Fix golint errors

Author: robbertkl

firewall.go

@@ -7,15 +7,19 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 )
 
+// Table describes an ip(6)tables table
 type Table string
 
+// All ip(6)tables tables we use
 const (
 	TableFilter = "filter"
 	TableNat    = "nat"
 )
 
+// Chain describes an ip(6)tables chain
 type Chain string
 
+// All ip(6)tables chains we use
 const (
 	ChainInput            = "INPUT"
 	ChainOutput           = "OUTPUT"
@@ -28,58 +32,65 @@ const (
 	ChainDockerIsolation2 = "DOCKER-ISOLATION-STAGE-2"
 )
 
+// TableChain references a combination of an ip(6)tables table and chain
 type TableChain struct {
 	table Table
 	chain Chain
 }
 
-type rule struct {
+// Rule represents a unique firewall rule
+type Rule struct {
 	tc      TableChain
 	spec    []string
 	prepend bool
 }
 
-func NewRule(table Table, chain Chain, spec ...string) *rule {
-	return &rule{
+// NewRule constructs a new (non prepended) Rule
+func NewRule(table Table, chain Chain, spec ...string) *Rule {
+	return &Rule{
 		tc:      TableChain{table, chain},
 		spec:    spec,
 		prepend: false,
 	}
 }
 
-func NewPrependRule(table Table, chain Chain, spec ...string) *rule {
-	return &rule{
+// NewPrependRule constructs a new Rule with prepend set to true
+func NewPrependRule(table Table, chain Chain, spec ...string) *Rule {
+	return &Rule{
 		tc:      TableChain{table, chain},
 		spec:    spec,
 		prepend: true,
 	}
 }
 
-func (r *rule) hash() string {
+func (r *Rule) hash() string {
 	return strings.Join(r.spec, "#")
 }
 
-func (r1 *rule) Equal(r2 *rule) bool {
-	if r1.tc != r2.tc {
+// Equal compares 2 Rules
+func (r *Rule) Equal(other *Rule) bool {
+	if r.tc != other.tc {
 		return false
 	}
 
-	if len(r1.spec) != len(r2.spec) {
+	if len(r.spec) != len(other.spec) {
 		return false
 	}
 
-	for index := range r1.spec {
-		if r1.spec[index] != r2.spec[index] {
+	for index := range r.spec {
+		if r.spec[index] != other.spec[index] {
 			return false
 		}
 	}
 
 	return true
 }
 
-type Ruleset []*rule
+// Ruleset contains a list of unique rules
+type Ruleset []*Rule
 
-func (s *Ruleset) Contains(r *rule) bool {
+// Contains checks if a Rule is part of the Ruleset
+func (s *Ruleset) Contains(r *Rule) bool {
 	for _, sr := range *s {
 		if r.Equal(sr) {
 			return true
@@ -89,54 +100,58 @@ func (s *Ruleset) Contains(r *rule) bool {
 	return false
 }
 
-func (s1 *Ruleset) Diff(s2 *Ruleset) *Ruleset {
-	if len(*s2) == 0 {
-		return s1
+// Diff returns a new Ruleset with only the rules that are not part of other
+func (s *Ruleset) Diff(other *Ruleset) *Ruleset {
+	if len(*other) == 0 {
+		return s
 	}
 
-	s := make(Ruleset, 0, len(*s1))
-	for _, r := range *s1 {
-		if !s2.Contains(r) {
-			s = append(s, r)
+	diffed := make(Ruleset, 0, len(*s))
+	for _, r := range *s {
+		if !other.Contains(r) {
+			diffed = append(diffed, r)
 		}
 	}
 
-	return &s
+	return &diffed
 }
 
-type firewall struct {
+// Firewall keeps track of the active rules, in order to perform proper appends/prepends
+type Firewall struct {
 	ipt               *iptables.IPTables
 	activeRules       map[TableChain]map[string]bool
 	debug             bool
-	userChainJumpRule *rule
+	userChainJumpRule *Rule
 }
 
-func NewFirewall(debug bool) (*firewall, error) {
+// NewFirewall constructs a new Firewall
+func NewFirewall(debug bool) (*Firewall, error) {
 	ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
 	if err != nil {
 		return nil, err
 	}
 
-	return &firewall{
+	return &Firewall{
 		ipt:               ipt,
 		activeRules:       make(map[TableChain]map[string]bool),
 		debug:             debug,
 		userChainJumpRule: NewRule(TableFilter, ChainForward, "-j", ChainDockerUser),
 	}, nil
 }
 
-func (fw *firewall) activateRule(r *rule) {
+func (fw *Firewall) activateRule(r *Rule) {
 	if _, exists := fw.activeRules[r.tc]; !exists {
 		fw.activeRules[r.tc] = make(map[string]bool)
 	}
 	fw.activeRules[r.tc][r.hash()] = true
 }
 
