pcn-firewall: implement support for insert/delete

this commit introduces the support for:
- insert: insert a rule at position id
and translate forward all the following rules.
by default inserts in position id=0
that means at the beginning of the ruleset
- delete: delete a rule taking as parameter the
rule fields (not the id). This could help in
scenarios in witch we don't care about indexes.
if multiple rules are present with same fields
then the firts matching is taken

Signed-off-by: Matteo Bertrone <m.bertrone@gmail.com>

Author: mbertrone

src/services/pcn-firewall/src/Chain.cpp

@@ -589,9 +589,156 @@ void Chain::delRuleList() {
 }
 
 ChainInsertOutputJsonObject Chain::insert(ChainInsertInputJsonObject input) {
-  throw std::runtime_error("Chain::ChainInsertOutput: Method not implemented");
+  ChainRuleJsonObject conf;
+
+  if (input.conntrackIsSet()) {
+    conf.setConntrack(input.getConntrack());
+  }
+  if (input.srcIsSet()) {
+    conf.setSrc(input.getSrc());
+  }
+  if (input.dstIsSet()) {
+    conf.setDst(input.getDst());
+  }
+  if (input.sportIsSet()) {
+    conf.setSport(input.getSport());
+  }
+  if (input.dportIsSet()) {
+    conf.setDport(input.getDport());
+  }
+  if (input.tcpflagsIsSet()) {
+    conf.setTcpflags(input.getTcpflags());
+  }
+  if (input.l4protoIsSet()) {
+    conf.setL4proto(input.getL4proto());
+  }
+  if (input.actionIsSet()) {
+    conf.setAction(input.getAction());
+  } else {
+    conf.setAction(ActionEnum::DROP);
+  }
+
+  uint32_t id = 0;
+  if (input.idIsSet()) {
+    id = input.getId();
+  }
+
+  if (id > rules_.size()) {
+    throw std::runtime_error("id not allowed");
+  }
+
+  auto newRule = std::make_shared<ChainRule>(*this, conf);
+
+  ChainStatsJsonObject confStats;
+  auto newStats = std::make_shared<ChainStats>(*this, confStats);
+
+  getStatsList();
+
+  if (newRule == nullptr) {
+    // Totally useless, but it is needed to avoid the compiler making wrong
+    // assumptions and reordering
+    throw new std::runtime_error("I won't be thrown");
+
+  } else if (rules_.size() >= id && newRule != nullptr) {
+    rules_.resize(rules_.size() + 1);
+    counters_.resize(counters_.size() + 1);
+  }
+
+  // 0, 1, 2, 3
+  // insert @2
+  // 0, 1, 2*, 2->3, 3->4
+
+  // for rules before id
+  // nothing
+
+  // for rules starting from id to rules size-1
+  // move ahead i -> i+i
+  // btw, better to start from the end of the array
+  // for rules starting from size-1 to id
+  // move ahead i -> i+i
+
+  int i = 0;
+  int id_int = (int)id;
+
+  // ids are 0,1,2
+  // size=3
+  // id = 1 (insert)
+
+  // new size = 4
+
+  // from 1 to 2
+  // move 2->3
+  // move 1->2,
+  // replace 1
+
+  for (i = rules_.size() - 2; i >= id_int; i--) {
+    rules_[i + 1] = rules_[i];
+    counters_[i + 1] = counters_[i];
+    if (rules_[i + 1] != nullptr) {
+      rules_[i + 1]->id = i + 1;
+    }
+    if (counters_[i + 1] != nullptr) {
+      counters_[i + 1]->counter.setId(i + 1);
+    }
+  }
+
+  rules_[id] = newRule;
+  rules_[id]->id = id;
+
+  counters_[id] = newStats;
+  counters_[id]->counter.setPkts(0);
+  counters_[id]->counter.setBytes(0);
+  counters_[id]->counter.setId(id);
+
+  if (parent_.interactive_) {
+    updateChain();
+  }
+
+  // set fields for return object
+  ChainInsertOutputJsonObject result;
+  result.setId(id);
+
+  return result;
 }
 
 void Chain::deletes(ChainDeleteInputJsonObject input) {
-  throw std::runtime_error("Chain::: Method not implemented");
+  ChainRuleJsonObject conf;
+
+  if (input.conntrackIsSet()) {
+    conf.setConntrack(input.getConntrack());
+  }
+  if (input.srcIsSet()) {
+    conf.setSrc(input.getSrc());
+  }
+  if (input.dstIsSet()) {
+    conf.setDst(input.getDst());
+  }
+  if (input.sportIsSet()) {
+    conf.setSport(input.getSport());
+  }
+  if (input.dportIsSet()) {
+    conf.setDport(input.getDport());
+  }
+  if (input.tcpflagsIsSet()) {
+    conf.setTcpflags(input.getTcpflags());
+  }
+  if (input.l4protoIsSet()) {
+    conf.setL4proto(input.getL4proto());
+  }
+  if (input.actionIsSet()) {
+    conf.setAction(input.getAction());
+  } else {
+    conf.setAction(ActionEnum::DROP);
+  }
+
+  for (int i = 0; i < rules_.size(); i++) {
+    if (rules_[i] != nullptr) {
+      ChainRule c(*this, conf);
+      if (rules_[i]->equal(c)) {
+        delRule(i);
+        return;
+      }
+    }
+  }
+  throw std::runtime_error("no matching rule to delete");
 }

src/services/pcn-firewall/src/Chain.h

@@ -20,6 +20,7 @@
 #include <condition_variable>
 #include <mutex>
 #include <thread>
+#include <memory>
 
