
Commit 08f0006

[NPM] Default-Deny all bug fix with design change (#799)
* Changed init NPM chains with new chains * Rearranging target sets * Fixing UTs * Fixing UTs * Fixing UTs
1 parent f590717 commit 08f0006


6 files changed

+168
-85
lines changed


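--- a/npm/iptm/helper.go
+++ b/npm/iptm/helper.go
@@ -10,8 +10,10 @@ import (
 func getAllChainsAndRules() [][]string {
 	funcList := []func() [][]string{
 		getAzureNPMChainRules,
+		getAzureNPMIngressChainRules,
 		getAzureNPMIngressPortChainRules,
 		getAzureNPMIngressFromChainRules,
+		getAzureNPMEgressChainRules,
 		getAzureNPMEgressPortChainRules,
 		getAzureNPMEgressToChainRules,
 	}
@@ -32,12 +34,12 @@ func getAzureNPMChainRules() [][]string {
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAzureIngressPortChain,
+			util.IptablesAzureIngressChain,
 		},
 		{
 			util.IptablesAzureChain,
 			util.IptablesJumpFlag,
-			util.IptablesAzureEgressPortChain,
+			util.IptablesAzureEgressChain,
 		},
 		{
 			util.IptablesAzureChain,
@@ -78,11 +80,6 @@ func getAzureNPMChainRules() [][]string {
 			util.IptablesCommentFlag,
 			fmt.Sprintf("ACCEPT-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
 		},
-		{
-			util.IptablesAzureChain,
-			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
-		},
 		{
 			util.IptablesAzureChain,
 			util.IptablesModuleFlag,
@@ -99,6 +96,35 @@ func getAzureNPMChainRules() [][]string {
 	}
 }
 
+// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMIngressChainRules() [][]string {
+	return [][]string{
+		{
+			util.IptablesAzureIngressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureIngressPortChain,
+		},
+		{
+			util.IptablesAzureIngressChain,
+			util.IptablesJumpFlag,
+			util.IptablesReturn,
+			util.IptablesModuleFlag,
+			util.IptablesMarkVerb,
+			util.IptablesMarkFlag,
+			util.IptablesAzureIngressMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
+		},
+		{
+			util.IptablesAzureIngressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureIngressDropsChain,
+		},
+	}
+}
+
 // getAzureNPMIngressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMIngressPortChainRules() [][]string {
 	return [][]string{
@@ -137,6 +163,48 @@ func getAzureNPMIngressFromChainRules() [][]string {
 	}
 }
 
+// getAzureNPMEgressChainRules returns rules for AZURE-NPM-INGRESS-PORT
+func getAzureNPMEgressChainRules() [][]string {
+	return [][]string{
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureEgressPortChain,
+		},
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesReturn,
+			util.IptablesModuleFlag,
+			util.IptablesMarkVerb,
+			util.IptablesMarkFlag,
+			util.IptablesAzureAcceptMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
+		},
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesReturn,
+			util.IptablesModuleFlag,
+			util.IptablesMarkVerb,
+			util.IptablesMarkFlag,
+			util.IptablesAzureEgressMarkHex,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
+		},
+		{
+			util.IptablesAzureEgressChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureEgressDropsChain,
+		},
+	}
+}
+
 // getAzureNPMEgressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
 func getAzureNPMEgressPortChainRules() [][]string {
 	return [][]string{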
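Review bot: The doc comments on both new functions are copy-pasted and name the wrong chain: `// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS-PORT` sits on the function that builds the AZURE-NPM-INGRESS parent chain, and the comment on getAzureNPMEgressChainRules also says AZURE-NPM-INGRESS-PORT (the context line on getAzureNPMEgressPortChainRules carries the same stale text). Suggested wording: `// getAzureNPMIngressChainRules returns rules for AZURE-NPM-INGRESS: evaluate port rules, RETURN when the ingress mark is set, otherwise fall through to the ingress drops chain.` with the egress counterpart describing the two RETURN-on-mark rules before the jump to AZURE-NPM-EGRESS-DROPS. Those RETURN rules use the mark match without a mask, so each fires only when the packet mark equals that hex value exactly; the egress chain checking both IptablesAzureAcceptMarkHex and IptablesAzureEgressMarkHex suggests the marks are OR-combined, but I cannot see the mark values here, so a comment stating the bit layout would let a reader confirm that the jump to the drops chain is the only way out of each chain for unmarked traffic.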
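--- a/npm/iptm/helper_test.go
+++ b/npm/iptm/helper_test.go
@@ -9,7 +9,7 @@ import (
 func TestGetAllChainsAndRules(t *testing.T) {
 	allChainsandRules := getAllChainsAndRules()
 
-	parentNpmRulesCount := 7
+	parentNpmRulesCount := 6
 
 	if len(allChainsandRules[0]) > 3 {
 		t.Errorf("TestGetAllChainsAndRules failed @ INGRESS target check")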
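Review bot: Adjusting parentNpmRulesCount from 7 to 6 keeps the test passing, but the test still only checks rule counts, and nothing pins the ordering the default-deny fix depends on: that the parent chain jumps to the ingress chain before the egress chain and that each of the two new chains ends with the jump to its drops chain. An assertion on the last rule of the new ingress and egress rule sets, for example checking that it contains util.IptablesAzureIngressDropsChain and util.IptablesAzureEgressDropsChain respectively, would catch a reorder that silently reopens the default-deny path. TestGetAllChainsAndRules continues outside the hunk.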
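--- a/npm/iptm/iptm.go
+++ b/npm/iptm/iptm.go
@@ -29,11 +29,14 @@ var (
 	// IptablesAzureChainList contains list of all NPM chains
 	IptablesAzureChainList = []string{
 		util.IptablesAzureChain,
+		util.IptablesAzureIngressChain,
+		util.IptablesAzureEgressChain,
 		util.IptablesAzureIngressPortChain,
 		util.IptablesAzureIngressFromChain,
 		util.IptablesAzureEgressPortChain,
 		util.IptablesAzureEgressToChain,
-		util.IptablesAzureTargetSetsChain,
+		util.IptablesAzureIngressDropsChain,
+		util.IptablesAzureEgressDropsChain,
 	}
 )
 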
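Review bot: Dropping util.IptablesAzureTargetSetsChain from IptablesAzureChainList means an agent upgraded in place no longer knows the AZURE-NPM-TARGET-SETS chain exists; if this list is what drives chain flush and deletion (its consumers are outside the hunk), the old chain and whatever drop rules it still holds would be left behind on upgrade, and since the helper.go hunks no longer install the jump to it, those rules become orphaned rather than enforced. Consider a one-time cleanup of the retired chain name on startup, or at least a comment next to the list such as `// AZURE-NPM-TARGET-SETS was retired in #799; installs upgraded in place may still carry it.` so the leftover is understood when seen in iptables output.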
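--- a/npm/translatePolicy.go
+++ b/npm/translatePolicy.go
@@ -799,13 +799,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureIngressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-TO-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
 		)
 		entries = append(entries, entry)
 	} else if addedIngressFromEntry {
@@ -834,13 +834,13 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureIngressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-TO-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
 		)
 		entries = append(entries, entry)
 	}
@@ -1491,13 +1491,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureEgressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-FROM-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain,
 		)
 		entries = append(entries, entry)
 	} else if addedEgressToEntry {
@@ -1526,13 +1526,13 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 		entry.Specs = append(
 			entry.Specs,
 			util.IptablesJumpFlag,
-			util.IptablesAzureTargetSetsChain,
+			util.IptablesAzureEgressDropsChain,
 			util.IptablesModuleFlag,
 			util.IptablesCommentModuleFlag,
 			util.IptablesCommentFlag,
 			"ALLOW-ALL-FROM-"+
 				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureTargetSetsChain,
+				"-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain,
 		)
 		entries = append(entries, entry)
 	}
@@ -1554,7 +1554,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn
 
 	if hasIngress {
 		entry := &iptm.IptEntry{
-			Chain: util.IptablesAzureTargetSetsChain,
+			Chain: util.IptablesAzureIngressDropsChain,
 			Specs: append([]string(nil), targetSelectorIngressIptEntrySpec...),
 		}
 		entry.Specs = append(
@@ -1571,7 +1571,7 @@ func getDefaultDropEntries(ns string, targetSelector metav1.LabelSelector, hasIn
 
 	if hasEgress {
 		entry := &iptm.IptEntry{
-			Chain: util.IptablesAzureTargetSetsChain,
+			Chain: util.IptablesAzureEgressDropsChain,
 			Specs: append([]string(nil), targetSelectorEgressIptEntrySpec...),
 		}
 		entry.Specs = append(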
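Review bot: The same Specs append is repeated four times across the translateIngress and translateEgress hunks with only the drops chain and the ALLOW-ALL-TO/ALLOW-ALL-FROM prefix differing, and the chain name is spelled twice in each copy (once as the jump target, once inside the rule comment string), so a future chain rename has eight places to miss; a small helper taking the direction prefix, the drops chain and targetSelectorComment would make the target and its comment a single-point change. Separately, the rule comment `ALLOW-ALL-TO-<target>-TO-JUMP-TO-AZURE-NPM-INGRESS-DROPS` is what an operator sees in iptables output, and an ALLOW-ALL rule whose target is a chain named DROPS reads as a contradiction; if the intent is that allow-all targets still receive their per-target default-drop entry in that chain, a code comment on this branch saying so would help. Both enclosing functions, and getDefaultDropEntries, start and end outside the hunks.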