From b596f03bc43bd613d20a0724a8c975de53cbf8ae Mon Sep 17 00:00:00 2001
From: vakr
Date: Tue, 23 Feb 2021 14:49:15 -0800
Subject: [PATCH 1/5] Changed init NPM chains with new chains
---
 npm/iptm/helper.go | 82 ++++++++++++++++++++++++++++++++++++++++++----
 npm/iptm/iptm.go | 5 ++-
 npm/util/const.go | 25 ++++++++------
 3 files changed, 94 insertions(+), 18 deletions(-)
diff --git a/npm/iptm/helper.go b/npm/iptm/helper.go
index 96b39d3a8a..92ed50e88c 100755
--- a/npm/iptm/helper.go
+++ b/npm/iptm/helper.go
@@ -10,8 +10,10 @@ import (
 func getAllChainsAndRules() [][]string {
 funcList := []func() [][]string{
 getAzureNPMChainRules,
+ getAzureNPMIngressChainRules,
 getAzureNPMIngressPortChainRules,
 getAzureNPMIngressFromChainRules,
+ getAzureNPMEgressChainRules,
 getAzureNPMEgressPortChainRules,
 getAzureNPMEgressToChainRules,
 }
@@ -32,12 +34,12 @@ func getAzureNPMChainRules() [][]string {
 {
 util.IptablesAzureChain,
 util.IptablesJumpFlag,
- util.IptablesAzureIngressPortChain,
+ util.IptablesAzureIngressChain,
 },
 {
 util.IptablesAzureChain,
 util.IptablesJumpFlag,
- util.IptablesAzureEgressPortChain,
+ util.IptablesAzureEgressChain,
 },
 {
 util.IptablesAzureChain,
@@ -78,11 +80,6 @@ func getAzureNPMChainRules() [][]string {
 util.IptablesCommentFlag,
 fmt.Sprintf("ACCEPT-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
 },
- {
- util.IptablesAzureChain,
- util.IptablesJumpFlag,
- util.IptablesAzureTargetSetsChain,
- },
 {
 util.IptablesAzureChain,
 util.IptablesModuleFlag,
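Review bot: The jump from AZURE-NPM to util.IptablesAzureTargetSetsChain is removed here and the iptm.go hunk in this patch drops the same chain from IptablesAzureChainList, but nothing in the series deletes the AZURE-NPM-TARGET-SETS chain itself. If that list is what the manager iterates to flush and delete chains (not visible here), an upgraded node keeps the now-unreferenced legacy chain together with whatever per-policy drop rules were installed into it, which is dead but confusing state in iptables-save output and a place where stale rules can linger unnoticed. The const.go hunk only marks the constant as pre-v1.2.6; a comment at the removal site such as `// AZURE-NPM-TARGET-SETS is no longer referenced from AZURE-NPM; the upgrade path must still delete it` would record the intent until an explicit cleanup exists. getAzureNPMChainRules continues outside the hunk.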
@@ -99,6 +96,35 @@ func getAzureNPMChainRules() [][]string {
 }
 }
+// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMIngressChainRules() [][]string {
+ return [][]string{
+ {
+ util.IptablesAzureIngressChain,
+ util.IptablesJumpFlag,
+ util.IptablesAzureIngressPortChain,
+ },
+ {
+ util.IptablesAzureIngressChain,
+ util.IptablesJumpFlag,
+ util.IptablesReturn,
+ util.IptablesModuleFlag,
+ util.IptablesMarkVerb,
+ util.IptablesMarkFlag,
+ util.IptablesAzureIngressMarkHex,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
+ },
+ {
+ util.IptablesAzureIngressChain,
+ util.IptablesJumpFlag,
+ util.IptablesAzureIngressTargetChain,
+ },
+ }
+}
+
 // getAzureNPMIngressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMIngressPortChainRules() [][]string {
 return [][]string{
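Review bot: The doc comment on the new function names the wrong chain: `// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT` describes util.IptablesAzureIngressPortChain, while this function builds the rules of util.IptablesAzureIngressChain, so it should read `// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS`. A why-comment on the RETURN rule would also help: this chain returns only on util.IptablesAzureIngressMarkHex, whereas the egress chain added in the next hunk additionally returns on util.IptablesAzureAcceptMarkHex. Presumably that asymmetry is fine because AZURE-NPM jumps to INGRESS before EGRESS, so the combined mark cannot be set yet, but a reader auditing the fall-through into the target chain has to reconstruct that ordering from the parent chain; stating it next to the rule, e.g. `// ingress is evaluated first, so only the ingress mark can be set here`, makes the drop path reviewable in isolation.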
@@ -137,6 +163,48 @@ func getAzureNPMIngressFromChainRules() [][]string {
 }
 }
+// getAzureNPMEgressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMEgressChainRules() [][]string {
+ return [][]string{
+ {
+ util.IptablesAzureEgressChain,
+ util.IptablesJumpFlag,
+ util.IptablesAzureEgressPortChain,
+ },
+ {
+ util.IptablesAzureEgressChain,
+ util.IptablesJumpFlag,
+ util.IptablesReturn,
+ util.IptablesModuleFlag,
+ util.IptablesMarkVerb,
+ util.IptablesMarkFlag,
+ util.IptablesAzureAcceptMarkHex,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
+ },
+ {
+ util.IptablesAzureEgressChain,
+ util.IptablesJumpFlag,
+ util.IptablesReturn,
+ util.IptablesModuleFlag,
+ util.IptablesMarkVerb,
+ util.IptablesMarkFlag,
+ util.IptablesAzureEgressMarkHex,
+ util.IptablesModuleFlag,
+ util.IptablesCommentModuleFlag,
+ util.IptablesCommentFlag,
+ fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
+ },
+ {
+ util.IptablesAzureEgressChain,
+ util.IptablesJumpFlag,
+ util.IptablesAzureEgressTargetChain,
+ },
+ }
+}
+
 // getAzureNPMEgressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMEgressPortChainRules() [][]string {
 return [][]string{
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index ae6ad7379d..2277cf9950 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -29,11 +29,14 @@ var (
 // IptablesAzureChainList contains list of all NPM chains
 IptablesAzureChainList = []string{
 util.IptablesAzureChain,
+ util.IptablesAzureIngressChain,
+ util.IptablesAzureEgressChain,
 util.IptablesAzureIngressPortChain,
 util.IptablesAzureIngressFromChain,
 util.IptablesAzureEgressPortChain,
 util.IptablesAzureEgressToChain,
- util.IptablesAzureTargetSetsChain,
+ util.IptablesAzureIngressTargetChain,
+ util.IptablesAzureEgressTargetChain,
 }
 )
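Review bot: The doc comment on getAzureNPMEgressChainRules is copied from the port-chain helper and names AZURE-NPM-INGRESS-PORT; it should read `// getAzureNPMEgressChainRules returns rules for AZURE-NPM-EGRESS`. The unchanged context line just below shows getAzureNPMEgressPortChainRules carrying the same wrong chain name, so both are worth fixing while touching this file. The two RETURN rules and the final jump to the target chain are the only thing standing between a packet and the per-policy drop rules, so the comment strings passed to the comment module are what an operator reading iptables-save will rely on; "RETURN-on-EGRESS-and-INGRESS-mark" reads well, but naming the chain it protects in the doc comment is the minimum needed to audit the structure.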
diff --git a/npm/util/const.go b/npm/util/const.go
index 4678b8ed3e..53ba593d36 100644
--- a/npm/util/const.go
+++ b/npm/util/const.go
@@ -65,16 +65,21 @@ const (
 IptablesCommentModuleFlag string = "comment"
 IptablesCommentFlag string = "--comment"
 IptablesAddCommentFlag
- IptablesAzureChain string = "AZURE-NPM"
- IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
- IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
- IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
- IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
- IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
- IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
- IptablesKubeServicesChain string = "KUBE-SERVICES"
- IptablesForwardChain string = "FORWARD"
- IptablesInputChain string = "INPUT"
+ IptablesAzureChain string = "AZURE-NPM"
+ IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
+ IptablesAzureIngressChain string = "AZURE-NPM-INGRESS"
+ IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
+ IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
+ IptablesAzureEgressChain string = "AZURE-NPM-EGRESS"
+ IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
+ IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
+ IptablesKubeServicesChain string = "KUBE-SERVICES"
+ IptablesForwardChain string = "FORWARD"
+ IptablesInputChain string = "INPUT"
+ IptablesAzureIngressTargetChain string = "AZURE-NPM-INRGESS-TARGET"
+ IptablesAzureEgressTargetChain string = "AZURE-NPM-EGRESS-TARGET"
+ // Below chain exists only in NPM before v1.2.6
+ IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
 // Below chains exists only for before Azure-NPM:v1.0.27
 // and should be removed after a baking period.
 IptablesAzureIngressFromNsChain string = "AZURE-NPM-INGRESS-FROM-NS"
From 540d122cf793b109aa6c3d730b462924f0cafa5d Mon Sep 17 00:00:00 2001
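Review bot: The new chain name for IptablesAzureIngressTargetChain is misspelled: `"AZURE-NPM-INRGESS-TARGET"` transposes INGRESS, and the const.go hunk in patch 3 of this series carries the same typo forward into `"AZURE-NPM-INRGESS-DROPS"`. Every rule reaches the chain through the Go constant, so the ruleset stays internally consistent, but the string is what operators see in iptables-save, what gets embedded in the per-policy "-TO-JUMP-TO-" rule comments built in translatePolicy.go, and what any runbook or tooling that matches AZURE-NPM-INGRESS-* will silently miss; renaming after release would also mean migrating chains already created under the misspelled name. Change it to `IptablesAzureIngressTargetChain string = "AZURE-NPM-INGRESS-TARGET"` here and fix the DROPS variant the same way in patch 3.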
From: vakr Date: Wed, 24 Feb 2021 08:57:57 -0800 Subject: [PATCH 2/5] Rearranging target sets --- npm/translatePolicy.go | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go index 62d72ec16b..9cf38a4c37 100644 --- a/npm/translatePolicy.go +++ b/npm/translatePolicy.go @@ -799,13 +799,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressTargetChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureIngressTargetChain, ) entries = append(entries, entry) } else if addedIngressFromEntry { @@ -834,13 +834,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressTargetChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureIngressTargetChain, ) entries = append(entries, entry) } @@ -1491,13 +1491,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressTargetChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-FROM-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureEgressTargetChain, ) entries = append(entries, entry) } else if addedEgressToEntry { 
@@ -1526,13 +1526,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressTargetChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-FROM-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain, + "-TO-JUMP-TO-"+util.IptablesAzureEgressTargetChain, ) entries = append(entries, entry) } @@ -1554,7 +1554,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn if hasIngress { entry := &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressTargetChain, Specs: append([]string(nil), targetSelectorIngressIptEntrySpec...), } entry.Specs = append( @@ -1571,7 +1571,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn if hasEgress { entry := &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressTargetChain, Specs: append([]string(nil), targetSelectorEgressIptEntrySpec...), } entry.Specs = append( From 6d7f081e4f7b04226f8c887da40044536f666167 Mon Sep 17 00:00:00 2001 From: vakr Date: Wed, 24 Feb 2021 09:28:58 -0800 Subject: [PATCH 3/5] Fixing UTs --- npm/iptm/helper.go | 4 +- npm/iptm/helper_test.go | 2 +- npm/iptm/iptm.go | 4 +- npm/translatePolicy.go | 20 ++++---- npm/translatePolicy_test.go | 100 ++++++++++++++++++------------------ npm/util/const.go | 26 +++++----- 6 files changed, 78 insertions(+), 78 deletions(-) diff --git a/npm/iptm/helper.go b/npm/iptm/helper.go index 92ed50e88c..60320f8012 100755 --- a/npm/iptm/helper.go +++ b/npm/iptm/helper.go @@ -120,7 +120,7 @@ func getAzureNPMIngressChainRules() [][]string { { util.IptablesAzureIngressChain, util.IptablesJumpFlag, - util.IptablesAzureIngressTargetChain, + util.IptablesAzureIngressDropsChain, }, } } 
@@ -200,7 +200,7 @@ func getAzureNPMEgressChainRules() [][]string {
 {
 util.IptablesAzureEgressChain,
 util.IptablesJumpFlag,
- util.IptablesAzureEgressTargetChain,
+ util.IptablesAzureEgressDropsChain,
 },
 }
 }
diff --git a/npm/iptm/helper_test.go b/npm/iptm/helper_test.go
index c495914a60..6f5386835a 100644
--- a/npm/iptm/helper_test.go
+++ b/npm/iptm/helper_test.go
@@ -9,7 +9,7 @@ import (
 func TestGetAllChainsAndRules(t *testing.T) {
 allChainsandRules := getAllChainsAndRules()
- parentNpmRulesCount := 7
+ parentNpmRulesCount := 6
 if len(allChainsandRules[0]) > 3 {
 t.Errorf("TestGetAllChainsAndRules failed @ INGRESS target check")
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
index 2277cf9950..86281b56dd 100644
--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -35,8 +35,8 @@ var (
 util.IptablesAzureIngressFromChain,
 util.IptablesAzureEgressPortChain,
 util.IptablesAzureEgressToChain,
- util.IptablesAzureIngressTargetChain,
- util.IptablesAzureEgressTargetChain,
+ util.IptablesAzureIngressDropsChain,
+ util.IptablesAzureEgressDropsChain,
 }
 )
diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go
index 9cf38a4c37..288d309b35 100644
--- a/npm/translatePolicy.go
+++ b/npm/translatePolicy.go
@@ -799,13 +799,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 entry.Specs = append(
 entry.Specs,
 util.IptablesJumpFlag,
- util.IptablesAzureIngressTargetChain,
+ util.IptablesAzureIngressDropsChain,
 util.IptablesModuleFlag,
 util.IptablesCommentModuleFlag,
 util.IptablesCommentFlag,
 "ALLOW-ALL-TO-"+
 targetSelectorComment+
- "-TO-JUMP-TO-"+util.IptablesAzureIngressTargetChain,
+ "-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
 )
 entries = append(entries, entry)
 } else if addedIngressFromEntry {
@@ -834,13 +834,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureIngressTargetChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureIngressTargetChain, + "-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain, ) entries = append(entries, entry) } @@ -1491,13 +1491,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureEgressTargetChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-FROM-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureEgressTargetChain, + "-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain, ) entries = append(entries, entry) } else if addedEgressToEntry { @@ -1526,13 +1526,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe entry.Specs = append( entry.Specs, util.IptablesJumpFlag, - util.IptablesAzureEgressTargetChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-FROM-"+ targetSelectorComment+ - "-TO-JUMP-TO-"+util.IptablesAzureEgressTargetChain, + "-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain, ) entries = append(entries, entry) } @@ -1554,7 +1554,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn if hasIngress { entry := &iptm.IptEntry{ - Chain: util.IptablesAzureIngressTargetChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: append([]string(nil), targetSelectorIngressIptEntrySpec...), } entry.Specs = append( 
@@ -1571,7 +1571,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn if hasEgress { entry := &iptm.IptEntry{ - Chain: util.IptablesAzureEgressTargetChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: append([]string(nil), targetSelectorEgressIptEntrySpec...), } entry.Specs = append( diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go index 1cb614b4da..bf9db40616 100644 --- a/npm/translatePolicy_test.go +++ b/npm/translatePolicy_test.go @@ -401,7 +401,7 @@ func TestGetDefaultDropEntries(t *testing.T) { expectedIptIngressEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -441,7 +441,7 @@ func TestGetDefaultDropEntries(t *testing.T) { expectedIptEgressEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -481,7 +481,7 @@ func TestGetDefaultDropEntries(t *testing.T) { expectedIptIngressEgressEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -508,7 +508,7 @@ func TestGetDefaultDropEntries(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -837,7 +837,7 @@ func TestTranslateIngress(t *testing.T) { util.GetHashedName("testNotIn:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, 
@@ -1148,7 +1148,7 @@ func TestTranslateEgress(t *testing.T) { util.GetHashedName("testNotIn:frontend"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, @@ -1311,16 +1311,16 @@ func TestAllowBackendToFrontend(t *testing.T) { util.GetHashedName("app:backend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:backend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -1543,16 +1543,16 @@ func TestNamespaceToFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -1678,16 +1678,16 @@ func TestAllowAllNamespacesToAppFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -1828,16 +1828,16 @@ func TestAllowNamespaceDevToAppFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2014,16 +2014,16 @@ func TestAllowAllToK0AndK1AndAppFrontend(t *testing.T) { util.GetHashedName("k1:v1"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-AND-!k0-AND-k1:v0-AND-k1:v1-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -2174,16 +2174,16 @@ func TestAllowNsDevAndAppBackendToAppFrontend(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2357,15 +2357,15 @@ func TestAllowBackendToFrontendPort8000(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -2474,15 +2474,15 @@ func TestAllowBackendToFrontendWithMissingPort(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2681,15 +2681,15 @@ func TestAllowMultipleLabelsToMultipleLabels(t *testing.T) { util.GetHashedName("team:aks"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:k8s-AND-team:aks-IN-ns-acn-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-app:k8s-AND-team:aks-IN-ns-acn-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -2828,7 +2828,7 @@ func TestAllowAllFromAppBackend(t *testing.T) { util.GetHashedName("app:backend"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, 
@@ -3031,15 +3031,15 @@ func TestAllowAppFrontendToTCPPort53UDPPort53Policy(t *testing.T) { util.GetHashedName("app:frontend"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-FROM-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureEgressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3263,11 +3263,11 @@ func TestComplexPolicy(t *testing.T) { util.GetHashedName("role:db"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-TO-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureIngressDropsChain, }, }, &iptm.IptEntry{ @@ -3339,15 +3339,15 @@ func TestComplexPolicy(t *testing.T) { util.GetHashedName("role:db"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain, + "ALLOW-ALL-FROM-role:db-IN-ns-default-TO-JUMP-TO-" + util.IptablesAzureEgressDropsChain, }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, 
@@ -3368,7 +3368,7 @@ func TestComplexPolicy(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3535,7 +3535,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { nonKubeSystemEntries := []*iptm.IptEntry{ &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3685,7 +3685,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { util.GetHashedName("testIn:pod-A"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, @@ -3773,7 +3773,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { util.GetHashedName("testIn:pod-A"), util.IptablesSrcFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureEgressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, @@ -3781,7 +3781,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3807,7 +3807,7 @@ func TestDropPrecedenceOverAllow(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureTargetSetsChain, + Chain: util.IptablesAzureEgressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag, @@ -3925,7 +3925,7 @@ func TestNamedPorts(t *testing.T) { util.GetHashedName("app:server"), util.IptablesDstFlag, util.IptablesJumpFlag, - util.IptablesAzureTargetSetsChain, + util.IptablesAzureIngressDropsChain, util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, 
@@ -3933,7 +3933,7 @@ func TestNamedPorts(t *testing.T) {
 },
 },
 &iptm.IptEntry{
- Chain: util.IptablesAzureTargetSetsChain,
+ Chain: util.IptablesAzureIngressDropsChain,
 Specs: []string{
 util.IptablesModuleFlag,
 util.IptablesSetModuleFlag,
diff --git a/npm/util/const.go b/npm/util/const.go
index 53ba593d36..48b4cef362 100644
--- a/npm/util/const.go
+++ b/npm/util/const.go
@@ -65,19 +65,19 @@ const (
 IptablesCommentModuleFlag string = "comment"
 IptablesCommentFlag string = "--comment"
 IptablesAddCommentFlag
- IptablesAzureChain string = "AZURE-NPM"
- IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
- IptablesAzureIngressChain string = "AZURE-NPM-INGRESS"
- IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
- IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
- IptablesAzureEgressChain string = "AZURE-NPM-EGRESS"
- IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
- IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
- IptablesKubeServicesChain string = "KUBE-SERVICES"
- IptablesForwardChain string = "FORWARD"
- IptablesInputChain string = "INPUT"
- IptablesAzureIngressTargetChain string = "AZURE-NPM-INRGESS-TARGET"
- IptablesAzureEgressTargetChain string = "AZURE-NPM-EGRESS-TARGET"
+ IptablesAzureChain string = "AZURE-NPM"
+ IptablesAzureKubeSystemChain string = "AZURE-NPM-KUBE-SYSTEM"
+ IptablesAzureIngressChain string = "AZURE-NPM-INGRESS"
+ IptablesAzureIngressPortChain string = "AZURE-NPM-INGRESS-PORT"
+ IptablesAzureIngressFromChain string = "AZURE-NPM-INGRESS-FROM"
+ IptablesAzureEgressChain string = "AZURE-NPM-EGRESS"
+ IptablesAzureEgressPortChain string = "AZURE-NPM-EGRESS-PORT"
+ IptablesAzureEgressToChain string = "AZURE-NPM-EGRESS-TO"
+ IptablesKubeServicesChain string = "KUBE-SERVICES"
+ IptablesForwardChain string = "FORWARD"
+ IptablesInputChain string = "INPUT"
+ IptablesAzureIngressDropsChain string = "AZURE-NPM-INRGESS-DROPS"
+ IptablesAzureEgressDropsChain string = "AZURE-NPM-EGRESS-DROPS"
 // Below chain exists only in NPM before v1.2.6
 IptablesAzureTargetSetsChain string = "AZURE-NPM-TARGET-SETS"
 // Below chains exists only for before Azure-NPM:v1.0.27
From 327ff40c0e5f69de922b0e4de890628493de6eb5 Mon Sep 17 00:00:00 2001
From: vakr Date: Wed, 24 Feb 2021 10:33:01 -0800 Subject: [PATCH 4/5] Fixing UTs --- npm/translatePolicy_test.go | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go index bf9db40616..dae56c96c2 100644 --- a/npm/translatePolicy_test.go +++ b/npm/translatePolicy_test.go @@ -2,6 +2,7 @@ package npm import ( "encoding/json" + "fmt" "io/ioutil" "reflect" "testing" @@ -841,7 +842,8 @@ func TestTranslateIngress(t *testing.T) { util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-TO-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-%s", + util.IptablesAzureIngressDropsChain), }, }, } @@ -1152,7 +1154,8 @@ func TestTranslateEgress(t *testing.T) { util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-FROM-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-%s", + util.IptablesAzureEgressDropsChain), }, }, } @@ -2832,7 +2835,8 @@ func TestAllowAllFromAppBackend(t *testing.T) { util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-app:backend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-FROM-app:backend-IN-ns-testnamespace-TO-JUMP-TO-%s", + util.IptablesAzureEgressDropsChain), }, }, } 
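Review bot: Replacing the literal "...-TO-JUMP-TO-AZURE-NPM-TARGET-SETS" expectations with fmt.Sprintf over util.IptablesAzureIngressDropsChain and util.IptablesAzureEgressDropsChain (here and in the other hunks of this patch) makes these assertions tautological with respect to the chain name: whatever the constant holds, the test agrees with it, which is presumably why the "AZURE-NPM-INRGESS-DROPS" spelling introduced in const.go in patch 3 is not caught by the suite. Keeping at least one expectation spelled out literally, e.g. `"ALLOW-ALL-TO-context:dev-AND-!testNotIn:frontend-IN-ns-testnamespace-TO-JUMP-TO-AZURE-NPM-INGRESS-DROPS",`, would pin the externally visible chain name that operators and tooling depend on rather than the constant's identity. TestTranslateIngress continues outside the hunk.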
@@ -3689,7 +3693,8 @@ func TestDropPrecedenceOverAllow(t *testing.T) { util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-TO-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-%s", + util.IptablesAzureIngressDropsChain), }, }, &iptm.IptEntry{ @@ -3777,7 +3782,8 @@ func TestDropPrecedenceOverAllow(t *testing.T) { util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-FROM-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-FROM-app:test-AND-testIn:pod-A-IN-ns-default-TO-JUMP-TO-%s", + util.IptablesAzureEgressDropsChain), }, }, &iptm.IptEntry{ @@ -3929,7 +3935,8 @@ func TestNamedPorts(t *testing.T) { util.IptablesModuleFlag, util.IptablesCommentModuleFlag, util.IptablesCommentFlag, - "ALLOW-ALL-TO-app:server-IN-ns-test-TO-JUMP-TO-AZURE-NPM-TARGET-SETS", + fmt.Sprintf("ALLOW-ALL-TO-app:server-IN-ns-test-TO-JUMP-TO-%s", + util.IptablesAzureIngressDropsChain), }, }, &iptm.IptEntry{ From 4ec8886bb1ddf3558a6b771a8bea03719a872ec4 Mon Sep 17 00:00:00 2001 From: vakr Date: Wed, 24 Feb 2021 11:01:15 -0800 Subject: [PATCH 5/5] Fixing UTs --- npm/translatePolicy_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go index dae56c96c2..f1e28c9f64 100644 --- a/npm/translatePolicy_test.go +++ b/npm/translatePolicy_test.go @@ -3351,7 +3351,7 @@ func TestComplexPolicy(t *testing.T) { }, }, &iptm.IptEntry{ - Chain: util.IptablesAzureEgressDropsChain, + Chain: util.IptablesAzureIngressDropsChain, Specs: []string{ util.IptablesModuleFlag, util.IptablesSetModuleFlag,