added logic to bypass ipsets for /32 cidrs with npm lite

Author: rejain789

npm/pkg/controlplane/translation/translatePolicy.go

@@ -3,6 +3,7 @@ package translation
 import (
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/Azure/azure-container-networking/npm/pkg/dataplane/ipsets"
 	"github.com/Azure/azure-container-networking/npm/pkg/dataplane/policies"
@@ -362,6 +363,53 @@ func peerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Di
 	return nil
 }
 
+func directPeerAndPortRule(npmNetPol *policies.NPMNetworkPolicy, direction policies.Direction, ports []networkingv1.NetworkPolicyPort, cidr string, npmLiteToggle bool) error {
+	ip := strings.TrimSuffix(cidr, "/32")
+	if len(ports) == 0 {
+		acl := policies.NewACLPolicy(policies.Allowed, direction)
+		// bypasses ipset creation for /32 cidrs and directly creates an acl with the cidr
+		if direction == policies.Ingress {
+			acl.SrcDirectIPs = []string{ip}
+		} else {
+			acl.DstDirectIPs = []string{ip}
+		}
+		npmNetPol.ACLs = append(npmNetPol.ACLs, acl)
+		return nil
+	} else {
+		// handle each port separately
+		for i := range ports {
+			portKind, err := portType(ports[i])
+			if err != nil {
+				return err
+			}
+
+			err = checkForNamedPortType(portKind, npmLiteToggle)
+			if err != nil {
+				return err
+			}
+
+			acl := policies.NewACLPolicy(policies.Allowed, direction)
+
+			// Set direct IP based on direction
+			if direction == policies.Ingress {
+				acl.SrcDirectIPs = []string{ip}
+			} else {
+				acl.DstDirectIPs = []string{ip}
+			}
+
+			// Handle ports
+			if portKind == numericPortType {
+				portInfo, protocol := numericPortRule(&ports[i])
+				acl.DstPorts = portInfo
+				acl.Protocol = policies.Protocol(protocol)
+			}
+			npmNetPol.ACLs = append(npmNetPol.ACLs, acl)
+
+		}
+	}
+	return nil
+}
+
 // translateRule translates ingress or egress rules and update npmNetPol object.
 func translateRule(npmNetPol *policies.NPMNetworkPolicy,
 	netPolName string,
@@ -405,6 +453,16 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy,
 		// #2.1 Handle IPBlock and port if exist
 		if peer.IPBlock != nil {
 			if len(peer.IPBlock.CIDR) > 0 {
+				// add logic that if the peer is only IPBlock and npm lite is enabled and is a /32 cidr block
+				// then skip creating IpBlockIPSet
+				if npmLiteToggle && util.IsCIDR32(peer.IPBlock.CIDR) {
+					err = directPeerAndPortRule(npmNetPol, direction, ports, peer.IPBlock.CIDR, npmLiteToggle)
+					if err != nil {
+						return err
+					}
+					continue
+				}
+
 				ipBlockIPSet, ipBlockSetInfo, err := ipBlockRule(netPolName, npmNetPol.Namespace, direction, matchType, ruleIndex, peerIdx, peer.IPBlock)
 				if err != nil {
 					return err
@@ -417,12 +475,6 @@ func translateRule(npmNetPol *policies.NPMNetworkPolicy,
 				}
 			}
 
-			// if npm lite is configured, check network policy only consists of CIDR blocks
-			err := npmLiteValidPolicy(peer, npmLiteToggle)
-			if err != nil {
-				return err
-			}
-
 			// Do not need to run below code to translate PodSelector and NamespaceSelector
 			// since IPBlock field is exclusive in NetworkPolicyPeer (i.e., peer in this code).
 