-func (fw *firewall) deactivateRule(r *rule) {
+func (fw *Firewall) deactivateRule(r *Rule) {
 	delete(fw.activeRules[r.tc], r.hash())
 }
 
-func (fw *firewall) EnsureTableChains(tableChains []TableChain) error {
+// EnsureTableChains creates (and clears!) the given TableChains
+func (fw *Firewall) EnsureTableChains(tableChains []TableChain) error {
 	for _, tc := range tableChains {
 		if err := fw.ipt.ClearChain(string(tc.table), string(tc.chain)); err != nil {
 			return err
@@ -147,7 +162,8 @@ func (fw *firewall) EnsureTableChains(tableChains []TableChain) error {
 	return nil
 }
 
-func (fw *firewall) RemoveTableChains(tableChains []TableChain) error {
+// RemoveTableChains deletes the given TableChains
+func (fw *Firewall) RemoveTableChains(tableChains []TableChain) error {
 	for _, tc := range tableChains {
 		fw.ipt.ClearChain(string(tc.table), string(tc.chain))
 		fw.ipt.DeleteChain(string(tc.table), string(tc.chain))
@@ -157,7 +173,8 @@ func (fw *firewall) RemoveTableChains(tableChains []TableChain) error {
 	return nil
 }
 
-func (fw *firewall) EnsureRules(rules *Ruleset) error {
+// EnsureRules makes sure the Rules in the given Ruleset exist or it creates them
+func (fw *Firewall) EnsureRules(rules *Ruleset) error {
 	// A regular loop to append only the non-prepend rules
 	for _, rule := range *rules {
 		if rule.prepend {
@@ -206,7 +223,8 @@ func (fw *firewall) EnsureRules(rules *Ruleset) error {
 	return nil
 }
 
-func (fw *firewall) RemoveRules(rules *Ruleset) error {
+// RemoveRules makes sure the Rules in the given Ruleset don't exist or removes them
+func (fw *Firewall) RemoveRules(rules *Ruleset) error {
 	for _, rule := range *rules {
 		if rule.Equal(fw.userChainJumpRule) {
 			continue
@@ -231,7 +249,8 @@ func (fw *firewall) RemoveRules(rules *Ruleset) error {
 	return nil
 }
 
-func (fw *firewall) EnsureUserFilterChain() error {
+// EnsureUserFilterChain makes sure the DOCKER-USER chain exists, without clearing it
+func (fw *Firewall) EnsureUserFilterChain() error {
 	chains, err := fw.ipt.ListChains(TableFilter)
 	if err != nil {
 		return err

manager.go

@@ -32,12 +32,14 @@ type managedPort struct {
 	hostPort    uint16
 }
 
-type manager struct {
-	fw          *firewall
+// Manager controls the firewall by managing rules for Docker networks and containers
+type Manager struct {
+	fw          *Firewall
 	hairpinMode bool
 }
 
-func NewManager(debug bool) (*manager, error) {
+// NewManager constructs a new Manager
+func NewManager(debug bool) (*Manager, error) {
 	hairpinMode, err := detectHairpinMode()
 	if err != nil {
 		return nil, err
@@ -60,7 +62,7 @@ func NewManager(debug bool) (*manager, error) {
 		return nil, err
 	}
 
-	return &manager{
+	return &Manager{
 		fw:          fw,
 		hairpinMode: hairpinMode,
 	}, nil
@@ -100,7 +102,8 @@ func detectHairpinMode() (bool, error) {
 	return false, errors.New("unable to detect hairpin mode (is the docker daemon running?)")
 }
 
-func (m *manager) Cleanup() error {
+// Cleanup removes the base rules and table-chains (per-network / per-container rules should already be removed)
+func (m *Manager) Cleanup() error {
 	if err := m.fw.RemoveRules(getBaseRules(m.hairpinMode)); err != nil {
 		return err
 	}
@@ -112,15 +115,17 @@ func (m *manager) Cleanup() error {
 	return nil
 }
 
-func (m *manager) ReplaceNetwork(oldNetwork, newNetwork *managedNetwork) error {
+// ReplaceNetwork applies relative rule changes for a network
+func (m *Manager) ReplaceNetwork(oldNetwork, newNetwork *managedNetwork) error {
 	return m.applyRules(getRulesForNetwork(oldNetwork, m.hairpinMode), getRulesForNetwork(newNetwork, m.hairpinMode))
 }
 
-func (m *manager) ReplaceContainer(oldContainer, newContainer *managedContainer) error {
+// ReplaceContainer applies relative rule changes for a container
+func (m *Manager) ReplaceContainer(oldContainer, newContainer *managedContainer) error {
 	return m.applyRules(getRulesForContainer(oldContainer, m.hairpinMode), getRulesForContainer(newContainer, m.hairpinMode))
 }
 
