[NPM] RETURN early on MARK in DROP chains (#881)

vakalapa · web-flow · commit c2b2db10427c · 2021-06-15T10:06:37.000-07:00
* Returning in DROP chains

* adding a comment about future cleanup of chains:

* Removing duplicate rules in PORT chains of TO/FROM and DROP chain jumps

* Adding a image of new chains behavior

* Addressing comments

* addressing some comments

* Correcting some UTs to not have the jump rules

* removing jump flag
diff --git a/docs/images/npmIptableChainEval.png b/docs/images/npmIptableChainEval.png
diff --git a/npm/iptm/helper.go b/npm/iptm/helper.go
@@ -6,17 +6,17 @@ import (
 	"github.com/Azure/azure-container-networking/npm/util"
 )
 
-// GetAllChainsAndRules returns all NPM chains and rules
-func getAllChainsAndRules() [][]string {
+// getAllDefaultRules returns all NPM chains and rules
+func getAllDefaultRules() [][]string {
 	funcList := []func() [][]string{
 		getAzureNPMChainRules,
 		getAzureNPMAcceptChainRules,
 		getAzureNPMIngressChainRules,
 		getAzureNPMIngressPortChainRules,
-		getAzureNPMIngressFromChainRules,
 		getAzureNPMEgressChainRules,
 		getAzureNPMEgressPortChainRules,
-		getAzureNPMEgressToChainRules,
+		getAzureNPMIngressDropsChainRules,
+		getAzureNPMEgressDropsChainRules,
 	}
 
 	chainsAndRules := [][]string{}
@@ -168,14 +168,23 @@ func getAzureNPMIngressPortChainRules() [][]string {
 			util.IptablesCommentFlag,
 			fmt.Sprintf("RETURN-on-INGRESS-mark-%s", util.IptablesAzureIngressMarkHex),
 		},
+		{
+			util.IptablesAzureIngressPortChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureIngressFromChain,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("ALL-JUMP-TO-%s", util.IptablesAzureIngressFromChain),
+		},
 	}
 }
 
-// getAzureNPMIngressFromChainRules returns rules for AZURE-NPM-INGRESS-PORT
-func getAzureNPMIngressFromChainRules() [][]string {
+// getAzureNPMIngressDropsChainRules returns rules for AZURE-NPM-INGRESS-DROPS
+func getAzureNPMIngressDropsChainRules() [][]string {
 	return [][]string{
 		{
-			util.IptablesAzureIngressFromChain,
+			util.IptablesAzureIngressDropsChain,
 			util.IptablesJumpFlag,
 			util.IptablesReturn,
 			util.IptablesModuleFlag,
@@ -232,7 +241,7 @@ func getAzureNPMEgressChainRules() [][]string {
 	}
 }
 
-// getAzureNPMEgressPortChainRules returns rules for AZURE-NPM-INGRESS-PORT
+// getAzureNPMEgressPortChainRules returns rules for AZURE-NPM-EGRESS-PORT
 func getAzureNPMEgressPortChainRules() [][]string {
 	return [][]string{
 		{
@@ -261,14 +270,23 @@ func getAzureNPMEgressPortChainRules() [][]string {
 			util.IptablesCommentFlag,
 			fmt.Sprintf("RETURN-on-EGRESS-mark-%s", util.IptablesAzureEgressMarkHex),
 		},
+		{
+			util.IptablesAzureEgressPortChain,
+			util.IptablesJumpFlag,
+			util.IptablesAzureEgressToChain,
+			util.IptablesModuleFlag,
+			util.IptablesCommentModuleFlag,
+			util.IptablesCommentFlag,
+			fmt.Sprintf("ALL-JUMP-TO-%s", util.IptablesAzureEgressToChain),
+		},
 	}
 }
 