@@ -642,14 +694,6 @@ func TranslatePolicy(npObj *networkingv1.NetworkPolicy, npmLiteToggle bool) (*po
 	return npmNetPol, nil
 }
 
-// validates only CIDR based peer is present + no combination of CIDR with pod/namespace selectors are present
-func npmLiteValidPolicy(peer networkingv1.NetworkPolicyPeer, npmLiteEnabled bool) error {
-	if npmLiteEnabled && (peer.PodSelector != nil || peer.NamespaceSelector != nil) {
-		return ErrUnsupportedNonCIDR
-	}
-	return nil
-}
-
 func checkForNamedPortType(portKind netpolPortType, npmLiteToggle bool) error {
 	if npmLiteToggle && portKind == namedPortType {
 		return ErrUnsupportedNonCIDR

npm/pkg/controlplane/translation/translatePolicy_test.go

@@ -2921,169 +2921,6 @@ func TestEgressPolicy(t *testing.T) {
 	}
 }
 
-func TestNpmLiteCidrPolicy(t *testing.T) {
-	// Test 1) Npm lite enabled, CIDR + Namespace label Peers, returns error
-	// Test 2) NPM lite disabled, CIDR + Namespace label Peers, returns no error
-	// Test 3) Npm Lite enabled, CIDR Peers , returns no error
-	// Test 4) NPM Lite enabled, Combination of CIDR + Label in same peer, returns an error
-	// test 5) NPM Lite enabled, no peer, returns no error
-	// test 6) NPM Lite enabled, no cidr, no peer, only ports + protocol
-
-	port8000 := intstr.FromInt(8000)
-	tcp := v1.ProtocolTCP
-	tests := []struct {
-		name           string
-		targetSelector *metav1.LabelSelector
-		ports          []networkingv1.NetworkPolicyPort
-		peersFrom      []networkingv1.NetworkPolicyPeer
-		peersTo        []networkingv1.NetworkPolicyPeer
-		npmLiteEnabled bool
-		wantErr        bool
-	}{
-		{
-			name:           "CIDR + port + namespace",
-			targetSelector: nil,
-			ports: []networkingv1.NetworkPolicyPort{
-				{
-					Protocol: &tcp,
-					Port:     &port8000,
-				},
-			},
-			peersFrom: []networkingv1.NetworkPolicyPeer{
-				{
-					NamespaceSelector: &metav1.LabelSelector{
-						MatchLabels: map[string]string{
-							"peer-nsselector-kay": "peer-nsselector-value",
-						},
-					},
-				},
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR:   "172.17.0.0/16",
-						Except: []string{"172.17.1.0/24", "172.17.2.0/24"},
-					},
-				},
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR: "172.17.0.0/16",
-					},
-				},
-			},
-			peersTo:        []networkingv1.NetworkPolicyPeer{},
-			npmLiteEnabled: true,
-			wantErr:        true,
-		},
-		{
-			name:           "cidr + namespace label + disabledLite ",
-			targetSelector: nil,
-			peersFrom: []networkingv1.NetworkPolicyPeer{
-				{
-					NamespaceSelector: &metav1.LabelSelector{
-						MatchLabels: map[string]string{
-							"peer-nsselector-kay": "peer-nsselector-value",
-						},
-					},
-				},
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR:   "172.17.0.0/16",
-						Except: []string{"172.17.1.0/24", "172.17.2.0/24"},
-					},
-				},
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR: "172.17.0.0/16",
-					},
-				},
-			},
-			peersTo:        []networkingv1.NetworkPolicyPeer{},
-			npmLiteEnabled: false,
-			wantErr:        false,
-		},
-		{
-			name:           "CIDR Only",
-			targetSelector: nil,
-			peersFrom: []networkingv1.NetworkPolicyPeer{
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR:   "172.17.0.0/16",
-						Except: []string{"172.17.1.0/24", "172.17.2.0/24"},
-					},
-				},
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR: "172.17.0.0/16",
-					},
-				},
-			},
-			peersTo:        []networkingv1.NetworkPolicyPeer{},
-			npmLiteEnabled: true,
-			wantErr:        false,
-		},
-		{
-			name:           "CIDR + namespace labels",
-			targetSelector: nil,
-			peersFrom: []networkingv1.NetworkPolicyPeer{
-				{
-					IPBlock: &networkingv1.IPBlock{
-						CIDR:   "172.17.0.0/17",
-						Except: []string{"172.17.1.0/24", "172.17.2.0/24"},
-					},
-					NamespaceSelector: &metav1.LabelSelector{
-						MatchLabels: map[string]string{
-							"peer-nsselector-kay": "peer-nsselector-value",
-						},
-					},
-				},
-			},
-			peersTo:        []networkingv1.NetworkPolicyPeer{},
-			npmLiteEnabled: true,
-			wantErr:        true,
-		},
-		{
-			name:           "no peers",
-			targetSelector: nil,
-			peersFrom:      []networkingv1.NetworkPolicyPeer{},
-			peersTo:        []networkingv1.NetworkPolicyPeer{},
-			npmLiteEnabled: true,
-			wantErr:        false,
-		},
-		{
-			name:           "port only",
-			targetSelector: nil,
-			ports: []networkingv1.NetworkPolicyPort{
-				{
-					Protocol: &tcp,
-					Port:     &port8000,
-				},
-			},
-			peersFrom:      []networkingv1.NetworkPolicyPeer{},
-			peersTo:        []networkingv1.NetworkPolicyPeer{},
-			npmLiteEnabled: true,
-			wantErr:        false,
-		},
-	}
-
-	for _, tt := range tests {
-		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			// run the function passing in peers and a flag indicating whether npm lite is enabled
-			var err error
-			for _, peer := range tt.peersFrom {
-				err = npmLiteValidPolicy(peer, tt.npmLiteEnabled)
-				if err != nil {
-					break
-				}
-			}
-			if tt.wantErr {
-				require.Error(t, err)
-			} else {
-				require.NoError(t, err)
-			}
-		})
-	}
-}
-
 func TestCheckForNamedPortType(t *testing.T) {
 	port8000 := intstr.FromInt(8000)
 	namedPort := intstr.FromString("namedPort")

