Setup the Server
myServer, err := dhcp4server.New(
net.IPv4(192, 168, 1, 201),
getTestLeasePool(),
dhcp4server.SetLocalAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1067}),
dhcp4server.SetRemoteAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1068}),
)
if err != nil {
test.Error("Error: Can't Configure Server " + err.Error())
}
var wg sync.WaitGroup
wg.Add(1)
go func() {
defer wg.Done()
err := myServer.ListenAndServe()
if err != nil {
log.Fatalln("Error Starting Server:" + err.Error())
}
}()
//Sleep some so the server starts....
time.Sleep(time.Duration(5) * time.Second)
//Generate Hardware Address
HardwareMACAddress, err := hardwareaddr.GenerateEUI48()
if err != nil {
test.Error("Error: Can't Generate Valid MACAddress" + err.Error())
}
HardwareMACAddress, err = net.ParseMAC("58-94-6B-73-57-0C")
if err != nil {
log.Printf("MAC Error:%v\n", err)
}
//Lets Be A Client
c, err := dhcp4client.NewInetSock(dhcp4client.SetLocalAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1068}), dhcp4client.SetRemoteAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1067}))
if err != nil {
test.Error("Client Conection Generation:" + err.Error())
}
client, err := dhcp4client.New(dhcp4client.HardwareAddr(HardwareMACAddress), dhcp4client.Connection(c))
defer client.Close()
if err != nil {
test.Error("Conection Error:" + err.Error())
}
//Create a dummy offer packet
offerPacket := client.DiscoverPacket()
offerPacket.SetCIAddr(net.IPv4(100, 102, 96, 123))
offerPacket.SetSIAddr(net.IPv4(192, 168, 1, 201))
offerPacket.SetYIAddr(net.IPv4(100, 102, 96, 123))
offerPacket.AddOption(dhcp4.OptionDHCPMessageType, []byte{byte(dhcp4.Offer)})
requestPacket, err := client.SendRequest(&offerPacket)
if err != nil {
test.Error("Error Sending Request:" + err.Error())
}
test.Log("--Request Packet--")
test.Logf("Client IP : %v\n", requestPacket.CIAddr().String())
test.Logf("Your IP : %v\n", requestPacket.YIAddr().String())
test.Logf("Server IP : %v\n", requestPacket.SIAddr().String())
test.Logf("Gateway IP: %v\n", requestPacket.GIAddr().String())
test.Logf("Client Mac: %v\n", requestPacket.CHAddr().String())
acknowledgement, err := client.GetAcknowledgement(&requestPacket)
if err != nil {
test.Error("Error Getting Acknowledgement:" + err.Error())
}
test.Log("--Acknowledgement Packet--")
test.Logf("Client IP : %v\n", acknowledgement.CIAddr().String())
test.Logf("Your IP : %v\n", acknowledgement.YIAddr().String())
test.Logf("Server IP : %v\n", acknowledgement.SIAddr().String())
test.Logf("Gateway IP: %v\n", acknowledgement.GIAddr().String())
test.Logf("Client Mac: %v\n", acknowledgement.CHAddr().String())
acknowledgementOptions := acknowledgement.ParseOptions()
if len(acknowledgementOptions[dhcp4.OptionDHCPMessageType]) <= 0 || dhcp4.MessageType(acknowledgementOptions[dhcp4.OptionDHCPMessageType][0]) != dhcp4.NAK {
test.Errorf("Didn't get NAK got DHCP4 Message Type:%v\n", dhcp4.MessageType(acknowledgementOptions[dhcp4.OptionDHCPMessageType][0]))
}
test.Log("Shutting Down Server")
myServer.Shutdown()
wg.Wait()
}
/*
*
*/
func TestConsumeLeases(test *testing.T) {
//Setup the Server
myServer, err := dhcp4server.New(
net.IPv4(127, 0, 0, 1),
getTestLeasePool(),
)
if err != nil {
test.Error("Error: Can't Configure Server " + err.Error())
}
// Setup A Client
// Although We Won't send the packets over the network we'll use the client to create the requests.
c, err := dhcp4client.NewInetSock(dhcp4client.SetLocalAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1068}), dhcp4client.SetRemoteAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1067}))
if err != nil {
test.Error("Client Conection Generation:" + err.Error())
}
client, err := dhcp4client.New(dhcp4client.Connection(c))
if err != nil {
test.Error("Error: Can't Configure Client " + err.Error())
}
defer client.Close()
for i := 0; i < 30; i++ {
//Generate Hardware Address
HardwareMACAddress, err := hardwareaddr.GenerateEUI48()
if err != nil {
test.Error("Error: Can't Generate Valid MACAddress" + err.Error())
}
client.SetOption(dhcp4client.HardwareAddr(HardwareMACAddress))
test.Log("MAC:" + HardwareMACAddress.String())
discovery := client.DiscoverPacket()
//Run the Discovery On the Server
offer, err := myServer.ServeDHCP(discovery)
_, err = myServer.ServeDHCP(discovery)
if err != nil {
test.Error("Discovery Error:" + err.Error())
}
request := client.RequestPacket(&offer)
acknowledgement, err := myServer.ServeDHCP(request)
if err != nil {
test.Error("Acknowledge Error:" + err.Error())
}
test.Logf("Received Lease:%v\n", acknowledgement.YIAddr().String())
if !dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i).Equal(acknowledgement.YIAddr()) {
test.Error("Expected IP:" + dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i).String() + " Received:" + acknowledgement.YIAddr().String())
}
//How long the lease is for?
acknowledgementOptions := acknowledgement.ParseOptions()
if len(acknowledgementOptions) > 0 {
test.Logf("Lease Options:%v\n", acknowledgementOptions)
if acknowledgementOptions[dhcp4.OptionIPAddressLeaseTime] != nil {
var result uint32
buf := bytes.NewBuffer(acknowledgementOptions[dhcp4.OptionIPAddressLeaseTime])
binary.Read(buf, binary.BigEndian, &result)
test.Logf("Lease Time (Seconds):%d\n", result)
}
} else {
test.Errorf("Lease:\"%v\" Has No Options\n", acknowledgement.YIAddr())
}
}
}
/*
* Benchmark the ServeDHCP Function
*/
func BenchmarkServeDHCP(test *testing.B) {
//Create a Lease Pool We're going to use a memory pool
//Remember the memory is cleared on restart so you will reissue the same IP Addresses.
myMemoryLeasePool := memorypool.MemoryPool{}
//Lets add a list of IPs to the pool these will be served to the clients so make sure they work for you.
// So Create Array of IPs 192.168.1.1 to 192.168.1.30
for i := 0; i < test.N; i++ {
err := myMemoryLeasePool.AddLease(leasepool.Lease{IP: dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i)})
if err != nil {
log.Fatalln("Error Adding IP to pool:" + err.Error())
}
}
//Setup the Server
myServer, err := dhcp4server.New(
net.IPv4(127, 0, 0, 1),
&myMemoryLeasePool,
)
if err != nil {
test.Error("Error: Can't Configure Server " + err.Error())
}
//Setup A Client
// Although We Won't send the packets over the network we'll use the client to create the requests.
c, err := dhcp4client.NewInetSock(dhcp4client.SetLocalAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1068}), dhcp4client.SetRemoteAddr(net.UDPAddr{IP: net.IPv4(127, 0, 0, 1), Port: 1067}))
if err != nil {
test.Error("Client Conection Generation:" + err.Error())
}
client, err := dhcp4client.New(dhcp4client.Connection(c))
if err != nil {
test.Error("Error: Can't Configure Client " + err.Error())
}
defer client.Close()
test.ResetTimer()
for i := 0; i < test.N; i++ {
test.StopTimer()
//Generate Hardware Address
HardwareMACAddress, err := hardwareaddr.GenerateEUI48()
if err != nil {
test.Error("Error: Can't Generate Valid MACAddress" + err.Error())
}
client.SetOption(dhcp4client.HardwareAddr(HardwareMACAddress))
discovery := client.DiscoverPacket()
//Run the Discovery On the Server
test.StartTimer()
offer, err := myServer.ServeDHCP(discovery)
if err != nil {
test.Error("Discovery Error:" + err.Error())
}
if len(offer) == 0 {
test.Error("No Valid Offer")
} else {
request := client.RequestPacket(&offer)
_, err := myServer.ServeDHCP(request)
if err != nil {
test.Error("Acknowledge Error:" + err.Error())
}
}
}
}
func getTestLeasePool() *memorypool.MemoryPool {
//Create a Lease Pool We're going to use a memory pool
//Remember the memory is cleared on restart so you will reissue the same IP Addresses.
myMemoryLeasePool := memorypool.MemoryPool{}
//Lets add a list of IPs to the pool these will be served to the clients so make sure they work for you.
// So Create Array of IPs 192.168.1.1 to 192.168.1.30
for i := 0; i < 30; i++ {
err := myMemoryLeasePool.AddLease(leasepool.Lease{IP: dhcp4.IPAdd(net.IPv4(192, 168, 1, 1), i)})
if err != nil {
log.Fatalln("Error Adding IP to pool:" + err.Error())
}
}
return &myMemoryLeasePool
}

