Skip to content

Commit

Permalink
add SUPPORT_IP_MATCH define
Browse files Browse the repository at this point in the history
Signed-off-by: superCharge-xsy <[email protected]>
  • Loading branch information
supercharge-xsy committed Aug 10, 2024
1 parent 4c6d4e8 commit abec189
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 22 deletions.
18 changes: 0 additions & 18 deletions bpf/include/bpf_common.h
Original file line number Diff line number Diff line change
Expand Up @@ -163,24 +163,6 @@ static inline bool handle_kmesh_manage_process(struct kmesh_context *kmesh_ctx)
return false;
}

/* This function is used to modify the value of the
* record in the manager map. When the value is 0, it
* means that it has not been bypassed. When it is 1,
* it means that it has been bypassed.
*/
static inline bool handle_bypass_process(struct kmesh_context *kmesh_ctx)
{
if (conn_from_bypass_sim_add(kmesh_ctx)) {
set_netns_bypass_value(kmesh_ctx->ctx, 1);
return true;
}
if (conn_from_bypass_sim_delete(kmesh_ctx)) {
set_netns_bypass_value(kmesh_ctx->ctx, 0);
return true;
}
return false;
}

static inline void *kmesh_get_ptr_val(const void *ptr)
{
/*
Expand Down
13 changes: 9 additions & 4 deletions bpf/kmesh/workload/include/authz.h
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
#define UNMATCHED 0
#define MATCHED 1
#define UNSUPPORTED 2
#define MAX_MEMBER_NUM_PER_POLICY 16
#define MAX_MEMBER_NUM_PER_POLICY 8
#define TYPE_SRCIP (1)
#define TYPE_DSTIP (1 << 1)
#define TYPE_DSTPORT (1 << 2)
Expand All @@ -40,7 +40,7 @@ static inline Istio__Security__Authorization *map_lookup_authz(const char *key)
return (Istio__Security__Authorization*)kmesh_map_lookup_elem(&map_of_authz, key);
}


#ifdef SUPPORT_IP_MATCH
static inline __u32 convert_ipv4_to_u32(const struct ProtobufCBinaryData *ipv4_data)
{
if (ipv4_data->len != 4) {
Expand Down Expand Up @@ -143,6 +143,7 @@ static inline int matchSrcIPs(Istio__Security__Match *match, struct bpf_sock_tup
}
return UNMATCHED;
}
#endif

static inline int matchDstPorts(Istio__Security__Match *match, struct bpf_sock_tuple *tuple_info)
{
Expand All @@ -161,7 +162,7 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct bpf_sock_t
return UNMATCHED;
}

for (i = 0; i <MAX_MEMBER_NUM_PER_POLICY; i++) {
for (i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) {
if (i >= match->n_not_destination_ports) {
break;
}
Expand Down Expand Up @@ -200,10 +201,11 @@ static inline int match_check(Istio__Security__Match *match, struct bpf_sock_tup

// todo: if some type not supported, need retun UNSUPPORT and allow this packet

Check failure on line 202 in bpf/kmesh/workload/include/authz.h

View workflow job for this annotation

GitHub Actions / Check for spelling errors

retun ==> return

Check failure on line 202 in bpf/kmesh/workload/include/authz.h

View workflow job for this annotation

GitHub Actions / Check for spelling errors

UNSUPPORT ==> UNSUPPORTED
// if multiple types are set, they are AND-ed, all matched is a match
/*
matchResult = matchSrcIPs(match, tuple_info);
if (matchResult != MATCHED) {
return matchResult;
}
}*/

matchResult = matchDstPorts(match, tuple_info);
return matchResult;
Expand Down Expand Up @@ -322,6 +324,9 @@ static inline int match_workload_scope(struct bpf_sock_tuple *tuple_info)
int ret = 0;
char policy_key[BPF_DATA_MAX_LEN] = "test-policy"; // 键为 "test-policy"
Istio__Security__Authorization *policy = map_lookup_authz(policy_key);
if (!policy) {
return AUTH_ALLOW;
}
ret = policy_manage(policy, tuple_info);
if (ret == AUTH_DENY) {
BPF_LOG(ERR, AUTH, "policy %s manage result deny\n", kmesh_get_ptr_val(policy->name));
Expand Down

0 comments on commit abec189

Please sign in to comment.