fix: [NPM] updating NPM marks with a mask to not clash with kube-proxy

npm/pkg/dataplane/policies/chain-management_linux.go

@@ -321,10 +321,6 @@ func (pMgr *PolicyManager) creatorForBootup(currentChains map[string]struct{}) *
 	creator.AddLine("", nil, jumpOnIngressMatchSpecs...)
 
 	// add AZURE-NPM-ACCEPT chain rules
-	clearSpecs := []string{util.IptablesAppendFlag, util.IptablesAzureAcceptChain}
-	clearSpecs = append(clearSpecs, setMarkSpecs(util.IptablesAzureClearMarkHex)...)
-	clearSpecs = append(clearSpecs, commentSpecs("CLEAR-AZURE-NPM-MARKS")...)
-	creator.AddLine("", nil, clearSpecs...)
 	creator.AddLine("", nil, util.IptablesAppendFlag, util.IptablesAzureAcceptChain, util.IptablesJumpFlag, util.IptablesAccept)
 	creator.AddLine("", nil, util.IptablesRestoreCommit)
 	return creator

npm/pkg/dataplane/policies/chain-management_linux_test.go

@@ -213,12 +213,11 @@ func TestCreatorForBootup(t *testing.T) {
 				":AZURE-NPM-INGRESS-ALLOW-MARK - -",
 				":AZURE-NPM-EGRESS - -",
 				":AZURE-NPM-ACCEPT - -",
-				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x4000 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x4000",
-				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x2000 -m comment --comment SET-INGRESS-ALLOW-MARK-0x2000",
+				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x400/0x400 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x400/0x400",
+				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x200/0x200 -m comment --comment SET-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j AZURE-NPM-EGRESS",
-				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x5000 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x5000",
-				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x2000 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x2000",
-				"-A AZURE-NPM-ACCEPT -j MARK --set-mark 0x0 -m comment --comment CLEAR-AZURE-NPM-MARKS",
+				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x800/0x800 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x800/0x800",
+				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x200/0x200 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-ACCEPT -j ACCEPT",
 				"COMMIT",
 				"",
@@ -246,12 +245,11 @@ func TestCreatorForBootup(t *testing.T) {
 				"-F AZURE-NPM-ACCEPT",
 				"-F AZURE-NPM-INGRESS-123456",
 				"-F AZURE-NPM-EGRESS-123456",
-				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x4000 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x4000",
-				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x2000 -m comment --comment SET-INGRESS-ALLOW-MARK-0x2000",
+				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x400/0x400 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x400/0x400",
+				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x200/0x200 -m comment --comment SET-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j AZURE-NPM-EGRESS",
-				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x5000 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x5000",
-				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x2000 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x2000",
-				"-A AZURE-NPM-ACCEPT -j MARK --set-mark 0x0 -m comment --comment CLEAR-AZURE-NPM-MARKS",
+				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x800/0x800 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x800/0x800",
+				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x200/0x200 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-ACCEPT -j ACCEPT",
 				"COMMIT",
 				"",
@@ -276,12 +274,11 @@ func TestCreatorForBootup(t *testing.T) {
 				"-F AZURE-NPM-ACCEPT",
 				"-F AZURE-NPM-INGRESS",
 				"-F AZURE-NPM-INGRESS-ALLOW-MARK",
-				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x4000 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x4000",
-				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x2000 -m comment --comment SET-INGRESS-ALLOW-MARK-0x2000",
+				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x400/0x400 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x400/0x400",
+				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x200/0x200 -m comment --comment SET-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j AZURE-NPM-EGRESS",
-				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x5000 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x5000",
-				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x2000 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x2000",
-				"-A AZURE-NPM-ACCEPT -j MARK --set-mark 0x0 -m comment --comment CLEAR-AZURE-NPM-MARKS",
+				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x800/0x800 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x800/0x800",
+				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x200/0x200 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-ACCEPT -j ACCEPT",
 				"COMMIT",
 				"",
@@ -305,12 +302,11 @@ func TestCreatorForBootup(t *testing.T) {
 				"-F AZURE-NPM-EGRESS-DROPS",
 				"-F AZURE-NPM-EGRESS-FROM",
 				"-F AZURE-NPM-EGRESS-PORTS",
-				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x4000 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x4000",
-				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x2000 -m comment --comment SET-INGRESS-ALLOW-MARK-0x2000",
+				"-A AZURE-NPM-INGRESS -j DROP -m mark --mark 0x400/0x400 -m comment --comment DROP-ON-INGRESS-DROP-MARK-0x400/0x400",
+				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j MARK --set-mark 0x200/0x200 -m comment --comment SET-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-INGRESS-ALLOW-MARK -j AZURE-NPM-EGRESS",
-				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x5000 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x5000",
-				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x2000 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x2000",
-				"-A AZURE-NPM-ACCEPT -j MARK --set-mark 0x0 -m comment --comment CLEAR-AZURE-NPM-MARKS",
+				"-A AZURE-NPM-EGRESS -j DROP -m mark --mark 0x800/0x800 -m comment --comment DROP-ON-EGRESS-DROP-MARK-0x800/0x800",
+				"-A AZURE-NPM-EGRESS -j AZURE-NPM-ACCEPT -m mark --mark 0x200/0x200 -m comment --comment ACCEPT-ON-INGRESS-ALLOW-MARK-0x200/0x200",
 				"-A AZURE-NPM-ACCEPT -j ACCEPT",
 				"COMMIT",
 				"",