npm/pkg/dataplane/policies/policy.go

@@ -114,6 +114,10 @@ type ACLPolicy struct {
 	SrcList []SetInfo
 	// DstList destination IPSets condition setinfos
 	DstList []SetInfo
+	// SrcDirectIPs holds direct IPs for source matching (used for /32 CIDRs on Windows with npm lite enabled)
+	SrcDirectIPs []string
+	// DstDirectIPs holds direct IPs for destination matching (used for /32 CIDRs on Windows with npm lite enabled)
+	DstDirectIPs []string
 	// Target defines a target in iptables for linux. i,e, Mark, Accept, Drop
 	// in windows, this is either ALLOW or DENY
 	Target Verdict
@@ -282,7 +286,9 @@ func translatedIPSetsToString(items []*ipsets.TranslatedIPSet) string {
 // Included is false when match set have "!".
 // MatchType captures match direction flags.
 // For example match set in linux:
-//             ! azure-npm-123 src
+//
+//	! azure-npm-123 src
+//
 // "!" this indicates a negative match (Included is false) of an azure-npm-123
 // MatchType is "src"
 type SetInfo struct {

npm/pkg/dataplane/policies/policy_windows.go

@@ -3,6 +3,7 @@ package policies
 import (
 	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/Azure/azure-container-networking/npm/pkg/dataplane/ipsets"
 	"github.com/Microsoft/hcsshim/hcn"
@@ -101,8 +102,16 @@ func (acl *ACLPolicy) convertToAclSettings(aclID string) (*NPMACLPolSettings, er
 	// policySettings.RuleType = hcn.RuleTypeSwitch
 
 	// ACLPolicy settings uses ID field of SetPolicy in LocalAddresses or RemoteAddresses
-	srcListStr := getAddrListFromSetInfo(acl.SrcList)
-	dstListStr := getAddrListFromSetInfo(acl.DstList)
+	var srcListStr, dstListStr string
+	// Check if we have direct IPs (NPM Lite /32 bypass)
+	if len(acl.SrcDirectIPs) > 0 || len(acl.DstDirectIPs) > 0 {
+		srcListStr = strings.Join(acl.SrcDirectIPs, ",")
+		dstListStr = strings.Join(acl.DstDirectIPs, ",")
+	} else {
+		// Original IPSet-based approach
+		srcListStr = getAddrListFromSetInfo(acl.SrcList)
+		dstListStr = getAddrListFromSetInfo(acl.DstList)
+	}
 	dstPortStr := getPortStrFromPorts(acl.DstPorts)
 
 	// HNS has confusing Local and Remote address defintions

npm/util/util.go

@@ -359,3 +359,7 @@ func NodeIP() (string, error) {
 
 	return nodeIP, nil
 }
+
+func IsCIDR32(cidr string) bool {
+	return strings.HasSuffix(cidr, "/32")
+}