41
vendor/golang.org/x/net/bpf/asm.go generated vendored Normal file
View File

@ -0,0 +1,41 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf
import "fmt"
// Assemble converts insts into raw instructions suitable for loading
// into a BPF virtual machine.
//
// Currently, no optimization is attempted, the assembled program flow
// is exactly as provided.
func Assemble(insts []Instruction) ([]RawInstruction, error) {
ret := make([]RawInstruction, len(insts))
var err error
for i, inst := range insts {
ret[i], err = inst.Assemble()
if err != nil {
return nil, fmt.Errorf("assembling instruction %d: %s", i+1, err)
}
}
return ret, nil
}
// Disassemble attempts to parse raw back into
// Instructions. Unrecognized RawInstructions are assumed to be an
// extension not implemented by this package, and are passed through
// unchanged to the output. The allDecoded value reports whether insts
// contains no RawInstructions.
func Disassemble(raw []RawInstruction) (insts []Instruction, allDecoded bool) {
insts = make([]Instruction, len(raw))
allDecoded = true
for i, r := range raw {
insts[i] = r.Disassemble()
if _, ok := insts[i].(RawInstruction); ok {
allDecoded = false
}
}
return insts, allDecoded
}

215
vendor/golang.org/x/net/bpf/constants.go generated vendored Normal file
View File

@ -0,0 +1,215 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf
// A Register is a register of the BPF virtual machine.
type Register uint16
const (
// RegA is the accumulator register. RegA is always the
// destination register of ALU operations.
RegA Register = iota
// RegX is the indirection register, used by LoadIndirect
// operations.
RegX
)
// An ALUOp is an arithmetic or logic operation.
type ALUOp uint16
// ALU binary operation types.
const (
ALUOpAdd ALUOp = iota << 4
ALUOpSub
ALUOpMul
ALUOpDiv
ALUOpOr
ALUOpAnd
ALUOpShiftLeft
ALUOpShiftRight
aluOpNeg // Not exported because it's the only unary ALU operation, and gets its own instruction type.
ALUOpMod
ALUOpXor
)
// A JumpTest is a comparison operator used in conditional jumps.
type JumpTest uint16
// Supported operators for conditional jumps.
const (
// K == A
JumpEqual JumpTest = iota
// K != A
JumpNotEqual
// K > A
JumpGreaterThan
// K < A
JumpLessThan
// K >= A
JumpGreaterOrEqual
// K <= A
JumpLessOrEqual
// K & A != 0
JumpBitsSet
// K & A == 0
JumpBitsNotSet
)
// An Extension is a function call provided by the kernel that
// performs advanced operations that are expensive or impossible
// within the BPF virtual machine.
//
// Extensions are only implemented by the Linux kernel.
//
// TODO: should we prune this list? Some of these extensions seem
// either broken or near-impossible to use correctly, whereas other
// (len, random, ifindex) are quite useful.
type Extension int
// Extension functions available in the Linux kernel.
const (
// ExtLen returns the length of the packet.
ExtLen Extension = 1
// ExtProto returns the packet's L3 protocol type.
ExtProto = 0
// ExtType returns the packet's type (skb->pkt_type in the kernel)
//
// TODO: better documentation. How nice an API do we want to
// provide for these esoteric extensions?
ExtType = 4
// ExtPayloadOffset returns the offset of the packet payload, or
// the first protocol header that the kernel does not know how to
// parse.
ExtPayloadOffset = 52
// ExtInterfaceIndex returns the index of the interface on which
// the packet was received.
ExtInterfaceIndex = 8
// ExtNetlinkAttr returns the netlink attribute of type X at
// offset A.
ExtNetlinkAttr = 12
// ExtNetlinkAttrNested returns the nested netlink attribute of
// type X at offset A.
ExtNetlinkAttrNested = 16
// ExtMark returns the packet's mark value.
ExtMark = 20
// ExtQueue returns the packet's assigned hardware queue.
ExtQueue = 24
// ExtLinkLayerType returns the packet's hardware address type
// (e.g. Ethernet, Infiniband).
ExtLinkLayerType = 28
// ExtRXHash returns the packets receive hash.
//
// TODO: figure out what this rxhash actually is.
ExtRXHash = 32
// ExtCPUID returns the ID of the CPU processing the current
// packet.
ExtCPUID = 36
// ExtVLANTag returns the packet's VLAN tag.
ExtVLANTag = 44
// ExtVLANTagPresent returns non-zero if the packet has a VLAN
// tag.
//
// TODO: I think this might be a lie: it reads bit 0x1000 of the
// VLAN header, which changed meaning in recent revisions of the
// spec - this extension may now return meaningless information.
ExtVLANTagPresent = 48
// ExtVLANProto returns 0x8100 if the frame has a VLAN header,
// 0x88a8 if the frame has a "Q-in-Q" double VLAN header, or some
// other value if no VLAN information is present.
ExtVLANProto = 60
// ExtRand returns a uniformly random uint32.
ExtRand = 56
)
// The following gives names to various bit patterns used in opcode construction.
const (
opMaskCls uint16 = 0x7
// opClsLoad masks
opMaskLoadDest = 0x01
opMaskLoadWidth = 0x18
opMaskLoadMode = 0xe0
// opClsALU
opMaskOperandSrc = 0x08
opMaskOperator = 0xf0
// opClsJump
opMaskJumpConst = 0x0f
opMaskJumpCond = 0xf0
)
const (
// +---------------+-----------------+---+---+---+
// | AddrMode (3b) | LoadWidth (2b) | 0 | 0 | 0 |
// +---------------+-----------------+---+---+---+
opClsLoadA uint16 = iota
// +---------------+-----------------+---+---+---+
// | AddrMode (3b) | LoadWidth (2b) | 0 | 0 | 1 |
// +---------------+-----------------+---+---+---+
opClsLoadX
// +---+---+---+---+---+---+---+---+
// | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 0 |
// +---+---+---+---+---+---+---+---+
opClsStoreA
// +---+---+---+---+---+---+---+---+
// | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 1 |
// +---+---+---+---+---+---+---+---+
opClsStoreX
// +---------------+-----------------+---+---+---+
// | Operator (4b) | OperandSrc (1b) | 1 | 0 | 0 |
// +---------------+-----------------+---+---+---+
opClsALU
// +-----------------------------+---+---+---+---+
// | TestOperator (4b) | 0 | 1 | 0 | 1 |
// +-----------------------------+---+---+---+---+
opClsJump
// +---+-------------------------+---+---+---+---+
// | 0 | 0 | 0 | RetSrc (1b) | 0 | 1 | 1 | 0 |
// +---+-------------------------+---+---+---+---+
opClsReturn
// +---+-------------------------+---+---+---+---+
// | 0 | 0 | 0 | TXAorTAX (1b) | 0 | 1 | 1 | 1 |
// +---+-------------------------+---+---+---+---+
opClsMisc
)
const (
opAddrModeImmediate uint16 = iota << 5
opAddrModeAbsolute
opAddrModeIndirect
opAddrModeScratch
opAddrModePacketLen // actually an extension, not an addressing mode.
opAddrModeMemShift
)
const (
opLoadWidth4 uint16 = iota << 3
opLoadWidth2
opLoadWidth1
)
// Operator defined by ALUOp*
const (
opALUSrcConstant uint16 = iota << 3
opALUSrcX
)
const (
opJumpAlways = iota << 4
opJumpEqual
opJumpGT
opJumpGE
opJumpSet
)
const (
opRetSrcConstant uint16 = iota << 4
opRetSrcA
)
const (
opMiscTAX = 0x00
opMiscTXA = 0x80
)

