Add nil pointer checker when reading port value to avoid panic. (#606)

Author: csfmomo

npm/testpolicies/allow-backend-to-frontend-with-missing-port.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-backend-to-frontend-on-port-8000-policy
+  namespace: testnamespace
+spec:
+  policyTypes:
+    - Ingress
+  podSelector:
+    matchLabels:
+      app: frontend
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: backend
+      ports:
+        - port:

npm/translatePolicy.go

@@ -231,7 +231,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 		// Only Ports rules exist
 		if portRuleExists && !fromRuleExists && !allowExternal {
 			for _, portRule := range rule.Ports {
-				if portRule.Port.IntValue() == 0 {
+				if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 					portName := portRule.Port.String()
 					namedPorts = append(namedPorts, portName)
 					entry := &iptm.IptEntry{
@@ -297,7 +297,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 					}
 					if portRuleExists {
 						for _, portRule := range rule.Ports {
-							if portRule.Port.IntValue() == 0 {
+							if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 								portName := portRule.Port.String()
 								namedPorts = append(namedPorts, portName)
 								entry := &iptm.IptEntry{
@@ -413,7 +413,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 				iptPartialNsComment := craftPartialIptablesCommentFromSelector("", fromRule.NamespaceSelector, true)
 				if portRuleExists {
 					for _, portRule := range rule.Ports {
-						if portRule.Port.IntValue() == 0 {
+						if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 							portName := portRule.Port.String()
 							namedPorts = append(namedPorts, portName)
 							entry := &iptm.IptEntry{
@@ -507,7 +507,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 				iptPartialPodComment := craftPartialIptablesCommentFromSelector(ns, fromRule.PodSelector, false)
 				if portRuleExists {
 					for _, portRule := range rule.Ports {
-						if portRule.Port.IntValue() == 0 {
+						if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 							portName := portRule.Port.String()
 							namedPorts = append(namedPorts, portName)
 							entry := &iptm.IptEntry{
@@ -614,7 +614,7 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 			iptPartialPodComment := craftPartialIptablesCommentFromSelector("", fromRule.PodSelector, false)
 			if portRuleExists {
 				for _, portRule := range rule.Ports {
-					if portRule.Port.IntValue() == 0 {
+					if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 						portName := portRule.Port.String()
 						namedPorts = append(namedPorts, portName)
 						entry := &iptm.IptEntry{
@@ -869,7 +869,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 		// Only Ports rules exist
 		if portRuleExists && !toRuleExists && !allowExternal {
 			for _, portRule := range rule.Ports {
-				if portRule.Port.IntValue() == 0 {
+				if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 					portName := portRule.Port.String()
 					namedPorts = append(namedPorts, portName)
 					entry := &iptm.IptEntry{
@@ -935,7 +935,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 					}
 					if portRuleExists {
 						for _, portRule := range rule.Ports {
-							if portRule.Port.IntValue() == 0 {
+							if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 								portName := portRule.Port.String()
 								namedPorts = append(namedPorts, portName)
 								entry := &iptm.IptEntry{
@@ -1057,7 +1057,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 				iptPartialNsComment := craftPartialIptablesCommentFromSelector("", toRule.NamespaceSelector, true)
 				if portRuleExists {
 					for _, portRule := range rule.Ports {
-						if portRule.Port.IntValue() == 0 {
+						if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 							portName := portRule.Port.String()
 							namedPorts = append(namedPorts, portName)
 							entry := &iptm.IptEntry{
@@ -1151,7 +1151,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 				iptPartialPodComment := craftPartialIptablesCommentFromSelector(ns, toRule.PodSelector, false)
 				if portRuleExists {
 					for _, portRule := range rule.Ports {
-						if portRule.Port.IntValue() == 0 {
+						if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 							portName := portRule.Port.String()
 							namedPorts = append(namedPorts, portName)
 							entry := &iptm.IptEntry{
@@ -1258,7 +1258,7 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 			iptPartialPodComment := craftPartialIptablesCommentFromSelector("", toRule.PodSelector, false)
 			if portRuleExists {
 				for _, portRule := range rule.Ports {
-					if portRule.Port.IntValue() == 0 {
+					if portRule.Port != nil && portRule.Port.IntValue() == 0 {
 						portName := portRule.Port.String()
 						namedPorts = append(namedPorts, portName)
 						entry := &iptm.IptEntry{

npm/translatePolicy_test.go

@@ -2368,6 +2368,121 @@ func TestAllowBackendToFrontendPort8000(t *testing.T) {
 	}
 }
 