 #include "base/ChainBase.h"
 

src/services/pcn-firewall/src/ChainRule.cpp

@@ -194,3 +194,64 @@ uint32_t ChainRule::getId() {
   // This method retrieves the id value.
   return id;
 }
+
+bool ChainRule::equal(ChainRule &cmp) {
+  if (ipSrcIsSet != cmp.ipSrcIsSet)
+    return false;
+  if (ipSrcIsSet) {
+    if (ipSrc.toString() != cmp.ipSrc.toString())
+      return false;
+  }
+
+  if (ipDstIsSet != cmp.ipDstIsSet)
+    return false;
+  if (ipDstIsSet) {
+    if (ipDst.toString() != cmp.ipDst.toString())
+      return false;
+  }
+
+  if (srcPortIsSet != cmp.srcPortIsSet)
+    return false;
+  if (srcPortIsSet) {
+    if (srcPort != cmp.srcPort)
+      return false;
+  }
+
+  if (dstPortIsSet != cmp.dstPortIsSet)
+    return false;
+  if (dstPortIsSet) {
+    if (dstPort != cmp.dstPort)
+      return false;
+  }
+
+  if (l4ProtoIsSet != cmp.l4ProtoIsSet)
+    return false;
+  if (l4ProtoIsSet) {
+    if (l4Proto != cmp.l4Proto)
+      return false;
+  }
+
+  if (tcpFlagsIsSet != cmp.tcpFlagsIsSet)
+    return false;
+  if (tcpFlagsIsSet) {
+    if ((flagsSet != cmp.flagsSet) || ((flagsNotSet != cmp.flagsNotSet)))
+      return false;
+  }
+
+  if (actionIsSet != cmp.actionIsSet)
+    return false;
+
+  if (actionIsSet) {
+    if (action != cmp.action)
+      return false;
+  }
+
+  if (conntrackIsSet != cmp.conntrackIsSet)
+    return false;
+  if (conntrackIsSet) {
+    if (conntrack != cmp.conntrack)
+      return false;
+  }
+
+  return true;
+}

src/services/pcn-firewall/src/ChainRule.h

@@ -35,6 +35,8 @@ class ChainRule : public ChainRuleBase {
   void update(const ChainRuleJsonObject &conf) override;
   ChainRuleJsonObject toJsonObject() override;
 
+  bool equal(ChainRule &cmp);
+
   /// <summary>
   /// Description of the rule.
   /// </summary>

src/services/pcn-firewall/src/api/FirewallApiImpl.cpp

@@ -160,7 +160,7 @@ create_firewall_chain_delete_by_id(const std::string &name, const ChainNameEnum
   auto firewall = get_cube(name);
   auto chain = firewall->getChain(chainName);
 
-//  return chain->delete(value);
+  return chain->deletes(value);
 }
 
 /**

src/services/pcn-firewall/test/general/test_insert.sh

@@ -0,0 +1,56 @@
+# PING testing rule appending
+
+source "${BASH_SOURCE%/*}/../helpers.bash"
+
+function fwcleanup {
+  set +e
+  polycubectl firewall del fw
+  delete_veth 2
+}
+trap fwcleanup EXIT
+
+echo -e '\nTest insert \n'
+set -e
+set -x
+
+create_veth 2
+
+polycubectl firewall add fw loglevel=DEBUG
+polycubectl attach fw veth1
+
+# test simple insert rules
+polycubectl firewall fw chain INGRESS insert src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=FORWARD
+
+polycubectl firewall fw chain EGRESS insert src=10.0.0.2/32 dst=10.0.0.1/32 l4proto=ICMP action=FORWARD
+
+sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -i 0.5 -w 1
+
+
+polycubectl firewall fw chain INGRESS insert src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=DROP
+
+test_fail sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -i 0.5 -w 1
+
+
+polycubectl firewall fw chain INGRESS delete src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=DROP
+
+polycubectl firewall fw chain INGRESS show
+
+sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -i 0.5 -w 1
+
+# test insert rule in specific position
+polycubectl firewall fw chain INGRESS insert id=1 src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=DROP
+
+polycubectl firewall fw chain INGRESS show
+
+sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -i 0.5 -w 1
+
+# test wrong position
+set +e
+polycubectl firewall fw chain INGRESS insert id=2 src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=DROP
+polycubectl firewall fw chain INGRESS insert id=5 src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=DROP
+polycubectl firewall fw chain INGRESS insert id=-1 src=10.0.0.1 dst=10.0.0.2 l4proto=ICMP action=DROP
+set -e
+
+polycubectl firewall fw chain INGRESS show
+
+sudo ip netns exec ns1 ping 10.0.0.2 -c 2 -i 0.5 -w 1