diff --git a/npm/iptm/helper.go b/npm/iptm/helper.go
index 96b39d3a8a..60320f8012 100755
--- a/npm/iptm/helper.go
+++ b/npm/iptm/helper.go
@@ -10,8 +10,10 @@ import (
 func getAllChainsAndRules() [][]string {
 funcList := []func() [][]string{
 getAzureNPMChainRules,
+ getAzureNPMIngressChainRules,
 getAzureNPMIngressPortChainRules,
 getAzureNPMIngressFromChainRules,
+ getAzureNPMEgressChainRules,
 getAzureNPMEgressPortChainRules,
 getAzureNPMEgressToChainRules,
 }
@@ -32,12 +34,12 @@ func getAzureNPMChainRules() [][]string {
 {
 util.IptablesAzureChain,
 util.IptablesJumpFlag,
- util.IptablesAzureIngressPortChain,
+ util.IptablesAzureIngressChain,
 },
 {
 util.IptablesAzureChain,
 util.IptablesJumpFlag,
- util.IptablesAzureEgressPortChain,
+ util.IptablesAzureEgressChain,
 },
 {
 util.IptablesAzureChain,
@@ -78,11 +80,6 @@ func getAzureNPMChainRules() [][]string {
 util.IptablesCommentFlag,
 fmt.Sprintf("ACCEPT-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
 },
- {
- util.IptablesAzureChain,
- util.IptablesJumpFlag,
- util.IptablesAzureTargetSetsChain,
- },
 {
 util.IptablesAzureChain,
 util.IptablesModuleFlag,
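Review bot: The evaluation order that getAzureNPMChainRules now encodes is load-bearing but undocumented: with the jump to AZURE-NPM-TARGET-SETS removed in the third hunk, the default drops are reached from inside the new AZURE-NPM-INGRESS and AZURE-NPM-EGRESS sub-chains, so a packet can be dropped in the ingress sub-chain before the egress rules or the ACCEPT-on-mark rules further down are ever consulted (assuming the sibling hunks in this file are what build those sub-chains). I would record that above the first jump, e.g. `// Order matters: AZURE-NPM-INGRESS and AZURE-NPM-EGRESS each RETURN on their own mark or fall through to their DROPS chain, so only packets that survived both reach the ACCEPT-on-mark rules below.` getAzureNPMChainRules starts before the second hunk and continues past the third, so the remaining rules of the chain are not visible here.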
@@ -99,6 +96,35 @@ func getAzureNPMChainRules() [][]string {
 }
 }
 
+// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMIngressChainRules() [][]string {
+ return [][]string{
+ {
+ util.IptablesAzureIngressChain,
+ util.IptablesJumpFlag,
+ util.IptablesAzureIngressPortChain,
+ },
+ {
+ util.IptablesAzureIngressChain,
+ util.IptablesJumpFlag,
+ util.IptablesReturn,
+ util.IptablesModuleFlag,
+ util.IptablesMarkVerb,
+ util.IptablesMarkFlag,
+ util.IptablesAzureIngressMarkHex,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
+ },
+ {
+ util.IptablesAzureIngressChain,
+ util.IptablesJumpFlag,
+ util.IptablesAzureIngressDropsChain,
+ },
+ }
+}
+
 // getAzureNPMIngressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMIngressPortChainRules() [][]string {
 return [][]string{
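Review bot: The doc comment on the new function is a copy-paste slip — `// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT` describes the port chain, while every rule it builds is installed in util.IptablesAzureIngressChain; it should read `// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS`. The chain is also asymmetric with its egress counterpart in the next hunk: egress RETURNs on both IptablesAzureAcceptMarkHex and its own mark before jumping to its DROPS chain, whereas ingress only RETURNs on IptablesAzureIngressMarkHex. If util.IptablesMarkFlag is a plain `--mark` with no mask the match is exact, so a packet entering this chain already carrying the combined accept mark would fall through to AZURE-NPM-INGRESS-DROPS. If that state is unreachable on the ingress path (ingress is jumped to first from AZURE-NPM), a one-line comment saying so would stop the next reader from "fixing" it; if it is reachable, the missing RETURN drops an allowed flow.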
@@ -137,6 +163,48 @@ func getAzureNPMIngressFromChainRules() [][]string { } } +// getAzureNPMEgressChainRules returns rules for AZURE-NPM-INGRESS-PORT +func getAzureNPMEgressChainRules() [][]string { + return [][]string{ + { + util.IptablesAzureEgressChain, + util.IptablesJumpFlag, + util.IptablesAzureEgressPortChain, + }, + { + util.IptablesAzureEgressChain, + util.IptablesJumpFlag, + util.IptablesReturn, + util.IptablesModuleFlag, + util.IptablesMarkVerb, + util.IptablesMarkFlag, + util.IptablesAzureAcceptMarkHex, + util.IptablesModuleFlag, + util.IptablesCommentModuleFlag, + util.IptablesCommentFlag, + fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex), + }, + { + util.IptablesAzureEgressChain, + util.IptablesJumpFlag, + util.IptablesReturn, + util.IptablesModuleFlag, + util.IptablesMarkVerb, + util.IptablesMarkFlag, + util.IptablesAzureEgressMarkHex, + util.IptablesModuleFlag, + util.IptablesCommentModuleFlag, + util.IptablesCommentFlag, + fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex), + }, + { + util.IptablesAzureEgressChain, + util.IptablesJumpFlag, + util.IptablesAzureEgressDropsChain, + }, + } +} + // getAzureNPMEgressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT func getAzureNPMEgressPortChainRules() [][]string { return [][]string{ diff --git a/npm/iptm/helper_test.go b/npm/iptm/helper_test.go index c495914a60..6f5386835a 100644 --- a/npm/iptm/helper_test.go +++ b/npm/iptm/helper_test.go @@ -9,7 +9,7 @@ import ( func TestGetAllChainsAndRules(t *testing.T) { allChainsandRules := getAllChainsAndRules() - parentNpmRulesCount := 7 + parentNpmRulesCount := 6 if len(allChainsandRules[0]) > 3 { t.Errorf("TestGetAllChainsAndRules failed @ INGRESS target check") diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go index ae6ad7379d..86281b56dd 100644 --- a/npm/iptm/iptm.go +++ b/npm/iptm/iptm.go 
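Review bot: The egress counterpart carries the same copy-paste doc comment — `// getAzureNPMEgressChainRules returns rules for AZURE-NPM-INGRESS-PORT` should be `// getAzureNPMEgressChainRules returns rules for AZURE-NPM-EGRESS`, since every rule it emits targets util.IptablesAzureEgressChain. The two RETURN rules are the interesting part of this chain and deserve a why-comment: as written, a packet that the port chain marked with the combined accept mark or the egress-only mark skips AZURE-NPM-EGRESS-DROPS, so an explicit allow always beats the default drop inside this chain, and a comment such as `// A marked (allowed) packet must never reach the DROPS chain; the exact-match RETURNs below enforce that.` records the intent. Note that the pre-existing comment on getAzureNPMEgressPortChainRules in the trailing context has the same wrong chain name, so a one-off fix of all three would keep the file consistent.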
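Review bot: In the helper_test.go hunk, `parentNpmRulesCount := 6` is a magic number that silently absorbs the removal of the jump to AZURE-NPM-TARGET-SETS, and nothing in the test says which rule went away or why the INGRESS/EGRESS jumps do not add to the count. A short comment beside it, e.g. `// AZURE-NPM: jump INGRESS, jump EGRESS, the mark ACCEPTs, and the tail rules; the TARGET-SETS jump is gone`, would make the next change to getAzureNPMChainRules traceable rather than a guess-and-adjust. The rest of TestGetAllChainsAndRules lies outside the hunk, so I cannot tell whether the new sub-chains get their own rule-count assertions.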
@@ -29,11 +29,14 @@ var ( // IptablesAzureChainList contains list of all NPM chains IptablesAzureChainList = []string{ util.IptablesAzureChain, + util.IptablesAzureIngressChain, + util.IptablesAzureEgressChain, util.IptablesAzureIngressPortChain, util.IptablesAzureIngressFromChain, util.IptablesAzureEgressPortChain, util.IptablesAzureEgressToChain, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, + util.IptablesAzureEgressDropsChain, } ) diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go index 62d72ec16b..288d309b35 100644 --- a/npm/translatePolicy.go +++ b/npm/translatePolicy.go @@ -799,13 +799,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain, ) entries = append(entries, entry) } else if addedIngressFromEntry { @@ -834,13 +834,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain, ) entries = append(entries, entry) } 
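Review bot: Dropping util.IptablesAzureTargetSetsChain from IptablesAzureChainList means whatever iterates this "list of all NPM chains" — creation, flush and presumably teardown — no longer sees the legacy AZURE-NPM-TARGET-SETS chain, so on an in-place upgrade from an older NPM that chain and its stale default-DROP rules are left behind unless a cleanup path I cannot see here references the constant directly. The const.go hunk keeps IptablesAzureTargetSetsChain with a "before v1.2.6" comment, which suggests exactly such a path is intended; a comment here, e.g. `// AZURE-NPM-TARGET-SETS (pre-v1.2.6) is intentionally absent: it is only flushed/deleted by upgrade cleanup, never (re)created.`, would tie the two together. The stale rules should be inert once AZURE-NPM is rebuilt without its jump to that chain, so this is hygiene rather than a bypass, but an orphaned chain full of DROP rules is the kind of thing that misleads the next incident responder.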
@@ -1491,13 +1491,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-FROM-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain, ) entries = append(entries, entry) } else if addedEgressToEntry { @@ -1526,13 +1526,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-FROM-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain, ) entries = append(entries, entry) } @@ -1554,7 +1554,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn if hasIngress { entry := &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: append([]string(nil), targetSelectorIngressIptEntrySpec...), } entry.Specs = append( @@ -1571,7 +1571,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn if hasEgress { entry := &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: append([]string(nil), targetSelectorEgressIptEntrySpec...), } entry.Specs = append( diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go index 1cb614b4da..f1e28c9f64 100644 --- a/npm/translatePolicy_test.go +++ b/npm/translatePolicy_test.go @@ -2,6 +2,7 @@ package npm import ( "encoding/json" + "fmt" "io/ioutil" "reflect" "testing" 
@@ -401,7 +402,7 @@ func TestGetDefaultDropEntries(t *testing.T) { expectedIptIngressEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -441,7 +442,7 @@ func TestGetDefaultDropEntries(t *testing.T) { expectedIptEgressEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -481,7 +482,7 @@ func TestGetDefaultDropEntries(t *testing.T) { expectedIptIngressEgressEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -508,7 +509,7 @@ func TestGetDefaultDropEntries(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -837,11 +838,12 @@ func TestTranslateIngress(t *testing.T) { util.GetHashedName("testNotIn:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-TO-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-%s", + util.IptablesAzureIngressDropsChain), }, }, } 
@@ -1148,11 +1150,12 @@ func TestTranslateEgress(t *testing.T) { util.GetHashedName("testNotIn:frontend"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-FROM-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-%s", + util.IptablesAzureEgressDropsChain), }, }, } @@ -1311,16 +1314,16 @@ func TestAllowBackendToFrontend(t *testing.T) { util.GetHashedName("app:backend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:backend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -1543,16 +1546,16 @@ func TestNamespaceToFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -1678,16 +1681,16 @@ func TestAllowAllNamespacesToAppFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -1828,16 +1831,16 @@ func TestAllowNamespaceDevToAppFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2014,16 +2017,16 @@ func TestAllowAllToK0AndK1AndAppFrontend(t *testing.T) { util.GetHashedName("k1:v1"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-AND-!k0-AND-k1:v0-AND-k1:v1-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -2174,16 +2177,16 @@ func TestAllowNsDevAndAppBackendToAppFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2357,15 +2360,15 @@ func TestAllowBackendToFrontendPort8000(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -2474,15 +2477,15 @@ func TestAllowBackendToFrontendWithMissingPort(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2681,15 +2684,15 @@ func TestAllowMultipleLabelsToMultipleLabels(t *testing.T) { util.GetHashedName("team:aks"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:k8s-AND-team:aks-IN-ns-acn-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-app:k8s-AND-team:aks-IN-ns-acn-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2828,11 +2831,12 @@ func TestAllowAllFromAppBackend(t *testing.T) { util.GetHashedName("app:backend"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-app:backend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-FROM-app:backend-IN-ns-testnamespace-TO-JUMP-TO-%s", + util.IptablesAzureEgressDropsChain), }, }, } 
@@ -3031,15 +3035,15 @@ func TestAllowAppFrontendToTCPPort53UDPPort53Policy(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-FROM-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureEgressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3263,11 +3267,11 @@ func TestComplexPolicy(t *testing.T) { util.GetHashedName("role:db"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ @@ -3339,15 +3343,15 @@ func TestComplexPolicy(t *testing.T) { util.GetHashedName("role:db"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-FROM-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureEgressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -3368,7 +3372,7 @@ func TestComplexPolicy(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3535,7 +3539,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3685,11 +3689,12 @@ func TestDropPrecedenceOverAllow(t *testing.T) { util.GetHashedName("testIn:pod-A"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-TO-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-%s", + util.IptablesAzureIngressDropsChain), }, }, &iptm.IptEntry{ @@ -3773,15 +3778,16 @@ func TestDropPrecedenceOverAllow(t *testing.T) { util.GetHashedName("testIn:pod-A"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-FROM-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-%s", + util.IptablesAzureEgressDropsChain), }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -3807,7 +3813,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3925,15 +3931,16 @@ func TestNamedPorts(t *testing.T) { util.GetHashedName("app:server"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:server-IN-ns-test-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-TO-app:server-IN-ns-test-TO-JUMP-TO-%s", + util.IptablesAzureIngressDropsChain), }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, diff --git a/npm/util/const.go b/npm/util/const.go index 4678b8ed3e..48b4cef362 100644 --- a/npm/util/const.go +++ b/npm/util/const.go 
@@ -65,16 +65,21 @@ const (
 IptablesCommentModuleFlag string = "comment"
 IptablesCommentFlag string = "--comment"
 IptablesAddCommentFlag
- IptablesAzureChain string = "AZURE-NPM"
- IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
- IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
- IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
- IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
- IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
- IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
- IptablesKubeServicesChain string = "KUBE-SERVICES"
- IptablesForwardChain string = "FORWARD"
- IptablesInputChain string = "INPUT"
+ IptablesAzureChain string = "AZURE-NPM"
+ IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
+ IptablesAzureIngressChain string = "AZURE-NPM-INGRESS"
+ IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
+ IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
+ IptablesAzureEgressChain string = "AZURE-NPM-EGRESS"
+ IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
+ IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
+ IptablesKubeServicesChain string = "KUBE-SERVICES"
+ IptablesForwardChain string = "FORWARD"
+ IptablesInputChain string = "INPUT"
+ IptablesAzureIngressDropsChain string = "AZURE-NPM-INRGESS-DROPS"
+ IptablesAzureEgressDropsChain string = "AZURE-NPM-EGRESS-DROPS"
+ // Below chain exists only in NPM before v1.2.6
+ IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
 // Below chains exists only for before Azure-NPM:v1.0.27
 // and should be removed after a baking period.
 IptablesAzureIngressFromNsChain string = "AZURE-NPM-INGRESS-FROM-NS"
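Review bot: The new chain name is misspelled — `IptablesAzureIngressDropsChain string = "AZURE-NPM-INRGESS-DROPS"` should be `IptablesAzureIngressDropsChain string = "AZURE-NPM-INGRESS-DROPS"`, matching its egress twin and the AZURE-NPM-INGRESS* naming of every other chain. The constant is used consistently, so rules still land in the right chain, but the typo becomes a live iptables chain name and is baked into the "ALLOW-ALL-…-TO-JUMP-TO-%s" rule comments that translatePolicy.go emits; correcting it later is a chain rename that needs its own upgrade cleanup, as the retained IptablesAzureTargetSetsChain already demonstrates, so it is cheapest to fix before it ships. The "Below chain exists only in NPM before v1.2.6" comment would also help more if it said what still references the constant (cleanup only) and when it can go; the const block continues past this hunk.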