- Implemented on top of Genie changes from Tom - Add the following classes class[gbpe/LocalL24Classifier] class[gbp/LocalSecGroup] class[gbp/LocalSecGroupSubject] class[gbp/LocalSecGroupRule] class[gbp/LocalAllowDenyAction] class[gbp/LocalSubnets] class[gbp/LocalSubnet] - These are enabled via the opflex.enable-local-netpol config variable and read from .netpol files in the netpol-sources.filesystem directory that is configured in the opflex config (local netpol is disabled by default) - Each security group will contain a .netpol JSON file containing the corresponding netpol - The implementation will read these files and update the MODB; the read then triggers callbacks. These are the old callbacks in the policymanager that have been extended to also process the local network policies. - Add a new classtype LOCAL_POLICY to differentiate from POLICY, which is always assumed to be remote and would trigger a resolveObj - Extend deserialize to support local ObjectInstances; currently it assumes it is only called for remote ones. - Add LocalAllowDenyAction on startup, since this is the only MO shared across netpols and should never be deleted. This is added in the common tenant and one is created at startup. - Implement delete by saving the notifs during add. File-based delete will not work without some state because the file notification happens after the file is deleted. Signed-off-by: Madhu Challa <challa@gmail.com>
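--- /dev/null
+++ b/FSNetpolSource.cpp
@@ -0,0 +1,98 @@
+/* -*- C++ -*-; c-basic-offset: 4; indent-tabs-mode: nil */
+/*
+ * Implementation for FSNetpolSource class.
+ *
+ * Copyright (c) 2024 Cisco Systems, Inc. and others. All rights reserved.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v1.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v10.html
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+#if defined(HAVE_SYS_INOTIFY_H) && defined(HAVE_SYS_EVENTFD_H)
+#define USE_INOTIFY
+#endif
+
+#include <stdexcept>
+#include <sstream>
+#include <boost/algorithm/string/predicate.hpp>
+
+#include <opflexagent/FSNetpolSource.h>
+#include <opflexagent/logging.h>
+
+namespace opflexagent {
+
+using boost::optional;
+namespace fs = boost::filesystem;
+using std::string;
+using std::runtime_error;
+
+FSNetpolSource::FSNetpolSource(opflex::ofcore::OFFramework& framework_,
+                               FSWatcher& listener,
+                               const std::string& netpolDir)
+    : framework(framework_) {
+    LOG(INFO) << "Watching " << netpolDir << " for netpol data";
+    listener.addWatch(netpolDir, *this);
+}
+
+static bool isnetpol(fs::path filePath) {
+    string fstr = filePath.filename().string();
+    return (boost::algorithm::ends_with(fstr, ".netpol") &&
+            !boost::algorithm::starts_with(fstr, "."));
+}
+
+void FSNetpolSource::updated(const fs::path& filePath) {
+    if (!isnetpol(filePath)) return;
+
+    try {
+        string pathstr = filePath.string();
+        netpol_map_t::const_iterator it = knownNetpols.find(pathstr);
+        if (it != knownNetpols.end()) {
+            deleted(filePath);
+        }
+        opflex::modb::mointernal::StoreClient::notif_t notifs;
+        size_t n =
+            framework.updateMOs(pathstr, opflex::gbp::PolicyUpdateOp::REPLACE, ¬ifs);
+        knownNetpols[pathstr] = notifs;
+
+        LOG(INFO) << "Updated Netpol " << filePath.stem()
+                  << " from " << filePath
+                  << " ( " << n << " Objects )";
+    } catch (const std::exception& ex) {
+        LOG(ERROR) << "Could not load netpol from: "
+                   << filePath << ": "
+                   << ex.what();
+    } catch (...) {
+        LOG(ERROR) << "Unknown error while loading netpol "
+                   << "information from "
+                   << filePath;
+    }
+}
+
+void FSNetpolSource::deleted(const fs::path& filePath) {
+    try {
+        string pathstr = filePath.string();
+        netpol_map_t::iterator it = knownNetpols.find(pathstr);
+        if (it != knownNetpols.end()) {
+
+            framework.deleteMOs(it->second);
+            LOG(INFO) << "Removed netpol-uuid "
+                      << filePath.stem()
+                      << " at " << filePath
+                      << " ( " << it->second.size() << " Objects )";
+            knownNetpols.erase(it);
+        }
+    } catch (const std::exception& ex) {
+        LOG(ERROR) << "Could not delete netpol for "
+                   << filePath << ": "
+                   << ex.what();
+    } catch (...) {
+        LOG(ERROR) << "Unknown error while deleting netpol information for "
+                   << filePath;
+    }
+}
+
+} /* namespace opflexagent */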
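Review bot: In `FSNetpolSource::updated` the previously loaded policy is torn down by `deleted(filePath)` before `framework.updateMOs` has parsed the new file, so a malformed rewrite (or a file caught mid-write by the watcher) leaves the catch block with nothing to restore: the security group's objects are gone from the MODB and its entry is gone from `knownNetpols`, and whichever way the dataplane treats a missing group, that is not the policy an operator last configured. Applying the new file first and then deleting only the URIs the old notif set had but the new one lacks keeps the last good policy on a bad update; the sketch below assumes `notif_t` is keyed by URI, as its use with `deleteMOs` and `size()` suggests, and should be checked against the StoreClient definition. The trust boundary also deserves a comment on the constructor, e.g. `// Anything that can write a *.netpol file into netpolDir injects objects straight into the MODB; the directory must be writable only by the agent's administrator.` The `¬ifs` on the `updateMOs` call is almost certainly `&notifs` mangled by entity decoding in this rendering rather than in the committed source.

```cpp
void FSNetpolSource::updated(const fs::path& filePath) {
    if (!isnetpol(filePath)) return;

    try {
        string pathstr = filePath.string();
        // Apply the new contents first so that a malformed rewrite leaves the
        // previous policy in place instead of an empty security group.
        opflex::modb::mointernal::StoreClient::notif_t notifs;
        size_t n =
            framework.updateMOs(pathstr, opflex::gbp::PolicyUpdateOp::REPLACE, &notifs);

        netpol_map_t::iterator it = knownNetpols.find(pathstr);
        if (it != knownNetpols.end()) {
            // Remove only the objects the new file no longer defines.
            opflex::modb::mointernal::StoreClient::notif_t stale;
            for (const auto& old : it->second) {
                if (notifs.find(old.first) == notifs.end())
                    stale.insert(old);
            }
            if (!stale.empty()) framework.deleteMOs(stale);
        }
        knownNetpols[pathstr] = std::move(notifs);
        // … unchanged: LOG(INFO) "Updated Netpol" …
    }
    // … unchanged: catch blocks …
}
```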