resolved pr comments

rejain789 · rejain789 · commit 19fbf1e90bb2 · 2025-11-10T22:53:47.000Z
diff --git a/npm/pkg/controlplane/translation/translatePolicy.go b/npm/pkg/controlplane/translation/translatePolicy.go
@@ -362,7 +362,7 @@ func peerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Di
 	return nil
 }
 
-func directPeerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Direction, ports []networkingv1.NetworkPolicyPort, cidr string, npmLiteToggle bool) error {
+func directPeerAndPortAllowRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Direction, ports []networkingv1.NetworkPolicyPort, cidr string, npmLiteToggle bool) error {
 	if len(ports) == 0 {
 		acl := policies.NewACLPolicy(policies.Allowed, direction)
 		// bypasses ipset creation for /32 cidrs and directly creates an acl with the cidr
@@ -397,7 +397,8 @@ func directPeerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction polic
 
 			// Handle ports
 			if portKind == namedPortType {
-				return ErrUnsupportedNamedPort
+				return fmt.Errorf("named port not supported in policy %s (namespace: %s, direction: %s, cidr: %s, port: %v): %w",
+					npmNetPol.PolicyKey, npmNetPol.Namespace, direction, cidr, ports[i].Port, ErrUnsupportedNamedPort)
 			}
 			if portKind == numericPortType {
 				portInfo, protocol := numericPortRule(&ports[i])
@@ -455,7 +456,7 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy,
 		if peer.IPBlock != nil {
 			if len(peer.IPBlock.CIDR) > 0 {
 				if npmLiteToggle {
-					err = directPeerAndPortRule(npmNetPol, direction, ports, peer.IPBlock.CIDR, npmLiteToggle)
+					err = directPeerAndPortAllowRule(npmNetPol, direction, ports, peer.IPBlock.CIDR, npmLiteToggle)
 					if err != nil {
 						return err
 					}
diff --git a/npm/pkg/controlplane/translation/translatePolicy_test.go b/npm/pkg/controlplane/translation/translatePolicy_test.go
@@ -1458,7 +1458,7 @@ func TestPeerAndPortRule(t *testing.T) {
 	}
 }
 
-func TestDirectPeerAndPortRule(t *testing.T) {
+func TestDirectPeerAndPortAllowRule(t *testing.T) {
 	namedPort := intstr.FromString(namedPortStr)
 	port8000 := intstr.FromInt(8000)
 	var endPort int32 = 8100
@@ -1636,7 +1636,7 @@ func TestDirectPeerAndPortRule(t *testing.T) {
 				PolicyKey:   namedPortPolicyKey,
 				ACLPolicyID: fmt.Sprintf("azure-acl-%s-%s", defaultNS, namedPortPolicyKey),
 			}
-			err := directPeerAndPortRule(npmNetPol, tt.direction, tt.ports, tt.cidr, npmLiteToggle)
+			err := directPeerAndPortAllowRule(npmNetPol, tt.direction, tt.ports, tt.cidr, npmLiteToggle)
 			if tt.skipWindows {
 				require.Error(t, err)
 			} else {
diff --git a/npm/pkg/dataplane/policies/policy_windows.go b/npm/pkg/dataplane/policies/policy_windows.go
@@ -101,19 +101,6 @@ func (acl *ACLPolicy) convertToAclSettings(aclID string) (*NPMACLPolSettings, er
 	// Ignore adding ruletype for now as there is a bug
 	// policySettings.RuleType = hcn.RuleTypeSwitch
 
-	// ACLPolicy settings uses ID field of SetPolicy in LocalAddresses or RemoteAddresses
-	var srcListStr, dstListStr string
-	// Check if we have direct IPs (NPM Lite /32 bypass)
-	if len(acl.SrcDirectIPs) > 0 || len(acl.DstDirectIPs) > 0 {
-		srcListStr = strings.Join(acl.SrcDirectIPs, ",")
-		dstListStr = strings.Join(acl.DstDirectIPs, ",")
-	} else {
-		// Original IPSet-based approach
-		srcListStr = getAddrListFromSetInfo(acl.SrcList)
-		dstListStr = getAddrListFromSetInfo(acl.DstList)
-	}
-	dstPortStr := getPortStrFromPorts(acl.DstPorts)
-
 	// HNS has confusing Local and Remote address defintions
 	// For Traffic Direction INGRESS
 	// 	    LocalAddresses  = Source Sets
@@ -135,8 +122,11 @@ func (acl *ACLPolicy) convertToAclSettings(aclID string) (*NPMACLPolSettings, er
 	// 		LocalAddresses  = Destination IPs
 	// 		RemoteAddresses = Source IPs
 
+	var srcListStr, dstListStr string
 	// if direct IPs are used, we leave local addresses to be an empty string
 	if len(acl.SrcDirectIPs) > 0 || len(acl.DstDirectIPs) > 0 {
+		srcListStr = strings.Join(acl.SrcDirectIPs, ",")
+		dstListStr = strings.Join(acl.DstDirectIPs, ",")
 		policySettings.LocalAddresses = ""
 		if policySettings.Direction == hcn.DirectionTypeOut {
 			// EGRESS: Remote = Destination IPs from policy
@@ -146,10 +136,15 @@ func (acl *ACLPolicy) convertToAclSettings(aclID string) (*NPMACLPolSettings, er
 			policySettings.RemoteAddresses = srcListStr
 		}
 	} else {
+		// Original IPSet-based approach
+		srcListStr = getAddrListFromSetInfo(acl.SrcList)
+		dstListStr = getAddrListFromSetInfo(acl.DstList)
 		policySettings.LocalAddresses = srcListStr
 		policySettings.RemoteAddresses = dstListStr
 	}
 
+	dstPortStr := getPortStrFromPorts(acl.DstPorts)
+
 	// Switch ports based on direction
 	policySettings.RemotePorts = ""
 	policySettings.LocalPorts = dstPortStr

Original file line number	Diff line number	Diff line change
`@@ -1458,7 +1458,7 @@ func TestPeerAndPortRule(t *testing.T) {`
`1458`	`1458`	`}`
`1459`	`1459`	`}`
`1460`	`1460`
`1461`		`-func TestDirectPeerAndPortRule(t *testing.T) {`
	`1461`	`+func TestDirectPeerAndPortAllowRule(t *testing.T) {`
`1462`	`1462`	`namedPort := intstr.FromString(namedPortStr)`
`1463`	`1463`	`port8000 := intstr.FromInt(8000)`
`1464`	`1464`	`var endPort int32 = 8100`
`@@ -1636,7 +1636,7 @@ func TestDirectPeerAndPortRule(t *testing.T) {`
`1636`	`1636`	`PolicyKey: namedPortPolicyKey,`
`1637`	`1637`	`ACLPolicyID: fmt.Sprintf("azure-acl-%s-%s", defaultNS, namedPortPolicyKey),`
`1638`	`1638`	`}`
`1639`		`- err := directPeerAndPortRule(npmNetPol, tt.direction, tt.ports, tt.cidr, npmLiteToggle)`
	`1639`	`+ err := directPeerAndPortAllowRule(npmNetPol, tt.direction, tt.ports, tt.cidr, npmLiteToggle)`
`1640`	`1640`	`if tt.skipWindows {`
`1641`	`1641`	`require.Error(t, err)`
`1642`	`1642`	`} else {`