npm/pkg/dataplane/policies/policymanager_linux_test.go

@@ -89,14 +89,19 @@ const (
 // iptables rule variables for ACLs
 var (
 	ingressDropRule = fmt.Sprintf(
-		"-j MARK --set-mark 0x4000 -p TCP --dport 222:333 -m set --match-set %s src -m set ! --match-set %s dst -m comment --comment %s",
+		"-j MARK --set-mark %s -p TCP --dport 222:333 -m set --match-set %s src -m set ! --match-set %s dst -m comment --comment %s",
+		util.IptablesAzureIngressDropMarkHex,
 		ipsets.TestCIDRSet.HashedName,
 		ipsets.TestKeyPodSet.HashedName,
 		ingressDropComment,
 	)
 	ingressAllowRule = fmt.Sprintf("-j AZURE-NPM-INGRESS-ALLOW-MARK -m set --match-set %s src -m comment --comment %s", ipsets.TestCIDRSet.HashedName, ingressAllowComment)
-	egressDropRule   = fmt.Sprintf("-j MARK --set-mark 0x5000 -p UDP --dport 144 -m set --match-set %s dst -m comment --comment %s", ipsets.TestCIDRSet.HashedName, egressDropComment)
-	egressAllowRule  = fmt.Sprintf("-j AZURE-NPM-ACCEPT -m set --match-set %s dst -m comment --comment %s", ipsets.TestNamedportSet.HashedName, egressAllowComment)
+	egressDropRule   = fmt.Sprintf("-j MARK --set-mark %s -p UDP --dport 144 -m set --match-set %s dst -m comment --comment %s",
+		util.IptablesAzureEgressDropMarkHex,
+		ipsets.TestCIDRSet.HashedName,
+		egressDropComment,
+	)
+	egressAllowRule = fmt.Sprintf("-j AZURE-NPM-ACCEPT -m set --match-set %s dst -m comment --comment %s", ipsets.TestNamedportSet.HashedName, egressAllowComment)
 )
 
 // NetworkPolicies

npm/util/const.go

@@ -116,12 +116,18 @@ const (
 	IptablesAzureEgressToPodChain    string = "AZURE-NPM-EGRESS-TO-POD"
 
 	// Below are the skb->mark NPM will use for different criteria
+	// for V1
 	IptablesAzureClearMarkHex string = "0x0"
+	// for v2, deprecated
+	IptablesAzureClearMarkHexV2 string = "0x0/0xE00"
 
 	// marks in NPM v2
-	IptablesAzureIngressAllowMarkHex string = "0x2000" // same as old IptablesAzureIngressMarkHex
-	IptablesAzureIngressDropMarkHex  string = "0x4000"
-	IptablesAzureEgressDropMarkHex   string = "0x5000"
+	// NPM uses the 3rd word of the 32-bit mark for the purpose of
+	// identifying the traffic direction and decision making.
+	// NPM uses 9th, 10th and 11th bit for marking
+	IptablesAzureIngressAllowMarkHex string = "0x200/0x200"
+	IptablesAzureIngressDropMarkHex  string = "0x400/0x400"
+	IptablesAzureEgressDropMarkHex   string = "0x800/0x800"
 
 	// marks in NPM v1
 	IptablesAzureIngressMarkHex string = "0x2000"