@@ -1458,6 +1458,195 @@ func TestPeerAndPortRule(t *testing.T) {
14581458 }
14591459}
14601460
1461+ func TestDirectPeerAndPortRule (t * testing.T ) {
1462+ namedPort := intstr .FromString (namedPortStr )
1463+ port8000 := intstr .FromInt (8000 )
1464+ var endPort int32 = 8100
1465+ tcp := v1 .ProtocolTCP
1466+
1467+ tests := []struct {
1468+ name string
1469+ direction policies.Direction
1470+ ports []networkingv1.NetworkPolicyPort
1471+ cidr string
1472+ npmNetPol * policies.NPMNetworkPolicy
1473+ skipWindows bool
1474+ }{
1475+ {
1476+ name : "egress tcp port 8000-8100 with /28 subnet" ,
1477+ direction : policies .Egress ,
1478+ ports : []networkingv1.NetworkPolicyPort {
1479+ {
1480+ Protocol : & tcp ,
1481+ Port : & port8000 ,
1482+ EndPort : & endPort ,
1483+ },
1484+ },
1485+ cidr : "10.0.1.0/28" ,
1486+ npmNetPol : & policies.NPMNetworkPolicy {
1487+ Namespace : defaultNS ,
1488+ PolicyKey : namedPortPolicyKey ,
1489+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1490+ ACLs : []* policies.ACLPolicy {
1491+ {
1492+ Target : policies .Allowed ,
1493+ Direction : policies .Egress ,
1494+ DstDirectIPs : []string {"10.0.1.0/28" },
1495+ DstPorts : policies.Ports {
1496+ Port : 8000 ,
1497+ EndPort : 8100 ,
1498+ },
1499+ Protocol : "TCP" ,
1500+ },
1501+ },
1502+ },
1503+ },
1504+ {
1505+ name : "ingress no ports - single IP (/32)" ,
1506+ direction : policies .Ingress ,
1507+ ports : []networkingv1.NetworkPolicyPort {},
1508+ cidr : "10.226.0.49/32" ,
1509+ npmNetPol : & policies.NPMNetworkPolicy {
1510+ Namespace : defaultNS ,
1511+ PolicyKey : namedPortPolicyKey ,
1512+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1513+ ACLs : []* policies.ACLPolicy {
1514+ {
1515+ Target : policies .Allowed ,
1516+ Direction : policies .Ingress ,
1517+ SrcDirectIPs : []string {"10.226.0.49/32" },
1518+ },
1519+ },
1520+ },
1521+ },
1522+ {
1523+ name : "egress no ports - subnet (/24)" ,
1524+ direction : policies .Egress ,
1525+ ports : []networkingv1.NetworkPolicyPort {},
1526+ cidr : "192.168.1.0/24" ,
1527+ npmNetPol : & policies.NPMNetworkPolicy {
1528+ Namespace : defaultNS ,
1529+ PolicyKey : namedPortPolicyKey ,
1530+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1531+ ACLs : []* policies.ACLPolicy {
1532+ {
1533+ Target : policies .Allowed ,
1534+ Direction : policies .Egress ,
1535+ DstDirectIPs : []string {"192.168.1.0/24" },
1536+ },
1537+ },
1538+ },
1539+ },
1540+ {
1541+ name : "ingress no ports - large subnet (/16)" ,
1542+ direction : policies .Ingress ,
1543+ ports : []networkingv1.NetworkPolicyPort {},
1544+ cidr : "172.16.0.0/16" ,
1545+ npmNetPol : & policies.NPMNetworkPolicy {
1546+ Namespace : defaultNS ,
1547+ PolicyKey : namedPortPolicyKey ,
1548+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1549+ ACLs : []* policies.ACLPolicy {
1550+ {
1551+ Target : policies .Allowed ,
1552+ Direction : policies .Ingress ,
1553+ SrcDirectIPs : []string {"172.16.0.0/16" },
1554+ },
1555+ },
1556+ },
1557+ },
1558+ {
1559+ name : "egress tcp port 8000-8100 with /28 subnet" ,
1560+ direction : policies .Egress ,
1561+ ports : []networkingv1.NetworkPolicyPort {
1562+ {
1563+ Protocol : & tcp ,
1564+ Port : & port8000 ,
1565+ EndPort : & endPort ,
1566+ },
1567+ },
1568+ cidr : "10.0.1.0/28" ,
1569+ npmNetPol : & policies.NPMNetworkPolicy {
1570+ Namespace : defaultNS ,
1571+ PolicyKey : namedPortPolicyKey ,
1572+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1573+ ACLs : []* policies.ACLPolicy {
1574+ {
1575+ Target : policies .Allowed ,
1576+ Direction : policies .Egress ,
1577+ DstDirectIPs : []string {"10.0.1.0/28" },
1578+ DstPorts : policies.Ports {
1579+ Port : 8000 ,
1580+ EndPort : 8100 ,
1581+ },
1582+ Protocol : "TCP" ,
1583+ },
1584+ },
1585+ },
1586+ },
1587+ {
1588+ name : "ingress udp port 53 with /32" ,
1589+ direction : policies .Ingress ,
1590+ ports : []networkingv1.NetworkPolicyPort {
1591+ {
1592+ Protocol : & []v1.Protocol {v1 .ProtocolUDP }[0 ],
1593+ Port : & intstr.IntOrString {Type : intstr .Int , IntVal : 53 },
1594+ },
1595+ },
1596+ cidr : "8.8.8.8/32" ,
1597+ npmNetPol : & policies.NPMNetworkPolicy {
1598+ Namespace : defaultNS ,
1599+ PolicyKey : namedPortPolicyKey ,
1600+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1601+ ACLs : []* policies.ACLPolicy {
1602+ {
1603+ Target : policies .Allowed ,
1604+ Direction : policies .Ingress ,
1605+ SrcDirectIPs : []string {"8.8.8.8/32" },
1606+ DstPorts : policies.Ports {
1607+ Port : 53 ,
1608+ EndPort : 0 ,
1609+ },
1610+ Protocol : "UDP" ,
1611+ },
1612+ },
1613+ },
1614+ },
1615+ {
1616+ name : "named port should fail in NPM Lite" ,
1617+ direction : policies .Ingress ,
1618+ ports : []networkingv1.NetworkPolicyPort {
1619+ {
1620+ Protocol : & tcp ,
1621+ Port : & namedPort ,
1622+ },
1623+ },
1624+ cidr : "10.226.0.49/32" ,
1625+ skipWindows : true , // Should fail on both platforms
1626+ },
1627+ }
1628+
1629+ for _ , tt := range tests {
1630+ tt := tt
1631+ npmLiteToggle := true
1632+ t .Run (tt .name , func (t * testing.T ) {
1633+ t .Parallel ()
1634+ npmNetPol := & policies.NPMNetworkPolicy {
1635+ Namespace : defaultNS ,
1636+ PolicyKey : namedPortPolicyKey ,
1637+ ACLPolicyID : fmt .Sprintf ("azure-acl-%s-%s" , defaultNS , namedPortPolicyKey ),
1638+ }
1639+ err := directPeerAndPortRule (npmNetPol , tt .direction , tt .ports , tt .cidr , npmLiteToggle )
1640+ if tt .skipWindows {
1641+ require .Error (t , err )
1642+ } else {
1643+ require .NoError (t , err )
1644+ require .Equal (t , tt .npmNetPol , npmNetPol )
1645+ }
1646+ })
1647+ }
1648+ }
1649+
14611650func TestIngressPolicy (t * testing.T ) {
14621651 tcp := v1 .ProtocolTCP
14631652 targetPodMatchType := policies .EitherMatch
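Review bot: The table entry at new line 1559 ("egress tcp port 8000-8100 with /28 subnet") is a byte-for-byte duplicate of the entry at 1476, so `t.Run` registers it as `…#01` and it verifies nothing new; drop it or replace it with a distinct input, e.g. a malformed CIDR such as `cidr: "10.0.1.0/33"` expecting an error, once the function's behaviour on bad input is confirmed — this hunk does not show whether `directPeerAndPortRule` validates `cidr` before copying it into `SrcDirectIPs`/`DstDirectIPs`, and an unvalidated value reaching the ACL would be a dataplane problem. The `skipWindows` field is used only as an expect-error flag (1640-1645) and its name contradicts its own comment at 1625 ("Should fail on both platforms"); rename it `wantErr bool` so the branch reads `if tt.wantErr { require.Error(t, err) }`. The UDP case at 1592 takes the address of a throw-away slice element (`&[]v1.Protocol{v1.ProtocolUDP}[0]`); a local `udp := v1.ProtocolUDP` next to `tcp` at 1465 is the idiom the rest of the table already uses, and likewise `port53 := intstr.FromInt(53)` beside `port8000` at 1463. `TestIngressPolicy`, whose first lines close the hunk, continues outside it.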