-// getAzureNPMEgressToChainRules returns rules for AZURE-NPM-INGRESS-PORT
-func getAzureNPMEgressToChainRules() [][]string {
+// getAzureNPMEgressDropsChainRules returns rules for AZURE-NPM-EGRESS-DROPS
+func getAzureNPMEgressDropsChainRules() [][]string {
 	return [][]string{
 		{
-			util.IptablesAzureEgressToChain,
+			util.IptablesAzureEgressDropsChain,
 			util.IptablesJumpFlag,
 			util.IptablesReturn,
 			util.IptablesModuleFlag,
@@ -281,7 +299,7 @@ func getAzureNPMEgressToChainRules() [][]string {
 			fmt.Sprintf("RETURN-on-EGRESS-and-INGRESS-mark-%s", util.IptablesAzureAcceptMarkHex),
 		},
 		{
-			util.IptablesAzureEgressToChain,
+			util.IptablesAzureEgressDropsChain,
 			util.IptablesJumpFlag,
 			util.IptablesReturn,
 			util.IptablesModuleFlag,
diff --git a/npm/iptm/helper_test.go b/npm/iptm/helper_test.go
@@ -7,7 +7,7 @@ import (
 )
 
 func TestGetAllChainsAndRules(t *testing.T) {
-	allChainsandRules := getAllChainsAndRules()
+	allChainsandRules := getAllDefaultRules()
 
 	parentNpmRulesCount := 6
 
diff --git a/npm/iptm/iptm.go b/npm/iptm/iptm.go
@@ -47,7 +47,6 @@ type IptEntry struct {
 	Chain                 string
 	Flag                  string
 	LockWaitTimeInSeconds string
-	IsJumpEntry           bool
 	Specs                 []string
 }
 
@@ -56,6 +55,16 @@ type IptablesManager struct {
 	OperationFlag string
 }
 
+func isDropsChain(chainName string) bool {
+
+	// Check if the chain name is one of the two DROP chains
+	if (chainName == util.IptablesAzureIngressDropsChain) ||
+		(chainName == util.IptablesAzureEgressDropsChain) {
+		return true
+	}
+	return false
+}
+
 // NewIptablesManager creates a new instance for IptablesManager object.
 func NewIptablesManager() *IptablesManager {
 	iptMgr := &IptablesManager{
@@ -213,8 +222,8 @@ func (iptMgr *IptablesManager) UninitNpmChains() error {
 // AddAllRulesToChains Checks and adds all the rules in NPM chains
 func (iptMgr *IptablesManager) AddAllRulesToChains() error {
 
-	allChainsAndRules := getAllChainsAndRules()
-	for _, rule := range allChainsAndRules {
+	allDefaultRules := getAllDefaultRules()
+	for _, rule := range allDefaultRules {
 		entry := &IptEntry{
 			Chain: rule[0],
 			Specs: rule[1:],
@@ -359,7 +368,9 @@ func (iptMgr *IptablesManager) Add(entry *IptEntry) error {
 
 	log.Logf("Adding iptables entry: %+v.", entry)
 
-	if entry.IsJumpEntry {
+	// Since there is a RETURN statement added to each DROP chain, we need to make sure
+	// any new DROP rule added to ingress or egress DROPS chain is added at the BOTTOM
+	if isDropsChain(entry.Chain) {
 		iptMgr.OperationFlag = util.IptablesAppendFlag
 	} else {
 		iptMgr.OperationFlag = util.IptablesInsertionFlag
diff --git a/npm/translatePolicy.go b/npm/translatePolicy.go
@@ -162,14 +162,14 @@ func craftPartialIptablesCommentFromSelector(ns string, selector *metav1.LabelSe
 
 func translateIngress(ns string, policyName string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyIngressRule) ([]string, []string, []string, [][]string, []*iptm.IptEntry) {
 	var (
-		sets                                  []string // ipsets with type: net:hash
-		namedPorts                            []string // ipsets with type: hash:ip,port
-		lists                                 []string // ipsets with type: list:set
-		ipCidrs                               [][]string
-		entries                               []*iptm.IptEntry
-		fromRuleEntries                       []*iptm.IptEntry
-		addedCidrEntry                        bool // all cidr entry will be added in one set per from/to rule
-		addedIngressFromEntry, addedPortEntry bool // add drop entries at the end of the chain when there are non ALLOW-ALL* rules
+		sets            []string // ipsets with type: net:hash
+		namedPorts      []string // ipsets with type: hash:ip,port
+		lists           []string // ipsets with type: list:set
+		ipCidrs         [][]string
+		entries         []*iptm.IptEntry
+		fromRuleEntries []*iptm.IptEntry
+		addedCidrEntry  bool // all cidr entry will be added in one set per from/to rule
+		addedPortEntry  bool // add drop entries at the end of the chain when there are non ALLOW-ALL* rules
 	)
 
