Named Ports Support (#553)

* Initial changes to support named ports.

* add support for named ports via ipset ip+port hash

* fixing a couple of operational bugs

* adding simple test to validate named port parsing

Author: jaer-tsun

npm/azure-npm.yaml

@@ -95,6 +95,8 @@ spec:
             mountPath: /run/xtables.lock
           - name: log
             mountPath: /var/log
+          - name: protocols
+            mountPath: /etc/protocols
       hostNetwork: true
       volumes:
       - name: log
@@ -105,4 +107,8 @@ spec:
         hostPath:
           path: /run/xtables.lock
           type: File
+      - name: protocols
+        hostPath:
+          path: /etc/protocols
+          type: File
       serviceAccountName: azure-npm

npm/ipsm/ipsm.go

@@ -84,7 +84,7 @@ func (ipsMgr *IpsetManager) CreateList(listName string) error {
 		spec:          util.IpsetSetListFlag,
 	}
 	log.Printf("Creating List: %+v", entry)
-	if _, err := ipsMgr.Run(entry); err != nil {
+	if errCode, err := ipsMgr.Run(entry); err != nil && errCode != 1 {
 		log.Errorf("Error: failed to create ipset list %s.", listName)
 		return err
 	}
@@ -101,10 +101,8 @@ func (ipsMgr *IpsetManager) DeleteList(listName string) error {
 		set:           util.GetHashedName(listName),
 	}
 
-	errCode, err := ipsMgr.Run(entry)
-	if err != nil {
+	if errCode, err := ipsMgr.Run(entry); err != nil {
 		if errCode == 1 {
-			log.Printf("Error: Cannot delete list %s as it's being referred or doesn't exist.", listName)
 			return nil
 		}
 
@@ -137,7 +135,7 @@ func (ipsMgr *IpsetManager) AddToList(listName string, setName string) error {
 		spec:          util.GetHashedName(setName),
 	}
 
-	if _, err := ipsMgr.Run(entry); err != nil {
+	if errCode, err := ipsMgr.Run(entry); err != nil && errCode != 1 {
 		log.Errorf("Error: failed to create ipset rules. rule: %+v", entry)
 		return err
 	}
@@ -166,8 +164,8 @@ func (ipsMgr *IpsetManager) DeleteFromList(listName string, setName string) erro
 		set:           hashedListName,
 		spec:          hashedSetName,
 	}
-	errCode, err := ipsMgr.Run(entry)
-	if errCode > 1 && err != nil {
+
+	if _, err := ipsMgr.Run(entry); err != nil {
 		log.Errorf("Error: failed to delete ipset entry. %+v", entry)
 		return err
 	}
@@ -183,7 +181,7 @@ func (ipsMgr *IpsetManager) DeleteFromList(listName string, setName string) erro
 }
 
 // CreateSet creates an ipset.
-func (ipsMgr *IpsetManager) CreateSet(setName string) error {
+func (ipsMgr *IpsetManager) CreateSet(setName, spec string) error {
 	if _, exists := ipsMgr.setMap[setName]; exists {
 		return nil
 	}
@@ -193,10 +191,10 @@ func (ipsMgr *IpsetManager) CreateSet(setName string) error {
 		operationFlag: util.IpsetCreationFlag,
 		// Use hashed string for set name to avoid string length limit of ipset.
 		set:  util.GetHashedName(setName),
-		spec: util.IpsetNetHashFlag,
+		spec: spec,
 	}
 	log.Printf("Creating Set: %+v", entry)
-	if _, err := ipsMgr.Run(entry); err != nil {
+	if errCode, err := ipsMgr.Run(entry); err != nil && errCode != 1 {
 		log.Errorf("Error: failed to create ipset.")
 		return err
 	}
@@ -221,10 +219,9 @@ func (ipsMgr *IpsetManager) DeleteSet(setName string) error {
 		operationFlag: util.IpsetDestroyFlag,
 		set:           util.GetHashedName(setName),
 	}
-	errCode, err := ipsMgr.Run(entry)
-	if err != nil {
+
+	if errCode, err := ipsMgr.Run(entry); err != nil {
 		if errCode == 1 {
-			log.Printf("Cannot delete set %s as it's being referred.", setName)
 			return nil
 		}
 
