package com.yahoo.vespa.hosted.node.admin.maintenance.acl;

import com.google.common.net.InetAddresses;
import com.yahoo.vespa.hosted.node.admin.docker.DockerOperations;
import com.yahoo.vespa.hosted.node.admin.nodeagent.NodeAgentContext;
import com.yahoo.vespa.hosted.node.admin.task.util.file.Editor;
import com.yahoo.vespa.hosted.node.admin.task.util.file.LineEditor;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPAddresses;
import com.yahoo.vespa.hosted.node.admin.task.util.network.IPVersion;
import com.yahoo.yolean.Exceptions;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.util.List;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.logging.Level;
import java.util.logging.Logger;

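/**
 * Keeps the iptables configuration of a node's network namespace in line with the ACL carried by
 * its {@link NodeAgentContext}.
 *
 * <p>Per IP version two tables are maintained: the {@code filter} table, rebuilt from the node's
 * ACL by {@link FilterTableLineEditor}, and the {@code nat} table, which receives one REDIRECT rule
 * for traffic addressed to the node's own address. A table is read with {@code iptables -S},
 * edited in memory through a {@link LineEditor} and, only if that produced changes, written back
 * with {@code iptables-restore} from a temporary file.
 *
 * <p>Error handling differs by table: a failed {@code filter} restore is rolled back by flushing the
 * table, a failed {@code nat} restore is merely logged.
 *
 * <p>Thread-safety: {@link #converge(NodeAgentContext)} is {@code synchronized}, so at most one
 * convergence runs per instance at a time.
 */
public class AclMaintainer {
    private static final Logger logger = Logger.getLogger(AclMaintainer.class.getName());

    private static final String FILTER_TABLE = "filter";
    private static final String NAT_TABLE = "nat";

    private final DockerOperations dockerOperations;
    private final IPAddresses ipAddresses;

    /**
     * Owns a temporary file holding an {@code iptables-restore} script and deletes it on close.
     *
     * <p>Instances are meant to be used in try-with-resources so that the file is removed on both
     * the success and the failure path.
     */
    private static class TemporaryIpTablesFileHandler implements AutoCloseable {
        private final Path path;

        /**
         * Creates an empty temporary file named {@code iptables-restore*.<table>}.
         *
         * @param table the iptables table name, used only as the file suffix
         */
        private TemporaryIpTablesFileHandler(String table) {
            // Files.createTempFile puts the file in java.io.tmpdir; on POSIX the JDK creates it
            // with owner-only permissions, so the rule set is not readable by other local users.
            this.path = Exceptions.uncheck(() -> Files.createTempFile("iptables-restore", "." + table));
        }

        /**
         * Replaces the file's content with {@code content} encoded as UTF-8.
         *
         * @throws IOException if the file cannot be written
         */
        private void writeUtf8Content(String content) throws IOException {
            Files.write(this.path, content.getBytes(StandardCharsets.UTF_8));
        }

        /** @return the absolute path of the temporary file, as passed to {@code iptables-restore} */
        private String absolutePath() {
            return this.path.toAbsolutePath().toString();
        }

        /**
         * Deletes the temporary file if it still exists.
         *
         * @throws IOException if the deletion fails
         */
        @Override // java.lang.AutoCloseable
        public void close() throws IOException {
            Files.deleteIfExists(this.path);
        }
    }

    /**
     * @param dockerOperations used to run iptables commands inside the node's network namespace
     * @param iPAddresses used to resolve the node's own IPv4/IPv6 address for the NAT redirect
     */
    public AclMaintainer(DockerOperations dockerOperations, IPAddresses iPAddresses) {
        this.dockerOperations = dockerOperations;
        this.ipAddresses = iPAddresses;
    }

    /**
     * Brings the {@code filter} and {@code nat} tables of both IP versions in line with the ACL in
     * {@code nodeAgentContext}.
     *
     * <p>The filter tables are synced first; a failure there is rolled back with a flush. A NAT
     * redirect is installed only for the IP versions for which the node's hostname resolves.
     *
     * @param nodeAgentContext the context providing the ACL, hostname and logging
     */
    public synchronized void converge(NodeAgentContext nodeAgentContext) {
        editFlushOnError(nodeAgentContext, IPVersion.IPv4, FILTER_TABLE,
                FilterTableLineEditor.from(nodeAgentContext.acl(), IPVersion.IPv4));
        editFlushOnError(nodeAgentContext, IPVersion.IPv6, FILTER_TABLE,
                FilterTableLineEditor.from(nodeAgentContext.acl(), IPVersion.IPv6));

        String hostname = nodeAgentContext.hostname().value();
        this.ipAddresses.getAddress(hostname, IPVersion.IPv4)
                .ifPresent(address -> applyRedirect(nodeAgentContext, address));
        this.ipAddresses.getAddress(hostname, IPVersion.IPv6)
                .ifPresent(address -> applyRedirect(nodeAgentContext, address));
    }

    /**
     * Ensures the {@code nat} table of {@code address}'s IP version holds a single rule redirecting
     * OUTPUT traffic destined for {@code address} (as a single-host CIDR).
     *
     * <p>The rule text is built from {@link InetAddresses#toAddrString}, i.e. from a parsed address
     * and not from free-form input, so no untrusted text reaches the iptables script.
     */
    private void applyRedirect(NodeAgentContext nodeAgentContext, InetAddress address) {
        IPVersion ipVersion = IPVersion.get(address);
        String redirectRule = "-A OUTPUT -d " + InetAddresses.toAddrString(address)
                + ipVersion.singleHostCidr() + " -j REDIRECT";
        editLogOnError(nodeAgentContext, ipVersion, NAT_TABLE, NatTableLineEditor.from(redirectRule));
    }

    /**
     * Edits {@code table}; if the restore fails the table is flushed as a rollback.
     *
     * @return whatever {@link Editor#edit} reports for this edit
     */
    private boolean editFlushOnError(NodeAgentContext nodeAgentContext, IPVersion ipVersion, String table, LineEditor lineEditor) {
        return edit(nodeAgentContext, table, ipVersion, lineEditor, true);
    }

    /**
     * Edits {@code table}; if the restore fails a warning is logged and the table is left as is.
     *
     * @return whatever {@link Editor#edit} reports for this edit
     */
    private boolean editLogOnError(NodeAgentContext nodeAgentContext, IPVersion ipVersion, String table, LineEditor lineEditor) {
        return edit(nodeAgentContext, table, ipVersion, lineEditor, false);
    }

    /**
     * Runs {@code lineEditor} over the current rules of {@code table}, restoring the table when the
     * editor changed something. Editor messages are logged through {@code nodeAgentContext}.
     *
     * @param flushOnError whether a failed restore is rolled back by flushing the table
     * @return whatever {@link Editor#edit} reports for this edit
     */
    private boolean edit(NodeAgentContext nodeAgentContext, String table, IPVersion ipVersion, LineEditor lineEditor, boolean flushOnError) {
        String editorName = ipVersion.iptablesCmd() + "-" + table;
        Editor editor = new Editor(editorName,
                listTable(nodeAgentContext, table, ipVersion),
                restoreTable(nodeAgentContext, table, ipVersion, flushOnError),
                lineEditor);
        return editor.edit(message -> nodeAgentContext.log(logger, message));
    }

    /**
     * @return a supplier that lists the rules of {@code table} with {@code iptables -S -t <table>}
     *         inside the node's network namespace, one trimmed line per rule
     */
    private Supplier<List<String>> listTable(NodeAgentContext nodeAgentContext, String table, IPVersion ipVersion) {
        return () -> this.dockerOperations
                .executeCommandInNetworkNamespace(nodeAgentContext, ipVersion.iptablesCmd(), "-S", "-t", table)
                .mapEachLine(String::trim);
    }

    /**
     * @return a consumer that writes the given rules as an {@code iptables-restore} script for
     *         {@code table} and applies it inside the node's network namespace. On any failure the
     *         error is logged; with {@code flushOnError} the table is additionally flushed.
     */
    private Consumer<List<String>> restoreTable(NodeAgentContext nodeAgentContext, String table, IPVersion ipVersion, boolean flushOnError) {
        return rules -> {
            // try-with-resources guarantees the temporary rule file is deleted even when the write
            // or the restore command throws; a failing close() is reported like any other failure.
            try (TemporaryIpTablesFileHandler restoreFile = new TemporaryIpTablesFileHandler(table)) {
                restoreFile.writeUtf8Content("*" + table + "\n" + String.join("\n", rules) + "\nCOMMIT\n");
                this.dockerOperations.executeCommandInNetworkNamespace(
                        nodeAgentContext, ipVersion.iptablesRestore(), restoreFile.absolutePath());
            } catch (Exception e) {
                if (!flushOnError) {
                    nodeAgentContext.log(logger, Level.WARNING, "Unable to sync iptables for " + table, e);
                    return;
                }
                nodeAgentContext.log(logger, Level.SEVERE,
                        "Exception occurred while syncing iptable " + table + ", attempting rollback", e);
                flushTable(nodeAgentContext, table, ipVersion);
            }
        };
    }

    /**
     * Rolls back a failed restore by flushing every rule of {@code table}.
     *
     * <p>{@code iptables -F} removes the rules but leaves the chain policies untouched, so after a
     * rollback the table enforces only its policies until the next convergence. Whether that is
     * fail-open or fail-closed depends on the policies the line editor installs, which is not
     * visible here. A failing flush is logged and otherwise ignored.
     */
    private void flushTable(NodeAgentContext nodeAgentContext, String table, IPVersion ipVersion) {
        try {
            this.dockerOperations.executeCommandInNetworkNamespace(
                    nodeAgentContext, ipVersion.iptablesCmd(), "-F", "-t", table);
        } catch (Exception e) {
            nodeAgentContext.log(logger, Level.SEVERE, "Rollback of table " + table + " failed, giving up", e);
        }
    }
}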