82
vendor/golang.org/x/net/bpf/doc.go generated vendored Normal file
View File

@ -0,0 +1,82 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
/*
Package bpf implements marshaling and unmarshaling of programs for the
Berkeley Packet Filter virtual machine, and provides a Go implementation
of the virtual machine.
BPF's main use is to specify a packet filter for network taps, so that
the kernel doesn't have to expensively copy every packet it sees to
userspace. However, it's been repurposed to other areas where running
user code in-kernel is needed. For example, Linux's seccomp uses BPF
to apply security policies to system calls. For simplicity, this
documentation refers only to packets, but other uses of BPF have their
own data payloads.
BPF programs run in a restricted virtual machine. It has almost no
access to kernel functions, and while conditional branches are
allowed, they can only jump forwards, to guarantee that there are no
infinite loops.
The virtual machine
The BPF VM is an accumulator machine. Its main register, called
register A, is an implicit source and destination in all arithmetic
and logic operations. The machine also has 16 scratch registers for
temporary storage, and an indirection register (register X) for
indirect memory access. All registers are 32 bits wide.
Each run of a BPF program is given one packet, which is placed in the
VM's read-only "main memory". LoadAbsolute and LoadIndirect
instructions can fetch up to 32 bits at a time into register A for
examination.
The goal of a BPF program is to produce and return a verdict (uint32),
which tells the kernel what to do with the packet. In the context of
packet filtering, the returned value is the number of bytes of the
packet to forward to userspace, or 0 to ignore the packet. Other
contexts like seccomp define their own return values.
In order to simplify programs, attempts to read past the end of the
packet terminate the program execution with a verdict of 0 (ignore
packet). This means that the vast majority of BPF programs don't need
to do any explicit bounds checking.
In addition to the bytes of the packet, some BPF programs have access
to extensions, which are essentially calls to kernel utility
functions. Currently, the only extensions supported by this package
are the Linux packet filter extensions.
Examples
This packet filter selects all ARP packets.
bpf.Assemble([]bpf.Instruction{
// Load "EtherType" field from the ethernet header.
bpf.LoadAbsolute{Off: 12, Size: 2},
// Skip over the next instruction if EtherType is not ARP.
bpf.JumpIf{Cond: bpf.JumpNotEqual, Val: 0x0806, SkipTrue: 1},
// Verdict is "send up to 4k of the packet to userspace."
bpf.RetConstant{Val: 4096},
// Verdict is "ignore packet."
bpf.RetConstant{Val: 0},
})
This packet filter captures a random 1% sample of traffic.
bpf.Assemble([]bpf.Instruction{
// Get a 32-bit random number from the Linux kernel.
bpf.LoadExtension{Num: bpf.ExtRand},
// 1% dice roll?
bpf.JumpIf{Cond: bpf.JumpLessThan, Val: 2^32/100, SkipFalse: 1},
// Capture.
bpf.RetConstant{Val: 4096},
// Ignore.
bpf.RetConstant{Val: 0},
})
*/
package bpf // import "golang.org/x/net/bpf"

434
vendor/golang.org/x/net/bpf/instructions.go generated vendored Normal file
View File

