Merge multiple rules into one rule if they have the same destinations #473

Merged
merged 1 commit into vmware-tanzu:main, Jan 24, 2024

Conversation

zhengxiexie
Contributor

@zhengxiexie zhengxiexie commented Jan 8, 2024

When expanding rules for named-port and non-named-port, we should merge the multiple service entries into one rule.
e.g.
         Src  Dst  Services
ruleA:   Any  Any  TCP (Source: Any | Destination: 80-8888)
ruleB:   Any  Any  TCP (Source: Any | Destination: 9999)
----->
         Src  Dst  Services
rule:    Any  Any  TCP (Source: Any | Destination: 80-8888)
                   TCP (Source: Any | Destination: 9999)

However,
         Src  Dst          Services
ruleA:   Any  IPSetGroup1  TCP (Source: Any | Destination: 80-8888)
ruleB:   Any  IPSetGroup2  TCP (Source: Any | Destination: 9999)
Can't merge since the Destinations are different.
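The merge rule described above, as an added Go example that is not nsx-operator's own code: rules are keyed on everything that determines who they apply to, and only rules with an identical key get their service entries concatenated. The `Rule` and `ServiceEntry` structs, the field names, the inclusion of direction and action in the merge key, and the dropping of duplicate service entries (the "dup-port" case where two named ports resolve to the same number) are assumptions made for this example; the two scenarios are constructed from the ruleA/ruleB pairs in the description.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ServiceEntry is one L4 service entry: protocol plus a destination port range
// (PortStart == PortEnd for a single port).
type ServiceEntry struct {
	Protocol  string
	PortStart int
	PortEnd   int
}

func (s ServiceEntry) String() string {
	if s.PortStart == s.PortEnd {
		return fmt.Sprintf("%s/%d", s.Protocol, s.PortStart)
	}
	return fmt.Sprintf("%s/%d-%d", s.Protocol, s.PortStart, s.PortEnd)
}

// Rule is a hypothetical, simplified firewall rule used for this example; the
// field names are assumptions and not the operator's own types.
type Rule struct {
	Name      string
	Direction string
	Action    string
	Sources   []string // group paths, or "ANY"
	Dests     []string // group paths, or "ANY"
	Services  []ServiceEntry
}

// mergeKey is the identity two rules must share to be merged. Direction and
// action are part of the key on purpose (assumption): folding a rule with a
// different action into another would silently change what the policy permits.
// Group lists are sorted so that ordering alone does not block a merge.
func mergeKey(r Rule) string {
	src := append([]string(nil), r.Sources...)
	dst := append([]string(nil), r.Dests...)
	sort.Strings(src)
	sort.Strings(dst)
	return strings.Join([]string{
		r.Direction, r.Action, strings.Join(src, ","), strings.Join(dst, ","),
	}, "|")
}

func containsService(list []ServiceEntry, s ServiceEntry) bool {
	for _, e := range list {
		if e == s {
			return true
		}
	}
	return false
}

// MergeRules folds rules with identical direction, action, sources and
// destinations into one rule carrying the union of their service entries.
// Duplicate entries are kept once. Rules whose destinations differ stay
// separate. First-seen order is preserved so rule priority is not reshuffled.
func MergeRules(rules []Rule) []Rule {
	var out []Rule
	index := map[string]int{}
	for _, r := range rules {
		k := mergeKey(r)
		i, ok := index[k]
		if !ok {
			merged := r
			merged.Services = nil
			out = append(out, merged)
			i = len(out) - 1
			index[k] = i
		}
		for _, svc := range r.Services {
			if !containsService(out[i].Services, svc) {
				out[i].Services = append(out[i].Services, svc)
			}
		}
	}
	return out
}

// SameDstRules is the constructed ruleA/ruleB pair with Any -> Any on both
// sides; they should collapse into one rule with two service entries.
func SameDstRules() []Rule {
	return []Rule{
		{Name: "ruleA", Direction: "IN", Action: "ALLOW", Sources: []string{"ANY"}, Dests: []string{"ANY"},
			Services: []ServiceEntry{{Protocol: "TCP", PortStart: 80, PortEnd: 8888}}},
		{Name: "ruleB", Direction: "IN", Action: "ALLOW", Sources: []string{"ANY"}, Dests: []string{"ANY"},
			Services: []ServiceEntry{{Protocol: "TCP", PortStart: 9999, PortEnd: 9999}}},
	}
}

// DiffDstRules is the constructed counter-example: destinations IPSetGroup1 and
// IPSetGroup2 differ, so the rules must not be merged.
func DiffDstRules() []Rule {
	return []Rule{
		{Name: "ruleA", Direction: "IN", Action: "ALLOW", Sources: []string{"ANY"}, Dests: []string{"IPSetGroup1"},
			Services: []ServiceEntry{{Protocol: "TCP", PortStart: 80, PortEnd: 8888}}},
		{Name: "ruleB", Direction: "IN", Action: "ALLOW", Sources: []string{"ANY"}, Dests: []string{"IPSetGroup2"},
			Services: []ServiceEntry{{Protocol: "TCP", PortStart: 9999, PortEnd: 9999}}},
	}
}

func main() {
	for _, scenario := range [][]Rule{SameDstRules(), DiffDstRules()} {
		for _, r := range MergeRules(scenario) {
			fmt.Printf("%s: src=%v dst=%v services=%v\n", r.Name, r.Sources, r.Dests, r.Services)
		}
		fmt.Println("-----")
	}
}
```

The check a reviewer would want on any such merge is that the key covers every field that changes the rule's effect: sources, destinations, direction and action. A key built from destinations alone would merge an allow rule with a drop rule that happens to share a destination group, and the merged rule would inherit whichever action came first.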

@zhengxiexie
Contributor Author

Tests Done

  1. non-named-port security policy
     apiVersion: nsx.vmware.com/v1alpha1
     kind: SecurityPolicy
     metadata:
       name: named-port-policy
       namespace: web
     spec:
       priority: 10
       appliedTo:
         - podSelector:
             matchLabels:
               role: web
       rules:
         - direction: in
           action: allow
           ports:
             - protocol: TCP
               port: 80
               endPort: 8888
             - protocol: TCP
               port: 9999
  2. named-port policy with different destinations: test/e2e/testSecurityPolicy/rule-out-rule-applied-to-with-dst-with-dup-port-multi.yaml
  3. named-port policy with same destinations: test/e2e/testSecurityPolicy/rule-out-rule-applied-to-with-dst-with-dup-port.yaml

@zhengxiexie
Contributor Author

/e2e

@zhengxiexie
Contributor Author

/e2e

@timdengyun
Contributor

/e2e

@zhengxiexie
Contributor Author

/e2e

@timdengyun
Contributor

For this case (named-port policy with same destinations, test/e2e/testSecurityPolicy/rule-out-rule-applied-to-with-dst-with-dup-port.yaml):
there is only one port number after parsing the named port, so only one IP set group is generated.

@zhengxiexie
Contributor Author

/e2e

When expanding rules for named-port and non-named-port, we should
merge the multiple service entries into one rule.
e.g.
         Src  Dst  Services
ruleA:   Any  Any  TCP (Source: Any | Destination: 80-8888)
ruleB:   Any  Any  TCP (Source: Any | Destination: 9999)
----->
         Src  Dst  Services
ruleA:   Any  Any  TCP (Source: Any | Destination: 80-8888)
                   TCP (Source: Any | Destination: 9999)

However,

         Src  Dst          Services
ruleA:   Any  IPSetGroup1  TCP (Source: Any | Destination: 80-8888)
ruleB:   Any  IPSetGroup2  TCP (Source: Any | Destination: 9999)
Can't merge since the Destinations are different.
@zhengxiexie zhengxiexie merged commit 2207ee2 into vmware-tanzu:main Jan 24, 2024
2 checks passed