Optimize ACL performance (#994)

* Optimize rules with All groups * Use IP sets in ACLs (nftables implementation) * Fix squash rule when we receive optimized rules list from management
2026-04-19 08:46:38 +00:00 · 2023-07-18 13:12:50 +04:00
parent 7ebe58f20a
commit e69ec6ab6a
15 changed files with 727 additions and 114 deletions
--- a/client/firewall/nftables/ruleset_linux.go
+++ b/client/firewall/nftables/ruleset_linux.go
@@ -0,0 +1,115 @@
+package nftables
+
+import (
+	"bytes"
+	"fmt"
+
+	"github.com/google/nftables"
+	"github.com/rs/xid"
+)
+
+// nftRuleset links native firewall rule and ipset to ACL generated rules
+type nftRuleset struct {
+	nftRule     *nftables.Rule
+	nftSet      *nftables.Set
+	issuedRules map[string]*Rule
+	rulesetID   string
+}
+
+type rulesetManager struct {
+	rulesets map[string]*nftRuleset
+
+	nftSetName2rulesetID   map[string]string
+	issuedRuleID2rulesetID map[string]string
+}
+
+func newRuleManager() *rulesetManager {
+	return &rulesetManager{
+		rulesets: map[string]*nftRuleset{},
+
+		nftSetName2rulesetID:   map[string]string{},
+		issuedRuleID2rulesetID: map[string]string{},
+	}
+}
+
+func (r *rulesetManager) getRuleset(rulesetID string) (*nftRuleset, bool) {
+	ruleset, ok := r.rulesets[rulesetID]
+	return ruleset, ok
+}
+
+func (r *rulesetManager) createRuleset(
+	rulesetID string,
+	nftRule *nftables.Rule,
+	nftSet *nftables.Set,
+) *nftRuleset {
+	ruleset := nftRuleset{
+		rulesetID:   rulesetID,
+		nftRule:     nftRule,
+		nftSet:      nftSet,
+		issuedRules: map[string]*Rule{},
+	}
+	r.rulesets[ruleset.rulesetID] = &ruleset
+	if nftSet != nil {
+		r.nftSetName2rulesetID[nftSet.Name] = ruleset.rulesetID
+	}
+	return &ruleset
+}
+
+func (r *rulesetManager) addRule(
+	ruleset *nftRuleset,
+	ip []byte,
+) (*Rule, error) {
+	if _, ok := r.rulesets[ruleset.rulesetID]; !ok {
+		return nil, fmt.Errorf("ruleset not found")
+	}
+
+	rule := Rule{
+		nftRule: ruleset.nftRule,
+		nftSet:  ruleset.nftSet,
+		ruleID:  xid.New().String(),
+		ip:      ip,
+	}
+
+	ruleset.issuedRules[rule.ruleID] = &rule
+	r.issuedRuleID2rulesetID[rule.ruleID] = ruleset.rulesetID
+
+	return &rule, nil
+}
+
+// deleteRule from ruleset and returns true if contains other rules
+func (r *rulesetManager) deleteRule(rule *Rule) bool {
+	rulesetID, ok := r.issuedRuleID2rulesetID[rule.ruleID]
+	if !ok {
+		return false
+	}
+
+	ruleset := r.rulesets[rulesetID]
+	if ruleset.nftRule == nil {
+		return false
+	}
+	delete(r.issuedRuleID2rulesetID, rule.ruleID)
+	delete(ruleset.issuedRules, rule.ruleID)
+
+	if len(ruleset.issuedRules) == 0 {
+		delete(r.rulesets, ruleset.rulesetID)
+		if rule.nftSet != nil {
+			delete(r.nftSetName2rulesetID, rule.nftSet.Name)
+		}
+		return false
+	}
+	return true
+}
+
+// setNftRuleHandle finds rule by userdata which contains rulesetID and updates it's handle number
+//
+// This is important to do, because after we add rule to the nftables we can't update it until
+// we set correct handle value to it.
+func (r *rulesetManager) setNftRuleHandle(nftRule *nftables.Rule) error {
+	split := bytes.Split(nftRule.UserData, []byte(" "))
+	ruleset, ok := r.rulesets[string(split[0])]
+	if !ok {
+		return fmt.Errorf("ruleset not found")
+	}
+	*ruleset.nftRule = *nftRule
+	return nil
+}