@ -0,0 +1,434 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf
import "fmt"
// An Instruction is one instruction executed by the BPF virtual
// machine.
type Instruction interface {
// Assemble assembles the Instruction into a RawInstruction.
Assemble() (RawInstruction, error)
}
// A RawInstruction is a raw BPF virtual machine instruction.
type RawInstruction struct {
// Operation to execute.
Op uint16
// For conditional jump instructions, the number of instructions
// to skip if the condition is true/false.
Jt uint8
Jf uint8
// Constant parameter. The meaning depends on the Op.
K uint32
}
// Assemble implements the Instruction Assemble method.
func (ri RawInstruction) Assemble() (RawInstruction, error) { return ri, nil }
// Disassemble parses ri into an Instruction and returns it. If ri is
// not recognized by this package, ri itself is returned.
func (ri RawInstruction) Disassemble() Instruction {
switch ri.Op & opMaskCls {
case opClsLoadA, opClsLoadX:
reg := Register(ri.Op & opMaskLoadDest)
sz := 0
switch ri.Op & opMaskLoadWidth {
case opLoadWidth4:
sz = 4
case opLoadWidth2:
sz = 2
case opLoadWidth1:
sz = 1
default:
return ri
}
switch ri.Op & opMaskLoadMode {
case opAddrModeImmediate:
if sz != 4 {
return ri
}
return LoadConstant{Dst: reg, Val: ri.K}
case opAddrModeScratch:
if sz != 4 || ri.K > 15 {
return ri
}
return LoadScratch{Dst: reg, N: int(ri.K)}
case opAddrModeAbsolute:
return LoadAbsolute{Size: sz, Off: ri.K}
case opAddrModeIndirect:
return LoadIndirect{Size: sz, Off: ri.K}
case opAddrModePacketLen:
if sz != 4 {
return ri
}
return LoadExtension{Num: ExtLen}
case opAddrModeMemShift:
return LoadMemShift{Off: ri.K}
default:
return ri
}
case opClsStoreA:
if ri.Op != opClsStoreA || ri.K > 15 {
return ri
}
return StoreScratch{Src: RegA, N: int(ri.K)}
case opClsStoreX:
if ri.Op != opClsStoreX || ri.K > 15 {
return ri
}
return StoreScratch{Src: RegX, N: int(ri.K)}
case opClsALU:
switch op := ALUOp(ri.Op & opMaskOperator); op {
case ALUOpAdd, ALUOpSub, ALUOpMul, ALUOpDiv, ALUOpOr, ALUOpAnd, ALUOpShiftLeft, ALUOpShiftRight, ALUOpMod, ALUOpXor:
if ri.Op&opMaskOperandSrc != 0 {
return ALUOpX{Op: op}
}
return ALUOpConstant{Op: op, Val: ri.K}
case aluOpNeg:
return NegateA{}
default:
return ri
}
case opClsJump:
if ri.Op&opMaskJumpConst != opClsJump {
return ri
}
switch ri.Op & opMaskJumpCond {
case opJumpAlways:
return Jump{Skip: ri.K}
case opJumpEqual:
return JumpIf{
Cond: JumpEqual,
Val: ri.K,
SkipTrue: ri.Jt,
SkipFalse: ri.Jf,
}
case opJumpGT:
return JumpIf{
Cond: JumpGreaterThan,
Val: ri.K,
SkipTrue: ri.Jt,
SkipFalse: ri.Jf,
}
case opJumpGE:
return JumpIf{
Cond: JumpGreaterOrEqual,
Val: ri.K,
SkipTrue: ri.Jt,
SkipFalse: ri.Jf,
}
case opJumpSet:
return JumpIf{
Cond: JumpBitsSet,
Val: ri.K,
SkipTrue: ri.Jt,
SkipFalse: ri.Jf,
}
default:
return ri
}
case opClsReturn:
switch ri.Op {
case opClsReturn | opRetSrcA:
return RetA{}
case opClsReturn | opRetSrcConstant:
return RetConstant{Val: ri.K}
default:
return ri
}
case opClsMisc:
switch ri.Op {
case opClsMisc | opMiscTAX:
return TAX{}
case opClsMisc | opMiscTXA:
return TXA{}
default:
return ri
}
default:
panic("unreachable") // switch is exhaustive on the bit pattern
}
}
// LoadConstant loads Val into register Dst.
type LoadConstant struct {
Dst Register
Val uint32
}
// Assemble implements the Instruction Assemble method.
func (a LoadConstant) Assemble() (RawInstruction, error) {
return assembleLoad(a.Dst, 4, opAddrModeImmediate, a.Val)
}
// LoadScratch loads scratch[N] into register Dst.
type LoadScratch struct {
Dst Register
N int // 0-15
}
// Assemble implements the Instruction Assemble method.
func (a LoadScratch) Assemble() (RawInstruction, error) {
if a.N < 0 || a.N > 15 {
return RawInstruction{}, fmt.Errorf("invalid scratch slot %d", a.N)
}
return assembleLoad(a.Dst, 4, opAddrModeScratch, uint32(a.N))
}
// LoadAbsolute loads packet[Off:Off+Size] as an integer value into
// register A.
type LoadAbsolute struct {
Off uint32
Size int // 1, 2 or 4
}
// Assemble implements the Instruction Assemble method.
func (a LoadAbsolute) Assemble() (RawInstruction, error) {
return assembleLoad(RegA, a.Size, opAddrModeAbsolute, a.Off)
}
// LoadIndirect loads packet[X+Off:X+Off+Size] as an integer value
// into register A.
type LoadIndirect struct {
Off uint32
Size int // 1, 2 or 4
}
// Assemble implements the Instruction Assemble method.
func (a LoadIndirect) Assemble() (RawInstruction, error) {
return assembleLoad(RegA, a.Size, opAddrModeIndirect, a.Off)
}
// LoadMemShift multiplies the first 4 bits of the byte at packet[Off]
// by 4 and stores the result in register X.
//
// This instruction is mainly useful to load into X the length of an
// IPv4 packet header in a single instruction, rather than have to do
// the arithmetic on the header's first byte by hand.
type LoadMemShift struct {
Off uint32
}
// Assemble implements the Instruction Assemble method.
func (a LoadMemShift) Assemble() (RawInstruction, error) {
return assembleLoad(RegX, 1, opAddrModeMemShift, a.Off)
}
// LoadExtension invokes a linux-specific extension and stores the
// result in register A.
type LoadExtension struct {
Num Extension
}
// Assemble implements the Instruction Assemble method.
func (a LoadExtension) Assemble() (RawInstruction, error) {
if a.Num == ExtLen {
return assembleLoad(RegA, 4, opAddrModePacketLen, 0)
}
return assembleLoad(RegA, 4, opAddrModeAbsolute, uint32(-0x1000+a.Num))
}
// StoreScratch stores register Src into scratch[N].
type StoreScratch struct {
Src Register
N int // 0-15
}
// Assemble implements the Instruction Assemble method.
func (a StoreScratch) Assemble() (RawInstruction, error) {
if a.N < 0 || a.N > 15 {
return RawInstruction{}, fmt.Errorf("invalid scratch slot %d", a.N)
}
var op uint16
switch a.Src {
case RegA:
op = opClsStoreA
case RegX:
op = opClsStoreX
default:
return RawInstruction{}, fmt.Errorf("invalid source register %v", a.Src)
}
return RawInstruction{
Op: op,
K: uint32(a.N),
}, nil
}
// ALUOpConstant executes A = A <Op> Val.
type ALUOpConstant struct {
Op ALUOp
Val uint32
}
// Assemble implements the Instruction Assemble method.
func (a ALUOpConstant) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsALU | opALUSrcConstant | uint16(a.Op),
K: a.Val,
}, nil
}
// ALUOpX executes A = A <Op> X
type ALUOpX struct {
Op ALUOp
}
// Assemble implements the Instruction Assemble method.
func (a ALUOpX) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsALU | opALUSrcX | uint16(a.Op),
}, nil
}
// NegateA executes A = -A.
type NegateA struct{}
// Assemble implements the Instruction Assemble method.
func (a NegateA) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsALU | uint16(aluOpNeg),
}, nil
}
// Jump skips the following Skip instructions in the program.
type Jump struct {
Skip uint32
}
// Assemble implements the Instruction Assemble method.
func (a Jump) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsJump | opJumpAlways,
K: a.Skip,
}, nil
}
// JumpIf skips the following Skip instructions in the program if A
// <Cond> Val is true.
type JumpIf struct {
Cond JumpTest
Val uint32
SkipTrue uint8
SkipFalse uint8
}
// Assemble implements the Instruction Assemble method.
func (a JumpIf) Assemble() (RawInstruction, error) {
var (
cond uint16
flip bool
)
switch a.Cond {
case JumpEqual:
cond = opJumpEqual
case JumpNotEqual:
cond, flip = opJumpEqual, true
case JumpGreaterThan:
cond = opJumpGT
case JumpLessThan:
cond, flip = opJumpGE, true
case JumpGreaterOrEqual:
cond = opJumpGE
case JumpLessOrEqual:
cond, flip = opJumpGT, true
case JumpBitsSet:
cond = opJumpSet
case JumpBitsNotSet:
cond, flip = opJumpSet, true
default:
return RawInstruction{}, fmt.Errorf("unknown JumpTest %v", a.Cond)
}
jt, jf := a.SkipTrue, a.SkipFalse
if flip {
jt, jf = jf, jt
}
return RawInstruction{
Op: opClsJump | cond,
Jt: jt,
Jf: jf,
K: a.Val,
}, nil
}
// RetA exits the BPF program, returning the value of register A.
type RetA struct{}
// Assemble implements the Instruction Assemble method.
func (a RetA) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsReturn | opRetSrcA,
}, nil
}
// RetConstant exits the BPF program, returning a constant value.
type RetConstant struct {
Val uint32
}
// Assemble implements the Instruction Assemble method.
func (a RetConstant) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsReturn | opRetSrcConstant,
K: a.Val,
}, nil
}
// TXA copies the value of register X to register A.
type TXA struct{}
// Assemble implements the Instruction Assemble method.
func (a TXA) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsMisc | opMiscTXA,
}, nil
}
// TAX copies the value of register A to register X.
type TAX struct{}
// Assemble implements the Instruction Assemble method.
func (a TAX) Assemble() (RawInstruction, error) {
return RawInstruction{
Op: opClsMisc | opMiscTAX,
}, nil
}
func assembleLoad(dst Register, loadSize int, mode uint16, k uint32) (RawInstruction, error) {
var (
cls uint16
sz uint16
)
switch dst {
case RegA:
cls = opClsLoadA
case RegX:
cls = opClsLoadX
default:
return RawInstruction{}, fmt.Errorf("invalid target register %v", dst)
}
switch loadSize {
case 1:
sz = opLoadWidth1
case 2:
sz = opLoadWidth2
case 4:
sz = opLoadWidth4
default:
return RawInstruction{}, fmt.Errorf("invalid load byte length %d", sz)
}
return RawInstruction{
Op: cls | sz | mode,
K: k,
}, nil
}