@@ -238,12 +235,12 @@ func (ipsMgr *IpsetManager) DeleteSet(setName string) error {
 }
 
 // AddToSet inserts an ip to an entry in setMap, and creates/updates the corresponding ipset.
-func (ipsMgr *IpsetManager) AddToSet(setName string, ip string) error {
-	if ipsMgr.Exists(setName, ip, util.IpsetNetHashFlag) {
+func (ipsMgr *IpsetManager) AddToSet(setName, ip, spec string) error {
+	if ipsMgr.Exists(setName, ip, spec) {
 		return nil
 	}
 
-	if err := ipsMgr.CreateSet(setName); err != nil {
+	if err := ipsMgr.CreateSet(setName, spec); err != nil {
 		return err
 	}
 
@@ -253,7 +250,7 @@ func (ipsMgr *IpsetManager) AddToSet(setName string, ip string) error {
 		spec:          ip,
 	}
 
-	if _, err := ipsMgr.Run(entry); err != nil {
+	if errCode, err := ipsMgr.Run(entry); err != nil && errCode != 1 {
 		log.Printf("Error: failed to create ipset rules. %+v", entry)
 		return err
 	}
@@ -264,7 +261,7 @@ func (ipsMgr *IpsetManager) AddToSet(setName string, ip string) error {
 }
 
 // DeleteFromSet removes an ip from an entry in setMap, and delete/update the corresponding ipset.
-func (ipsMgr *IpsetManager) DeleteFromSet(setName string, ip string) error {
+func (ipsMgr *IpsetManager) DeleteFromSet(setName, ip string) error {
 	if _, exists := ipsMgr.setMap[setName]; !exists {
 		log.Printf("ipset with name %s not found", setName)
 		return nil
@@ -281,11 +278,18 @@ func (ipsMgr *IpsetManager) DeleteFromSet(setName string, ip string) error {
 		set:           util.GetHashedName(setName),
 		spec:          ip,
 	}
-	if _, err := ipsMgr.Run(entry); err != nil {
+
+	if errCode, err := ipsMgr.Run(entry); err != nil {
+		if errCode == 1 {
+			return nil
+		}
+
 		log.Errorf("Error: failed to delete ipset entry. Entry: %+v", entry)
 		return err
 	}
 
+	ipsMgr.DeleteSet(setName)
+
 	return nil
 }
 

npm/ipsm/ipsm_test.go

@@ -3,8 +3,8 @@
 package ipsm
 
 import (
-	"testing"
 	"os"
+	"testing"
 
 	"github.com/Azure/azure-container-networking/npm/util"
 )
@@ -77,7 +77,7 @@ func TestAddToList(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.CreateSet("test-set"); err != nil {
+	if err := ipsMgr.CreateSet("test-set", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestAddToList failed @ ipsMgr.CreateSet")
 	}
 
@@ -98,7 +98,7 @@ func TestDeleteFromList(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.CreateSet("test-set"); err != nil {
+	if err := ipsMgr.CreateSet("test-set", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestDeleteFromList failed @ ipsMgr.CreateSet")
 	}
 
@@ -127,7 +127,7 @@ func TestCreateSet(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.CreateSet("test-set"); err != nil {
+	if err := ipsMgr.CreateSet("test-set", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestCreateSet failed @ ipsMgr.CreateSet")
 	}
 }
@@ -144,7 +144,7 @@ func TestDeleteSet(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.CreateSet("test-set"); err != nil {
+	if err := ipsMgr.CreateSet("test-set", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestDeleteSet failed @ ipsMgr.CreateSet")
 	}
 
@@ -165,7 +165,7 @@ func TestAddToSet(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.AddToSet("test-set", "1.2.3.4"); err != nil {
+	if err := ipsMgr.AddToSet("test-set", "1.2.3.4", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestAddToSet failed @ ipsMgr.AddToSet")
 	}
 }
@@ -182,7 +182,7 @@ func TestDeleteFromSet(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.AddToSet("test-set", "1.2.3.4"); err != nil {
+	if err := ipsMgr.AddToSet("test-set", "1.2.3.4", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestDeleteFromSet failed @ ipsMgr.AddToSet")
 	}
 
