diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index 5f32f615c6..ebae4f79f5 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -32,6 +32,7 @@ type IptEntry struct {
 Chain string
 Flag string
 LockWaitTimeInSeconds string
+ IsJumpEntry bool
 Specs []string
 }

@@ -300,7 +301,11 @@ func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
 return nil
 }

- iptMgr.OperationFlag = util.IptablesAppendFlag
+ if entry.IsJumpEntry {
+ iptMgr.OperationFlag = util.IptablesAppendFlag
+ } else {
+ iptMgr.OperationFlag = util.IptablesInsertionFlag
+ }
 if _, err := iptMgr.Run(entry); err != nil {
 log.Errorf("Error: failed to create iptables rules.")
 return err
diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go
index 3c93850333..5ba714df8e 100644
--- a/npm/translatePolicy.go
+++ b/npm/translatePolicy.go
@@ -239,31 +239,6 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 for _, fromRule := range rule.From {
 // Handle IPBlock field of NetworkPolicyPeer
 if fromRule.IPBlock != nil {
- if len(fromRule.IPBlock.Except) > 0 {
- for _, except := range fromRule.IPBlock.Except {
- exceptEntry := &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
- }
- exceptEntry.Specs = append(
- exceptEntry.Specs,
- util.IptablesSFlag,
- except,
- )
- exceptEntry.Specs = append(exceptEntry.Specs, targetSelectorIptEntrySpec...)
- exceptEntry.Specs = append(
- exceptEntry.Specs,
- util.IptablesJumpFlag,
- util.IptablesDrop,
- util.IptablesModuleFlag,
- util.IptablesCommentModuleFlag,
- util.IptablesCommentFlag,
- "DROP-"+except+
- "-TO-"+targetSelectorComment,
- )
- fromRuleEntries = append(fromRuleEntries, exceptEntry)
- }
- addedIngressFromEntry = true
- }
 if len(fromRule.IPBlock.CIDR) > 0 {
 if portRuleExists {
 for _, portRule := range rule.Ports {
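Review bot: The new exported field `IsJumpEntry` has no doc comment, and its zero value is what now decides between `util.IptablesAppendFlag` and `util.IptablesInsertionFlag` in `Add` further down this diff, so the declaration should state what callers opt into. Suggested line above it: `// IsJumpEntry makes Add append the rule (IptablesAppendFlag) instead of inserting it at the head of its chain (IptablesInsertionFlag); set it on the entries that jump into another NPM chain so they stay below the head-inserted match rules.` The remaining fields of IptEntry are outside the hunk.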
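Review bot: The else branch changes the default for every `IptEntry` whose constructor does not set `IsJumpEntry`: a zero-valued field now selects `util.IptablesInsertionFlag`, so any `IptEntry` literal outside this diff silently moves from append to head-insert, and the relative precedence of those rules in their chain is now decided by the order in which `Add` is called. Either every construction site in the package should be audited for this, or the flag should be defined so that its zero value keeps the old append path. The test-file changes only pin the slice order produced by translatePolicy; a small test of `Add` asserting `iptMgr.OperationFlag` for both values of `IsJumpEntry` would lock in the contract that the new ordering relies on. `Add` begins and ends outside the hunk, and `Run` and the earlier existence check are not visible here.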
@@ -316,6 +291,31 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 fromRuleEntries = append(fromRuleEntries, cidrEntry)
 addedIngressFromEntry = true
 }
+ if len(fromRule.IPBlock.Except) > 0 {
+ for _, except := range fromRule.IPBlock.Except {
+ exceptEntry := &iptm.IptEntry{
+ Chain: util.IptablesAzureIngressFromChain,
+ }
+ exceptEntry.Specs = append(
+ exceptEntry.Specs,
+ util.IptablesSFlag,
+ except,
+ )
+ exceptEntry.Specs = append(exceptEntry.Specs, targetSelectorIptEntrySpec...)
+ exceptEntry.Specs = append(
+ exceptEntry.Specs,
+ util.IptablesJumpFlag,
+ util.IptablesDrop,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "DROP-"+except+
+ "-TO-"+targetSelectorComment,
+ )
+ fromRuleEntries = append(fromRuleEntries, exceptEntry)
+ }
+ addedIngressFromEntry = true
+ }
 }
 continue
 }
@@ -565,14 +565,17 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 }
 }

+ // prepending fromRuleEntries (which is in reverse order) so that they will retain correct ordering
+ // of drop->allow... when the rules are beind prepended to their corresponding chain
 if len(fromRuleEntries) > 0 {
- entries = append(entries, fromRuleEntries...)
+ entries = append(fromRuleEntries, entries...)
 }

 if addedPortEntry && !addedIngressFromEntry {
 entry := &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
- Specs: targetSelectorIptEntrySpec,
+ Chain: util.IptablesAzureIngressPortChain,
+ Specs: targetSelectorIptEntrySpec,
+ IsJumpEntry: true,
 }
 entry.Specs = append(
 entry.Specs,
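Review bot: As far as the context shows, the relocated except block now sits inside the `if len(fromRule.IPBlock.CIDR) > 0` body (the `}` above it closes the cidrEntry branch and the one below it closes the CIDR check), so an IPBlock with an empty CIDR no longer emits its DROP rules, whereas the removed code emitted them unconditionally. That is a defensible tightening, since Except is only meaningful relative to a CIDR, but the commit does not say so, and the new placement also carries an ordering dependency. A one-line comment above `if len(fromRule.IPBlock.Except) > 0 {` would make both explicit: `// Emitted after cidrEntry on purpose: Add inserts non-jump rules at the head of the chain, so these DROPs end up above the CIDR ALLOW.` The same applies to the egress counterpart in translateEgress later in this diff; translateIngress starts and ends outside the hunk.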
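Review bot: The new comment's "(which is in reverse order)" is confusing: `fromRuleEntries` is built in forward order (each cidrEntry followed by its except entries) and it is the head-insertion in `Add` that reverses them when applied, so a reader will look for a reversal that is not in this function; "beind" is also a typo for "being". Suggested wording: `// Prepend fromRuleEntries: Add inserts non-jump rules at the head of their chain, so rules applied later sit higher; keeping these first in entries makes the except DROPs land above their CIDR ALLOW.` This presumes the caller applies entries in slice order, which the hunk does not show. `append(fromRuleEntries, entries...)` may also write into spare capacity of fromRuleEntries' backing array, which is harmless only if fromRuleEntries is not used again below. The same comment and change appear in translateEgress later in this diff.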
@@ -588,8 +591,9 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 entries = append(entries, entry)
 } else if addedIngressFromEntry {
 portEntry := &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
- Specs: targetSelectorIptEntrySpec,
+ Chain: util.IptablesAzureIngressPortChain,
+ Specs: targetSelectorIptEntrySpec,
+ IsJumpEntry: true,
 }
 portEntry.Specs = append(
 portEntry.Specs,
@@ -604,8 +608,9 @@ func translateIngress(ns string, targetSelector metav1.LabelSelector, rules []ne
 )
 entries = append(entries, portEntry)
 entry := &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
- Specs: targetSelectorIptEntrySpec,
+ Chain: util.IptablesAzureIngressFromChain,
+ Specs: targetSelectorIptEntrySpec,
+ IsJumpEntry: true,
 }
 entry.Specs = append(
 entry.Specs,
@@ -718,31 +723,6 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 for _, toRule := range rule.To {
 // Handle IPBlock field of NetworkPolicyPeer
 if toRule.IPBlock != nil {
- if len(toRule.IPBlock.Except) > 0 {
- for _, except := range toRule.IPBlock.Except {
- exceptEntry := &iptm.IptEntry{
- Chain: util.IptablesAzureEgressToChain,
- Specs: targetSelectorIptEntrySpec,
- }
- exceptEntry.Specs = append(
- exceptEntry.Specs,
- util.IptablesDFlag,
- except,
- )
- exceptEntry.Specs = append(
- exceptEntry.Specs,
- util.IptablesJumpFlag,
- util.IptablesDrop,
- util.IptablesModuleFlag,
- util.IptablesCommentModuleFlag,
- util.IptablesCommentFlag,
- "DROP-"+except+
- "-FROM-"+targetSelectorComment,
- )
- toRuleEntries = append(toRuleEntries, exceptEntry)
- }
- addedEgressToEntry = true
- }
 if len(toRule.IPBlock.CIDR) > 0 {
 if portRuleExists {
 for _, portRule := range rule.Ports {
@@ -798,6 +778,31 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 toRuleEntries = append(toRuleEntries, cidrEntry)
 addedEgressToEntry = true
 }
+ if len(toRule.IPBlock.Except) > 0 {
+ for _, except := range toRule.IPBlock.Except {
+ exceptEntry := &iptm.IptEntry{
+ Chain: util.IptablesAzureEgressToChain,
+ Specs: targetSelectorIptEntrySpec,
+ }
+ exceptEntry.Specs = append(
+ exceptEntry.Specs,
+ util.IptablesDFlag,
+ except,
+ )
+ exceptEntry.Specs = append(
+ exceptEntry.Specs,
+ util.IptablesJumpFlag,
+ util.IptablesDrop,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ "DROP-"+except+
+ "-FROM-"+targetSelectorComment,
+ )
+ toRuleEntries = append(toRuleEntries, exceptEntry)
+ }
+ addedEgressToEntry = true
+ }
 }
 continue
 }
@@ -1048,14 +1053,17 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 }
 }

+ // prepending toRuleEntries (which is in reverse order) so that they will retain correct ordering
+ // of drop->allow... when the rules are beind prepended to their corresponding chain
 if len(toRuleEntries) > 0 {
- entries = append(entries, toRuleEntries...)
+ entries = append(toRuleEntries, entries...)
 }

 if addedPortEntry && !addedEgressToEntry {
 entry := &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
- Specs: targetSelectorIptEntrySpec,
+ Chain: util.IptablesAzureEgressPortChain,
+ Specs: targetSelectorIptEntrySpec,
+ IsJumpEntry: true,
 }
 entry.Specs = append(
 entry.Specs,
@@ -1071,8 +1079,9 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 entries = append(entries, entry)
 } else if addedEgressToEntry {
 portEntry := &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
- Specs: targetSelectorIptEntrySpec,
+ Chain: util.IptablesAzureEgressPortChain,
+ Specs: targetSelectorIptEntrySpec,
+ IsJumpEntry: true,
 }
 portEntry.Specs = append(
 portEntry.Specs,
@@ -1087,8 +1096,9 @@ func translateEgress(ns string, targetSelector metav1.LabelSelector, rules []net
 )
 entries = append(entries, portEntry)
 entry := &iptm.IptEntry{
- Chain: util.IptablesAzureEgressToChain,
- Specs: targetSelectorIptEntrySpec,
+ Chain: util.IptablesAzureEgressToChain,
+ Specs: targetSelectorIptEntrySpec,
+ IsJumpEntry: true,
 }
 entry.Specs = append(
 entry.Specs,
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go
index ba8f839322..9466bb6e1e 100644
--- a/npm/translatePolicy_test.go
+++ b/npm/translatePolicy_test.go
@@ -754,7 +754,8 @@ func TestTranslateIngress(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1032,7 +1033,8 @@ func TestTranslateEgress(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
+ Chain: util.IptablesAzureEgressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1182,7 +1184,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1199,7 +1202,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1436,7 +1440,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1453,7 +1458,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1567,7 +1573,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1584,7 +1591,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1727,7 +1735,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1744,7 +1753,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1889,7 +1899,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -1922,7 +1933,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2086,7 +2098,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2103,7 +2116,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2303,7 +2317,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2476,7 +2491,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2498,7 +2514,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2848,7 +2865,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
+ Chain: util.IptablesAzureEgressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -2865,7 +2883,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressToChain,
+ Chain: util.IptablesAzureEgressToChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3012,11 +3031,8 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesMatchSetFlag,
 util.GetHashedName("role:db"),
 util.IptablesDstFlag,
- util.IptablesModuleFlag,
- util.IptablesSetModuleFlag,
- util.IptablesMatchSetFlag,
- util.GetHashedName("ns-project:myproject"),
- util.IptablesSrcFlag,
+ util.IptablesSFlag,
+ "172.17.0.0/16",
 util.IptablesProtFlag,
 "TCP",
 util.IptablesDstPortFlag,
@@ -3026,50 +3042,50 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-ns-project:myproject-AND-TCP-PORT-6379-TO-role:db",
+ "ALLOW-172.17.0.0/16-:-TCP-PORT-6379-TO-role:db",
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressFromChain,
 Specs: []string{
+ util.IptablesSFlag,
+ "172.17.1.0/24",
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
 util.IptablesMatchSetFlag,
 util.GetHashedName("role:db"),
 util.IptablesDstFlag,
- util.IptablesModuleFlag,
- util.IptablesSetModuleFlag,
- util.IptablesMatchSetFlag,
- util.GetHashedName("role:frontend"),
- util.IptablesSrcFlag,
- util.IptablesProtFlag,
- "TCP",
- util.IptablesDstPortFlag,
- "6379",
 util.IptablesJumpFlag,
- util.IptablesAccept,
+ util.IptablesDrop,
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-role:frontend-AND-TCP-PORT-6379-TO-role:db",
+ "DROP-172.17.1.0/24-TO-role:db",
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressPortChain,
 Specs: []string{
- util.IptablesSFlag,
- "172.17.1.0/24",
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
 util.IptablesMatchSetFlag,
 util.GetHashedName("role:db"),
 util.IptablesDstFlag,
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("ns-project:myproject"),
+ util.IptablesSrcFlag,
+ util.IptablesProtFlag,
+ "TCP",
+ util.IptablesDstPortFlag,
+ "6379",
 util.IptablesJumpFlag,
- util.IptablesDrop,
+ util.IptablesAccept,
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "DROP-172.17.1.0/24-TO-role:db",
+ "ALLOW-ns-project:myproject-AND-TCP-PORT-6379-TO-role:db",
 },
 },
 &iptm.IptEntry{
@@ -3080,8 +3096,11 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesMatchSetFlag,
 util.GetHashedName("role:db"),
 util.IptablesDstFlag,
- util.IptablesSFlag,
- "172.17.0.0/16",
+ util.IptablesModuleFlag,
+ util.IptablesSetModuleFlag,
+ util.IptablesMatchSetFlag,
+ util.GetHashedName("role:frontend"),
+ util.IptablesSrcFlag,
 util.IptablesProtFlag,
 "TCP",
 util.IptablesDstPortFlag,
@@ -3091,11 +3110,12 @@ func TestTranslatePolicy(t *testing.T) {
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
- "ALLOW-172.17.0.0/16-:-TCP-PORT-6379-TO-role:db",
+ "ALLOW-role:frontend-AND-TCP-PORT-6379-TO-role:db",
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3111,7 +3131,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3149,7 +3170,8 @@ func TestTranslatePolicy(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
+ Chain: util.IptablesAzureEgressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3422,7 +3444,8 @@ func TestDropPrecedenceOverAllow(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressPortChain,
+ Chain: util.IptablesAzureIngressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3444,7 +3467,8 @@ func TestDropPrecedenceOverAllow(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureIngressFromChain,
+ Chain: util.IptablesAzureIngressFromChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3491,7 +3515,8 @@ func TestDropPrecedenceOverAllow(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressPortChain,
+ Chain: util.IptablesAzureEgressPortChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
@@ -3513,7 +3538,8 @@ func TestDropPrecedenceOverAllow(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureEgressToChain,
+ Chain: util.IptablesAzureEgressToChain,
+ IsJumpEntry: true,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,