184
vendor/golang.org/x/net/bpf/instructions_test.go generated vendored Normal file
View File

@ -0,0 +1,184 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf
import (
"io/ioutil"
"reflect"
"strconv"
"strings"
"testing"
)
// This is a direct translation of the program in
// testdata/all_instructions.txt.
var allInstructions = []Instruction{
LoadConstant{Dst: RegA, Val: 42},
LoadConstant{Dst: RegX, Val: 42},
LoadScratch{Dst: RegA, N: 3},
LoadScratch{Dst: RegX, N: 3},
LoadAbsolute{Off: 42, Size: 1},
LoadAbsolute{Off: 42, Size: 2},
LoadAbsolute{Off: 42, Size: 4},
LoadIndirect{Off: 42, Size: 1},
LoadIndirect{Off: 42, Size: 2},
LoadIndirect{Off: 42, Size: 4},
LoadMemShift{Off: 42},
LoadExtension{Num: ExtLen},
LoadExtension{Num: ExtProto},
LoadExtension{Num: ExtType},
LoadExtension{Num: ExtRand},
StoreScratch{Src: RegA, N: 3},
StoreScratch{Src: RegX, N: 3},
ALUOpConstant{Op: ALUOpAdd, Val: 42},
ALUOpConstant{Op: ALUOpSub, Val: 42},
ALUOpConstant{Op: ALUOpMul, Val: 42},
ALUOpConstant{Op: ALUOpDiv, Val: 42},
ALUOpConstant{Op: ALUOpOr, Val: 42},
ALUOpConstant{Op: ALUOpAnd, Val: 42},
ALUOpConstant{Op: ALUOpShiftLeft, Val: 42},
ALUOpConstant{Op: ALUOpShiftRight, Val: 42},
ALUOpConstant{Op: ALUOpMod, Val: 42},
ALUOpConstant{Op: ALUOpXor, Val: 42},
ALUOpX{Op: ALUOpAdd},
ALUOpX{Op: ALUOpSub},
ALUOpX{Op: ALUOpMul},
ALUOpX{Op: ALUOpDiv},
ALUOpX{Op: ALUOpOr},
ALUOpX{Op: ALUOpAnd},
ALUOpX{Op: ALUOpShiftLeft},
ALUOpX{Op: ALUOpShiftRight},
ALUOpX{Op: ALUOpMod},
ALUOpX{Op: ALUOpXor},
NegateA{},
Jump{Skip: 10},
JumpIf{Cond: JumpEqual, Val: 42, SkipTrue: 8, SkipFalse: 9},
JumpIf{Cond: JumpNotEqual, Val: 42, SkipTrue: 8},
JumpIf{Cond: JumpLessThan, Val: 42, SkipTrue: 7},
JumpIf{Cond: JumpLessOrEqual, Val: 42, SkipTrue: 6},
JumpIf{Cond: JumpGreaterThan, Val: 42, SkipTrue: 4, SkipFalse: 5},
JumpIf{Cond: JumpGreaterOrEqual, Val: 42, SkipTrue: 3, SkipFalse: 4},
JumpIf{Cond: JumpBitsSet, Val: 42, SkipTrue: 2, SkipFalse: 3},
TAX{},
TXA{},
RetA{},
RetConstant{Val: 42},
}
var allInstructionsExpected = "testdata/all_instructions.bpf"
// Check that we produce the same output as the canonical bpf_asm
// linux kernel tool.
func TestInterop(t *testing.T) {
out, err := Assemble(allInstructions)
if err != nil {
t.Fatalf("assembly of allInstructions program failed: %s", err)
}
t.Logf("Assembled program is %d instructions long", len(out))
bs, err := ioutil.ReadFile(allInstructionsExpected)
if err != nil {
t.Fatalf("reading %s: %s", allInstructionsExpected, err)
}
// First statement is the number of statements, last statement is
// empty. We just ignore both and rely on slice length.
stmts := strings.Split(string(bs), ",")
if len(stmts)-2 != len(out) {
t.Fatalf("test program lengths don't match: %s has %d, Go implementation has %d", allInstructionsExpected, len(stmts)-2, len(allInstructions))
}
for i, stmt := range stmts[1 : len(stmts)-2] {
nums := strings.Split(stmt, " ")
if len(nums) != 4 {
t.Fatalf("malformed instruction %d in %s: %s", i+1, allInstructionsExpected, stmt)
}
actual := out[i]
op, err := strconv.ParseUint(nums[0], 10, 16)
if err != nil {
t.Fatalf("malformed opcode %s in instruction %d of %s", nums[0], i+1, allInstructionsExpected)
}
if actual.Op != uint16(op) {
t.Errorf("opcode mismatch on instruction %d (%#v): got 0x%02x, want 0x%02x", i+1, allInstructions[i], actual.Op, op)
}
jt, err := strconv.ParseUint(nums[1], 10, 8)
if err != nil {
t.Fatalf("malformed jt offset %s in instruction %d of %s", nums[1], i+1, allInstructionsExpected)
}
if actual.Jt != uint8(jt) {
t.Errorf("jt mismatch on instruction %d (%#v): got %d, want %d", i+1, allInstructions[i], actual.Jt, jt)
}
jf, err := strconv.ParseUint(nums[2], 10, 8)
if err != nil {
t.Fatalf("malformed jf offset %s in instruction %d of %s", nums[2], i+1, allInstructionsExpected)
}
if actual.Jf != uint8(jf) {
t.Errorf("jf mismatch on instruction %d (%#v): got %d, want %d", i+1, allInstructions[i], actual.Jf, jf)
}
k, err := strconv.ParseUint(nums[3], 10, 32)
if err != nil {
t.Fatalf("malformed constant %s in instruction %d of %s", nums[3], i+1, allInstructionsExpected)
}
if actual.K != uint32(k) {
t.Errorf("constant mismatch on instruction %d (%#v): got %d, want %d", i+1, allInstructions[i], actual.K, k)
}
}
}
// Check that assembly and disassembly match each other.
//
// Because we offer "fake" jump conditions that don't appear in the
// machine code, disassembly won't be a 1:1 match with the original
// source, although the behavior will be identical. However,
// reassembling the disassembly should produce an identical program.
func TestAsmDisasm(t *testing.T) {
prog1, err := Assemble(allInstructions)
if err != nil {
t.Fatalf("assembly of allInstructions program failed: %s", err)
}
t.Logf("Assembled program is %d instructions long", len(prog1))
src, allDecoded := Disassemble(prog1)
if !allDecoded {
t.Errorf("Disassemble(Assemble(allInstructions)) produced unrecognized instructions:")
for i, inst := range src {
if r, ok := inst.(RawInstruction); ok {
t.Logf(" insn %d, %#v --> %#v", i+1, allInstructions[i], r)
}
}
}
prog2, err := Assemble(src)
if err != nil {
t.Fatalf("assembly of Disassemble(Assemble(allInstructions)) failed: %s", err)
}
if len(prog2) != len(prog1) {
t.Fatalf("disassembly changed program size: %d insns before, %d insns after", len(prog1), len(prog2))
}
if !reflect.DeepEqual(prog1, prog2) {
t.Errorf("program mutated by disassembly:")
for i := range prog2 {
if !reflect.DeepEqual(prog1[i], prog2[i]) {
t.Logf(" insn %d, s: %#v, p1: %#v, p2: %#v", i+1, allInstructions[i], prog1[i], prog2[i])
}
}
}
}