-func (m *manager) applyRules(oldRules, newRules *Ruleset) error {
+func (m *Manager) applyRules(oldRules, newRules *Ruleset) error {
 	oldRules = oldRules.Diff(newRules)
 
 	if err := m.fw.EnsureRules(newRules); err != nil {

state.go

@@ -8,8 +8,9 @@ import (
 	"github.com/fsouza/go-dockerclient"
 )
 
-type state struct {
-	manager    *manager
+// State keeps track of the current Docker containers and networks to apply relative updates to the manager
+type State struct {
+	manager    *Manager
 	networks   map[string]*managedNetwork
 	containers map[string]*managedContainer
 }
@@ -20,20 +21,22 @@ var ulaCIDR = net.IPNet{
 	Mask: net.CIDRMask(7, 128),
 }
 
-func NewState(debug bool) (*state, error) {
+// NewState constructs a new state
+func NewState(debug bool) (*State, error) {
 	manager, err := NewManager(debug)
 	if err != nil {
 		return nil, err
 	}
 
-	return &state{
+	return &State{
 		manager:    manager,
 		networks:   make(map[string]*managedNetwork),
 		containers: make(map[string]*managedContainer),
 	}, nil
 }
 
-func (s *state) Cleanup() error {
+// Cleanup resets the state
+func (s *State) Cleanup() error {
 	s.RemoveMissingContainers([]string{})
 	s.RemoveMissingNetworks([]string{})
 
@@ -44,7 +47,8 @@ func (s *state) Cleanup() error {
 	return nil
 }
 
-func (s *state) RemoveMissingNetworks(networkIDs []string) error {
+// RemoveMissingNetworks removes any of the given networks, if they don't exist
+func (s *State) RemoveMissingNetworks(networkIDs []string) error {
 	for id := range s.networks {
 		if !contains(networkIDs, id) {
 			if err := s.UpdateNetwork(id, nil); err != nil {
@@ -56,7 +60,8 @@ func (s *state) RemoveMissingNetworks(networkIDs []string) error {
 	return nil
 }
 
-func (s *state) RemoveMissingContainers(containerIDs []string) error {
+// RemoveMissingContainers removes any of the given containers if they don't exist
+func (s *State) RemoveMissingContainers(containerIDs []string) error {
 	for id := range s.containers {
 		if !contains(containerIDs, id) {
 			if err := s.UpdateContainer(id, nil); err != nil {
@@ -68,7 +73,8 @@ func (s *state) RemoveMissingContainers(containerIDs []string) error {
 	return nil
 }
 
-func (s *state) UpdateNetwork(id string, network *docker.Network) error {
+// UpdateNetwork applies a network, which can add, remove or update it
+func (s *State) UpdateNetwork(id string, network *docker.Network) error {
 	oldNetwork := s.networks[id]
 	newNetwork := s.parseNetwork(network)
 
@@ -87,7 +93,8 @@ func (s *state) UpdateNetwork(id string, network *docker.Network) error {
 	return nil
 }
 
-func (s *state) UpdateContainer(id string, container *docker.Container) error {
+// UpdateContainer applies a container, which can add, remove or update it
+func (s *State) UpdateContainer(id string, container *docker.Container) error {
 	oldContainer := s.containers[id]
 	newContainer := s.parseContainer(container)
 
@@ -106,7 +113,7 @@ func (s *state) UpdateContainer(id string, container *docker.Container) error {
 	return nil
 }
 
-func (s *state) parseNetwork(network *docker.Network) *managedNetwork {
+func (s *State) parseNetwork(network *docker.Network) *managedNetwork {
 	if network == nil {
 		return nil
 	}
@@ -172,7 +179,7 @@ func (s *state) parseNetwork(network *docker.Network) *managedNetwork {
 	return &n
 }
 
-func (s *state) findFirstKnownNetwork(networks map[string]docker.ContainerNetwork) (*managedNetwork, net.IP) {
+func (s *State) findFirstKnownNetwork(networks map[string]docker.ContainerNetwork) (*managedNetwork, net.IP) {
 	for _, network := range networks {
 		ip := net.ParseIP(network.GlobalIPv6Address)
 		if !ulaCIDR.Contains(ip) {
@@ -190,7 +197,7 @@ func (s *state) findFirstKnownNetwork(networks map[string]docker.ContainerNetwor
 	return nil, nil
 }
 
-func (s *state) getKnownNetworks() []*managedNetwork {
+func (s *State) getKnownNetworks() []*managedNetwork {
 	networks := make([]*managedNetwork, len(s.networks))
 	index := 0
 	for _, network := range s.networks {
@@ -201,7 +208,7 @@ func (s *state) getKnownNetworks() []*managedNetwork {
 	return networks
 }
 
-func (s *state) parseContainer(container *docker.Container) *managedContainer {
+func (s *State) parseContainer(container *docker.Container) *managedContainer {
 	if container == nil {
 		return nil
 	}