From be053ef8b4eba8684a71055860c501b35b6eca09 Mon Sep 17 00:00:00 2001 From: anlicheng <244108715@qq.com> Date: Sat, 28 Feb 2026 17:22:41 +0800 Subject: [PATCH] fix rules --- apps/sdlan/include/policy.hrl | 4 +--- apps/sdlan/src/policy/identity_ets.erl | 21 ------------------- apps/sdlan/src/policy/identity_policy_ets.erl | 8 +++---- apps/sdlan/src/policy/policy.erl | 21 ------------------- apps/sdlan/src/policy/policy_ets.erl | 16 -------------- apps/sdlan/src/policy/rule_ets.erl | 16 ++++++++++++-- apps/sdlan/src/quic/sdlan_quic_channel.erl | 14 ++++++++++--- apps/sdlan/src/sdlan_app.erl | 4 ++++ apps/sdlan/src/sdlan_sync_mysql.erl | 16 +++++++++----- 9 files changed, 44 insertions(+), 76 deletions(-) delete mode 100644 apps/sdlan/src/policy/identity_ets.erl delete mode 100644 apps/sdlan/src/policy/policy.erl delete mode 100644 apps/sdlan/src/policy/policy_ets.erl diff --git a/apps/sdlan/include/policy.hrl b/apps/sdlan/include/policy.hrl index c7ec09b..926ca8a 100644 --- a/apps/sdlan/include/policy.hrl +++ b/apps/sdlan/include/policy.hrl @@ -30,13 +30,11 @@ -record(rule, { rule_id :: integer(), - policy_id :: integer(), network_id :: integer(), - access_rule_id :: integer(), src_policy_id :: integer(), dst_policy_id :: integer(), proto :: integer(), port :: integer(), - action, + action = allow :: allow | deny, created_at = 0 :: integer() }). \ No newline at end of file diff --git a/apps/sdlan/src/policy/identity_ets.erl b/apps/sdlan/src/policy/identity_ets.erl deleted file mode 100644 index bb27491..0000000 --- a/apps/sdlan/src/policy/identity_ets.erl +++ /dev/null 
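Review bot: `action = allow :: allow | deny` makes a rule whose action is never set an allow rule, which is fail-open for an access-control record; `rule_ets:get_rules/2` in this same patch matches `#rule{action = allow, ...}` to build the permitted set, so a `#rule{}` constructed without `action` would be granted. `sdlan_sync_mysql:format_action/1` already maps anything that is not `<<"allow">>` to `deny`, so `action = deny :: allow | deny,` keeps the record consistent with the loader and only grants what was explicitly allowed.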
@@ -1,21 +0,0 @@ --module(identity_ets). --include("policy.hrl"). - --export([init/0]). --export([lookup/1, insert/1]). - --define(TABLE, identity_ets_table). - -init() -> - ets:new(?TABLE, [named_table, ordered_set, public, {keypos, 2}, {read_concurrency, true}]). - -lookup(IdentityId) when is_integer(IdentityId) -> - case ets:lookup(?TABLE, IdentityId) of - [Identity] -> - {ok, Identity}; - [] -> - error - end. - -insert(Identity = #identity{}) -> - true = ets:insert(?TABLE, Identity). \ No newline at end of file diff --git a/apps/sdlan/src/policy/identity_policy_ets.erl b/apps/sdlan/src/policy/identity_policy_ets.erl index ae1eafb..357e91a 100644 --- a/apps/sdlan/src/policy/identity_policy_ets.erl +++ b/apps/sdlan/src/policy/identity_policy_ets.erl @@ -4,15 +4,13 @@ -export([init/0]). -export([get_policies/1, insert/1]). --define(TABLE, identity_policy_ets_table). - init() -> - ets:new(?TABLE, [named_table, bag, public, {keypos, 2}, {read_concurrency, true}]). + ets:new(identity_policy, [named_table, bag, public, {keypos, 2}, {read_concurrency, true}]). -spec get_policies(IdentityId :: integer()) -> [PolicyId :: integer()]. get_policies(IdentityId) when is_integer(IdentityId) -> - Records = ets:lookup(?TABLE, IdentityId), + Records = ets:lookup(identity_policy, IdentityId), lists:map(fun(#identity_policy{policy_id = PolicyId}) -> PolicyId end, Records). insert(IdentityPolicy = #identity_policy{}) -> - true = ets:insert(?TABLE, IdentityPolicy). \ No newline at end of file + true = ets:insert(identity_policy, IdentityPolicy). \ No newline at end of file diff --git a/apps/sdlan/src/policy/policy.erl b/apps/sdlan/src/policy/policy.erl deleted file mode 100644 index bff2874..0000000 --- a/apps/sdlan/src/policy/policy.erl +++ /dev/null 
@@ -1,21 +0,0 @@ -%%%------------------------------------------------------------------- -%%% @author anlicheng -%%% @copyright (C) 2026, -%%% @doc -%%% -%%% @end -%%% Created : 28. 2月 2026 15:55 -%%%------------------------------------------------------------------- --module(policy). --author("anlicheng"). - -%% API --export([]). - -get_rules(SrcIdentityId, DstIdentityId) when is_integer(SrcIdentityId), is_integer(DstIdentityId) -> - SrcPolicies = identity_policy_ets:get_policies(SrcIdentityId), - DstPolicies = identity_policy_ets:get_policies(DstIdentityId), - - - - ok. \ No newline at end of file diff --git a/apps/sdlan/src/policy/policy_ets.erl b/apps/sdlan/src/policy/policy_ets.erl deleted file mode 100644 index 8310846..0000000 --- a/apps/sdlan/src/policy/policy_ets.erl +++ /dev/null @@ -1,16 +0,0 @@ --module(policy_ets). --include("policy.hrl"). - --export([init/0]). --export([lookup/1, insert/1]). - --define(TABLE, policy_ets_table). - -init() -> - ets:new(?TABLE, [named_table, ordered_set, public, {keypos, 2}, {read_concurrency, true}]). - -lookup(PolicyId) when is_integer(PolicyId) -> - Records = ets:lookup(?TABLE, PolicyId). - -insert(Policy = #policy{}) -> - true = ets:insert(?TABLE, Policy). \ No newline at end of file diff --git a/apps/sdlan/src/policy/rule_ets.erl b/apps/sdlan/src/policy/rule_ets.erl index 92210a8..46d220f 100644 --- a/apps/sdlan/src/policy/rule_ets.erl +++ b/apps/sdlan/src/policy/rule_ets.erl 
@@ -6,14 +6,26 @@ init() -> ets:new(rule_table, [named_table, ordered_set, public, {keypos, 2}, {read_concurrency, true}]), - ets:new(rule_index, [named_table, set, public, {read_concurrency, true}]). + ets:new(rule_index, [named_table, bag, public, {read_concurrency, true}]). +-spec get_rules(SrcPolicyIds :: any(), DstPolicyIds :: any()) -> {ok, [{Proto :: integer(), Port :: integer()}]}. get_rules(SrcPolicyIds, DstPolicyIds) when is_list(SrcPolicyIds), is_list(DstPolicyIds) -> MatchKeys = [{S, D, '_'} || S <- SrcPolicyIds, D <- DstPolicyIds], Records = lists:flatmap(fun({S, D, _}) -> ets:match_object(rule_index, {S, D, '_'}) end, MatchKeys), Rules = lists:flatmap(fun({_, _, RuleId}) -> ets:lookup(rule_table, RuleId) end, Records), - {ok, Rules}. + + S = lists:foldl(fun(Rule, S) -> + case Rule of + #rule{action = allow, proto = Proto, port = Port} -> + sets:add_element({Proto, Port}, S); + _ -> + S + end + end, sets:new(), Rules), + + {ok, sets:to_list(S)}. insert(Rule = #rule{src_policy_id = SrcPolicyId, dst_policy_id = DstPolicyId, rule_id = RuleId}) -> ets:insert(rule_table, Rule), + logger:debug("rule_index: ~p", [{SrcPolicyId, DstPolicyId, RuleId}]), ets:insert(rule_index, {SrcPolicyId, DstPolicyId, RuleId}). \ No newline at end of file diff --git a/apps/sdlan/src/quic/sdlan_quic_channel.erl b/apps/sdlan/src/quic/sdlan_quic_channel.erl index de630a5..dded336 100644 --- a/apps/sdlan/src/quic/sdlan_quic_channel.erl +++ b/apps/sdlan/src/quic/sdlan_quic_channel.erl 
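Review bot: The fold in `get_rules/2` gives `deny` rules no effect — a `#rule{action = deny}` simply falls to the `_ -> S` clause, so when an allow and a deny rule both match the same `{Proto, Port}` across the policy pairs the allow is returned; if deny is meant to take precedence, the fold should collect both sets and subtract, as sketched below. The spec's `SrcPolicyIds :: any()` contradicts the `is_list/1` guard on the next line; `[integer()]` matches what `identity_policy_ets:get_policies/1` produces. Reusing `S` for both a source policy id and the set accumulator in the same function is confusing; `Acc` or `Allowed` reads better. Separately, `insert/1` only adds to the `rule_index` bag, so a rule whose policy pair changes leaves its old `{Src, Dst, RuleId}` entry behind and the `lists:flatmap` lookup keeps returning the rule for the old pair; deleting by id before inserting, `ets:match_delete(rule_index, {'_', '_', RuleId}),`, avoids that.
```erlang
get_rules(SrcPolicyIds, DstPolicyIds) when is_list(SrcPolicyIds), is_list(DstPolicyIds) ->
    %% … unchanged: rule_index match and rule_table lookup producing Rules …
    {Allowed, Denied} = lists:foldl(
        fun(#rule{action = allow, proto = Proto, port = Port}, {A, D}) ->
                {sets:add_element({Proto, Port}, A), D};
           (#rule{action = deny, proto = Proto, port = Port}, {A, D}) ->
                {A, sets:add_element({Proto, Port}, D)}
        end, {sets:new(), sets:new()}, Rules),
    %% a deny on a {Proto, Port} overrides any allow on the same pair
    {ok, sets:to_list(sets:subtract(Allowed, Denied))}.
```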
@@ -201,16 +201,18 @@ handle_event(info, {frame, <>}, registered, #st keep_state_and_data end; -%% TODO 处理权限查询 handle_event(info, {frame, <>}, registered, #state{stream = Stream, network_pid = NetworkPid}) when is_pid(NetworkPid) -> maybe PolicyRequest = catch sdlan_pb:decode_msg(Body, sdl_policy_request), #sdl_policy_request{src_identity_id = SrcIdentityId, dst_identity_id = DstIdentityId, version = Version} ?= PolicyRequest, + + {ok, Rules} = get_rules(SrcIdentityId, DstIdentityId), + RuleBin = iolist_to_binary(lists:map(fun({Proto, Port}) -> <> end, Rules)), PolicyResponsePkt = sdlan_pb:encode_msg(#sdl_policy_response { src_identity_id = SrcIdentityId, dst_identity_id = DstIdentityId, version = Version, - rules = <<1, 80:16, 2, 9090:16>> + rules = RuleBin }), quic_send(Stream, <>) end, @@ -324,4 +326,10 @@ quic_send(Stream, Packet) when is_binary(Packet) -> ok; {error, Reason} -> exit({quic_send_failed, Reason}) - end. \ No newline at end of file + end. + +-spec get_rules(SrcIdentityId :: integer(), DstIdentityId :: integer()) -> {ok, [{Proto :: integer(), Port :: integer()}]}. +get_rules(SrcIdentityId, DstIdentityId) when is_integer(SrcIdentityId), is_integer(DstIdentityId) -> + SrcPolicyIds = identity_policy_ets:get_policies(SrcIdentityId), + DstPolicyIds = identity_policy_ets:get_policies(DstIdentityId), + rule_ets:get_rules(SrcPolicyIds, DstPolicyIds). \ No newline at end of file diff --git a/apps/sdlan/src/sdlan_app.erl b/apps/sdlan/src/sdlan_app.erl index 1eec382..ee34e55 100644 --- a/apps/sdlan/src/sdlan_app.erl +++ b/apps/sdlan/src/sdlan_app.erl @@ -19,6 +19,10 @@ start(_StartType, _StartArgs) -> sdlan_domain_regedit:init(), dns_pending_wheel:start(), + %% 权限的数据管理 + identity_policy_ets:init(), + rule_ets:init(), + start_http_server(), sdlan_sup:start_link(). diff --git a/apps/sdlan/src/sdlan_sync_mysql.erl b/apps/sdlan/src/sdlan_sync_mysql.erl index e73c24f..cb55679 100644 --- a/apps/sdlan/src/sdlan_sync_mysql.erl 
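Review bot: Nothing in the new code ties `SrcIdentityId` from the decoded `#sdl_policy_request{}` to the identity that registered this stream, so the `rules = RuleBin` answer is computed for whatever identity pair the peer names; if `#state{}` holds the registered identity, bind it in the clause head and match `src_identity_id` against it (answering a mismatch with an empty rule set or dropping the frame), otherwise one channel can read the allow set of other identities. `{ok, Rules} = get_rules(SrcIdentityId, DstIdentityId)` uses `=` inside `maybe` where the neighbouring step uses `?=`; it only works because `rule_ets:get_rules/2` always returns `{ok, _}`, and `?=` would keep the failure path uniform. The removed literal `<<1, 80:16, 2, 9090:16>>` suggests an 8-bit proto and 16-bit port per entry (the segment specs of the new map fun are not legible in the hunk as rendered here); binary construction truncates rather than fails, so an out-of-range port coming from the database would silently wrap to a different port, which argues for a range check at load time in `sdlan_sync_mysql` and a one-line comment next to `RuleBin` naming the field widths. This `handle_event/4` clause continues past the end of the hunk.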
+++ b/apps/sdlan/src/sdlan_sync_mysql.erl @@ -97,20 +97,20 @@ sync_rule() -> sync_rule0(0). sync_rule0(RuleIdOffset) -> {ok, Rows} = mysql_pool:get_all(mysql_sdlan, <<"select * from rule where rule_id > ? order by rule_id asc limit 5000">>, [RuleIdOffset]), + logger:debug("rule rows: ~p", [Rows]), case length(Rows) > 0 of true -> - RuleIds = lists:map(fun(#{<<"rule_id">> := RuleId, <<"policy_id">> := PolicyId, <<"network_id">> := NetworkId, + RuleIds = lists:map(fun(#{<<"rule_id">> := RuleId, <<"network_id">> := NetworkId, <<"src_policy_id">> := SrcPolicyId, <<"dst_policy_id">> := DstPolicyId, <<"proto">> := Proto, <<"port">> := Port, <<"action">> := Action, <<"created_at">> := CreatedAt}) -> - identity_policy_ets:insert(#rule{ + rule_ets:insert(#rule{ rule_id = RuleId, - policy_id = PolicyId, network_id = NetworkId, src_policy_id = SrcPolicyId, dst_policy_id = DstPolicyId, proto = Proto, port = Port, - action = Action, + action = format_action(Action), created_at = CreatedAt }), RuleId @@ -119,4 +119,10 @@ sync_rule0(RuleIdOffset) -> sync_rule0(LastRuleOffset); false -> ok - end. \ No newline at end of file + end. + +-spec format_action(binary()) -> atom(). +format_action(<<"allow">>) -> + allow; +format_action(_) -> + deny. \ No newline at end of file
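Review bot: `logger:debug("rule rows: ~p", [Rows])` prints up to 5000 full rows per page on every pass of `sync_rule0/1`, which is a lot of log volume for a sync loop and copies the whole policy table into the logs; `logger:debug("rule rows: ~p from offset ~p", [length(Rows), RuleIdOffset])` gives the same progress signal. Nothing in the hunk removes rules that have disappeared from MySQL — `sync_rule0/1` only inserts — so if `sync_rule/0` is run again on a live node rather than only at startup, rules deleted upstream keep being served; that may be handled elsewhere, but a comment on `sync_rule/0` stating whether it is a one-shot load or a periodic reconcile would settle it. The enclosing `case length(Rows) > 0 of` is pre-existing, but while this clause is being touched, `[] -> ok; [_ | _] -> ...` avoids walking the list just to test emptiness.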
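Review bot: `-spec format_action(binary()) -> atom().` is looser than the record field this value feeds (`action :: allow | deny` in policy.hrl); `-spec format_action(binary()) -> allow | deny.` lets Dialyzer check the field. The catch-all `format_action(_) -> deny` is the right fail-closed default, but it also turns a typo or a new action value in the database into a silent deny; splitting it into `format_action(<<"deny">>) -> deny;` and `format_action(Other) -> logger:warning("unknown rule action ~p, treating as deny", [Other]), deny.` keeps the safe behaviour while making such drift visible in operations.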