1
vendor/golang.org/x/net/bpf/testdata/all_instructions.bpf generated vendored Normal file
View File

@ -0,0 +1 @@
50,0 0 0 42,1 0 0 42,96 0 0 3,97 0 0 3,48 0 0 42,40 0 0 42,32 0 0 42,80 0 0 42,72 0 0 42,64 0 0 42,177 0 0 42,128 0 0 0,32 0 0 4294963200,32 0 0 4294963204,32 0 0 4294963256,2 0 0 3,3 0 0 3,4 0 0 42,20 0 0 42,36 0 0 42,52 0 0 42,68 0 0 42,84 0 0 42,100 0 0 42,116 0 0 42,148 0 0 42,164 0 0 42,12 0 0 0,28 0 0 0,44 0 0 0,60 0 0 0,76 0 0 0,92 0 0 0,108 0 0 0,124 0 0 0,156 0 0 0,172 0 0 0,132 0 0 0,5 0 0 10,21 8 9 42,21 0 8 42,53 0 7 42,37 0 6 42,37 4 5 42,53 3 4 42,69 2 3 42,7 0 0 0,135 0 0 0,22 0 0 0,6 0 0 0,

79
vendor/golang.org/x/net/bpf/testdata/all_instructions.txt generated vendored Normal file
View File

@ -0,0 +1,79 @@
# This filter is compiled to all_instructions.bpf by the `bpf_asm`
# tool, which can be found in the linux kernel source tree under
# tools/net.
# Load immediate
ld #42
ldx #42
# Load scratch
ld M[3]
ldx M[3]
# Load absolute
ldb [42]
ldh [42]
ld [42]
# Load indirect
ldb [x + 42]
ldh [x + 42]
ld [x + 42]
# Load IPv4 header length
ldx 4*([42]&0xf)
# Run extension function
ld #len
ld #proto
ld #type
ld #rand
# Store scratch
st M[3]
stx M[3]
# A <op> constant
add #42
sub #42
mul #42
div #42
or #42
and #42
lsh #42
rsh #42
mod #42
xor #42
# A <op> X
add x
sub x
mul x
div x
or x
and x
lsh x
rsh x
mod x
xor x
# !A
neg
# Jumps
ja end
jeq #42,prev,end
jne #42,end
jlt #42,end
jle #42,end
jgt #42,prev,end
jge #42,prev,end
jset #42,prev,end
# Register transfers
tax
txa
# Returns
prev: ret a
end: ret #42

140
vendor/golang.org/x/net/bpf/vm.go generated vendored Normal file
View File

@ -0,0 +1,140 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf
import (
"errors"
"fmt"
)
// A VM is an emulated BPF virtual machine.
type VM struct {
filter []Instruction
}
// NewVM returns a new VM using the input BPF program.
func NewVM(filter []Instruction) (*VM, error) {
if len(filter) == 0 {
return nil, errors.New("one or more Instructions must be specified")
}
for i, ins := range filter {
check := len(filter) - (i + 1)
switch ins := ins.(type) {
// Check for out-of-bounds jumps in instructions
case Jump:
if check <= int(ins.Skip) {
return nil, fmt.Errorf("cannot jump %d instructions; jumping past program bounds", ins.Skip)
}
case JumpIf:
if check <= int(ins.SkipTrue) {
return nil, fmt.Errorf("cannot jump %d instructions in true case; jumping past program bounds", ins.SkipTrue)
}
if check <= int(ins.SkipFalse) {
return nil, fmt.Errorf("cannot jump %d instructions in false case; jumping past program bounds", ins.SkipFalse)
}
// Check for division or modulus by zero
case ALUOpConstant:
if ins.Val != 0 {
break
}
switch ins.Op {
case ALUOpDiv, ALUOpMod:
return nil, errors.New("cannot divide by zero using ALUOpConstant")
}
// Check for unknown extensions
case LoadExtension:
switch ins.Num {
case ExtLen:
default:
return nil, fmt.Errorf("extension %d not implemented", ins.Num)
}
}
}
// Make sure last instruction is a return instruction
switch filter[len(filter)-1].(type) {
case RetA, RetConstant:
default:
return nil, errors.New("BPF program must end with RetA or RetConstant")
}
// Though our VM works using disassembled instructions, we
// attempt to assemble the input filter anyway to ensure it is compatible
// with an operating system VM.
_, err := Assemble(filter)
return &VM{
filter: filter,
}, err
}
// Run runs the VM's BPF program against the input bytes.
// Run returns the number of bytes accepted by the BPF program, and any errors
// which occurred while processing the program.
func (v *VM) Run(in []byte) (int, error) {
var (
// Registers of the virtual machine
regA uint32
regX uint32
regScratch [16]uint32
// OK is true if the program should continue processing the next
// instruction, or false if not, causing the loop to break
ok = true
)
// TODO(mdlayher): implement:
// - NegateA:
// - would require a change from uint32 registers to int32
// registers
// TODO(mdlayher): add interop tests that check signedness of ALU
// operations against kernel implementation, and make sure Go
// implementation matches behavior
for i := 0; i < len(v.filter) && ok; i++ {
ins := v.filter[i]
switch ins := ins.(type) {
case ALUOpConstant:
regA = aluOpConstant(ins, regA)
case ALUOpX:
regA, ok = aluOpX(ins, regA, regX)
case Jump:
i += int(ins.Skip)
case JumpIf:
jump := jumpIf(ins, regA)
i += jump
case LoadAbsolute:
regA, ok = loadAbsolute(ins, in)
case LoadConstant:
regA, regX = loadConstant(ins, regA, regX)
case LoadExtension:
regA = loadExtension(ins, in)
case LoadIndirect:
regA, ok = loadIndirect(ins, in, regX)
case LoadMemShift:
regX, ok = loadMemShift(ins, in)
case LoadScratch:
regA, regX = loadScratch(ins, regScratch, regA, regX)
case RetA:
return int(regA), nil
case RetConstant:
return int(ins.Val), nil
case StoreScratch:
regScratch = storeScratch(ins, regScratch, regA, regX)
case TAX:
regX = regA
case TXA:
regA = regX
default:
return 0, fmt.Errorf("unknown Instruction at index %d: %T", i, ins)
}
}
return 0, nil
}