+func TestAllowBackendToFrontendWithMissingPort(t *testing.T) {
+	allowBackendToFrontendMissingPortPolicy, err := readPolicyYaml("testpolicies/allow-backend-to-frontend-with-missing-port.yaml")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	sets, _, lists, _, _, iptEntries := translatePolicy(allowBackendToFrontendMissingPortPolicy)
+
+	expectedSets := []string{
+		"app:frontend",
+		"ns-testnamespace",
+		"app:backend",
+	}
+	if !reflect.DeepEqual(sets, expectedSets) {
+		t.Errorf("translatedPolicy failed @ ALLOW-app:backend-TO-app:frontend-port-8000-policy sets comparison")
+		t.Errorf("sets: %v", sets)
+		t.Errorf("expectedSets: %v", expectedSets)
+	}
+
+	expectedLists := []string{}
+	if !reflect.DeepEqual(lists, expectedLists) {
+		t.Errorf("translatedPolicy failed @ ALLOW-app:backend-TO-app:frontend-port-8000-policy lists comparison")
+		t.Errorf("lists: %v", lists)
+		t.Errorf("expectedLists: %v", expectedLists)
+	}
+
+	expectedIptEntries := []*iptm.IptEntry{}
+	nonKubeSystemEntries := []*iptm.IptEntry{
+		&iptm.IptEntry{
+			Chain: util.IptablesAzureIngressPortChain,
+			Specs: []string{
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("ns-testnamespace"),
+				util.IptablesDstFlag,
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("app:frontend"),
+				util.IptablesDstFlag,
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("ns-testnamespace"),
+				util.IptablesSrcFlag,
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("app:backend"),
+				util.IptablesSrcFlag,
+				util.IptablesJumpFlag,
+				util.IptablesAccept,
+				util.IptablesModuleFlag,
+				util.IptablesCommentModuleFlag,
+				util.IptablesCommentFlag,
+				"ALLOW-app:backend-IN-ns-testnamespace-AND--TO-app:frontend-IN-ns-testnamespace",
+			},
+		},
+		&iptm.IptEntry{
+			Chain:       util.IptablesAzureIngressPortChain,
+			IsJumpEntry: true,
+			Specs: []string{
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("ns-testnamespace"),
+				util.IptablesDstFlag,
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("app:frontend"),
+				util.IptablesDstFlag,
+				util.IptablesJumpFlag,
+				util.IptablesAzureTargetSetsChain,
+				util.IptablesModuleFlag,
+				util.IptablesCommentModuleFlag,
+				util.IptablesCommentFlag,
+				"ALLOW-ALL-TO-app:frontend-IN-ns-testnamespace-TO-JUMP-TO-" + util.IptablesAzureTargetSetsChain,
+			},
+		},
+		&iptm.IptEntry{
+			Chain: util.IptablesAzureTargetSetsChain,
+			Specs: []string{
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("ns-testnamespace"),
+				util.IptablesDstFlag,
+				util.IptablesModuleFlag,
+				util.IptablesSetModuleFlag,
+				util.IptablesMatchSetFlag,
+				util.GetHashedName("app:frontend"),
+				util.IptablesDstFlag,
+				util.IptablesJumpFlag,
+				util.IptablesDrop,
+				util.IptablesModuleFlag,
+				util.IptablesCommentModuleFlag,
+				util.IptablesCommentFlag,
+				"DROP-ALL-TO-app:frontend-IN-ns-testnamespace",
+			},
+		},
+	}
+
+	expectedIptEntries = append(expectedIptEntries, nonKubeSystemEntries...)
+	expectedIptEntries = append(expectedIptEntries, getDefaultDropEntries("dangerous", allowBackendToFrontendMissingPortPolicy.Spec.PodSelector, false, false)...)
+	if !reflect.DeepEqual(iptEntries, expectedIptEntries) {
+		t.Errorf("translatedPolicy failed @ ALLOW-ALL-TO-app:backdoor-policy policy comparison")
+		marshalledIptEntries, _ := json.Marshal(iptEntries)
+		marshalledExpectedIptEntries, _ := json.Marshal(expectedIptEntries)
+		t.Errorf("iptEntries: %s", marshalledIptEntries)
+		t.Errorf("expectedIptEntries: %s", marshalledExpectedIptEntries)
+	}
+}
+
 func TestAllowMultipleLabelsToMultipleLabels(t *testing.T) {
 	allowCniOrCnsToK8sPolicy, err := readPolicyYaml("testpolicies/allow-multiple-labels-to-multiple-labels.yaml")
 	if err != nil {