@@ -203,7 +203,7 @@ func TestClean(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.CreateSet("test-set"); err != nil {
+	if err := ipsMgr.CreateSet("test-set", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestClean failed @ ipsMgr.CreateSet")
 	}
 
@@ -224,7 +224,7 @@ func TestDestroy(t *testing.T) {
 		}
 	}()
 
-	if err := ipsMgr.AddToSet("test-set", "1.2.3.4"); err != nil {
+	if err := ipsMgr.AddToSet("test-set", "1.2.3.4", util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestDestroy failed @ ipsMgr.AddToSet")
 	}
 
@@ -262,6 +262,6 @@ func TestMain(m *testing.M) {
 	exitCode := m.Run()
 
 	ipsMgr.Restore(util.IpsetConfigFile)
-	
+
 	os.Exit(exitCode)
 }

npm/namespace.go

@@ -95,7 +95,7 @@ func (npMgr *NetworkPolicyManager) AddNamespace(nsObj *corev1.Namespace) error {
 
 	ipsMgr := npMgr.nsMap[util.KubeAllNamespacesFlag].ipsMgr
 	// Create ipset for the namespace.
-	if err = ipsMgr.CreateSet(nsName); err != nil {
+	if err = ipsMgr.CreateSet(nsName, util.IpsetNetHashFlag); err != nil {
 		log.Errorf("Error: failed to create ipset for namespace %s.", nsName)
 		return err
 	}

npm/npm.go

@@ -250,7 +250,7 @@ func NewNetworkPolicyManager(clientset *kubernetes.Clientset, informerFactory in
 
 	// Create ipset for the namespace.
 	kubeSystemNs := "ns-" + util.KubeSystemFlag
-	if err := allNs.ipsMgr.CreateSet(kubeSystemNs); err != nil {
+	if err := allNs.ipsMgr.CreateSet(kubeSystemNs, util.IpsetNetHashFlag); err != nil {
 		log.Logf("Error: failed to create ipset for namespace %s.", kubeSystemNs)
 	}
 

npm/nwpolicy.go

@@ -49,7 +49,7 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 	}
 
 	if !npMgr.isAzureNpmChainCreated {
-		if err = allNs.ipsMgr.CreateSet(util.KubeSystemFlag); err != nil {
+		if err = allNs.ipsMgr.CreateSet(util.KubeSystemFlag, util.IpsetNetHashFlag); err != nil {
 			log.Errorf("Error: failed to initialize kube-system ipset.")
 			return err
 		}
@@ -63,10 +63,11 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 	}
 
 	var (
-		hashedSelector = HashSelector(&npObj.Spec.PodSelector)
-		addedPolicy    *networkingv1.NetworkPolicy
-		sets, lists    []string
-		iptEntries     []*iptm.IptEntry
+		hashedSelector          = HashSelector(&npObj.Spec.PodSelector)
+		addedPolicy             *networkingv1.NetworkPolicy
+		sets, namedPorts, lists []string
+		iptEntries              []*iptm.IptEntry
+		ipsMgr                  = allNs.ipsMgr
 	)
 
 	// Remove the existing policy from processed (merged) network policy map
@@ -92,30 +93,31 @@ func (npMgr *NetworkPolicyManager) AddNetworkPolicy(npObj *networkingv1.NetworkP
 
 	ns.rawNpMap[npObj.ObjectMeta.Name] = npObj
 
-	sets, lists, iptEntries = translatePolicy(npObj)
-	ipsMgr := allNs.ipsMgr
+	sets, namedPorts, lists, iptEntries = translatePolicy(npObj)
 	for _, set := range sets {
 		log.Printf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))
-		if err = ipsMgr.CreateSet(set); err != nil {
+		if err = ipsMgr.CreateSet(set, util.IpsetNetHashFlag); err != nil {
 			log.Printf("Error creating ipset %s", set)
-			return err
+		}
+	}
+	for _, set := range namedPorts {
+		log.Printf("Creating set: %v, hashedSet: %v", set, util.GetHashedName(set))
+		if err = ipsMgr.CreateSet(set, util.IpsetIPPortHashFlag); err != nil {
+			log.Printf("Error creating ipset named port %s", set)
 		}
 	}
 	for _, list := range lists {
 		if err = ipsMgr.CreateList(list); err != nil {
 			log.Printf("Error creating ipset list %s", list)
-			return err
 		}
 	}
 	if err = npMgr.InitAllNsList(); err != nil {
 		log.Printf("Error initializing all-namespace ipset list.")
-		return err
 	}
 	iptMgr := allNs.iptMgr
 	for _, iptEntry := range iptEntries {
 		if err = iptMgr.Add(iptEntry); err != nil {
 			log.Errorf("Error: failed to apply iptables rule. Rule: %+v", iptEntry)
-			return err
 		}
 	}
 
