TSG: NPM v1.3.0 breaking changes
# Existing Behavior (<v1.3.0)

NPM used to take a decision on a given packet based on the rules of a single direction only. If there was a DENY rule in EGRESS and an ALLOW rule in INGRESS, NPM would have ALLOWED the packet, even though it should have been blocked. This was incorrect behavior. Original behavior logic examples:
- (Ingress allow rule 1 OR egress deny rule 1) - Packet ALLOWED
- (Ingress deny rule 1 OR egress allow rule 1) - Packet ALLOWED
- (Ingress allow rule 1 OR NO EGRESS rules) - Packet ALLOWED
- (NO INGRESS rules OR egress allow rule 1) - Packet ALLOWED
- (NO RULES) - Packet ALLOWED
# New and correct behavior (>v1.3.0)

With the latest update, NPM evaluates both ingress and egress rules to take a decision on the packet. For each direction, if there are one or more explicit DENY rules and no ALLOW rule in that particular packet direction, NPM drops the packet. Current behavior:

- (Ingress allow rule 1 AND egress deny rule 1) - Packet DROPPED
- (Ingress deny rule 1 AND egress allow rule 1) - Packet DROPPED
- (Ingress allow rule 1 AND NO EGRESS rules) - Packet ALLOWED
- (NO INGRESS rules AND egress allow rule 1) - Packet ALLOWED
- (NO RULES) - Packet ALLOWED
Some rule examples of this behavior:
- If there is one allow rule in INGRESS and no rules in EGRESS - applicable traffic will be allowed
- If there is one allow rule in EGRESS and no rules in INGRESS - applicable traffic will be allowed
- If there is one allow rule in EGRESS and one (or more) DENY rule(s) in INGRESS - applicable traffic will be DENIED
- If there is one allow rule in INGRESS and one (or more) DENY rule(s) in EGRESS - applicable traffic will be DENIED
- If INGRESS and EGRESS have allow rules - traffic is allowed.
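The following is an added example, not code from the Azure Container Networking repository, that models the two decision procedures described on this page (the pre-v1.3.0 single-direction OR logic and the v1.3.0 per-direction evaluation) as two small Go functions and runs the page's five scenarios through both. The `Rule`, `Direction` and `Action` types are hypothetical simplifications that assume every rule has already matched the packet; selectors, ports and namespaces are out of scope. The page does not say what the old logic did when only DENY rules matched, so that branch is marked as an assumption in the code.

```go
package main

import "fmt"

// Direction and Action are the two axes a rule is described by on this page:
// which way the packet travels, and whether a matching rule allows or denies it.
type Direction int

const (
	Ingress Direction = iota
	Egress
)

type Action int

const (
	Allow Action = iota
	Deny
)

// Rule is a hypothetical, simplified stand-in for an NPM rule that has already
// matched the packet under consideration (assumption: matching is done elsewhere).
type Rule struct {
	Direction Direction
	Action    Action
}

// directionVerdict reports whether any matched rule in direction d allows or
// denies the packet. Both flags are returned so the two policies below can
// combine them differently.
func directionVerdict(rules []Rule, d Direction) (hasAllow, hasDeny bool) {
	for _, r := range rules {
		if r.Direction != d {
			continue
		}
		switch r.Action {
		case Allow:
			hasAllow = true
		case Deny:
			hasDeny = true
		}
	}
	return hasAllow, hasDeny
}

// legacyDecision models the pre-v1.3.0 behaviour: the page's examples show an
// ALLOW in either direction winning (an OR across directions), so an EGRESS
// deny is ignored whenever INGRESS allows. The page does not state what
// happened with DENY rules only; this model drops in that case (assumption).
func legacyDecision(rules []Rule) bool {
	inAllow, inDeny := directionVerdict(rules, Ingress)
	egAllow, egDeny := directionVerdict(rules, Egress)
	if inAllow || egAllow {
		return true
	}
	if inDeny || egDeny {
		return false // assumption, not stated on the page
	}
	return true // no rules at all: allowed
}

// currentDecision models the v1.3.0 behaviour: each direction is evaluated
// independently, and a direction that has a DENY but no ALLOW drops the
// packet. A direction with no rules does not block anything.
func currentDecision(rules []Rule) bool {
	for _, d := range []Direction{Ingress, Egress} {
		hasAllow, hasDeny := directionVerdict(rules, d)
		if hasDeny && !hasAllow {
			return false
		}
	}
	return true
}

func verdict(allowed bool) string {
	if allowed {
		return "ALLOWED"
	}
	return "DROPPED"
}

func main() {
	// The five scenarios listed on the page, as constructed rule sets.
	scenarios := []struct {
		name  string
		rules []Rule
	}{
		{"ingress allow + egress deny", []Rule{{Ingress, Allow}, {Egress, Deny}}},
		{"ingress deny + egress allow", []Rule{{Ingress, Deny}, {Egress, Allow}}},
		{"ingress allow, no egress rules", []Rule{{Ingress, Allow}}},
		{"no ingress rules, egress allow", []Rule{{Egress, Allow}}},
		{"no rules", nil},
	}
	for _, s := range scenarios {
		fmt.Printf("%-32s legacy=%-8s v1.3.0=%s\n", s.name,
			verdict(legacyDecision(s.rules)), verdict(currentDecision(s.rules)))
	}
}
```

Running it prints the first two scenarios as ALLOWED under the legacy logic and DROPPED under v1.3.0, while the last three are ALLOWED under both, which is exactly the difference operators should expect when upgrading: any workload that relied on an ALLOW in one direction masking a DENY in the other will start losing traffic.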