Documentation

Index
- Variables
 - func BridgeUpdateACLs(s *state.State, l logger.Logger, aclProjectName string, ...) error
 - func Create(s *state.State, projectName string, aclInfo *api.NetworkACLsPost) error
 - func Exists(s *state.State, projectName string, name ...string) error
 - func FirewallACLRules(s *state.State, aclDeviceName string, aclProjectName string, ...) ([]firewallDrivers.ACLRule, error)
 - func FirewallApplyACLRules(s *state.State, logger logger.Logger, aclProjectName string, ...) error
 - func NetworkUsage(s *state.State, aclProjectName string, aclNames []string, ...) error
 - func OVNACLNetworkPortGroupName(networkACLID int64, networkID int64) ovn.OVNPortGroup
 - func OVNACLPortGroupNamePrefix(networkACLID int64) string
 - func OVNApplyInstanceNICDefaultRules(client *ovn.NB, switchPortGroup ovn.OVNPortGroup, logPrefix string, ...) error
 - func OVNApplyNetworkBaselineRules(client *ovn.NB, switchName ovn.OVNSwitch, routerPortName ovn.OVNSwitchPort, ...) error
 - func OVNEnsureACLs(s *state.State, l logger.Logger, client *ovn.NB, aclProjectName string, ...) (revert.Hook, error)
 - func OVNIntSwitchName(networkID int64) ovn.OVNSwitch
 - func OVNIntSwitchPortGroupAddressSetPrefix(networkID int64) ovn.OVNAddressSet
 - func OVNIntSwitchPortGroupName(networkID int64) ovn.OVNPortGroup
 - func OVNIntSwitchRouterPortName(networkID int64) ovn.OVNSwitchPort
 - func OVNNetworkPrefix(networkID int64) string
 - func OVNPortGroupDeleteIfUnused(s *state.State, l logger.Logger, client *ovn.NB, aclProjectName string, ...) error
 - func OVNPortGroupInstanceNICSchedule(portUUID ovn.OVNSwitchPortUUID, ...)
 - func PortGroupActionPriority(action string, reversed bool) int
 - func UsedBy(s *state.State, aclProjectName string, ...) error
 - func ValidName(name string) error
 - type DirectionalPortGroups
 - func (p *DirectionalPortGroups) AddToChangeSet(portUUID ovn.OVNSwitchPortUUID, ...)
 - func (p *DirectionalPortGroups) CreatePortGroups(l logger.Logger, client *ovn.NB, reverter *revert.Reverter, projectID int64, ...) error
 - func (p *DirectionalPortGroups) Exist(client *ovn.NB) (bool, bool, error)
 - func (p *DirectionalPortGroups) PortGroups() []ovn.OVNPortGroup
 - func (p *DirectionalPortGroups) Remove(removeACLPortGroups map[ovn.OVNPortGroup]struct{})
 
- type NetworkACL
 - type NetworkACLUsage
 
Constants
This section is empty.
Variables
var ReservedNetworkSubects = []string{"internal", "external"}
    ReservedNetworkSubects contains a list of reserved network peer names (those starting with the @ character) that cannot be used to name peering connections. Otherwise peer connections could not be referenced in ACL rules using the "@<peer name>" format without the potential for conflicts.
var ValidActions = []string{"allow", "allow-stateless", "drop", "reject"}
    ValidActions defines valid actions for rules.
Functions
func BridgeUpdateACLs (added in v6.0.4)
func BridgeUpdateACLs(s *state.State, l logger.Logger, aclProjectName string, aclNetDevices map[string]NetworkACLUsage) error
BridgeUpdateACLs forces an update of all NIC devices that have the changed ACL applied.
func Exists
func Exists(s *state.State, projectName string, name ...string) error
Exists checks that the ACL name(s) provided exist in the project. If multiple names are provided, it also checks that no duplicate names are specified in the list.
func FirewallACLRules (added in v6.0.4)
func FirewallACLRules(s *state.State, aclDeviceName string, aclProjectName string, config map[string]string) ([]firewallDrivers.ACLRule, error)
FirewallACLRules returns the ACL rules for the network firewall.
func FirewallApplyACLRules
func FirewallApplyACLRules(s *state.State, logger logger.Logger, aclProjectName string, aclNet NetworkACLUsage) error
FirewallApplyACLRules applies ACL rules to the network firewall.
func NetworkUsage
func NetworkUsage(s *state.State, aclProjectName string, aclNames []string, aclNets map[string]NetworkACLUsage) error
NetworkUsage populates the provided aclNets map with networks that are using any of the specified ACLs.
func OVNACLNetworkPortGroupName
func OVNACLNetworkPortGroupName(networkACLID int64, networkID int64) ovn.OVNPortGroup
OVNACLNetworkPortGroupName returns the port group name for a Network ACL ID and Network ID.
func OVNACLPortGroupNamePrefix (added in v6.16.0)
func OVNACLPortGroupNamePrefix(networkACLID int64) string
OVNACLPortGroupNamePrefix returns the port group name prefix for a Network ACL ID.
func OVNApplyInstanceNICDefaultRules
func OVNApplyInstanceNICDefaultRules(client *ovn.NB, switchPortGroup ovn.OVNPortGroup, logPrefix string, nicPortName ovn.OVNSwitchPort, ingressAction string, ingressLogged bool, egressAction string, egressLogged bool) error
OVNApplyInstanceNICDefaultRules applies instance NIC default rules to the per-network port group.
func OVNApplyNetworkBaselineRules
func OVNApplyNetworkBaselineRules(client *ovn.NB, switchName ovn.OVNSwitch, routerPortName ovn.OVNSwitchPort, intRouterIPs []*net.IPNet, dnsIPs []net.IP) error
OVNApplyNetworkBaselineRules applies preset baseline logical switch rules to allow access to network services.
func OVNEnsureACLs
func OVNEnsureACLs(s *state.State, l logger.Logger, client *ovn.NB, aclProjectName string, aclNameIDs map[string]int64, aclNets map[string]NetworkACLUsage, aclNames []string, reapplyRules bool) (revert.Hook, error)
OVNEnsureACLs ensures that the requested aclNames exist as OVN port groups, creating them and applying their ACL rules if not. If reapplyRules is true then the current ACL rules in the database are applied to the existing port groups as well, rather than only to newly created ones. Any ACLs referenced in the requested ACLs' rules are also created as empty OVN port groups if needed. If a requested ACL exists but has no ACL rules applied, the current rules are loaded from the database and applied. For each network provided in aclNets, the network-specific port group for each ACL is checked for existence and, if missing, created with the network-specific ACL rules applied. Returns a revert hook that can be used to undo this function if a subsequent step fails.
func OVNIntSwitchName
func OVNIntSwitchName(networkID int64) ovn.OVNSwitch
OVNIntSwitchName returns the internal logical switch name for a Network ID.
func OVNIntSwitchPortGroupAddressSetPrefix
func OVNIntSwitchPortGroupAddressSetPrefix(networkID int64) ovn.OVNAddressSet
OVNIntSwitchPortGroupAddressSetPrefix returns the internal switch routes address set prefix for a Network ID.
func OVNIntSwitchPortGroupName
func OVNIntSwitchPortGroupName(networkID int64) ovn.OVNPortGroup
OVNIntSwitchPortGroupName returns the port group name for a Network ID.
func OVNIntSwitchRouterPortName
func OVNIntSwitchRouterPortName(networkID int64) ovn.OVNSwitchPort
OVNIntSwitchRouterPortName returns the OVN logical internal switch router port name for a Network ID.
func OVNNetworkPrefix
func OVNNetworkPrefix(networkID int64) string
OVNNetworkPrefix returns the prefix used for OVN entities related to a Network ID.
func OVNPortGroupDeleteIfUnused
func OVNPortGroupDeleteIfUnused(s *state.State, l logger.Logger, client *ovn.NB, aclProjectName string, ignoreUsageType any, ignoreUsageNicName string, keepACLs ...string) error
OVNPortGroupDeleteIfUnused deletes unused port groups. It accepts optional ignoreUsageType and ignoreUsageNicName arguments that let the used-by logic ignore one instance/profile NIC or network (useful when the config change has not yet been written to the database). It also accepts an optional list of ACLs (keepACLs) to explicitly consider in use by OVN. Combining an ignored usage with explicit keep ACLs lets the caller ensure that the desired ACLs are treated as unused by that resource even though the referring config has not yet been removed from the database, without deleting port groups it knows must stay.
func OVNPortGroupInstanceNICSchedule
func OVNPortGroupInstanceNICSchedule(portUUID ovn.OVNSwitchPortUUID, changeSet map[ovn.OVNPortGroup][]ovn.OVNSwitchPortUUID, portGroups ...ovn.OVNPortGroup)
OVNPortGroupInstanceNICSchedule adds the specified NIC port to the specified port groups in the changeSet.
func PortGroupActionPriority (added in v6.16.0)
func PortGroupActionPriority(action string, reversed bool) int
PortGroupActionPriority returns the OVN ACL priority for the specified action, taking into account whether the rule is for the reversed direction.
func UsedBy
func UsedBy(s *state.State, aclProjectName string, usageFunc func(ctx context.Context, tx *db.ClusterTx, matchedACLNames []string, usageType any, nicName string, nicConfig map[string]string) error, matchACLNames ...string) error
UsedBy finds all networks, profiles and instance NICs that use any of the specified ACLs and executes usageFunc once for each resource that uses one or more of the ACLs, passing information about the resource and the matched ACLs it uses.
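The callback contract of UsedBy and the ignore/keep semantics of OVNPortGroupDeleteIfUnused, shown together as an added example that is not part of the LXD package. It replaces the cluster database scan with a constructed in-memory slice of instance NICs, profile NICs and networks, assumes a hypothetical `security.acls` config key holding a comma separated ACL list, and identifies the resource to ignore by name and NIC name rather than by the package's `ignoreUsageType` value:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// resource is a constructed stand-in for the database rows UsedBy scans (instance
// NICs, profile NICs and networks); "security.acls" is the assumed config key.
type resource struct {
	kind    string            // "instance", "profile" or "network"
	name    string            // instance, profile or network name
	nicName string            // NIC device name; empty for networks
	config  map[string]string // NIC or network config
}

// aclsOf splits the comma separated ACL list out of a config map.
func aclsOf(cfg map[string]string) []string {
	var out []string
	for _, a := range strings.Split(cfg["security.acls"], ",") {
		if a = strings.TrimSpace(a); a != "" {
			out = append(out, a)
		}
	}
	return out
}

// usedBy follows the callback contract of acl.UsedBy: usageFunc runs once per
// resource referencing at least one of matchACLNames, receiving only the matched names.
func usedBy(resources []resource, usageFunc func(r resource, matched []string) error, matchACLNames ...string) error {
	want := make(map[string]struct{}, len(matchACLNames))
	for _, n := range matchACLNames {
		want[n] = struct{}{}
	}
	for _, r := range resources {
		var matched []string
		for _, a := range aclsOf(r.config) {
			if _, ok := want[a]; ok {
				matched = append(matched, a)
			}
		}
		if len(matched) == 0 {
			continue
		}
		if err := usageFunc(r, matched); err != nil {
			return err
		}
	}
	return nil
}

// unusedACLs returns the candidates whose port groups may be deleted, following the
// contract described for OVNPortGroupDeleteIfUnused: the resource named by
// ignoreName/ignoreNIC is skipped (its config is about to be removed but is still
// stored) and keepACLs are always treated as in use.
func unusedACLs(resources []resource, ignoreName, ignoreNIC string, keepACLs []string, candidateACLs ...string) ([]string, error) {
	inUse := make(map[string]struct{}, len(keepACLs))
	for _, k := range keepACLs {
		inUse[k] = struct{}{}
	}
	err := usedBy(resources, func(r resource, matched []string) error {
		if r.name == ignoreName && r.nicName == ignoreNIC {
			return nil // Pending removal: do not let it keep the ACL alive.
		}
		for _, m := range matched {
			inUse[m] = struct{}{}
		}
		return nil
	}, candidateACLs...)
	if err != nil {
		return nil, err
	}
	unused := []string{}
	for _, c := range candidateACLs {
		if _, ok := inUse[c]; !ok {
			unused = append(unused, c)
		}
	}
	sort.Strings(unused)
	return unused, nil
}

// sampleResources is constructed data: "web" has two users, "ssh" and "mgmt" one each.
var sampleResources = []resource{
	{kind: "instance", name: "c1", nicName: "eth0", config: map[string]string{"security.acls": "web,ssh"}},
	{kind: "profile", name: "default", nicName: "eth0", config: map[string]string{"security.acls": "web"}},
	{kind: "network", name: "ovn0", config: map[string]string{"security.acls": "mgmt"}},
}

func main() {
	candidates := []string{"web", "ssh", "mgmt", "stale"}
	all, _ := unusedACLs(sampleResources, "", "", nil, candidates...)
	detaching, _ := unusedACLs(sampleResources, "c1", "eth0", nil, candidates...)
	kept, _ := unusedACLs(sampleResources, "c1", "eth0", []string{"ssh"}, candidates...)
	fmt.Println("unused:", all)                           // [stale]
	fmt.Println("unused if c1/eth0 detaches:", detaching) // [ssh stale]
	fmt.Println("unused but keeping ssh:", kept)          // [stale]
}
```

The second call is the case the doc comment describes: c1's NIC config still names "ssh" in the store, but because the detach is in progress the caller asks for it to be ignored, so "ssh" becomes deletable while "web" survives through the profile. The third call shows keepACLs overriding that outcome for an ACL the caller knows will be re-applied, which is the safe direction of error: an extra port group is harmless, a missing one drops enforcement.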
Types
type DirectionalPortGroups (added in v6.16.0)
type DirectionalPortGroups struct {
	Prefix          string
	All             ovn.OVNPortGroup
	Ingress         ovn.OVNPortGroup
	Egress          ovn.OVNPortGroup
	IngressReversed ovn.OVNPortGroup
	EgressReversed  ovn.OVNPortGroup
}
    DirectionalPortGroups defines the OVN port group names for traffic matching in each direction, including both normal and reversed flows.
func OVNACLDirectionalPortGroups (added in v6.16.0)
func OVNACLDirectionalPortGroups(networkACLID int64) *DirectionalPortGroups
OVNACLDirectionalPortGroups returns the port group names of all kinds for a Network ACL ID.
func (*DirectionalPortGroups) AddToChangeSet (added in v6.16.0)
func (p *DirectionalPortGroups) AddToChangeSet(portUUID ovn.OVNSwitchPortUUID, changeSet map[ovn.OVNPortGroup][]ovn.OVNSwitchPortUUID)
AddToChangeSet adds the specified port to every port group in the set within the given changeSet.
func (*DirectionalPortGroups) CreatePortGroups (added in v6.16.0)
func (p *DirectionalPortGroups) CreatePortGroups(l logger.Logger, client *ovn.NB, reverter *revert.Reverter, projectID int64, aclName string) error
CreatePortGroups creates the directional port groups for ingress and egress rules.
func (*DirectionalPortGroups) Exist (added in v6.16.0)
func (p *DirectionalPortGroups) Exist(client *ovn.NB) (bool, bool, error)
Exist checks whether all port groups in the set exist. It returns two values:
- exists: false if any port group does not exist.
- hasACLs: false if any existing port group has no ACLs.

func (*DirectionalPortGroups) PortGroups (added in v6.16.0)
func (p *DirectionalPortGroups) PortGroups() []ovn.OVNPortGroup
PortGroups returns all port group names as a slice.
func (*DirectionalPortGroups) Remove (added in v6.16.0)
func (p *DirectionalPortGroups) Remove(removeACLPortGroups map[ovn.OVNPortGroup]struct{})
Remove deletes the set's port groups from the given map of port groups.
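An added example, not the project's code, of how OVNPortGroupInstanceNICSchedule and the DirectionalPortGroups methods fit together: scheduling a NIC port into every group of an ACL, the two-value Exist rule, and using Remove to take in-use groups out of a pending-deletion set. Local PortGroup and SwitchPortUUID types stand in for the ovn package, the group name format lxd_acl<ID>[_<direction>[_reversed]] is an assumption, and a map of rule counts stands in for the OVN northbound database:

```go
package main

import (
	"fmt"
	"sort"
)

// Local stand-ins for the ovn package types, so this builds without LXD.
type (
	PortGroup      string
	SwitchPortUUID string
)

// directionalPortGroups mirrors acl.DirectionalPortGroups; the name format is assumed here.
type directionalPortGroups struct {
	Prefix                                                string
	All, Ingress, Egress, IngressReversed, EgressReversed PortGroup
}

func newDirectionalPortGroups(aclID int64) *directionalPortGroups {
	prefix := fmt.Sprintf("lxd_acl%d", aclID)
	return &directionalPortGroups{
		Prefix: prefix, All: PortGroup(prefix),
		Ingress: PortGroup(prefix + "_ingress"), IngressReversed: PortGroup(prefix + "_ingress_reversed"),
		Egress: PortGroup(prefix + "_egress"), EgressReversed: PortGroup(prefix + "_egress_reversed"),
	}
}

func (p *directionalPortGroups) portGroups() []PortGroup {
	return []PortGroup{p.All, p.Ingress, p.Egress, p.IngressReversed, p.EgressReversed}
}

// schedulePort queues portUUID for each group without touching OVN (the shape of
// OVNPortGroupInstanceNICSchedule); AddToChangeSet is this call over p.portGroups().
func schedulePort(portUUID SwitchPortUUID, changeSet map[PortGroup][]SwitchPortUUID, groups ...PortGroup) {
	for _, g := range groups {
		changeSet[g] = append(changeSet[g], portUUID)
	}
}

// remove takes this ACL's groups out of a pending-deletion set because they are still in use.
func (p *directionalPortGroups) remove(removePortGroups map[PortGroup]struct{}) {
	for _, g := range p.portGroups() {
		delete(removePortGroups, g)
	}
}

// portGroupStore is a constructed stand-in for the OVN northbound database: present key = group exists, value = ACL rule count.
type portGroupStore map[PortGroup]int

// exist applies the documented Exist rule: exists is false if any group is missing,
// hasACLs is false if any group that does exist carries no ACLs.
func (p *directionalPortGroups) exist(store portGroupStore) (exists bool, hasACLs bool) {
	exists, hasACLs = true, true
	for _, g := range p.portGroups() {
		if rules, ok := store[g]; !ok {
			exists = false
		} else if rules == 0 {
			hasACLs = false
		}
	}
	return exists, hasACLs
}

// pruneCandidates starts from every group in the store, drops the groups of each
// ACL still in use, and returns the rest (sorted) as safe to delete.
func pruneCandidates(store portGroupStore, inUse []*directionalPortGroups) []PortGroup {
	toRemove := make(map[PortGroup]struct{}, len(store))
	for g := range store {
		toRemove[g] = struct{}{}
	}
	for _, p := range inUse {
		p.remove(toRemove)
	}
	out := make([]PortGroup, 0, len(toRemove))
	for g := range toRemove {
		out = append(out, g)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// sampleStore is constructed data: ACL 1 fully populated, ACL 2 with an empty
// egress group, plus a per-network group that no ACL set owns.
func sampleStore() portGroupStore {
	store := portGroupStore{"lxd_net5": 2}
	for _, id := range []int64{1, 2} {
		for _, g := range newDirectionalPortGroups(id).portGroups() {
			store[g] = 3
		}
	}
	store[newDirectionalPortGroups(2).Egress] = 0
	return store
}

func main() {
	store, acl1 := sampleStore(), newDirectionalPortGroups(1)
	changeSet := map[PortGroup][]SwitchPortUUID{}
	schedulePort("nic-port-uuid-1", changeSet, acl1.portGroups()...)
	exists, hasACLs := newDirectionalPortGroups(2).exist(store)
	fmt.Println(len(changeSet), "groups queued; acl2 exists:", exists, "hasACLs:", hasACLs)
	fmt.Println("deletable:", pruneCandidates(store, []*directionalPortGroups{acl1}))
}
```

Note the asymmetry in the Exist rule as documented: a missing group clears exists but leaves hasACLs untouched, so for an ACL with no groups at all the pair is (false, true). Callers should branch on exists before trusting hasACLs, which is what the "exists but has no ACL rules applied" path in OVNEnsureACLs relies on.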
type NetworkACL
type NetworkACL interface {
	// Info.
	ID() int64
	Project() string
	Info() *api.NetworkACL
	Etag() []any
	UsedBy() ([]string, error)
	// GetLog.
	GetLog(clientType request.ClientType) (string, error)
	// Modifications.
	Update(config *api.NetworkACLPut, clientType request.ClientType) error
	Rename(newName string) error
	Delete() error
	// contains filtered or unexported methods
}
    NetworkACL represents a Network ACL.
func LoadByName
LoadByName loads and initializes a Network ACL from the database by project and name.