[NPM] Default-Deny all bug fix with design change (#799)

vakalapa · web-flow · commit 08f0006dda1d · 2021-02-26T15:43:12.000-08:00
* Changed init NPM chains with new chains

* Rearranging target sets

* Fixing UTs

* Fixing UTs

* Fixing UTs
diff --git a/npm/iptm/helper.go b/npm/iptm/helper.go
@@ -10,8 +10,10 @@ import (
 func getAllChainsAndRules() [][]string {
 	funcList := []func() [][]string{
 		getAzureNPMChainRules,
+		getAzureNPMIngressChainRules,
 		getAzureNPMIngressPortChainRules,
 		getAzureNPMIngressFromChainRules,
+		getAzureNPMEgressChainRules,
 		getAzureNPMEgressPortChainRules,
 		getAzureNPMEgressToChainRules,
 	}
@@ -32,12 +34,12 @@ func getAzureNPMChainRules() [][]string {
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAzureIngressPortChain,
+			util.IptablesAzureIngressChain,
 		},
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAzureEgressPortChain,
+			util.IptablesAzureEgressChain,
 		},
 		{
 			util.IptablesAzureChain,
@@ -78,11 +80,6 @@ func getAzureNPMChainRules() [][]string {
 			util.IptablesCommentFlag,
 			fmt.Sprintf("ACCEPT-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
 		},
-		{
-			util.IptablesAzureChain,
-			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
-		},
 		{
 			util.IptablesAzureChain,
 			util.IptablesModuleFlag,
@@ -99,6 +96,35 @@ func getAzureNPMChainRules() [][]string {
 	}
 }
 
+// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMIngressChainRules() [][]string {
+	return [][]string{
+		{
+			util.IptablesAzureIngressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureIngressPortChain,
+		},
+		{
+			util.IptablesAzureIngressChain,
+			util.IptablesJumpFlag,
+			util.IptablesReturn,
+			util.IptablesModuleFlag,
+			util.IptablesMarkVerb,
+			util.IptablesMarkFlag,
+			util.IptablesAzureIngressMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
+		},
+		{
+			util.IptablesAzureIngressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureIngressDropsChain,
+		},
+	}
+}
+
 // getAzureNPMIngressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMIngressPortChainRules() [][]string {
 	return [][]string{
@@ -137,6 +163,48 @@ func getAzureNPMIngressFromChainRules() [][]string {
 	}
 }
 
+// getAzureNPMEgressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMEgressChainRules() [][]string {
+	return [][]string{
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureEgressPortChain,
+		},
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesReturn,
+			util.IptablesModuleFlag,
+			util.IptablesMarkVerb,
+			util.IptablesMarkFlag,
+			util.IptablesAzureAcceptMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
+		},
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesReturn,
+			util.IptablesModuleFlag,
+			util.IptablesMarkVerb,
+			util.IptablesMarkFlag,
+			util.IptablesAzureEgressMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
+		},
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureEgressDropsChain,
+		},
+	}
+}
+
 // getAzureNPMEgressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMEgressPortChainRules() [][]string {
 	return [][]string{
diff --git a/npm/iptm/helper_test.go b/npm/iptm/helper_test.go
@@ -9,7 +9,7 @@ import (
 func TestGetAllChainsAndRules(t *testing.T) {
 	allChainsandRules := getAllChainsAndRules()
 
-	parentNpmRulesCount := 7
+	parentNpmRulesCount := 6
 
 	if len(allChainsandRules[0]) > 3 {
 		t.Errorf("TestGetAllChainsAndRules failed @ INGRESS target check")
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
@@ -29,11 +29,14 @@ var (
 	// IptablesAzureChainList contains list of all NPM chains
 	IptablesAzureChainList = []string{
 		util.IptablesAzureChain,
+		util.IptablesAzureIngressChain,
+		util.IptablesAzureEgressChain,
 		util.IptablesAzureIngressPortChain,
 		util.IptablesAzureIngressFromChain,
 		util.IptablesAzureEgressPortChain,
 		util.IptablesAzureEgressToChain,
-		util.IptablesAzureTargetSetsChain,
+		util.IptablesAzureIngressDropsChain,
+		util.IptablesAzureEgressDropsChain,
 	}
 )
 
diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go
@@ -799,13 +799,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureIngressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-TO-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
 		)
 		entries = append(entries, entry)
 	} else if addedIngressFromEntry {
@@ -834,13 +834,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureIngressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-TO-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
 		)
 		entries = append(entries, entry)
 	}
@@ -1491,13 +1491,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureEgressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-FROM-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain,
 		)
 		entries = append(entries, entry)
 	} else if addedEgressToEntry {
@@ -1526,13 +1526,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureEgressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-FROM-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain,
 		)
 		entries = append(entries, entry)
 	}
@@ -1554,7 +1554,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn
 
 	if hasIngress {
 		entry := &iptm.IptEntry{
-			Chain: util.IptablesAzureTargetSetsChain,
+			Chain: util.IptablesAzureIngressDropsChain,
 			Specs: append([]string(nil), targetSelectorIngressIptEntrySpec...),
 		}
 		entry.Specs = append(
@@ -1571,7 +1571,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn
 
 	if hasEgress {
 		entry := &iptm.IptEntry{
-			Chain: util.IptablesAzureTargetSetsChain,
+			Chain: util.IptablesAzureEgressDropsChain,
 			Specs: append([]string(nil), targetSelectorEgressIptEntrySpec...),
 		}
 		entry.Specs = append(
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go
diff --git a/npm/util/const.go b/npm/util/const.go
