fix: optimized rules allowList count #36
util/secrules/secruleset.go
Outdated
@@ -59,6 +62,8 @@ func (srs SecurityRuleSet) equals(srs1 SecurityRuleSet) bool { | |||
if len(srs) != len(srs1) { | |||
return false | |||
} | |||
sort.Sort(srs) | |||
sort.Sort(srs1) |
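Review bot: the two sort.Sort calls after the length check reorder srs and srs1 in place, so a comparison changes the rule order its callers see (a value receiver still shares the backing array, assuming SecurityRuleSet is a slice type as len(srs) suggests). Sort copies of both sets inside equals(), or require callers to pass already sorted sets and document that requirement.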
equals() should not modify the contents of its input arguments.
Removed.
util/secrules/secruleset.go
Outdated
@@ -190,6 +195,120 @@ func (srs SecurityRuleSet) collapse() SecurityRuleSet { | |||
} | |||
// save that contains, intersects | |||
} | |||
if srs1[i].PortStart <= 1 && srs1[i].PortEnd >= 65535 && len(srs1[i].Ports) == 0 { | |||
srs1[i].PortStart = -1 | |||
srs1[i].PortEnd = -1 |
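Review bot: in the new condition, PortStart <= 1 also matches a rule that starts at port 1, and the rewrite to -1/-1 is applied to srs1[i] with bare literals. If -1 means "any port", a 1-65535 rule silently becomes one that also covers port 0; decide whether that widening is intended, give the sentinel a named constant, and add a comment stating what -1 represents.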
It should be s < 1 && e > 65535.
The port conversion has been removed.
if sr0.GetPortsString() != sr1.GetPortsString() { | ||
return sr0.GetPortsString() < sr1.GetPortsString() | ||
} | ||
return sr0.Priority < sr1.Priority |
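Review bot: the final tie-break on Priority alone leaves rules with equal port strings and equal priority in no defined order, and sort.Sort is not stable, so a later pass that looks at neighbouring rules sees an arbitrary sequence. Add further keys until the order is total, and keep GetPortsString() for sr0 and sr1 in locals instead of calling it up to four times per comparison. Comparing the strings gives a lexical order, not a numeric one, which is enough for grouping equal port sets but should be stated in a comment.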
Here you can additionally sort by startip, endip.
Updated.
util/secrules/secruleset.go
Outdated
for j := range addrRanges { | ||
_merged = compareRange(addrRanges[i], addrRanges[j]) | ||
if _merged != nil { | ||
addrRanges[i] = *_merged |
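Review bot: the inner loop ranges over every j, including j == i, so each range is compared with itself and every pair is visited twice; the lines shown also write the merged value to addrRanges[i] without dropping addrRanges[j]. Skip j == i (or start j at i+1) and remove the absorbed entry, or sort first and merge neighbours in a single pass. The leading underscore in _merged is not idiomatic Go; merged is enough.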
The complexity here is too high and can be simplified. For adjacent rules with the same protocol and port, you only need to consider the range.IsOverlap() case and merge directly. Consider adding a Merge method to IPV4AddrRange that returns a pointer.
Optimized.
dafef6b to b3bddc8
b3bddc8 to 3aa6b83
util/secrules/secruleset.go
Outdated
} | ||
range0 := netutils.NewIPV4AddrRangeFromIPNet(sr0.IPNet) | ||
range1 := netutils.NewIPV4AddrRangeFromIPNet(sr1.IPNet) | ||
return range0.EndIp() < range1.StartIp() |
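Review bot: range0.EndIp() < range1.StartIp() is false in both directions for any two overlapping ranges, so the sort treats them as equal, and that equivalence is not transitive (A overlaps B, B overlaps C, yet A can end before C starts). sort.Sort needs a strict weak ordering; compare StartIp() first and use EndIp() as the tie-break.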
Comparing startip with endip cannot guarantee a full order; it is like comparing chickens with ducks.
Updated.
c15bf24 to 5b17d5d
util/secrules/secruleset.go
Outdated
preNet := ranges[len(ranges)-1] | ||
nextNet := netutils.NewIPV4AddrRangeFromIPNet(srs[i].IPNet) | ||
if preNet.IsOverlap(nextNet) || preNet.EndIp()+1 == nextNet.StartIp() { | ||
ranges[len(ranges)-1] = netutils.NewIPV4AddrRange(preNet.StartIp(), nextNet.EndIp()) |
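Review bot: the merged range on the last line always ends at nextNet.EndIp(), so when nextNet lies inside preNet (IsOverlap is true and nextNet ends earlier) the stored range shrinks and addresses covered by preNet drop out of the result. Use the larger of preNet.EndIp() and nextNet.EndIp() as the end. Also confirm that preNet.EndIp()+1 cannot wrap when preNet ends at 255.255.255.255.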
Consider wrapping this part into a range.Merge() method.
Wrapped.
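The sort-then-merge pass discussed in the review comments above, as an added Go example that is not the project's code: `AddrRange`, `Merge` and `MergeRanges` are hypothetical stand-ins for `netutils.IPV4AddrRange` and the proposed `Merge` method, and the input is constructed. It orders by (start, end) and keeps the larger end, so a contained range cannot shrink the merged result.

```go
package main

import (
	"fmt"
	"sort"
)

// AddrRange is a hypothetical inclusive IPv4 range (not netutils.IPV4AddrRange).
type AddrRange struct{ Start, End uint32 }

// Merge returns the union of r and o if they overlap or are adjacent, else nil.
func (r AddrRange) Merge(o AddrRange) *AddrRange {
	if o.Start < r.Start {
		r, o = o, r // r is a copy, so the caller's value is untouched
	}
	if o.Start > r.End && o.Start != r.End+1 { // r.End < o.Start here, so +1 cannot wrap
		return nil
	}
	if o.End > r.End { // keep the larger end: a contained range must not shrink the union
		r.End = o.End
	}
	return &r
}

// MergeRanges sorts a copy by (Start, End), a total order, then merges neighbours in one pass.
func MergeRanges(in []AddrRange) []AddrRange {
	rs := append([]AddrRange(nil), in...)
	sort.Slice(rs, func(i, j int) bool {
		return rs[i].Start < rs[j].Start || (rs[i].Start == rs[j].Start && rs[i].End < rs[j].End)
	})
	var out []AddrRange
	for _, r := range rs {
		if n := len(out); n > 0 {
			if m := out[n-1].Merge(r); m != nil {
				out[n-1] = *m
				continue
			}
		}
		out = append(out, r)
	}
	return out
}

func main() {
	// Constructed sample: 10.1.0.0/16 (contained), 10.0.0.0/8, 11.0.0.0/8 (adjacent), 192.168.0.0/24.
	in := []AddrRange{{0x0A010000, 0x0A01FFFF}, {0x0A000000, 0x0AFFFFFF}, {0x0B000000, 0x0BFFFFFF}, {0xC0A80000, 0xC0A800FF}}
	fmt.Printf("%08x\n", MergeRanges(in))
}
```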
dd751ca to e6b64d6
util/secrules/secruleset_test.go
Outdated
} | ||
rules := srs0.AllowList() | ||
for _, rule := range rules { | ||
t.Logf("rule: %s", rule.String()) |
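Review bot: the loop over srs0.AllowList() only logs each rule, so the test passes whatever AllowList() returns, and t.Logf output is shown only when the test fails or runs with -v. Compare rules against an expected list and fail with t.Errorf or t.Fatalf on a mismatch.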
Writing the test with Logf is meaningless.
Updated.
e6b64d6 to a1b1426
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: yousong The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…/add-signal-handler to master * commit '557c3fe63902e89b894a3c6dd95a1932d9cc7883': add profiler add signal utils
Optimize the number of rules output by AllowList
/cc @yousong @swordqiu