forked from digineo/go-ipset
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathipset.go
202 lines (168 loc) · 4.58 KB
/
ipset.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
// Package ipset contains bindings to libipset
// Requirements: apt install ipset-dev
package ipset
import (
"encoding/xml"
"fmt"
"io"
"os"
"sync"
"unsafe"
)
/*
#cgo pkg-config: libipset
#include <stdlib.h>
#include "ipset.h"
*/
import "C"
// ListResult is the result of a LIST command
type ListResult struct {
Sets []IPSet `xml:"ipset"`
}
// IPSet represents a returned ipset
type IPSet struct {
Type string `xml:"type"`
Revision byte `xml:"revision"`
Name string `xml:"name,attr"`
Header Header `xml:"header"`
Members []Member `xml:"members>member"`
}
// Header is the header of an ipset result
type Header struct {
Family string `xml:"family"`
HashSize int `xml:"hashsize"`
MaxElem int `xml:"maxelem"`
Timeout int `xml:"timeout"`
MemSize int `xml:"memsize"`
References int `xml:"references"`
NumEntries int `xml:"numentries"`
}
// Member is the entry of an ipset
type Member struct {
Elem string `xml:"elem"`
Timeout int `xml:"timeout"`
}
var (
xmlWriter *io.PipeWriter
listLock sync.Mutex
)
func init() {
C.ipset_load_types()
}
//export outfn
func outfn(buf *C.char) {
xmlWriter.Write([]byte(C.GoString(buf)))
}
// ListAll returns all ipsets
func ListAll() ([]IPSet, error) {
return list("")
}
// List returns a single ipset
func List(setname string) (*IPSet, error) {
list, err := list(setname)
if err != nil {
return nil, err
}
return &list[0], nil
}
func list(setname string) ([]IPSet, error) {
// Create session
session := C.session_init_xml()
if session == nil {
return nil, fmt.Errorf("failed to initialize ipset session")
}
defer C.ipset_session_fini(session)
listLock.Lock()
defer listLock.Unlock()
var reader *io.PipeReader
var result ListResult
var err error
var wg sync.WaitGroup
reader, xmlWriter = io.Pipe()
wg.Add(1)
go func() {
err = xml.NewDecoder(reader).Decode(&result)
wg.Done()
}()
if setname != "" {
cSetname := C.CString(setname)
defer C.free(unsafe.Pointer(cSetname))
// Set setname
if C.ipset_parse_setname(session, C.IPSET_SETNAME, cSetname) != 0 {
return nil, fmt.Errorf("failed to parse setname '%s'", setname)
}
}
// Finally execute the command
if retval := C.ipset_cmd(session, C.IPSET_CMD_LIST, 0); retval != 0 {
return nil, fmt.Errorf("ipset failed with %d", retval)
}
xmlWriter.Close()
xmlWriter = nil
wg.Wait()
return result.Sets, err
}
// Add adds a new entry to an existing set
func Add(setname, address string, args ...string) error {
return exec(C.IPSET_CMD_ADD, setname, address, args...)
}
// Del deletes an entry from an existing set
func Del(setname, address string, args ...string) error {
return exec(C.IPSET_CMD_DEL, setname, address, args...)
}
// Test an entry from an existing set
func Test(setname, address string, args ...string) error {
return exec(C.IPSET_CMD_TEST, setname, address, args...)
}
func exec(cmd uint32, setname, address string, args ...string) error {
if len(args)%2 != 0 {
return fmt.Errorf("odd number of arguments given")
}
listLock.Lock()
defer listLock.Unlock()
cAddress := C.CString(address)
defer C.free(unsafe.Pointer(cAddress))
cSetname := C.CString(setname)
defer C.free(unsafe.Pointer(cSetname))
// Create session
session := C.ipset_session_init(nil)
if session == nil {
return fmt.Errorf("failed to initialize ipset session")
}
defer C.ipset_session_fini(session)
// Replace existing entries
C.ipset_envopt_parse(session, C.IPSET_ENV_EXIST, nil)
// Set setname
if C.ipset_parse_setname(session, C.IPSET_SETNAME, cSetname) != 0 {
return fmt.Errorf("failed to parse setname '%s'", setname)
}
// Get type
typ := C.ipset_type_get(session, cmd)
if typ == nil {
if os.Geteuid() != 0 {
return fmt.Errorf("failed to get type of cmd %d - ipset '%s' missing or not running as root?", cmd, setname)
}
return fmt.Errorf("failed to get type of cmd %d - ipset '%s' missing?", cmd, setname)
}
C.ipset_parse_elem(session, typ.last_elem_optional, cAddress)
// Iterate over argument pairs
for i := 0; i < len(args); i += 2 {
key := args[i]
val := args[i+1]
cKey := C.CString(key)
cVal := C.CString(val)
defer C.free(unsafe.Pointer(cKey))
defer C.free(unsafe.Pointer(cVal))
if arg := C.get_ipset_arg(typ, cKey); arg != nil {
if retval := C.ipset_call_parser(session, arg, cVal); retval != 0 {
return fmt.Errorf("failed to set %s=%s (%d)", key, val, retval)
}
} else {
return fmt.Errorf("unknown argument: %s", key)
}
}
// Finally execute the command
if retval := C.ipset_cmd(session, cmd, 0); retval != 0 {
return fmt.Errorf("ipset failed with %d", retval)
}
return nil
}