 	log.Logf("started parsing ingress rule")
@@ -308,7 +308,6 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 							// TODO move IP cidrs rule to allow based only
 							ipCidrs[i] = append(ipCidrs[i], except+util.IpsetNomatch)
 						}
-						addedIngressFromEntry = true
 					}
 					if j != 0 && addedCidrEntry {
 						continue
@@ -408,7 +407,6 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 								"-TO-"+targetSelectorComment,
 						)
 						fromRuleEntries = append(fromRuleEntries, entry)
-						addedIngressFromEntry = true
 					}
 					addedCidrEntry = true
 				}
@@ -524,7 +522,6 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 							"-TO-"+targetSelectorComment,
 					)
 					entries = append(entries, entry)
-					addedIngressFromEntry = true
 				}
 				continue
 			}
@@ -627,7 +624,6 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 							"-TO-"+targetSelectorComment,
 					)
 					entries = append(entries, entry)
-					addedIngressFromEntry = true
 				}
 				continue
 			}
@@ -758,7 +754,6 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 						"-TO-"+targetSelectorComment,
 				)
 				entries = append(entries, entry)
-				addedIngressFromEntry = true
 			}
 		}
 
@@ -790,75 +785,20 @@ func translateIngress(ns string, policyName string, targetSelector metav1.LabelS
 		entries = append(fromRuleEntries, entries...)
 	}
 
-	if addedPortEntry && !addedIngressFromEntry {
-		entry := &iptm.IptEntry{
-			Chain:       util.IptablesAzureIngressPortChain,
-			Specs:       append([]string(nil), targetSelectorIptEntrySpec...),
-			IsJumpEntry: true,
-		}
-		entry.Specs = append(
-			entry.Specs,
-			util.IptablesJumpFlag,
-			util.IptablesAzureIngressDropsChain,
-			util.IptablesModuleFlag,
-			util.IptablesCommentModuleFlag,
-			util.IptablesCommentFlag,
-			"ALLOW-ALL-TO-"+
-				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
-		)
-		entries = append(entries, entry)
-	} else if addedIngressFromEntry {
-		portEntry := &iptm.IptEntry{
-			Chain:       util.IptablesAzureIngressPortChain,
-			Specs:       append([]string(nil), targetSelectorIptEntrySpec...),
-			IsJumpEntry: true,
-		}
-		portEntry.Specs = append(
-			portEntry.Specs,
-			util.IptablesJumpFlag,
-			util.IptablesAzureIngressFromChain,
-			util.IptablesModuleFlag,
-			util.IptablesCommentModuleFlag,
-			util.IptablesCommentFlag,
-			"ALLOW-ALL-TO-"+
-				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureIngressFromChain,
-		)
-		entries = append(entries, portEntry)
-		entry := &iptm.IptEntry{
-			Chain:       util.IptablesAzureIngressFromChain,
-			Specs:       append([]string(nil), targetSelectorIptEntrySpec...),
-			IsJumpEntry: true,
-		}
-		entry.Specs = append(
-			entry.Specs,
-			util.IptablesJumpFlag,
-			util.IptablesAzureIngressDropsChain,
-			util.IptablesModuleFlag,
-			util.IptablesCommentModuleFlag,
-			util.IptablesCommentFlag,
-			"ALLOW-ALL-TO-"+
-				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureIngressDropsChain,
-		)
-		entries = append(entries, entry)
-	}
-
 	log.Logf("finished parsing ingress rule")
 	return util.DropEmptyFields(sets), util.DropEmptyFields(namedPorts), util.DropEmptyFields(lists), ipCidrs, entries
 }
 
 func translateEgress(ns string, policyName string, targetSelector metav1.LabelSelector, rules []networkingv1.NetworkPolicyEgressRule) ([]string, []string, []string, [][]string, []*iptm.IptEntry) {
 	var (
-		sets                               []string // ipsets with type: net:hash
-		namedPorts                         []string // ipsets with type: hash:ip,port
-		lists                              []string // ipsets with type: list:set
-		ipCidrs                            [][]string
-		entries                            []*iptm.IptEntry
-		toRuleEntries                      []*iptm.IptEntry
-		addedCidrEntry                     bool // all cidr entry will be added in one set per from/to rule
-		addedEgressToEntry, addedPortEntry bool // add drop entry when there are non ALLOW-ALL* rules
+		sets           []string // ipsets with type: net:hash
+		namedPorts     []string // ipsets with type: hash:ip,port
+		lists          []string // ipsets with type: list:set
+		ipCidrs        [][]string
+		entries        []*iptm.IptEntry
+		toRuleEntries  []*iptm.IptEntry
+		addedCidrEntry bool // all cidr entry will be added in one set per from/to rule
+		addedPortEntry bool // add drop entry when there are non ALLOW-ALL* rules
 	)
 