512
vendor/golang.org/x/net/bpf/vm_aluop_test.go generated vendored Normal file
View File

@ -0,0 +1,512 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf_test
import (
"testing"
"golang.org/x/net/bpf"
)
func TestVMALUOpAdd(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpAdd,
Val: 3,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
8, 2, 3,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 3, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpSub(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.TAX{},
bpf.ALUOpX{
Op: bpf.ALUOpSub,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
1, 2, 3,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 0, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpMul(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpMul,
Val: 2,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
6, 2, 3, 4,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 4, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpDiv(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpDiv,
Val: 2,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
20, 2, 3, 4,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 2, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpDivByZeroALUOpConstant(t *testing.T) {
_, _, err := testVM(t, []bpf.Instruction{
bpf.ALUOpConstant{
Op: bpf.ALUOpDiv,
Val: 0,
},
bpf.RetA{},
})
if errStr(err) != "cannot divide by zero using ALUOpConstant" {
t.Fatalf("unexpected error: %v", err)
}
}
func TestVMALUOpDivByZeroALUOpX(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
// Load byte 0 into X
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.TAX{},
// Load byte 1 into A
bpf.LoadAbsolute{
Off: 9,
Size: 1,
},
// Attempt to perform 1/0
bpf.ALUOpX{
Op: bpf.ALUOpDiv,
},
// Return 4 bytes if program does not terminate
bpf.LoadConstant{
Val: 12,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0, 1, 3, 4,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 0, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpOr(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 2,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpOr,
Val: 0x01,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0x00, 0x10, 0x03, 0x04,
0x05, 0x06, 0x07, 0x08,
0x09, 0xff,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 9, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpAnd(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 2,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpAnd,
Val: 0x0019,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0xaa, 0x09,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 1, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpShiftLeft(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpShiftLeft,
Val: 0x01,
},
bpf.JumpIf{
Cond: bpf.JumpEqual,
Val: 0x02,
SkipTrue: 1,
},
bpf.RetConstant{
Val: 0,
},
bpf.RetConstant{
Val: 9,
},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0x01, 0xaa,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 1, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpShiftRight(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpShiftRight,
Val: 0x01,
},
bpf.JumpIf{
Cond: bpf.JumpEqual,
Val: 0x04,
SkipTrue: 1,
},
bpf.RetConstant{
Val: 0,
},
bpf.RetConstant{
Val: 9,
},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0x08, 0xff, 0xff,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 1, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpMod(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpMod,
Val: 20,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
30, 0, 0,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 2, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpModByZeroALUOpConstant(t *testing.T) {
_, _, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpMod,
Val: 0,
},
bpf.RetA{},
})
if errStr(err) != "cannot divide by zero using ALUOpConstant" {
t.Fatalf("unexpected error: %v", err)
}
}
func TestVMALUOpModByZeroALUOpX(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
// Load byte 0 into X
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.TAX{},
// Load byte 1 into A
bpf.LoadAbsolute{
Off: 9,
Size: 1,
},
// Attempt to perform 1%0
bpf.ALUOpX{
Op: bpf.ALUOpMod,
},
// Return 4 bytes if program does not terminate
bpf.LoadConstant{
Val: 12,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0, 1, 3, 4,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 0, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpXor(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpXor,
Val: 0x0a,
},
bpf.JumpIf{
Cond: bpf.JumpEqual,
Val: 0x01,
SkipTrue: 1,
},
bpf.RetConstant{
Val: 0,
},
bpf.RetConstant{
Val: 9,
},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0x0b, 0x00, 0x00, 0x00,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 1, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}
func TestVMALUOpUnknown(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadAbsolute{
Off: 8,
Size: 1,
},
bpf.ALUOpConstant{
Op: bpf.ALUOpAdd,
Val: 1,
},
// Verify that an unknown operation is a no-op
bpf.ALUOpConstant{
Op: 100,
},
bpf.JumpIf{
Cond: bpf.JumpEqual,
Val: 0x02,
SkipTrue: 1,
},
bpf.RetConstant{
Val: 0,
},
bpf.RetConstant{
Val: 9,
},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
1,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 1, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}

192
vendor/golang.org/x/net/bpf/vm_bpf_test.go generated vendored Normal file
View File

@ -0,0 +1,192 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf_test
import (
"net"
"runtime"
"testing"
"time"
"golang.org/x/net/bpf"
"golang.org/x/net/ipv4"
)
// A virtualMachine is a BPF virtual machine which can process an
// input packet against a BPF program and render a verdict.
type virtualMachine interface {
Run(in []byte) (int, error)
}
// canUseOSVM indicates if the OS BPF VM is available on this platform.
func canUseOSVM() bool {
// OS BPF VM can only be used on platforms where x/net/ipv4 supports
// attaching a BPF program to a socket.
switch runtime.GOOS {
case "linux":
return true
}
return false
}
// All BPF tests against both the Go VM and OS VM are assumed to
// be used with a UDP socket. As a result, the entire contents
// of a UDP datagram is sent through the BPF program, but only
// the body after the UDP header will ever be returned in output.
// testVM sets up a Go BPF VM, and if available, a native OS BPF VM
// for integration testing.
func testVM(t *testing.T, filter []bpf.Instruction) (virtualMachine, func(), error) {
goVM, err := bpf.NewVM(filter)
if err != nil {
// Some tests expect an error, so this error must be returned
// instead of fatally exiting the test
return nil, nil, err
}
mvm := &multiVirtualMachine{
goVM: goVM,
t: t,
}
// If available, add the OS VM for tests which verify that both the Go
// VM and OS VM have exactly the same output for the same input program
// and packet.
done := func() {}
if canUseOSVM() {
osVM, osVMDone := testOSVM(t, filter)
done = func() { osVMDone() }
mvm.osVM = osVM
}
return mvm, done, nil
}
// udpHeaderLen is the length of a UDP header.
const udpHeaderLen = 8
// A multiVirtualMachine is a virtualMachine which can call out to both the Go VM
// and the native OS VM, if the OS VM is available.
type multiVirtualMachine struct {
goVM virtualMachine
osVM virtualMachine
t *testing.T
}
func (mvm *multiVirtualMachine) Run(in []byte) (int, error) {
if len(in) < udpHeaderLen {
mvm.t.Fatalf("input must be at least length of UDP header (%d), got: %d",
udpHeaderLen, len(in))
}
// All tests have a UDP header as part of input, because the OS VM
// packets always will. For the Go VM, this output is trimmed before
// being sent back to tests.
goOut, goErr := mvm.goVM.Run(in)
if goOut >= udpHeaderLen {
goOut -= udpHeaderLen
}
// If Go output is larger than the size of the packet, packet filtering
// interop tests must trim the output bytes to the length of the packet.
// The BPF VM should not do this on its own, as other uses of it do
// not trim the output byte count.
trim := len(in) - udpHeaderLen
if goOut > trim {
goOut = trim
}
// When the OS VM is not available, process using the Go VM alone
if mvm.osVM == nil {
return goOut, goErr
}
// The OS VM will apply its own UDP header, so remove the pseudo header
// that the Go VM needs.
osOut, err := mvm.osVM.Run(in[udpHeaderLen:])
if err != nil {
mvm.t.Fatalf("error while running OS VM: %v", err)
}
// Verify both VMs return same number of bytes
var mismatch bool
if goOut != osOut {
mismatch = true
mvm.t.Logf("output byte count does not match:\n- go: %v\n- os: %v", goOut, osOut)
}
if mismatch {
mvm.t.Fatal("Go BPF and OS BPF packet outputs do not match")
}
return goOut, goErr
}
// An osVirtualMachine is a virtualMachine which uses the OS's BPF VM for
// processing BPF programs.
type osVirtualMachine struct {
l net.PacketConn
s net.Conn
}
// testOSVM creates a virtualMachine which uses the OS's BPF VM by injecting
// packets into a UDP listener with a BPF program attached to it.
func testOSVM(t *testing.T, filter []bpf.Instruction) (virtualMachine, func()) {
l, err := net.ListenPacket("udp4", "127.0.0.1:0")
if err != nil {
t.Fatalf("failed to open OS VM UDP listener: %v", err)
}
prog, err := bpf.Assemble(filter)
if err != nil {
t.Fatalf("failed to compile BPF program: %v", err)
}
p := ipv4.NewPacketConn(l)
if err = p.SetBPF(prog); err != nil {
t.Fatalf("failed to attach BPF program to listener: %v", err)
}
s, err := net.Dial("udp4", l.LocalAddr().String())
if err != nil {
t.Fatalf("failed to dial connection to listener: %v", err)
}
done := func() {
_ = s.Close()
_ = l.Close()
}
return &osVirtualMachine{
l: l,
s: s,
}, done
}
// Run sends the input bytes into the OS's BPF VM and returns its verdict.
func (vm *osVirtualMachine) Run(in []byte) (int, error) {
go func() {
_, _ = vm.s.Write(in)
}()
vm.l.SetDeadline(time.Now().Add(50 * time.Millisecond))
var b [512]byte
n, _, err := vm.l.ReadFrom(b[:])
if err != nil {
// A timeout indicates that BPF filtered out the packet, and thus,
// no input should be returned.
if nerr, ok := err.(net.Error); ok && nerr.Timeout() {
return n, nil
}
return n, err
}
return n, nil
}

