From cb57f7184248b8206b92c098419d35aa66d5ee8a Mon Sep 17 00:00:00 2001 From: Marc Paquette Date: Mon, 18 Apr 2022 19:30:50 +0000 Subject: [PATCH 1/2] Remove documentation referencing Dynamic Egress in favor of Dynamic ASG --- jobs/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jobs/README.md b/jobs/README.md index 03c6449dd..b40e2aeab 100644 --- a/jobs/README.md +++ b/jobs/README.md 
@@ -9,4 +9,4 @@ This is the README for Silk-release jobs. To learn more about `silk-release`, go | `silk-cni` | Short-lived [CNI](https://github.com/containernetworking/cni) job, executed along with the [`cni-wrapper-plugin`](https://github.com/cloudfoundry/silk-release/tree/master/src/cni-wrapper-plugin) to provision the network namespace and configure the network interface and routing rules for a container. | When executed, it obtains an overlay subnet and MTU from the `silk-daemon` for the container. Optionally limits bandwidth in and out of each container with the [`bandwidth` plugin](https://github.com/containernetworking/plugins/tree/master/plugins/meta/bandwidth). Uses iptables mutex lock.| | `silk-controller` | Manages IP subnet lease allocation for the Diego cell. State that maps the Diego cell to the leased overlay subnet is stored in a SQL database. | | | `silk-daemon` | Daemon that polls the `silk-controller` API to acquire and renew the overlay subnet lease for the Diego cell. Polling frequency can be configured and is 5s by default. It also serves an API that the `silk-cni` calls to retrieve information about the overlay subnet lease. | | -| `vxlan-policy-agent` | Polls the the [Policy Server Internal API](https://github.com/cloudfoundry/cf-networking-release/tree/develop/jobs) for desired network policies (container networking and dynamic egress) and writes IPTables rules on the Diego cell to enforce those policies for network traffic between applications. For container networking policies, the IPtables rules tag traffic from applications with network policies on egress, and separate rules at the destination allow traffic with tags whitelisted by policies to applications on ingress. | Uses iptables mutex lock. 
| +| `vxlan-policy-agent` | Polls the the [Policy Server Internal API](https://github.com/cloudfoundry/cf-networking-release/tree/develop/jobs) for desired network policies (container networking and dynamic application security groups) and writes IPTables rules on the Diego cell to enforce those policies for network traffic between applications. For container networking policies, the IPtables rules tag traffic from applications with network policies on egress, and separate rules at the destination allow traffic with tags whitelisted by policies to applications on ingress. | Uses iptables mutex lock. | From c0544843e33c6a4cbf6ac730218d94dba9935497 Mon Sep 17 00:00:00 2001 From: Geoff Franks Date: Wed, 20 Apr 2022 20:40:12 +0000 Subject: [PATCH 2/2] Remove Dynamic Egress features in favor of Dynamic ASG feature --- src/code.cloudfoundry.org/go.mod | 2 +- src/code.cloudfoundry.org/go.sum | 4 + .../policy_client/api.go | 19 - .../policy_client/internal_policy_client.go | 22 +- .../policy_client/policy_slice.go | 24 - src/code.cloudfoundry.org/vendor/modules.txt | 2 +- .../cmd/vxlan-policy-agent/main.go | 2 +- .../integration/linux/linux_test.go | 75 +-- .../planner/fakes/policy_client.go | 33 +- .../vxlan-policy-agent/planner/planner.go | 2 +- .../planner/planner_linux.go | 82 +--- .../planner/planner_linux_test.go | 460 +----------------- 12 files changed, 50 insertions(+), 677 deletions(-) diff --git a/src/code.cloudfoundry.org/go.mod b/src/code.cloudfoundry.org/go.mod index edc30a620..5a3d9220b 100644 --- a/src/code.cloudfoundry.org/go.mod +++ b/src/code.cloudfoundry.org/go.mod 
@@ -25,7 +25,7 @@ require (
 	code.cloudfoundry.org/garden v0.0.0-20210608104724-fa3a10d59c82
 	code.cloudfoundry.org/go-loggregator/v8 v8.0.5
 	code.cloudfoundry.org/lager v2.0.0+incompatible
-	code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3
+	code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1
 	code.cloudfoundry.org/runtimeschema v0.0.0-00010101000000-000000000000
 	code.cloudfoundry.org/silk v0.0.0-20211004235850-da152076940f
 	github.com/cloudfoundry/dropsonde v1.0.0
diff --git a/src/code.cloudfoundry.org/go.sum b/src/code.cloudfoundry.org/go.sum
index 98d3a23d2..994b5bb71 100644
--- a/src/code.cloudfoundry.org/go.sum
+++ b/src/code.cloudfoundry.org/go.sum
@@ -27,6 +27,10 @@ code.cloudfoundry.org/lager v1.1.1-0.20210513163233-569157d2803b h1:jgCg9ARoZ2ME code.cloudfoundry.org/lager v1.1.1-0.20210513163233-569157d2803b/go.mod h1:SF6BAZkl2+itWGVny2ILQCY9UNXIRwgi/m181VkHfrI= code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3 h1:qjjgXJEYFcd8FVQ367yji8jjGfIJg5sjRz4j7mzUy8g= code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3/go.mod h1:bzqpNvN9V1gJd0ny82Qnqxow5MFAnU97Sti/l4ORHWY= +code.cloudfoundry.org/policy_client v0.0.0-20220420173332-5d4bff348a33 h1:JN7bKt1Bp0P/aw9xvQfbtdN04kx29zb4I1Zmyd8hi+U= +code.cloudfoundry.org/policy_client v0.0.0-20220420173332-5d4bff348a33/go.mod h1:bzqpNvN9V1gJd0ny82Qnqxow5MFAnU97Sti/l4ORHWY= +code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1 h1:BwWhTaj7V/cot+S3/IKd93SO1t3wQlB8kMLNlzBRu3I= +code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1/go.mod h1:bzqpNvN9V1gJd0ny82Qnqxow5MFAnU97Sti/l4ORHWY= code.cloudfoundry.org/routing-info v0.0.0-20220215234142-7d023ecb0fad h1:FHI7/GgnWlgG97a0bEf+UezN0dJez2YoNTjkwOOImj8= code.cloudfoundry.org/routing-info v0.0.0-20220215234142-7d023ecb0fad/go.mod h1:ykLgqzJGV5PTkvxtfyOy8hcQy7wxPaoV5ZPyk74aqp8= code.cloudfoundry.org/runtimeschema v0.0.0-20180622181441-7dcd19348be6 h1:J08p1/LBnhv5BDDf0WLpHRyMJFCws3vd3fLCFL/iVnQ= diff --git a/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/api.go b/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/api.go index 92449c6e5..c8574d796 100644 --- a/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/api.go +++ b/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/api.go 
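Review bot: go.sum now carries the checksum pair for `code.cloudfoundry.org/policy_client v0.0.0-20220420173332-5d4bff348a33`, a version that neither the go.mod hunk (which pins `v0.0.0-20220420200808-7feb15de93f1`) nor vendor/modules.txt references, so it reads as a leftover from an intermediate bump. A stray pinned checksum does not break the build, but it is exactly the drift a `go mod tidy` check in CI rejects, and anyone auditing the vendored policy_client has to work out which of the three pinned versions is actually in use. Re-running `go mod tidy` and `go mod vendor` should drop the two `5d4bff348a33` lines; if they survive that, something else in the module graph still pulls that version and the go.mod hunk is not the whole story.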
@@ -15,12 +15,6 @@ type Policy struct {
 	Destination Destination `json:"destination"`
 }
 
-type EgressPolicy struct {
-	Source *EgressSource `json:"source"`
-	Destination *EgressDestination `json:"destination"`
-	AppLifecycle string `json:"app_lifecycle"`
-}
-
 type SecurityGroup struct {
 	Guid string `json:"guid"`
 	Name string `json:"name"`
@@ -31,19 +25,6 @@ type SecurityGroup struct {
 	RunningSpaceGuids []string `json:"running_space_guids"`
 }
 
-type EgressSource struct {
-	ID string `json:"id"`
-	Type string `json:"type"`
-}
-
-type EgressDestination struct {
-	Protocol string `json:"protocol"`
-	Ports []Ports `json:"ports"`
-	IPRanges []IPRange `json:"ips"`
-	ICMPType int `json:"icmp_type"`
-	ICMPCode int `json:"icmp_code"`
-}
-
 type IPRange struct {
 	Start string `json:"start"`
 	End string `json:"end"`
diff --git a/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/internal_policy_client.go b/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/internal_policy_client.go
index 8fc241faf..8777be8e2 100644
--- a/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/internal_policy_client.go
+++ b/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/internal_policy_client.go
@@ -11,7 +11,7 @@ import (
 
 //go:generate counterfeiter -o fakes/internal_policy_client.go --fake-name InternalPolicyClient . InternalPolicyClient
 type InternalPolicyClient interface {
-	GetPolicies() ([]*Policy, []*EgressPolicy, error)
+	GetPolicies() ([]*Policy, error)
 	GetSecurityGroupsForSpace(spaceGuids []string) ([]*SecurityGroup, error)
 }
 
@@ -45,31 +45,29 @@ func NewInternal(logger lager.Logger, httpClient json_client.HttpClient, baseURL
 	}
 }
 
-func (c *InternalClient) GetPolicies() ([]*Policy, []*EgressPolicy, error) {
+func (c *InternalClient) GetPolicies() ([]*Policy, error) {
 	var policies struct {
-		Policies []*Policy `json:"policies"`
-		EgressPolicies []*EgressPolicy `json:"egress_policies"`
+		Policies []*Policy `json:"policies"`
 	}
 	err := c.JsonClient.Do("GET", "/networking/v1/internal/policies", nil, &policies, "")
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	return policies.Policies, policies.EgressPolicies, nil
+	return policies.Policies, nil
 }
 
-func (c *InternalClient) GetPoliciesByID(ids ...string) ([]Policy, []EgressPolicy, error) {
+func (c *InternalClient) GetPoliciesByID(ids ...string) ([]Policy, error) {
 	var policies struct {
-		Policies []Policy `json:"policies"`
-		EgressPolicies []EgressPolicy `json:"egress_policies"`
+		Policies []Policy `json:"policies"`
 	}
 	if len(ids) == 0 {
-		return nil, nil, errors.New("ids cannot be empty")
+		return nil, errors.New("ids cannot be empty")
 	}
 	err := c.JsonClient.Do("GET", "/networking/v1/internal/policies?id="+strings.Join(ids, ","), nil, &policies, "")
 	if err != nil {
-		return nil, nil, err
+		return nil, err
 	}
-	return policies.Policies, policies.EgressPolicies, nil
+	return policies.Policies, nil
 }
 
 func (c *InternalClient) GetSecurityGroupsForSpace(spaceGuids ...string) ([]SecurityGroup, error) {
diff --git a/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/policy_slice.go b/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/policy_slice.go
index 18eb3f68d..b6f353834 100644
--- a/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/policy_slice.go
+++ b/src/code.cloudfoundry.org/vendor/code.cloudfoundry.org/policy_client/policy_slice.go
@@ -28,27 +28,3 @@ func (s PolicySlice) Less(i, j int) bool {
 func (s PolicySlice) Swap(i, j int) {
 	s[i], s[j] = s[j], s[i]
 }
-
-type EgressPolicySlice []EgressPolicy
-
-func (s EgressPolicySlice) Len() int {
-	return len(s)
-}
-
-func (s EgressPolicySlice) Less(i, j int) bool {
-	a, err := json.Marshal(s[i])
-	if err != nil {
-		panic(err)
-	}
-
-	b, err := json.Marshal(s[j])
-	if err != nil {
-		panic(err)
-	}
-
-	return strings.Compare(string(a), string(b)) < 0
-}
-
-func (s EgressPolicySlice) Swap(i, j int) {
-	s[i], s[j] = s[j], s[i]
-}
diff --git a/src/code.cloudfoundry.org/vendor/modules.txt b/src/code.cloudfoundry.org/vendor/modules.txt
index 8a386ac58..50d71a368 100644
--- a/src/code.cloudfoundry.org/vendor/modules.txt
+++ b/src/code.cloudfoundry.org/vendor/modules.txt
@@ -49,7 +49,7 @@ code.cloudfoundry.org/lager/internal/truncate
 code.cloudfoundry.org/lager/lagerctx
 code.cloudfoundry.org/lager/lagerflags
 code.cloudfoundry.org/lager/lagertest
-# code.cloudfoundry.org/policy_client v0.0.0-20220203234022-670e720134e3
+# code.cloudfoundry.org/policy_client v0.0.0-20220420200808-7feb15de93f1
 ## explicit; go 1.17
 code.cloudfoundry.org/policy_client
 # code.cloudfoundry.org/routing-info v0.0.0-20220215234142-7d023ecb0fad
diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go b/src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go
index 9df2c4101..7c456582e 100644
--- a/src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go
+++ b/src/code.cloudfoundry.org/vxlan-policy-agent/cmd/vxlan-policy-agent/main.go
@@ -120,7 +120,7 @@ func main() {
 		policy_client.DefaultConfig,
 	)
 
-	_, _, err = policyClient.GetPolicies()
+	_, err = policyClient.GetPolicies()
 	if err != nil {
 		die(logger, "policy-client-get-policies", err)
 
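Review bot: `_, err = policyClient.GetPolicies()` in main discards everything the call returns, so after this change the line reads purely as a startup probe that the policy server answers over the configured client, with `die(...)` making a failed probe fail-closed; that intent is not stated anywhere in the hunk. A one-line comment above the call would stop the next reader from "fixing" the discarded result, e.g. `// Startup probe only: confirm the policy server is reachable before the agent starts; the policies themselves are fetched by the planner on each poll.` — the planner-side fetch is outside this diff, so confirm that is really where policies are consumed before wording it that way. main() starts and ends outside the hunk.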
diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/integration/linux/linux_test.go b/src/code.cloudfoundry.org/vxlan-policy-agent/integration/linux/linux_test.go
index 5974d5951..bd7adf8fa 100644
--- a/src/code.cloudfoundry.org/vxlan-policy-agent/integration/linux/linux_test.go
+++ b/src/code.cloudfoundry.org/vxlan-policy-agent/integration/linux/linux_test.go
@@ -209,14 +209,6 @@ var _ = Describe("VXLAN Policy Agent", func() {
 				return resp.StatusCode, nil
 			}).Should(Equal(http.StatusOK))
 
-			Eventually(iptablesFilterRules, "4s", "1s").Should(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m tcp --dport 8080:8081 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.3-10.27.1.4 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.3-10.27.1.4 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.2.1-10.27.2.2 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 3/4 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 8 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.28.2.3-10.28.2.5 -j ACCEPT`))
 		})
 	})
 
@@ -243,16 +235,6 @@ var _ = Describe("VXLAN Policy Agent", func() {
 			Expect(iptablesFilterRules()).To(ContainSubstring(`-d 10.255.100.21/32 -p udp -m udp --dport 7000:8000 -m mark --mark 0xd -m comment --comment "src:yet-another-app-guid_dst:some-very-very-long-app-guid" -j ACCEPT`))
 		})
 
-		It("enforces egress policies", func() {
-			Eventually(iptablesFilterRules, "4s", "1s").Should(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m tcp --dport 8080:8081 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.3-10.27.1.4 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 3/4 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 8 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.2.1-10.27.2.2 -j ACCEPT`))
-			Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.28.2.3-10.28.2.5 -j ACCEPT`))
-		})
-
 		Context("when the container is staging", func() {
 			BeforeEach(func() {
 				containerMetadata := `{
@@ -269,13 +251,6 @@ var _ = Describe("VXLAN Policy Agent", func() {
 				}`
 				Expect(ioutil.WriteFile(datastorePath, []byte(containerMetadata), os.ModePerm))
 			})
-
-			It("enforces the egress policies for staging", func() {
-				Eventually(iptablesFilterRules, "4s", "1s").Should(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m tcp --dport 8080:8081 -j ACCEPT`))
-				Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -j ACCEPT`))
-				Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p icmp -m iprange --dst-range 10.27.1.1-10.27.1.2 -m icmp --icmp-type 8 -j ACCEPT`))
-				Expect(iptablesFilterRules()).To(ContainSubstring(`-s 10.255.100.21/32 -o underlay1 -p tcp -m iprange --dst-range 1.1.1.1-2.9.9.9 -m tcp --dport 8080:8081 -j ACCEPT`))
-			})
 		})
 
 		It("writes only one mark rule for a single container", func() {
@@ -370,7 +345,7 @@ var _ = Describe("VXLAN Policy Agent", func() {
 				runIptablesCommand("-N", "netout--some-handle--log")
 			})
 
-			It("enforces the egress policies for staging", func() {
+			It("enforces the ASG policies for staging", func() {
 				Eventually(iptablesFilterRules, "4s", "1s").Should(MatchRegexp(`-A asg-[a-zA-Z0-9]+ -p tcp -m iprange --dst-range 10.0.11.0-10.0.11.255 -m tcp --dport 443 -g netout--some-handle--log`))
 				Consistently(iptablesFilterRules, "2s", "1s").Should(MatchRegexp(`-A asg-[a-zA-Z0-9]+ -p tcp -m iprange --dst-range 10.0.11.0-10.0.11.255 -m tcp --dport 80 -g netout--some-handle--log`))
 				Consistently(iptablesFilterRules, "2s", "1s").Should(MatchRegexp(`-A asg-[a-zA-Z0-9]+ -m iprange --dst-range 11.0.0.0-169.253.255.255 -j ACCEPT`))
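Review bot: The hunk at `@@ -269,13 +251,6` deletes the only `It` inside `Context("when the container is staging", …)`, leaving a Context whose `BeforeEach` still writes staging container metadata to `datastorePath` but asserts nothing; the unshown old lines 259-268 between this hunk and the previous one are the body of the `containerMetadata` string literal, so there appears to be no other spec in it (confirm against the full file). An empty Context keeps running its setup and passes silently, which hides that staging-container behaviour on the overlay path is no longer covered at all. Either drop the Context with its setup, or keep one spec that pins what the agent now guarantees for a staging container — for instance that no `-s 10.255.100.21/32 -o underlay1 … -j ACCEPT` rule is written any more, which is the behavioural change this commit makes. The renamed spec at `@@ -370,7 +345,7` exercises the `asg-` netout chain and does not cover this Context.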
@@ -671,54 +646,6 @@ func startServer(serverListenAddr string, tlsConfig *tls.Config) ifrit.Process { "source": {"id":"yet-another-app-guid", "tag":"D"}, "destination": {"id": "some-very-very-long-app-guid", "tag":"A", "protocol":"udp", "ports":{"start":7000, "end":8000}} } - ], - "total_egress_policies": 7, - "egress_policies": [ - { - "source": {"id": "some-space", "type": "space" }, - "destination": {"ips": [{"start": "10.27.2.1", "end": "10.27.2.2"}], "protocol": "tcp"}, - "app_lifecycle": "running" - }, - { - "source": {"id": "some-very-very-long-app-guid" }, - "destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "protocol": "icmp", "icmp_type": 3, "icmp_code": 4}, - "app_lifecycle": "running" - }, - { - "source": {"id": "some-very-very-long-app-guid" }, - "destination": {"ips": [{"start": "1.1.1.1", "end": "2.9.9.9"}], "ports": [{"start": 8080, "end": 8081}], "protocol": "tcp"}, - "app_lifecycle": "staging" - }, - { - "source": {"id": "some-very-very-long-app-guid" }, - "destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "protocol": "icmp", "icmp_type": -1, "icmp_code": -1}, - "app_lifecycle": "all" - }, - { - "source": {"id": "some-very-very-long-app-guid" }, - "destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "protocol": "icmp", "icmp_type": 8, "icmp_code": -1}, - "app_lifecycle": "all" - }, - { - "source": {"id": "some-very-very-long-app-guid" }, - "destination": {"ips": [{"start": "10.27.1.1", "end": "10.27.1.2"}], "ports": [{"start": 8080, "end": 8081}], "protocol": "tcp"}, - "app_lifecycle": "all" - }, - { - "source": {"id": "some-app-guid-no-ports" }, - "destination": {"ips": [{"start": "10.27.1.3", "end": "10.27.1.4"}], "protocol": "tcp"}, - "app_lifecycle": "all" - }, - { - "source": {"id": "not-deployed-on-this-cell-why-did-you-query-for-this-id" }, - "destination": {"ips": [{"start": "10.27.2.3", "end": "10.27.2.5"}], "protocol": "udp"}, - "app_lifecycle": "all" - }, - { - "source": {"id": "", 
"type": "default" }, - "destination": {"ips": [{"start": "10.28.2.3", "end": "10.28.2.5"}], "protocol": "tcp"}, - "app_lifecycle": "all" - } ] }`)) return diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/fakes/policy_client.go b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/fakes/policy_client.go index 64f11644f..b69d10f6e 100644 --- a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/fakes/policy_client.go +++ b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/fakes/policy_client.go @@ -22,20 +22,18 @@ type PolicyClient struct { result1 string result2 error } - GetPoliciesByIDStub func(...string) ([]policy_client.Policy, []policy_client.EgressPolicy, error) + GetPoliciesByIDStub func(...string) ([]policy_client.Policy, error) getPoliciesByIDMutex sync.RWMutex getPoliciesByIDArgsForCall []struct { arg1 []string } getPoliciesByIDReturns struct { result1 []policy_client.Policy - result2 []policy_client.EgressPolicy - result3 error + result2 error } getPoliciesByIDReturnsOnCall map[int]struct { result1 []policy_client.Policy - result2 []policy_client.EgressPolicy - result3 error + result2 error } GetSecurityGroupsForSpaceStub func(...string) ([]policy_client.SecurityGroup, error) getSecurityGroupsForSpaceMutex sync.RWMutex @@ -119,7 +117,7 @@ func (fake *PolicyClient) CreateOrGetTagReturnsOnCall(i int, result1 string, res }{result1, result2} } -func (fake *PolicyClient) GetPoliciesByID(arg1 ...string) ([]policy_client.Policy, []policy_client.EgressPolicy, error) { +func (fake *PolicyClient) GetPoliciesByID(arg1 ...string) ([]policy_client.Policy, error) { fake.getPoliciesByIDMutex.Lock() ret, specificReturn := fake.getPoliciesByIDReturnsOnCall[len(fake.getPoliciesByIDArgsForCall)] fake.getPoliciesByIDArgsForCall = append(fake.getPoliciesByIDArgsForCall, struct { 
@@ -133,9 +131,9 @@ func (fake *PolicyClient) GetPoliciesByID(arg1 ...string) ([]policy_client.Polic return stub(arg1...) } if specificReturn { - return ret.result1, ret.result2, ret.result3 + return ret.result1, ret.result2 } - return fakeReturns.result1, fakeReturns.result2, fakeReturns.result3 + return fakeReturns.result1, fakeReturns.result2 } func (fake *PolicyClient) GetPoliciesByIDCallCount() int { @@ -144,7 +142,7 @@ func (fake *PolicyClient) GetPoliciesByIDCallCount() int { return len(fake.getPoliciesByIDArgsForCall) } -func (fake *PolicyClient) GetPoliciesByIDCalls(stub func(...string) ([]policy_client.Policy, []policy_client.EgressPolicy, error)) { +func (fake *PolicyClient) GetPoliciesByIDCalls(stub func(...string) ([]policy_client.Policy, error)) { fake.getPoliciesByIDMutex.Lock() defer fake.getPoliciesByIDMutex.Unlock() fake.GetPoliciesByIDStub = stub 
@@ -157,33 +155,30 @@ func (fake *PolicyClient) GetPoliciesByIDArgsForCall(i int) []string { return argsForCall.arg1 } -func (fake *PolicyClient) GetPoliciesByIDReturns(result1 []policy_client.Policy, result2 []policy_client.EgressPolicy, result3 error) { +func (fake *PolicyClient) GetPoliciesByIDReturns(result1 []policy_client.Policy, result2 error) { fake.getPoliciesByIDMutex.Lock() defer fake.getPoliciesByIDMutex.Unlock() fake.GetPoliciesByIDStub = nil fake.getPoliciesByIDReturns = struct { result1 []policy_client.Policy - result2 []policy_client.EgressPolicy - result3 error - }{result1, result2, result3} + result2 error + }{result1, result2} } -func (fake *PolicyClient) GetPoliciesByIDReturnsOnCall(i int, result1 []policy_client.Policy, result2 []policy_client.EgressPolicy, result3 error) { +func (fake *PolicyClient) GetPoliciesByIDReturnsOnCall(i int, result1 []policy_client.Policy, result2 error) { fake.getPoliciesByIDMutex.Lock() defer fake.getPoliciesByIDMutex.Unlock() fake.GetPoliciesByIDStub = nil if fake.getPoliciesByIDReturnsOnCall == nil { fake.getPoliciesByIDReturnsOnCall = make(map[int]struct { result1 []policy_client.Policy - result2 []policy_client.EgressPolicy - result3 error + result2 error }) } fake.getPoliciesByIDReturnsOnCall[i] = struct { result1 []policy_client.Policy - result2 []policy_client.EgressPolicy - result3 error - }{result1, result2, result3} + result2 error + }{result1, result2} } func (fake *PolicyClient) GetSecurityGroupsForSpace(arg1 ...string) ([]policy_client.SecurityGroup, error) { diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner.go b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner.go index c71f0a1db..ed4c314e0 100644 --- a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner.go +++ b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner.go 
@@ -47,7 +47,7 @@ type dstore interface {
 
 //go:generate counterfeiter -o fakes/policy_client.go --fake-name PolicyClient . policyClient
 type policyClient interface {
-	GetPoliciesByID(ids ...string) ([]policy_client.Policy, []policy_client.EgressPolicy, error)
+	GetPoliciesByID(ids ...string) ([]policy_client.Policy, error)
 	GetSecurityGroupsForSpace(spaceGuids ...string) ([]policy_client.SecurityGroup, error)
 	CreateOrGetTag(id, groupType string) (string, error)
 }
diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux.go b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux.go
index 20eb54969..1a35231d2 100644
--- a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux.go
+++ b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux.go
@@ -22,7 +22,6 @@ type containerPolicySet struct {
 	Source sourceSlice
 	Destination destinationSlice
 	Ingress ingressSlice
-	Egress egressSlice
 }
 
 type source struct {
@@ -88,41 +87,6 @@ func (s destinationSlice) Swap(i, j int) {
 	s[i], s[j] = s[j], s[i]
 }
 
-type egress struct {
-	SourceIP string
-	Protocol string
-	IpStart string
-	IpEnd string
-	IcmpType int
-	IcmpCode int
-	PortStart int
-	PortEnd int
-}
-
-type egressSlice []egress
-
-func (s egressSlice) Len() int {
-	return len(s)
-}
-
-func (s egressSlice) Less(i, j int) bool {
-	a, err := json.Marshal(s[i])
-	if err != nil {
-		panic(err)
-	}
-
-	b, err := json.Marshal(s[j])
-	if err != nil {
-		panic(err)
-	}
-
-	return strings.Compare(string(a), string(b)) < 0
-}
-
-func (s egressSlice) Swap(i, j int) {
-	s[i], s[j] = s[j], s[i]
-}
-
 type ingress struct {
 	IngressTag string
 	IP string
@@ -288,10 +252,9 @@ func (p *VxlanPolicyPlanner) getContainerPolicies(allContainers []container) (co
 	guids := extractGUIDs(allContainers)
 
 	var policies []policy_client.Policy
-	var egressPolicies []policy_client.EgressPolicy
 	if len(guids) > 0 {
 		var err error
-		policies, egressPolicies, err = p.PolicyClient.GetPoliciesByID(guids...)
+		policies, err = p.PolicyClient.GetPoliciesByID(guids...)
 		if err != nil {
 			err = fmt.Errorf("failed to get policies: %s", err)
 			return containerPolicySet{}, err
@@ -341,33 +304,6 @@ func (p *VxlanPolicyPlanner) getContainerPolicies(allContainers []container) (co
 			}
 		}
 
-		for _, egressPolicy := range egressPolicies {
-			if (egressPolicy.Source.ID == container.AppID) ||
-				(egressPolicy.Source.ID == container.SpaceID && egressPolicy.Source.Type == "space") ||
-				egressPolicy.Source.Type == "default" {
-				if containerPurposeMatchesAppLifecycle(container.Purpose, egressPolicy.AppLifecycle) {
-					var startPort, endPort int
-
-					if len(egressPolicy.Destination.Ports) > 0 {
-						startPort = egressPolicy.Destination.Ports[0].Start
-						endPort = egressPolicy.Destination.Ports[0].End
-					}
-
-					containerPolicy := egress{
-						SourceIP: container.IP,
-						Protocol: egressPolicy.Destination.Protocol,
-						IpStart: egressPolicy.Destination.IPRanges[0].Start,
-						IpEnd: egressPolicy.Destination.IPRanges[0].End,
-						IcmpType: egressPolicy.Destination.ICMPType,
-						IcmpCode: egressPolicy.Destination.ICMPCode,
-						PortStart: startPort,
-						PortEnd: endPort,
-					}
-					containerPolicySet.Egress = append(containerPolicySet.Egress, containerPolicy)
-				}
-			}
-		}
-
 		if p.EnableOverlayIngressRules {
 			if container.Ports != "" {
 				for _, port := range strings.Split(container.Ports, ",") {
@@ -388,7 +324,6 @@ func (p *VxlanPolicyPlanner) getContainerPolicies(allContainers []container) (co
 
 	sort.Sort(containerPolicySet.Source)
 	sort.Sort(containerPolicySet.Destination)
-	sort.Sort(containerPolicySet.Egress)
 	sort.Sort(containerPolicySet.Ingress)
 
 	return containerPolicySet, nil
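Review bot: With the egress loop removed from getContainerPolicies (hunk `@@ -341,33 +304,6`), `containerPurposeMatchesAppLifecycle` loses its only caller visible in this diff and the function no longer reads `container.Purpose` or `container.SpaceID` here; if nothing else in the file uses them, that helper and its tests are now dead code and belong in this commit, as does `rules.NewEgress`, whose only visible call site is deleted in the `@@ -426,21 +361,6` hunk. On the line after the changed `GetPoliciesByID` call, `err = fmt.Errorf("failed to get policies: %s", err)` formats with `%s`, so callers cannot use `errors.Is`/`errors.As` on the client error; while the call is being touched, `err = fmt.Errorf("failed to get policies: %w", err)` is a one-token fix. Dropping the `-o <iface> … -j ACCEPT` egress rules is fail-closed for the overlay/underlay path — traffic that dynamic egress policies used to admit now only passes if the netout ASG chains allow it — which is the safe direction, but an operator still publishing egress policies gets no error, only silent non-enforcement, so the release notes should say so. getContainerPolicies starts before and ends after these hunks.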
@@ -426,21 +361,6 @@ func (p *VxlanPolicyPlanner) planIPTableRules(containerPolicySet containerPolicy
 		))
 	}
 
-	for _, egressSource := range containerPolicySet.Egress {
-		for _, hostInterfaceName := range p.HostInterfaceNames {
-			ruleset = append(ruleset, rules.NewEgress(
-				hostInterfaceName,
-				egressSource.SourceIP,
-				egressSource.Protocol,
-				egressSource.IpStart,
-				egressSource.IpEnd,
-				egressSource.IcmpType,
-				egressSource.IcmpCode,
-				egressSource.PortStart,
-				egressSource.PortEnd))
-		}
-	}
-
 	for _, ingressSource := range containerPolicySet.Ingress {
 		ruleset = append(ruleset, rules.NewMarkAllowRuleNoComment(
 			ingressSource.IP,
diff --git a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux_test.go b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux_test.go
index 1312ec5f6..61c1be55e 100644
--- a/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux_test.go
+++ b/src/code.cloudfoundry.org/vxlan-policy-agent/planner/planner_linux_test.go
@@ -27,17 +27,16 @@ import (
 
 var _ = Describe("Planner", func() {
 	var (
-		policyPlanner *planner.VxlanPolicyPlanner
-		policyClient *fakes.PolicyClient
-		policyServerResponse []policy_client.Policy
-		egressPolicyServerResponse []policy_client.EgressPolicy
-		store *libfakes.Datastore
-		metricsSender *fakes.MetricsSender
-		logger *lagertest.TestLogger
-		chain enforcer.Chain
-		data map[string]datastore.Container
-		loggingStateGetter *fakes.LoggingStateGetter
-		netOutChain *fakes.NetOutChain
+		policyPlanner *planner.VxlanPolicyPlanner
+		policyClient *fakes.PolicyClient
+		policyServerResponse []policy_client.Policy
+		store *libfakes.Datastore
+		metricsSender *fakes.MetricsSender
+		logger *lagertest.TestLogger
+		chain enforcer.Chain
+		data map[string]datastore.Container
+		loggingStateGetter *fakes.LoggingStateGetter
+		netOutChain *fakes.NetOutChain
 	)
 
 	BeforeEach(func() {
@@ -147,135 +146,7 @@ var _ = Describe("Planner", func() { }, } - egressPolicyServerResponse = []policy_client.EgressPolicy{ - { - Source: &policy_client.EgressSource{ - ID: "some-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "tcp", - Ports: []policy_client.Ports{ - {Start: 8080, End: 8081}, - }, - IPRanges: []policy_client.IPRange{ - {Start: "1.2.3.4", End: "1.2.3.5"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "udp", - Ports: []policy_client.Ports{ - {Start: 8080, End: 8081}, - }, - IPRanges: []policy_client.IPRange{ - {Start: "1.2.3.4", End: "1.2.3.5"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-other-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "icmp", - ICMPType: 2, - ICMPCode: 3, - IPRanges: []policy_client.IPRange{ - {Start: "1.2.3.6", End: "1.2.3.7"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-other-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "icmp", - ICMPType: 8, - ICMPCode: -1, - IPRanges: []policy_client.IPRange{ - {Start: "1.2.3.6", End: "1.2.3.7"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-other-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "icmp", - ICMPType: -1, - ICMPCode: -1, - IPRanges: []policy_client.IPRange{ - {Start: "1.2.3.6", End: "1.2.3.7"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-other-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "tcp", - IPRanges: []policy_client.IPRange{ - {Start: "1.2.3.6", End: "1.2.3.7"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-space-guid", - Type: "space", - }, - Destination: 
&policy_client.EgressDestination{ - Protocol: "udp", - IPRanges: []policy_client.IPRange{ - {Start: "2.3.4.5", End: "3.3.3.3"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "", - Type: "default", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "udp", - IPRanges: []policy_client.IPRange{ - {Start: "8.7.6.5", End: "4.3.2.1"}, - }, - }, - AppLifecycle: "all", - }, - { - Source: &policy_client.EgressSource{ - ID: "some-other-app-guid", - }, - Destination: &policy_client.EgressDestination{ - Protocol: "all", - IPRanges: []policy_client.IPRange{ - {Start: "8.8.4.4", End: "8.8.8.8"}, - }, - Ports: []policy_client.Ports{ - {Start: 8080, End: 8081}, - }, - }, - AppLifecycle: "all", - }, - } - - policyClient.GetPoliciesByIDReturns(policyServerResponse, egressPolicyServerResponse, nil) + policyClient.GetPoliciesByIDReturns(policyServerResponse, nil) policyClient.CreateOrGetTagReturns("5476", nil) chain = enforcer.Chain{ 
@@ -309,39 +180,6 @@ var _ = Describe("Planner", func() {
 rulesWithChain, err := policyPlanner.GetPolicyRulesAndChain()
 Expect(err).NotTo(HaveOccurred())
 Expect(rulesWithChain.Chain).To(Equal(chain))
- Expect(rulesWithChain.Rules).To(ConsistOf([]rules.IPTablesRule{
- {"-s", "10.255.1.2", "-o", "eth0", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "tcp", "--dport", "8080:8081", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "8080:8081", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth0", "-p", "icmp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-m", "icmp", "--icmp-type", "2/3", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth0", "-p", "icmp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-m", "icmp", "--icmp-type", "8", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth0", "-p", "icmp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth0", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "2.3.4.5-3.3.3.3", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth0", "-p", "all", "-m", "iprange", "--dst-range", "8.8.4.4-8.8.8.8", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth1", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "tcp", "--dport", "8080:8081", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth1", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "8080:8081", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth1", "-p", "icmp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-m", "icmp", "--icmp-type", "2/3", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth1", "-p", "icmp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-m", "icmp", "--icmp-type", "8", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth1", "-p", "icmp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth1", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.6-1.2.3.7", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth1", "-p", "udp", "-m", "iprange", "--dst-range", "2.3.4.5-3.3.3.3", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth1", "-p", "all", "-m", "iprange", "--dst-range", "8.8.4.4-8.8.8.8", "-j", "ACCEPT"},
- // allow based on mark
- {"-d", "10.255.1.3", "-p", "udp", "--dport", "5555:5555", "-m", "mark", "--mark", "0xBB", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:another-app-guid_dst:some-other-app-guid"},
- {"-d", "10.255.1.3", "-p", "tcp", "--dport", "1234:1234", "-m", "mark", "--mark", "0xAA", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:some-app-guid_dst:some-other-app-guid"},
- {"-d", "10.255.1.2", "-p", "tcp", "--dport", "8080:8080", "-m", "mark", "--mark", "0xAA", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:some-app-guid_dst:some-app-guid"},
- {"-d", "10.255.1.2", "-p", "tcp", "-m", "tcp", "--dport", "8080", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
- {"-d", "10.255.1.3", "-p", "tcp", "-m", "tcp", "--dport", "9090", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
- {"-d", "10.255.1.3", "-p", "tcp", "-m", "tcp", "--dport", "8181", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
- // set tags on all outgoing packets, regardless of local vs remote
- {"--source", "10.255.1.2", "--jump", "MARK", "--set-xmark", "0xAA", "-m", "comment", "--comment", "src:some-app-guid"},
- {"--source", "10.255.1.3", "--jump", "MARK", "--set-xmark", "0xCC", "-m", "comment", "--comment", "src:some-other-app-guid"},
- // default
- {"-s", "10.255.1.3", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "8.7.6.5-4.3.2.1", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "8.7.6.5-4.3.2.1", "-j", "ACCEPT"},
- {"-s", "10.255.1.3", "-o", "eth1", "-p", "udp", "-m", "iprange", "--dst-range", "8.7.6.5-4.3.2.1", "-j", "ACCEPT"},
- {"-s", "10.255.1.2", "-o", "eth1", "-p", "udp", "-m", "iprange", "--dst-range", "8.7.6.5-4.3.2.1", "-j", "ACCEPT"},
- }))
 })
 })
 It("gets every container's properties from the datastore", func() {
@@ -375,78 +213,6 @@ var _ = Describe("Planner", func() {
 Expect(err).NotTo(HaveOccurred())
 Expect(rulesWithChain.Chain).To(Equal(chain))
 Expect(rulesWithChain.Rules).To(ConsistOf([]rules.IPTablesRule{
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "tcp",
- "-m", "iprange",
- "--dst-range", "1.2.3.4-1.2.3.5",
- "-m", "tcp",
- "--dport", "8080:8081",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "udp",
- "-m", "iprange",
- "--dst-range", "1.2.3.4-1.2.3.5",
- "-m", "udp",
- "--dport", "8080:8081",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "icmp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-m", "icmp",
- "--icmp-type", "2/3",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "icmp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-m", "icmp",
- "--icmp-type", "8",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "icmp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "tcp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "udp",
- "-m", "iprange",
- "--dst-range", "2.3.4.5-3.3.3.3",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "all",
- "-m", "iprange",
- "--dst-range", "8.8.4.4-8.8.8.8",
- "-j", "ACCEPT",
- },
 // allow based on mark
 {
 "-d", "10.255.1.3",
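Review bot: The whole `Expect(rulesWithChain.Rules).To(ConsistOf(...))` assertion is deleted in the `@@ -309,39 +180,6 @@` hunk rather than trimmed, so this case now checks only `rulesWithChain.Chain` and no longer pins the eight rules that have nothing to do with egress: the six `"-m", "mark", ... "--jump", "ACCEPT"` rules (three keyed on `0xAA`/`0xBB`, three on `0x5476`) and the two `"--jump", "MARK", "--set-xmark"` tagging rules. Those rules are the enforcement path that remains once dynamic egress is gone, so a regression in mark tagging or in ACCEPT-by-mark would pass this case unnoticed; the next hunk, `@@ -375,78 +213,6 @@`, shows the intended shape by removing only the `"iprange"`/`"--dst-range"` entries and keeping the rest. The hunk at `@@ -525,133 +284,6 @@` drops its assertion the same way. I would restore the `ConsistOf` with the non-egress entries from the removed list (the "allow based on mark" and "set tags" groups) and leave out only the `-o eth0`/`-o eth1` range rules. The `It` this assertion belongs to opens before the hunk, so the description of what the case is meant to cover is not visible here.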
@@ -504,13 +270,6 @@ var _ = Describe("Planner", func() {
 "--jump", "MARK", "--set-xmark", "0xCC",
 "-m", "comment", "--comment", "src:some-other-app-guid",
 },
- // default
- {
- "-s", "10.255.1.3", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "8.7.6.5-4.3.2.1", "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "8.7.6.5-4.3.2.1", "-j", "ACCEPT",
- },
 }))
 })
 })
@@ -525,133 +284,6 @@ var _ = Describe("Planner", func() {
 Expect(err).NotTo(HaveOccurred())
 Expect(rulesWithChain.Chain).To(Equal(chain))
- Expect(rulesWithChain.Rules).To(ConsistOf([]rules.IPTablesRule{
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "udp",
- "-m", "iprange",
- "--dst-range", "1.2.3.4-1.2.3.5",
- "-m", "udp",
- "--dport", "8080:8081",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "tcp",
- "-m", "iprange",
- "--dst-range", "1.2.3.4-1.2.3.5",
- "-m", "tcp",
- "--dport", "8080:8081",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "tcp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "icmp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-m", "icmp",
- "--icmp-type", "2/3",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "icmp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-m", "icmp",
- "--icmp-type", "8",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "icmp",
- "-m", "iprange",
- "--dst-range", "1.2.3.6-1.2.3.7",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "udp",
- "-m", "iprange",
- "--dst-range", "2.3.4.5-3.3.3.3",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "all",
- "-m", "iprange",
- "--dst-range", "8.8.4.4-8.8.8.8",
- "-j", "ACCEPT",
- },
- // allow based on mark
- {
- "-d", "10.255.1.3",
- "-p", "udp",
- "--dport", "5555:5555",
- "-m", "mark", "--mark", "0xBB",
- "--jump", "ACCEPT",
- "-m", "comment", "--comment", "src:another-app-guid_dst:some-other-app-guid",
- },
- {
- "-d", "10.255.1.3",
- "-p", "tcp",
- "--dport", "1234:1234",
- "-m", "mark", "--mark", "0xAA",
- "--jump", "ACCEPT",
- "-m", "comment", "--comment", "src:some-app-guid_dst:some-other-app-guid",
- },
- {
- "-d", "10.255.1.2",
- "-p", "tcp",
- "--dport", "8080:8080",
- "-m", "mark", "--mark", "0xAA",
- "--jump", "ACCEPT",
- "-m", "comment", "--comment", "src:some-app-guid_dst:some-app-guid",
- },
- // set tags on all outgoing packets, regardless of local vs remote
- {
- "--source", "10.255.1.2",
- "--jump", "MARK", "--set-xmark", "0xAA",
- "-m", "comment", "--comment", "src:some-app-guid",
- },
- {
- "--source", "10.255.1.3",
- "--jump", "MARK", "--set-xmark", "0xCC",
- "-m", "comment", "--comment", "src:some-other-app-guid",
- },
- // default policies
- {
- "-s", "10.255.1.3",
- "-o", "eth0",
- "-p", "udp",
- "-m", "iprange",
- "--dst-range", "8.7.6.5-4.3.2.1",
- "-j", "ACCEPT",
- },
- {
- "-s", "10.255.1.2",
- "-o", "eth0",
- "-p", "udp",
- "-m", "iprange",
- "--dst-range", "8.7.6.5-4.3.2.1",
- "-j", "ACCEPT",
- },
- }))
 })
 })
@@ -744,20 +376,16 @@ var _ = Describe("Planner", func() {
 Context("when the policies are returned from the server in a different order", func() {
 var reversed []policy_client.Policy
- var reversedEgress []policy_client.EgressPolicy
 BeforeEach(func() {
 for i := range policyServerResponse {
 reversed = append(reversed, policyServerResponse[len(policyServerResponse)-i-1])
 }
- for i := range egressPolicyServerResponse {
- reversedEgress = append(reversedEgress, egressPolicyServerResponse[len(egressPolicyServerResponse)-i-1])
- }
 })
 It("the order of the rules is not affected", func() {
 rulesWithChain, err := policyPlanner.GetPolicyRulesAndChain()
 Expect(err).NotTo(HaveOccurred())
- policyClient.GetPoliciesByIDReturns(reversed, reversedEgress, nil)
+ policyClient.GetPoliciesByIDReturns(reversed, nil)
 rulesWithChain2, err := policyPlanner.GetPolicyRulesAndChain()
 Expect(err).NotTo(HaveOccurred())
@@ -798,7 +426,7 @@ var _ = Describe("Planner", func() {
 },
 },
 }
- policyClient.GetPoliciesByIDReturns(policyServerResponse, nil, nil)
+ policyClient.GetPoliciesByIDReturns(policyServerResponse, nil)
 })
 It("writes only one set mark rule", func() {
@@ -863,55 +491,8 @@ var _ = Describe("Planner", func() {
 Context("when there are app lifecycle limitations", func() {
 BeforeEach(func() {
- egressPolicyServerResponse = []policy_client.EgressPolicy{
- {
- Source: &policy_client.EgressSource{
- ID: "some-app-guid",
- },
- Destination: &policy_client.EgressDestination{
- Protocol: "tcp",
- Ports: []policy_client.Ports{
- {Start: 1234, End: 1234},
- },
- IPRanges: []policy_client.IPRange{
- {Start: "1.2.3.4", End: "1.2.3.5"},
- },
- },
- AppLifecycle: "running",
- },
- {
- Source: &policy_client.EgressSource{
- ID: "some-app-guid",
- },
- Destination: &policy_client.EgressDestination{
- Protocol: "udp",
- Ports: []policy_client.Ports{
- {Start: 5678, End: 5678},
- },
- IPRanges: []policy_client.IPRange{
- {Start: "1.2.3.4", End: "1.2.3.5"},
- },
- },
- AppLifecycle: "staging",
- },
- {
- Source: &policy_client.EgressSource{
- ID: "some-app-guid",
- },
- Destination: &policy_client.EgressDestination{
- Protocol: "udp",
- Ports: []policy_client.Ports{
- {Start: 9999, End: 9999},
- },
- IPRanges: []policy_client.IPRange{
- {Start: "1.2.3.4", End: "1.2.3.5"},
- },
- },
- AppLifecycle: "all",
- },
- }
- policyClient.GetPoliciesByIDReturns(policyServerResponse, egressPolicyServerResponse, nil)
+ policyClient.GetPoliciesByIDReturns(policyServerResponse, nil)
 })
 Context("and the purpose is app", func() {
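Review bot: With the egress fixture removed, the `BeforeEach` inside `Context("when there are app lifecycle limitations", ...)` now only repeats the default `policyClient.GetPoliciesByIDReturns(policyServerResponse, nil)` stub, so the lifecycle dimension no longer changes any input the planner sees. The sub-contexts at `@@ -936,8 +517,6 @@`, `@@ -965,8 +544,6 @@`, `@@ -994,8 +571,6 @@` and `@@ -1022,9 +597,6 @@` consequently all assert the same three rules (`--set-xmark 0xAA`, the `0xAA` policy ACCEPT and the `0x5476` ACCEPT), which leaves four copies of one case under purpose/lifecycle names that no longer mean anything. As far as the removed fixture shows, this `Context` only exercised egress `AppLifecycle` filtering, so I would delete it with the fixture; if the purpose still influences non-egress rule generation somewhere I cannot see from here, the `BeforeEach` needs a fixture that differs per lifecycle so each sub-context asserts something distinct. The `Context` opened in this hunk continues past its end.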
@@ -936,8 +517,6 @@ var _ = Describe("Planner", func() {
 Expect(rulesWithChain.Rules).To(ConsistOf(
 rules.IPTablesRule{"--source", "10.255.1.2", "--jump", "MARK", "--set-xmark", "0xAA", "-m", "comment", "--comment", "src:some-app-guid"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "--dport", "8080:8080", "-m", "mark", "--mark", "0xAA", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:some-app-guid_dst:some-app-guid"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "tcp", "--dport", "1234:1234", "-j", "ACCEPT"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "9999:9999", "-j", "ACCEPT"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "-m", "tcp", "--dport", "8080", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
 ))
 })
@@ -965,8 +544,6 @@ var _ = Describe("Planner", func() {
 Expect(rulesWithChain.Rules).To(ConsistOf(
 rules.IPTablesRule{"--source", "10.255.1.2", "--jump", "MARK", "--set-xmark", "0xAA", "-m", "comment", "--comment", "src:some-app-guid"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "--dport", "8080:8080", "-m", "mark", "--mark", "0xAA", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:some-app-guid_dst:some-app-guid"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "tcp", "--dport", "1234:1234", "-j", "ACCEPT"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "9999:9999", "-j", "ACCEPT"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "-m", "tcp", "--dport", "8080", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
 ))
 })
@@ -994,8 +571,6 @@ var _ = Describe("Planner", func() {
 Expect(rulesWithChain.Rules).To(ConsistOf(
 rules.IPTablesRule{"--source", "10.255.1.2", "--jump", "MARK", "--set-xmark", "0xAA", "-m", "comment", "--comment", "src:some-app-guid"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "--dport", "8080:8080", "-m", "mark", "--mark", "0xAA", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:some-app-guid_dst:some-app-guid"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "5678:5678", "-j", "ACCEPT"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "9999:9999", "-j", "ACCEPT"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "-m", "tcp", "--dport", "8080", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
 ))
 })
@@ -1022,9 +597,6 @@ var _ = Describe("Planner", func() {
 Expect(rulesWithChain.Rules).To(ConsistOf(
 rules.IPTablesRule{"--source", "10.255.1.2", "--jump", "MARK", "--set-xmark", "0xAA", "-m", "comment", "--comment", "src:some-app-guid"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "--dport", "8080:8080", "-m", "mark", "--mark", "0xAA", "--jump", "ACCEPT", "-m", "comment", "--comment", "src:some-app-guid_dst:some-app-guid"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "tcp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "tcp", "--dport", "1234:1234", "-j", "ACCEPT"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "5678:5678", "-j", "ACCEPT"},
- rules.IPTablesRule{"-s", "10.255.1.2", "-o", "eth0", "-p", "udp", "-m", "iprange", "--dst-range", "1.2.3.4-1.2.3.5", "-m", "udp", "--dport", "9999:9999", "-j", "ACCEPT"},
 rules.IPTablesRule{"-d", "10.255.1.2", "-p", "tcp", "-m", "tcp", "--dport", "8080", "-m", "mark", "--mark", "0x5476", "--jump", "ACCEPT"},
 ))
 })
@@ -1033,7 +605,7 @@ var _ = Describe("Planner", func() {
 Context("when there are no policies", func() {
 BeforeEach(func() {
- policyClient.GetPoliciesByIDReturns([]policy_client.Policy{}, nil, nil)
+ policyClient.GetPoliciesByIDReturns([]policy_client.Policy{}, nil)
 })
 It("returns an chain with only the ingress rules", func() {
 rulesWithChain, err := policyPlanner.GetPolicyRulesAndChain()
@@ -1157,7 +729,7 @@ var _ = Describe("Planner", func() {
 Context("when getting policies fails", func() {
 BeforeEach(func() {
- policyClient.GetPoliciesByIDReturns(nil, nil, errors.New("kiwi"))
+ policyClient.GetPoliciesByIDReturns(nil, errors.New("kiwi"))
 })
 It("logs and returns the error", func() {