diff --git a/npm/ipsm/ipsm.go b/npm/ipsm/ipsm.go index 8acfb27855..b2564958ce 100644 --- a/npm/ipsm/ipsm.go +++ b/npm/ipsm/ipsm.go @@ -6,6 +6,7 @@ package ipsm import ( "os" "os/exec" + "regexp" "strings" "syscall" @@ -70,12 +71,12 @@ func (ipsMgr *IpsetManager) Exists(key string, val string, kind string) bool { // SetExists checks whehter an ipset exists. func (ipsMgr *IpsetManager) SetExists(setName, kind string) bool { - m := ipsMgr.setMap - if kind == util.IpsetSetListFlag { - m = ipsMgr.listMap - } - _, exists := m[setName] - return exists + m := ipsMgr.setMap + if kind == util.IpsetSetListFlag { + m = ipsMgr.listMap + } + _, exists := m[setName] + return exists } func isNsSet(setName string) bool { 
@@ -459,4 +460,73 @@ func (ipsMgr *IpsetManager) Restore(configFile string) error { //TODO based on the set name and number of entries in the config file, update IPSetInventory return nil -} \ No newline at end of file +} + +// DestroyNpmIpsets destroys only ipsets created by NPM +func (ipsMgr *IpsetManager) DestroyNpmIpsets() error { + + cmdName := util.Ipset + cmdArgs := util.IPsetCheckListFlag + + reply, err := exec.Command(cmdName, cmdArgs).Output() + if msg, failed := err.(*exec.ExitError); failed { + errCode := msg.Sys().(syscall.WaitStatus).ExitStatus() + if errCode > 0 { + metrics.SendErrorMetric(util.IpsmID, "{DestroyNpmIpsets} Error: There was an error running command: [%s] Stderr: [%v, %s]", cmdName, err, strings.TrimSuffix(string(msg.Stderr), "\n")) + } + + return err + } + if reply == nil { + metrics.SendErrorMetric(util.IpsmID, "{DestroyNpmIpsets} Received empty string from ipset list while destroying azure-npm ipsets") + return nil + } + + log.Logf("{DestroyNpmIpsets} Reply from command %s executed is %s", cmdName+" "+cmdArgs, reply) + re := regexp.MustCompile("Name: (" + util.AzureNpmPrefix + "\\d+)") + ipsetRegexSlice := re.FindAllSubmatch(reply, -1) + + if len(ipsetRegexSlice) == 0 { + log.Logf("No Azure-NPM IPsets are found in the Node.") + return nil + } + + ipsetLists := make([]string, 0) + for _, matchedItem := range ipsetRegexSlice { + if len(matchedItem) == 2 { + itemString := string(matchedItem[1]) + if strings.Contains(itemString, util.AzureNpmFlag) { + ipsetLists = append(ipsetLists, itemString) + } + } + } + + if len(ipsetLists) == 0 { + return nil + } + + entry := &ipsEntry{ + operationFlag: util.IpsetFlushFlag, + } + + for _, ipsetName := range ipsetLists { + entry := &ipsEntry{ + operationFlag: util.IpsetFlushFlag, + set: ipsetName, + } + + if _, err := ipsMgr.Run(entry); err != nil { + metrics.SendErrorMetric(util.IpsmID, "{DestroyNpmIpsets} Error: failed to flush ipset %s", ipsetName) + } + } + + for _, ipsetName := range ipsetLists 
{ + entry.operationFlag = util.IpsetDestroyFlag + entry.set = ipsetName + if _, err := ipsMgr.Run(entry); err != nil { + metrics.SendErrorMetric(util.IpsmID, "{DestroyNpmIpsets} Error: failed to destroy ipset %s", ipsetName) + } + } + + return nil +} diff --git a/npm/ipsm/ipsm_test.go b/npm/ipsm/ipsm_test.go index b5a21115fe..405075b39a 100644 --- a/npm/ipsm/ipsm_test.go +++ b/npm/ipsm/ipsm_test.go @@ -521,6 +521,28 @@ func TestRun(t *testing.T) { } } +func TestDestroyNpmIpsets(t *testing.T) { + ipsMgr := NewIpsetManager() + + err := ipsMgr.CreateSet("azure-npm-123456", []string{"nethash"}) + if err != nil { + t.Errorf("TestDestroyNpmIpsets failed @ ipsMgr.CreateSet") + t.Errorf(err.Error()) + } + + err = ipsMgr.CreateSet("azure-npm-56543", []string{"nethash"}) + if err != nil { + t.Errorf("TestDestroyNpmIpsets failed @ ipsMgr.CreateSet") + t.Errorf(err.Error()) + } + + err = ipsMgr.DestroyNpmIpsets() + if err != nil { + t.Errorf("TestDestroyNpmIpsets failed @ ipsMgr.DestroyNpmIpsets") + t.Errorf(err.Error()) + } +} + func TestMain(m *testing.M) { metrics.InitializeAll() ipsMgr := NewIpsetManager() diff --git a/npm/npm.go b/npm/npm.go index df6530e409..5d39be79a1 100644 --- a/npm/npm.go +++ b/npm/npm.go @@ -11,6 +11,7 @@ import ( "github.com/Azure/azure-container-networking/aitelemetry" "github.com/Azure/azure-container-networking/log" + "github.com/Azure/azure-container-networking/npm/ipsm" "github.com/Azure/azure-container-networking/npm/iptm" "github.com/Azure/azure-container-networking/npm/metrics" "github.com/Azure/azure-container-networking/npm/util" @@ -188,6 +189,9 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in iptMgr := iptm.NewIptablesManager() iptMgr.UninitNpmChains() + log.Logf("Azure-NPM creating, cleaning existing Azure NPM IPSets") + ipsm.NewIpsetManager().DestroyNpmIpsets() + var ( podInformer = informerFactory.Core().V1().Pods() nsInformer = informerFactory.Core().V1().Namespaces() 
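Review bot: In `DestroyNpmIpsets`, an error from `exec.Command(...).Output()` that is not an `*exec.ExitError` (for example the ipset binary missing from PATH) falls through the type assertion, `reply` is nil, and the function logs an empty list and returns nil, so the caller believes the clean-up succeeded. The flush and destroy loops likewise only emit a metric; a set that could not be destroyed keeps its old members and may be picked up again by later rules, so at least the first failure should be returned. The pattern is unanchored and interpolates `util.AzureNpmPrefix` unescaped, so a longer name that merely begins with prefix-plus-digits is truncated to a different set name before it is flushed and destroyed. The outer `entry` is shadowed inside the flush loop and then mutated in the destroy loop; building one `ipsEntry` per call would be clearer.

```go
	reply, err := exec.Command(cmdName, cmdArgs).Output()
	if err != nil {
		// Any failure ends the clean-up: a missing binary is reported the same way as a non-zero exit.
		stderr := ""
		if exitErr, ok := err.(*exec.ExitError); ok {
			stderr = strings.TrimSuffix(string(exitErr.Stderr), "\n")
		}
		metrics.SendErrorMetric(util.IpsmID, "{DestroyNpmIpsets} Error: There was an error running command: [%s] Stderr: [%v, %s]", cmdName, err, stderr)
		return err
	}
	// … unchanged: empty-reply check and reply logging …
	// Match whole "Name:" lines only, with the prefix taken literally.
	re := regexp.MustCompile("(?m)^Name: (" + regexp.QuoteMeta(util.AzureNpmPrefix) + "\\d+)$")
	// … unchanged: collecting ipsetLists, flush loop, destroy loop …
```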
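Review bot: `TestDestroyNpmIpsets` can only fail on `CreateSet`, because `DestroyNpmIpsets` returns nil even when a flush or destroy command fails; the test never checks that the two sets are actually gone. After the call, assert that neither set is still listed on the node. `t.Errorf(err.Error())` passes the error text as a format string, which `go vet` flags; `t.Fatalf("CreateSet: %v", err)` avoids that and stops the test before the next step runs on a broken state.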
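Review bot: The error returned by `ipsm.NewIpsetManager().DestroyNpmIpsets()` is discarded, so a failed start-up clean-up is invisible here and the manager continues on top of whatever sets were left on the node. Check it, e.g. `if err := ipsm.NewIpsetManager().DestroyNpmIpsets(); err != nil { log.Logf("Azure-NPM failed to clean existing IPSets: %v", err) }`, and decide whether start-up should continue in that case. The call relies on `iptMgr.UninitNpmChains()` having removed every rule that references these sets, since a set still referenced by a rule cannot be destroyed; a short comment stating that ordering would help. `NewNetworkPolicyManager` starts and ends outside the hunk.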
diff --git a/npm/pod.go b/npm/pod.go index 64ad54c22e..1c2a11560c 100644 --- a/npm/pod.go +++ b/npm/pod.go @@ -92,7 +92,14 @@ func (npMgr *NetworkPolicyManager) AddPod(podObj *corev1.Pod) error { case v1.ProtocolSCTP: protocol = util.IpsetSCTPFlag } - ipsMgr.AddToSet(port.Name, fmt.Sprintf("%s,%s%d", podIP, protocol, port.ContainerPort), util.IpsetIPPortHashFlag, podUid) + namedPortname := util.NamedPortIPSetPrefix + port.Name + ipsMgr.AddToSet( + namedPortname, + fmt.Sprintf("%s,%s%d", podIP, protocol, port.ContainerPort), + util.IpsetIPPortHashFlag, + podUid, + ) + } } } @@ -209,7 +216,12 @@ func (npMgr *NetworkPolicyManager) DeletePod(podObj *corev1.Pod) error { case v1.ProtocolSCTP: protocol = util.IpsetSCTPFlag } - ipsMgr.DeleteFromSet(port.Name, fmt.Sprintf("%s,%s%d", cachedPodIp, protocol, port.ContainerPort), podUid) + namedPortname := util.NamedPortIPSetPrefix + port.Name + ipsMgr.DeleteFromSet( + namedPortname, + fmt.Sprintf("%s,%s%d", cachedPodIp, protocol, port.ContainerPort), + podUid, + ) } } } diff --git a/npm/pod_test.go b/npm/pod_test.go index 057d996b09..2f114ba55d 100644 --- a/npm/pod_test.go +++ b/npm/pod_test.go @@ -70,6 +70,18 @@ func TestAddPod(t *testing.T) { Phase: "Running", PodIP: "1.2.3.4", }, + Spec: corev1.PodSpec{ + Containers: []corev1.Container{ + corev1.Container{ + Ports: []corev1.ContainerPort{ + corev1.ContainerPort{ + Name: "app:test-pod", + ContainerPort: 8080, + }, + }, + }, + }, + }, } npMgr.Lock() diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go index 4e8eef1cc9..3c70cc835c 100644 --- a/npm/translatePolicy.go +++ b/npm/translatePolicy.go 
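Review bot: The result of `ipsMgr.AddToSet(...)` in `AddPod` is still dropped after the rewrite, and the same holds for `ipsMgr.DeleteFromSet(...)` in the `DeletePod` hunk at -209. A failed delete would leave the pod's old `ip,port` entry in the named-port set, where an allow rule keeps matching it. Presumably both calls return an error as `CreateSet` does (their declarations are outside this diff); if so, handle it, e.g. `if err := ipsMgr.AddToSet(...); err != nil { return err }`. The blank line added before the closing brace in `AddPod` can go, and both functions continue outside the hunks.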
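Review bot: The port name `"app:test-pod"` is not one a real pod can carry, since container port names must be IANA service names (at most 15 characters, lower-case alphanumerics and `-`), so the fixture exercises a value the API server would reject. A name such as `Name: "serve-80"`, the one already used in `TestNamedPorts`, would be realistic. The hunk also adds no assertion that `AddPod` created the set under `util.NamedPortIPSetPrefix + port.Name`, which is the behaviour this change introduces. `TestAddPod` continues outside the hunk.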
@@ -38,6 +38,15 @@ func craftPartialIptEntrySpecFromPort(portRule networkingv1.NetworkPolicyPort, s return partialSpec } +func getPortType(portRule networkingv1.NetworkPolicyPort) string { + if portRule.Port == nil || portRule.Port.IntValue() != 0 { + return "validport" + } else if portRule.Port.IntValue() == 0 && portRule.Port.String() != "" { + return "namedport" + } + return "invalid" +} + func craftPartialIptablesCommentFromPort(portRule networkingv1.NetworkPolicyPort, sPortOrDPortFlag string) string { partialComment := "" if portRule.Protocol != nil { @@ -231,8 +240,9 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS // Only Ports rules exist if portRuleExists && !fromRuleExists && !allowExternal { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, @@ -255,7 +265,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, Specs: craftPartialIptEntrySpecFromPort(portRule, util.IptablesDstPortFlag), @@ -273,6 +283,8 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } continue 
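Review bot: `getPortType` classifies by `IntValue()`, which returns 0 both for a non-numeric string and for a numeric port of 0, so `Port: 0` is reported as `"namedport"` with the name "0", while out-of-range numbers such as -1 or 70000 are reported as `"validport"`. The API server normally rejects such values, but the translator should not depend on that: branch on the declared kind, `portRule.Port.Type == intstr.String`, and range-check the integer case against 1–65535 before returning `"validport"` (the `intstr` import would be needed in the import block outside this hunk). The three result strings are compared at ten `switch` sites; unexported constants such as `const namedPort = "namedport"` would let the compiler catch a typo. The function has no doc comment; one line stating that a nil `Port` means "all ports" and is therefore treated as valid would explain the first condition.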
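Review bot: The `default` branch added at -273 logs `"Invalid NetworkPolicyPort."` with no policy, namespace or port value, and the same line is repeated in the `default` branches of the other nine switches in `translateIngress` and `translateEgress` (hunks -358, -466, -560, -677, -911, -996, -1110, -1204, -1321). Since the rule is then left out of the translated policy, the operator needs to know which policy was affected: `log.Logf("Invalid NetworkPolicyPort %q in policy %s/%s, rule skipped", portRule.Port.String(), ns, policyName)`. `portRule.Port` is non-nil in this branch because `getPortType` returns `"validport"` for nil. The enclosing functions start and end outside these hunks.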
@@ -288,7 +300,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS if len(fromRule.IPBlock.Except) > 0 { for _, except := range fromRule.IPBlock.Except { // TODO move IP cidrs rule to allow based only - ipCidrs[i] = append(ipCidrs[i], except + util.IpsetNomatch) + ipCidrs[i] = append(ipCidrs[i], except+util.IpsetNomatch) } addedIngressFromEntry = true } @@ -297,8 +309,9 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS } if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, @@ -329,7 +342,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) fromRuleEntries = append(fromRuleEntries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, Specs: append([]string(nil), targetSelectorIptEntrySpec...), @@ -358,6 +371,8 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) fromRuleEntries = append(fromRuleEntries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { 
@@ -413,8 +428,9 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS iptPartialNsComment := craftPartialIptablesCommentFromSelector("", fromRule.NamespaceSelector, true) if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, @@ -441,7 +457,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, Specs: append([]string(nil), targetSelectorIptEntrySpec...), @@ -466,6 +482,8 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { @@ -507,8 +525,9 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS iptPartialPodComment := craftPartialIptablesCommentFromSelector(ns, fromRule.PodSelector, false) if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, 
@@ -535,7 +554,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, Specs: append([]string(nil), targetSelectorIptEntrySpec...), @@ -560,6 +579,8 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { @@ -614,8 +635,9 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS iptPartialPodComment := craftPartialIptablesCommentFromSelector("", fromRule.PodSelector, false) if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, @@ -647,7 +669,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureIngressPortChain, Specs: append([]string(nil), iptPartialNsSpec...), @@ -677,6 +699,8 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS "-TO-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { 
@@ -869,8 +893,9 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe // Only Ports rules exist if portRuleExists && !toRuleExists && !allowExternal { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, @@ -893,7 +918,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, Specs: craftPartialIptEntrySpecFromPort(portRule, util.IptablesDstPortFlag), @@ -911,6 +936,8 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } continue @@ -935,8 +962,9 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe } if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, 
@@ -967,7 +995,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) toRuleEntries = append(toRuleEntries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, Specs: craftPartialIptEntrySpecFromPort(portRule, util.IptablesDstPortFlag), @@ -984,7 +1012,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe util.GetHashedName(cidrIpsetName), util.IptablesDstFlag, ) - entry.Specs = append( + entry.Specs = append( entry.Specs, util.IptablesJumpFlag, util.IptablesAccept, @@ -996,6 +1024,8 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) toRuleEntries = append(toRuleEntries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { @@ -1057,8 +1087,9 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe iptPartialNsComment := craftPartialIptablesCommentFromSelector("", toRule.NamespaceSelector, true) if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, @@ -1085,7 +1116,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, Specs: append([]string(nil), iptPartialNsSpec...), 
@@ -1110,6 +1141,8 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { @@ -1151,8 +1184,9 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe iptPartialPodComment := craftPartialIptablesCommentFromSelector(ns, toRule.PodSelector, false) if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, @@ -1179,7 +1213,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, Specs: append([]string(nil), iptPartialPodSpec...), @@ -1204,6 +1238,8 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-FROM-"+targetSelectorComment, ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { @@ -1258,8 +1294,9 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe iptPartialPodComment := craftPartialIptablesCommentFromSelector("", toRule.PodSelector, false) if portRuleExists { for _, portRule := range rule.Ports { - if portRule.Port != nil && portRule.Port.IntValue() == 0 { - portName := portRule.Port.String() + switch portCheck := getPortType(portRule); portCheck { + case "namedport": + portName := util.NamedPortIPSetPrefix + portRule.Port.String() namedPorts = append(namedPorts, portName) entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, 
@@ -1291,7 +1328,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-AND-"+craftPartialIptablesCommentFromPort(portRule, util.IptablesDstPortFlag), ) entries = append(entries, entry) - } else { + case "validport": entry := &iptm.IptEntry{ Chain: util.IptablesAzureEgressPortChain, Specs: append([]string(nil), targetSelectorIptEntrySpec...), @@ -1321,6 +1358,8 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe "-AND-"+craftPartialIptablesCommentFromPort(portRule, util.IptablesDstPortFlag), ) entries = append(entries, entry) + default: + log.Logf("Invalid NetworkPolicyPort.") } } } else { diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go index 236de93e46..66e09c398e 100644 --- a/npm/translatePolicy_test.go +++ b/npm/translatePolicy_test.go @@ -547,7 +547,7 @@ func TestGetDefaultDropEntries(t *testing.T) { func TestTranslateIngress(t *testing.T) { ns := "testnamespace" - name := "testnetworkpolicyname" + name := "testnetworkpolicyname" targetSelector := metav1.LabelSelector{ MatchLabels: map[string]string{ "context": "dev", @@ -3057,15 +3057,15 @@ func TestComplexPolicy(t *testing.T) { t.Errorf("expectedLists: %v", expectedLists) } - expectedIngressIPCidrs := [][]string { + expectedIngressIPCidrs := [][]string{ {"", "", "", "172.17.0.0/16", "172.17.1.0/24nomatch"}, } - expectedEgressIPCidrs := [][]string { + expectedEgressIPCidrs := [][]string{ {"", "10.0.0.0/24", "10.0.0.1/32nomatch"}, } - if !reflect.DeepEqual(ingressIPCidrs, expectedIngressIPCidrs) || !reflect.DeepEqual(ingressIPCidrsDiffOrder, expectedIngressIPCidrs){ + if !reflect.DeepEqual(ingressIPCidrs, expectedIngressIPCidrs) || !reflect.DeepEqual(ingressIPCidrsDiffOrder, expectedIngressIPCidrs) { t.Errorf("translatedPolicy failed @ k8s-example-policy ingress IP Cidrs comparison") t.Errorf("ingress IP Cidrs: %v", ingressIPCidrs) t.Errorf("expected ingress IP Cidrs: %v", expectedIngressIPCidrs) 
@@ -3807,7 +3807,7 @@ func TestNamedPorts(t *testing.T) { } expectedNamedPorts := []string{ - "serve-80", + "namedport:serve-80", } if !reflect.DeepEqual(namedPorts, expectedNamedPorts) { t.Errorf("translatedPolicy failed @ ALLOW-ALL-TCP-PORT-serve-80-TO-app:server-IN-ns-test-policy namedPorts comparison") @@ -3840,7 +3840,7 @@ func TestNamedPorts(t *testing.T) { util.IptablesModuleFlag, util.IptablesSetModuleFlag, util.IptablesMatchSetFlag, - util.GetHashedName("serve-80"), + util.GetHashedName("namedport:serve-80"), util.IptablesDstFlag + "," + util.IptablesDstFlag, util.IptablesJumpFlag, util.IptablesAccept, diff --git a/npm/util/const.go b/npm/util/const.go index e553b4e683..0e0e9319ab 100644 --- a/npm/util/const.go +++ b/npm/util/const.go @@ -109,6 +109,9 @@ const ( IpsetMaxelemNum string = "4294967295" IpsetNomatch string = "nomatch" + + //Prefixes for ipsets + NamedPortIPSetPrefix string = "namedport:" ) //NPM telemetry constants.
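Review bot: The updated expectations cover only the happy path `"namedport:serve-80"`; nothing in this diff tests `getPortType` directly or the new `default` branch of the switches. A small table test for a nil port, a numeric port, a numeric string, a name, an empty string and 0 would pin the classification that the ten switch sites depend on. `TestNamedPorts` continues outside the hunks.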
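Review bot: The comment `//Prefixes for ipsets` does not say what `NamedPortIPSetPrefix` protects against. If label-based sets are named `key:value`, as strings such as `app:server` in the test comments suggest, a pod label with key `namedport` and a port name as its value would produce the same set name as a named-port set, and both would resolve to one hashed ipset; this is inferred, since the label naming code is outside the diff. Either document why that collision cannot happen or choose a prefix that a label key cannot produce. Suggested comment: `// NamedPortIPSetPrefix namespaces ipsets built from container port names so they cannot clash with label or namespace set names.`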