 	log.Logf("started parsing egress rule")
@@ -993,7 +933,6 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 							// TODO move IP cidrs rule to allow based only
 							ipCidrs[i] = append(ipCidrs[i], except+util.IpsetNomatch)
 						}
-						addedEgressToEntry = true
 					}
 					if j != 0 && addedCidrEntry {
 						continue
@@ -1099,7 +1038,6 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 								"-FROM-"+targetSelectorComment,
 						)
 						toRuleEntries = append(toRuleEntries, entry)
-						addedEgressToEntry = true
 					}
 					addedCidrEntry = true
 				}
@@ -1215,7 +1153,6 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 							"-TO-"+iptPartialNsComment,
 					)
 					entries = append(entries, entry)
-					addedEgressToEntry = true
 				}
 				continue
 			}
@@ -1318,7 +1255,6 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 							"-TO-"+iptPartialPodComment,
 					)
 					entries = append(entries, entry)
-					addedEgressToEntry = true
 				}
 				continue
 			}
@@ -1449,7 +1385,6 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 						"-AND-"+iptPartialPodComment,
 				)
 				entries = append(entries, entry)
-				addedEgressToEntry = true
 			}
 		}
 
@@ -1482,61 +1417,6 @@ func translateEgress(ns string, policyName string, targetSelector metav1.LabelSe
 		entries = append(toRuleEntries, entries...)
 	}
 
-	if addedPortEntry && !addedEgressToEntry {
-		entry := &iptm.IptEntry{
-			Chain:       util.IptablesAzureEgressPortChain,
-			Specs:       append([]string(nil), targetSelectorIptEntrySpec...),
-			IsJumpEntry: true,
-		}
-		entry.Specs = append(
-			entry.Specs,
-			util.IptablesJumpFlag,
-			util.IptablesAzureEgressDropsChain,
-			util.IptablesModuleFlag,
-			util.IptablesCommentModuleFlag,
-			util.IptablesCommentFlag,
-			"ALLOW-ALL-FROM-"+
-				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain,
-		)
-		entries = append(entries, entry)
-	} else if addedEgressToEntry {
-		portEntry := &iptm.IptEntry{
-			Chain:       util.IptablesAzureEgressPortChain,
-			Specs:       append([]string(nil), targetSelectorIptEntrySpec...),
-			IsJumpEntry: true,
-		}
-		portEntry.Specs = append(
-			portEntry.Specs,
-			util.IptablesJumpFlag,
-			util.IptablesAzureEgressToChain,
-			util.IptablesModuleFlag,
-			util.IptablesCommentModuleFlag,
-			util.IptablesCommentFlag,
-			"ALLOW-ALL-FROM-"+
-				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureEgressToChain,
-		)
-		entries = append(entries, portEntry)
-		entry := &iptm.IptEntry{
-			Chain:       util.IptablesAzureEgressToChain,
-			Specs:       append([]string(nil), targetSelectorIptEntrySpec...),
-			IsJumpEntry: true,
-		}
-		entry.Specs = append(
-			entry.Specs,
-			util.IptablesJumpFlag,
-			util.IptablesAzureEgressDropsChain,
-			util.IptablesModuleFlag,
-			util.IptablesCommentModuleFlag,
-			util.IptablesCommentFlag,
-			"ALLOW-ALL-FROM-"+
-				targetSelectorComment+
-				"-TO-JUMP-TO-"+util.IptablesAzureEgressDropsChain,
-		)
-		entries = append(entries, entry)
-	}
-
 	log.Logf("finished parsing egress rule")
 	return util.DropEmptyFields(sets), util.DropEmptyFields(namedPorts), util.DropEmptyFields(lists), ipCidrs, entries
 }
diff --git a/npm/translatePolicy_test.go b/npm/translatePolicy_test.go

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`)`
`8`	`8`
`9`	`9`	`func TestGetAllChainsAndRules(t *testing.T) {`
`10`		`- allChainsandRules := getAllChainsAndRules()`
	`10`	`+ allChainsandRules := getAllDefaultRules()`
`11`	`11`
`12`	`12`	`parentNpmRulesCount := 6`
`13`	`13`