NPM adhering to both ingress and egress rules #765
Codecov Report

```
@@            Coverage Diff             @@
##           master     #765      +/-   ##
==========================================
+ Coverage   41.43%   41.79%   +0.35%
==========================================
  Files         141      142       +1
  Lines       13461    13763     +302
==========================================
+ Hits         5578     5752     +174
- Misses       7191     7293     +102
- Partials      692      718      +26
```
Do we want to add a test case to hit this scenario? For example, ingress allows a certain packet but egress denies it; then the final result should be that the packet is denied. I think the test can be added in translatePolicy_test.go. Not sure whether our current tests already cover it, since I saw you also updated translatePolicy_test.go.
| IptablesAzureEgressToPodChain string = "AZURE-NPM-EGRESS-TO-POD" | ||
| // Below are the ctmark NPM will use for different criteria | ||
| IptablesAzureIngressMarkHex string = "0x2000" | ||
| IptablesAzureEgressXMarkHex string = "0x1000/0x1000" |
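Review bot: the comment above these constants calls them ctmark values, but the reply below clarifies they are skb mark values (the field the iptables MARK target writes), so the comment should say so and describe what each bit represents. It should also explain why IptablesAzureEgressXMarkHex carries a value/mask (`0x1000/0x1000`, which sets or matches only that bit) while IptablesAzureIngressMarkHex is a bare `0x2000`; mixing the two forms is easy to misread once a later rule checks both bits together.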
What does this ctmark mean?
Correcting this: it is not a connection tracker mark, but a mark field in the skb.
What is the difference between EgressX and Egress? Can you update the comments and explain the significance of these markers?
I guess you explained the difference in the Brownbag meeting; can you add a comment here as well explaining what all these marks represent?
@csfmomo Looks like the 2 policies are individually covered in our unit tests already, and with k8s e2e we will be covering them together, so I am skipping adding any new test cases. Let me know if you think otherwise.
tamilmani1989 left a comment:
I didn't do a detailed review as I don't have much context on this code. Looks like one big function; it should be broken up, maybe in a separate PR.
You should add more comments wherever you are changing it. I see you added them in a few places; can you add them wherever you can?
@tamilmani1989 Totally agree with cutting down the large functions translateIngressPolicy and translateEgressPolicy. I will log it as a separate WI.
Currently NPM accepts a packet if it hits at least one rule in either the ingress chain or the egress chain. This behavior had an obvious flaw: if ingress allowed a packet and egress blocked it, NPM would still let the packet through.
This change evaluates both INGRESS and EGRESS rules before accepting or taking a decision on a packet. NPM will now MARK a packet for ingress/egress and RETURN the MARKed packet. The packet is then accepted in the main chain only after all the ingress and egress rules have been processed.
Below is an example
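As an added illustration (not NPM's own code and not the example from the PR description), the following Python model puts the old "accept on either chain" behaviour beside the mark-and-return design described above, and renders the same policy as the iptables commands it implies. The mark values 0x2000 (ingress) and 0x1000/0x1000 (egress) come from the diff; the final accept condition 0x3000/0x3000, the ingress chain name, the main chain name, the sample addresses and the rule shapes are assumptions made for this example. The model keeps only allow rules in each chain and ignores NPM's handling of pods without any policy.

```python
"""Model of NPM's mark-and-return evaluation (added example, not NPM code)."""
from dataclasses import dataclass
from typing import List, Optional

INGRESS_MARK = 0x2000                     # IptablesAzureIngressMarkHex in the diff
EGRESS_MARK = 0x1000                      # IptablesAzureEgressXMarkHex, written as value/mask
BOTH_MARKS = INGRESS_MARK | EGRESS_MARK   # 0x3000: assumed condition for the final ACCEPT

# Chain names below other than AZURE-NPM-EGRESS-TO-POD are assumptions.
INGRESS_CHAIN = "AZURE-NPM-INGRESS-EXAMPLE"
EGRESS_CHAIN = "AZURE-NPM-EGRESS-TO-POD"
MAIN_CHAIN = "AZURE-NPM-MAIN-EXAMPLE"


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    mark: int = 0          # the skb mark, the field the iptables MARK target writes


@dataclass
class Rule:
    """An allow rule; a None field is a wildcard."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return all(want is None or want == have for want, have in
                   ((self.src, pkt.src), (self.dst, pkt.dst), (self.dport, pkt.dport)))


def old_behaviour(pkt: Packet, ingress: List[Rule], egress: List[Rule]) -> str:
    """Pre-PR semantics: accept as soon as any rule in either chain matches."""
    for rule in ingress + egress:
        if rule.matches(pkt):
            return "ACCEPT"
    return "DROP"


def mark_chain(pkt: Packet, rules: List[Rule], mark: int) -> Packet:
    """-j MARK --set-xmark mark/mark then RETURN: set one bit, never accept here."""
    for rule in rules:
        if rule.matches(pkt):
            pkt.mark |= mark
            break
    return pkt  # RETURN to the parent chain


def new_behaviour(pkt: Packet, ingress: List[Rule], egress: List[Rule]) -> str:
    """PR semantics: both chains run; the main chain accepts only with both bits set."""
    mark_chain(pkt, ingress, INGRESS_MARK)
    mark_chain(pkt, egress, EGRESS_MARK)
    if pkt.mark & BOTH_MARKS == BOTH_MARKS:   # -m mark --mark 0x3000/0x3000 -j ACCEPT
        return "ACCEPT"
    return "DROP"


def render_iptables(ingress: List[Rule], egress: List[Rule]) -> List[str]:
    """Render the model as iptables commands (value/mask form used for both marks)."""
    def match(rule: Rule) -> str:
        parts = []
        if rule.src:
            parts += ["-s", rule.src]
        if rule.dst:
            parts += ["-d", rule.dst]
        if rule.dport is not None:
            parts += ["-p", "tcp", "--dport", str(rule.dport)]
        return " ".join(parts)

    lines = []
    for chain, rules, mark in ((INGRESS_CHAIN, ingress, INGRESS_MARK),
                               (EGRESS_CHAIN, egress, EGRESS_MARK)):
        for rule in rules:
            lines.append(f"iptables -A {chain} {match(rule)} "
                         f"-j MARK --set-xmark {mark:#x}/{mark:#x}")
        lines.append(f"iptables -A {chain} -j RETURN")
    lines.append(f"iptables -A {MAIN_CHAIN} -j {INGRESS_CHAIN}")
    lines.append(f"iptables -A {MAIN_CHAIN} -j {EGRESS_CHAIN}")
    lines.append(f"iptables -A {MAIN_CHAIN} -m mark --mark {BOTH_MARKS:#x}/{BOTH_MARKS:#x} -j ACCEPT")
    lines.append(f"iptables -A {MAIN_CHAIN} -j DROP")
    return lines


if __name__ == "__main__":
    # Constructed sample: ingress to 10.0.0.2:80 is allowed, but pod 10.0.0.1
    # may only egress to 10.0.0.3. The old logic lets 10.0.0.1 -> 10.0.0.2 through.
    ingress = [Rule(dst="10.0.0.2", dport=80), Rule(dst="10.0.0.3")]
    egress = [Rule(src="10.0.0.1", dst="10.0.0.3")]
    pkt = Packet("10.0.0.1", "10.0.0.2", 80)
    print("old:", old_behaviour(pkt, ingress, egress), "new:", new_behaviour(pkt, ingress, egress))
    print("\n".join(render_iptables(ingress, egress)))
```

The point the model makes is that a MARK target sets one bit and returns instead of deciding, so a packet allowed by only one of the two chains reaches the main chain with a single bit set and never matches the combined `0x3000/0x3000` check.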