From fb42eea9776fd5155c96c2d13bdcc3d5f13ef0af Mon Sep 17 00:00:00 2001
From: Shufang
Date: Sun, 28 Jun 2020 22:33:05 -0700
Subject: [PATCH 1/2] Add logic to deal with 0.0.0.0/0 which ipset not support.

---
 npm/nwpolicy.go | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/npm/nwpolicy.go b/npm/nwpolicy.go
index b444c05f4d..ff96b7012d 100644
--- a/npm/nwpolicy.go
+++ b/npm/nwpolicy.go
@@ -211,8 +211,19 @@ func createCidrsRule(ingressOrEgress, policyName, ns string, ipsetEntries [][]st
 log.Printf("Error creating ipset %s", ipCidrSet)
 }
 for _, ipCidrEntry := range util.DropEmptyFields(ipCidrSet) {
- if err := ipsMgr.AddToSet(setName, ipCidrEntry, util.IpsetNetHashFlag); err != nil {
- log.Printf("Error adding ip cidrs %s into ipset %s", ipCidrEntry, ipCidrSet)
+ // Ipset doesn't allow 0.0.0.0/0 to be added. A general solution is split 0.0.0.0/1 in half which convert to
+ // 1.0.0.0/1 and 128.0.0.0/1
+ if (ipCidrEntry == "0.0.0.0/0") {
+ splitEntry := [2]string{"1.0.0.0/1", "128.0.0.0/1"}
+ for _, entry := range splitEntry {
+ if err := ipsMgr.AddToSet(setName, entry, util.IpsetNetHashFlag); err != nil {
+ log.Printf("Error adding ip cidrs %s into ipset %s", entry, ipCidrSet)
+ }
+ }
+ } else {
+ if err := ipsMgr.AddToSet(setName, ipCidrEntry, util.IpsetNetHashFlag); err != nil {
+ log.Printf("Error adding ip cidrs %s into ipset %s", ipCidrEntry, ipCidrSet)
+ }
 }
 }
 }

From 9b7ba85268dc70aec9336fb90d019424b2fc585f Mon Sep 17 00:00:00 2001
From: Shufang
Date: Tue, 7 Jul 2020 17:56:38 -0700
Subject: [PATCH 2/2] Add unit test for checking 0.0.0.0/0 ipset entry logic.

---
 npm/nwpolicy_test.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/npm/nwpolicy_test.go b/npm/nwpolicy_test.go
index 892fa71fb7..afb0432d99 100644
--- a/npm/nwpolicy_test.go
+++ b/npm/nwpolicy_test.go
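Review bot: The new comment misstates what is being split — it should read `// ipset hash:net does not accept a /0 prefix, so 0.0.0.0/0 is added as its two /1 halves instead` — and the first half is spelled `1.0.0.0/1`, whose network address is really 0.0.0.0/1; if the real ipset masks the host bits that is harmless, but the literal must then stay in step with the string the unit test looks up, so a one-line comment on `splitEntry` saying why this non-canonical form was chosen would help the next reader. Both branches repeat the same AddToSet/log pair; building the entry list first and keeping a single add loop removes the duplication and the `if (...)` parentheses that gofmt would drop. As before, a failed add is only logged, so if one half fails the set ends up allowing only half the range, which is worth stating in the comment since the log line alone does not tell an operator that the policy is partially programmed. If IPv6 blocks ever reach this path, `::/0` would presumably hit the same ipset limit and need the same treatment. createCidrsRule starts and ends outside the hunk.
```go
for _, ipCidrEntry := range util.DropEmptyFields(ipCidrSet) {
	// ipset hash:net does not accept a /0 prefix, so 0.0.0.0/0 is
	// added as its two /1 halves instead. A failed add is only logged,
	// so the set may then cover only part of the intended range.
	entries := []string{ipCidrEntry}
	if ipCidrEntry == "0.0.0.0/0" {
		entries = []string{"1.0.0.0/1", "128.0.0.0/1"}
	}
	for _, entry := range entries {
		if err := ipsMgr.AddToSet(setName, entry, util.IpsetNetHashFlag); err != nil {
			log.Printf("Error adding ip cidrs %s into ipset %s", entry, ipCidrSet)
		}
	}
}
```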
@@ -77,11 +77,18 @@ func TestAddNetworkPolicy(t *testing.T) {
 Spec: networkingv1.NetworkPolicySpec{
 Ingress: []networkingv1.NetworkPolicyIngressRule{
 networkingv1.NetworkPolicyIngressRule{
- From: []networkingv1.NetworkPolicyPeer{{
- PodSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{"app": "test"},
+ From: []networkingv1.NetworkPolicyPeer{
+ networkingv1.NetworkPolicyPeer{
+ PodSelector: &metav1.LabelSelector{
+ MatchLabels: map[string]string{"app": "test"},
+ },
 },
- }},
+ networkingv1.NetworkPolicyPeer{
+ IPBlock: &networkingv1.IPBlock{
+ CIDR: "0.0.0.0/0",
+ },
+ },
+ },
 Ports: []networkingv1.NetworkPolicyPort{{
 Protocol: &tcp,
 Port: &port8000,
@@ -98,6 +105,17 @@ func TestAddNetworkPolicy(t *testing.T) {
 }
 npMgr.Unlock()
+ ipsMgr = npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
+
+ // Check whether 0.0.0.0/0 got translated to 1.0.0.0/1 and 128.0.0.0/1
+ if ! ipsMgr.Exists("allow-ingress-in-ns-test-nwpolicy-0in", "1.0.0.0/1", util.IpsetNetHashFlag) {
+ t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
+ }
+
+ if ! ipsMgr.Exists("allow-ingress-in-ns-test-nwpolicy-0in", "128.0.0.0/1", util.IpsetNetHashFlag) {
+ t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
+ }
+
 allowEgress := &networkingv1.NetworkPolicy{
 ObjectMeta: metav1.ObjectMeta{
 Name: "allow-egress",
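Review bot: The two `t.Errorf` messages in the second hunk read `TestDeleteFromSet failed @ ipsMgr.AddToSet`, which names a different test and does not say which entry was missing, so a failure here would send a reader to the wrong place; use `t.Errorf("TestAddNetworkPolicy failed: expected %s in ipset %s", "1.0.0.0/1", "allow-ingress-in-ns-test-nwpolicy-0in")` and the same with `128.0.0.0/1` for the second check. `if ! ipsMgr.Exists(` is not gofmt output; write `if !ipsMgr.Exists(`. The checks only prove the two halves were added; if this ipsMgr records entries as given, also asserting that `0.0.0.0/0` itself is absent from the set would pin the translation rather than just the addition. TestAddNetworkPolicy begins before the hunk and continues past it.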