49
vendor/golang.org/x/net/bpf/vm_extension_test.go generated vendored Normal file
View File

@ -0,0 +1,49 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf_test
import (
"testing"
"golang.org/x/net/bpf"
)
func TestVMLoadExtensionNotImplemented(t *testing.T) {
_, _, err := testVM(t, []bpf.Instruction{
bpf.LoadExtension{
Num: 100,
},
bpf.RetA{},
})
if errStr(err) != "extension 100 not implemented" {
t.Fatalf("unexpected error: %v", err)
}
}
func TestVMLoadExtensionExtLen(t *testing.T) {
vm, done, err := testVM(t, []bpf.Instruction{
bpf.LoadExtension{
Num: bpf.ExtLen,
},
bpf.RetA{},
})
if err != nil {
t.Fatalf("failed to load BPF program: %v", err)
}
defer done()
out, err := vm.Run([]byte{
0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff,
0, 1, 2, 3,
})
if err != nil {
t.Fatalf("unexpected error while running program: %v", err)
}
if want, got := 4, out; want != got {
t.Fatalf("unexpected number of output bytes:\n- want: %d\n- got: %d",
want, got)
}
}

174
vendor/golang.org/x/net/bpf/vm_instructions.go generated vendored Normal file
View File

@ -0,0 +1,174 @@
// Copyright 2016 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package bpf
import (
"encoding/binary"
"fmt"
)
func aluOpConstant(ins ALUOpConstant, regA uint32) uint32 {
return aluOpCommon(ins.Op, regA, ins.Val)
}
func aluOpX(ins ALUOpX, regA uint32, regX uint32) (uint32, bool) {
// Guard against division or modulus by zero by terminating
// the program, as the OS BPF VM does
if regX == 0 {
switch ins.Op {
case ALUOpDiv, ALUOpMod:
return 0, false
}
}
return aluOpCommon(ins.Op, regA, regX), true
}
func aluOpCommon(op ALUOp, regA uint32, value uint32) uint32 {
switch op {
case ALUOpAdd:
return regA + value
case ALUOpSub:
return regA - value
case ALUOpMul:
return regA * value
case ALUOpDiv:
// Division by zero not permitted by NewVM and aluOpX checks
return regA / value
case ALUOpOr:
return regA | value
case ALUOpAnd:
return regA & value
case ALUOpShiftLeft:
return regA << value
case ALUOpShiftRight:
return regA >> value
case ALUOpMod:
// Modulus by zero not permitted by NewVM and aluOpX checks
return regA % value
case ALUOpXor:
return regA ^ value
default:
return regA
}
}
func jumpIf(ins JumpIf, value uint32) int {
var ok bool
inV := uint32(ins.Val)
switch ins.Cond {
case JumpEqual:
ok = value == inV
case JumpNotEqual:
ok = value != inV
case JumpGreaterThan:
ok = value > inV
case JumpLessThan:
ok = value < inV
case JumpGreaterOrEqual:
ok = value >= inV
case JumpLessOrEqual:
ok = value <= inV
case JumpBitsSet:
ok = (value & inV) != 0
case JumpBitsNotSet:
ok = (value & inV) == 0
}
if ok {
return int(ins.SkipTrue)
}
return int(ins.SkipFalse)
}
func loadAbsolute(ins LoadAbsolute, in []byte) (uint32, bool) {
offset := int(ins.Off)
size := int(ins.Size)
return loadCommon(in, offset, size)
}
func loadConstant(ins LoadConstant, regA uint32, regX uint32) (uint32, uint32) {
switch ins.Dst {
case RegA:
regA = ins.Val
case RegX:
regX = ins.Val
}
return regA, regX
}
func loadExtension(ins LoadExtension, in []byte) uint32 {
switch ins.Num {
case ExtLen:
return uint32(len(in))
default:
panic(fmt.Sprintf("unimplemented extension: %d", ins.Num))
}
}
func loadIndirect(ins LoadIndirect, in []byte, regX uint32) (uint32, bool) {
offset := int(ins.Off) + int(regX)
size := int(ins.Size)
return loadCommon(in, offset, size)
}
func loadMemShift(ins LoadMemShift, in []byte) (uint32, bool) {
offset := int(ins.Off)
if !inBounds(len(in), offset, 0) {
return 0, false
}
// Mask off high 4 bits and multiply low 4 bits by 4
return uint32(in[offset]&0x0f) * 4, true
}
func inBounds(inLen int, offset int, size int) bool {
return offset+size <= inLen
}
func loadCommon(in []byte, offset int, size int) (uint32, bool) {
if !inBounds(len(in), offset, size) {
return 0, false
}
switch size {
case 1:
return uint32(in[offset]), true
case 2:
return uint32(binary.BigEndian.Uint16(in[offset : offset+size])), true
case 4:
return uint32(binary.BigEndian.Uint32(in[offset : offset+size])), true
default:
panic(fmt.Sprintf("invalid load size: %d", size))
}
}
func loadScratch(ins LoadScratch, regScratch [16]uint32, regA uint32, regX uint32) (uint32, uint32) {
switch ins.Dst {
case RegA:
regA = regScratch[ins.N]
case RegX:
regX = regScratch[ins.N]
}
return regA, regX
}
func storeScratch(ins StoreScratch, regScratch [16]uint32, regA uint32, regX uint32) [16]uint32 {
switch ins.Src {
case RegA:
regScratch[ins.N] = regA
case RegX:
regScratch[ins.N] = regX
}
return regScratch
}

Some files were not shown because too many files have changed in this diff Show More