@@ -135,8 +137,10 @@ func (npMgr *NetworkPolicyManager) UpdateNetworkPolicy(oldNpObj *networkingv1.Ne
 // DeleteNetworkPolicy handles deleting network policy from iptables.
 func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.NetworkPolicy) error {
 	var (
-		err error
-		ns  *namespace
+		err    error
+		ns     *namespace
+		allNs  = npMgr.nsMap[util.KubeAllNamespacesFlag]
+		ipsMgr = allNs.ipsMgr
 	)
 
 	npNs, npName := "ns-"+npObj.ObjectMeta.Namespace, npObj.ObjectMeta.Name
@@ -151,20 +155,27 @@ func (npMgr *NetworkPolicyManager) DeleteNetworkPolicy(npObj *networkingv1.Netwo
 		npMgr.nsMap[npNs] = ns
 	}
 
-	allNs := npMgr.nsMap[util.KubeAllNamespacesFlag]
-
-	_, _, iptEntries := translatePolicy(npObj)
+	sets, namedPorts, lists, iptEntries := translatePolicy(npObj)
 
 	iptMgr := allNs.iptMgr
 	for _, iptEntry := range iptEntries {
 		if err = iptMgr.Delete(iptEntry); err != nil {
 			log.Errorf("Error: failed to apply iptables rule. Rule: %+v", iptEntry)
-			return err
 		}
 	}
 
 	delete(ns.rawNpMap, npObj.ObjectMeta.Name)
 
+	for _, set := range sets {
+		ipsMgr.DeleteSet(set)
+	}
+	for _, set := range namedPorts {
+		ipsMgr.DeleteSet(set)
+	}
+	for _, list := range lists {
+		ipsMgr.DeleteList(list)
+	}
+
 	hashedSelector := HashSelector(&npObj.Spec.PodSelector)
 	if oldPolicy, oldPolicyExists := ns.processedNpMap[hashedSelector]; oldPolicyExists {
 		deductedPolicy, err := deductPolicy(oldPolicy, npObj)

npm/nwpolicy_test.go

@@ -38,7 +38,7 @@ func TestAddNetworkPolicy(t *testing.T) {
 	}
 
 	// Create ns-kube-system set
-	if err := ipsMgr.CreateSet("ns-" + util.KubeSystemFlag); err != nil {
+	if err := ipsMgr.CreateSet("ns-"+util.KubeSystemFlag, util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestAddNetworkPolicy failed @ ipsMgr.CreateSet, adding kube-system set%+v", err)
 	}
 
@@ -161,7 +161,7 @@ func TestUpdateNetworkPolicy(t *testing.T) {
 	}()
 
 	// Create ns-kube-system set
-	if err := ipsMgr.CreateSet("ns-" + util.KubeSystemFlag); err != nil {
+	if err := ipsMgr.CreateSet("ns-"+util.KubeSystemFlag, util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestUpdateNetworkPolicy failed @ ipsMgr.CreateSet, adding kube-system set%+v", err)
 	}
 
@@ -273,7 +273,7 @@ func TestDeleteNetworkPolicy(t *testing.T) {
 	}()
 
 	// Create ns-kube-system set
-	if err := ipsMgr.CreateSet("ns-" + util.KubeSystemFlag); err != nil {
+	if err := ipsMgr.CreateSet("ns-"+util.KubeSystemFlag, util.IpsetNetHashFlag); err != nil {
 		t.Errorf("TestDeleteNetworkPolicy failed @ ipsMgr.CreateSet, adding kube-system set%+v", err)
 	}