Address comments

Signed-off-by: Dyanngg <dingyang@vmware.com>
antrea-io · Sep 26, 2024 · 1a0c157 · 1a0c157
1 parent 4ee3365
commit 1a0c157
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 28 deletions.
diff --git a/pkg/controller/networkpolicy/crd_utils_test.go b/pkg/controller/networkpolicy/crd_utils_test.go
@@ -594,3 +594,100 @@ func TestCreateAppliedToGroupsForGroup(t *testing.T) {
 		})
 	}
 }
+
+func TestComputeEffectiveIPNetForIPBlocks(t *testing.T) {
+	tests := []struct {
+		name                   string
+		inputIPBlocks          []crdv1beta1.IPBlock
+		expectedResultingCIDRs []string
+	}{
+		{
+			name: "single-ipblock-without-except",
+			inputIPBlocks: []crdv1beta1.IPBlock{
+				{CIDR: "10.20.0.0/24"},
+			},
+			expectedResultingCIDRs: []string{"10.20.0.0/24"},
+		},
+		{
+			name: "single-ipblock-with-except",
+			inputIPBlocks: []crdv1beta1.IPBlock{
+				{
+					CIDR: "10.20.0.0/24",
+					Except: []string{
+						"10.20.0.64/26",
+					},
+				},
+			},
+			expectedResultingCIDRs: []string{
+				"10.20.0.0/26",
+				"10.20.0.128/25",
+			},
+		},
+		{
+			name: "single-ipblock-with-multiple-except",
+			inputIPBlocks: []crdv1beta1.IPBlock{
+				{
+					CIDR: "10.20.0.0/24",
+					Except: []string{
+						"10.20.0.64/26",
+						"10.20.0.192/28",
+					},
+				},
+			},
+			expectedResultingCIDRs: []string{
+				"10.20.0.0/26",
+				"10.20.0.128/26",
+				"10.20.0.208/28",
+				"10.20.0.224/27",
+			},
+		},
+		{
+			name: "single-ipblock-with-except-v6",
+			inputIPBlocks: []crdv1beta1.IPBlock{
+				{
+					CIDR: "fd00:192:168::/48",
+					Except: []string{
+						"fd00:192:168:8000::/50",
+					},
+				},
+			},
+			expectedResultingCIDRs: []string{
+				"fd00:192:168::/49",
+				"fd00:192:168:c000::/50",
+			},
+		},
+		{
+			name: "multiple-ipblocks-with-except",
+			inputIPBlocks: []crdv1beta1.IPBlock{
+				{
+					CIDR: "10.20.0.0/24",
+					Except: []string{
+						"10.20.0.64/26",
+					},
+				},
+				{
+					CIDR: "10.20.1.0/24",
+					Except: []string{
+						"10.20.1.64/26",
+					},
+				},
+			},
+			expectedResultingCIDRs: []string{
+				"10.20.0.0/26",
+				"10.20.0.128/25",
+				"10.20.1.0/26",
+				"10.20.1.128/25",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actualIPNets := computeEffectiveIPNetForIPBlocks(tt.inputIPBlocks)
+			var actualCIDRs []string
+			for _, ipNet := range actualIPNets {
+				actualCIDRs = append(actualCIDRs, ipNet.String())
+			}
+			assert.ElementsMatch(t, tt.expectedResultingCIDRs, actualCIDRs)
+		})
+	}
+}
diff --git a/test/e2e/antreapolicy_test.go b/test/e2e/antreapolicy_test.go
@@ -688,7 +688,7 @@ func testACNPDropIPBlockWithExcept(t *testing.T) {
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("y")}}})
 	podXAIP, _ := podIPs[getPodName("x", "a")]
 	podXBIP, _ := podIPs[getPodName("x", "b")]
-	ipBlocks := genIPBlockWithExceptIPs(append(podXAIP, podXBIP...))
+	ipBlocks := genIPBlockForAllIPsExcept(append(podXAIP, podXBIP...))
 	for i := range ipBlocks {
 		builder.AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, ipBlocks[i], nil, nil, nil, nil, nil, nil, nil, nil,
 			crdv1beta1.RuleActionDrop, "", "egress-drop-"+strconv.Itoa(i), nil)
@@ -713,7 +713,7 @@ func testACNPDropIPBlockWithExcept(t *testing.T) {
 		SetAppliedToGroup([]ACNPAppliedToSpec{{PodSelector: map[string]string{"pod": "a"}, NSSelector: map[string]string{"ns": getNS("y")}}}).
 		AddEgress(ProtocolTCP, &p80, nil, nil, nil, nil, nil, nil, nil, map[string]string{"pod": "a"}, nil, map[string]string{"ns": getNS("x")}, nil, nil, nil, nil, nil,
 			crdv1beta1.RuleActionDrop, "", "egress-drop-xa", nil)
-	// Make sure that the except IPs in the previous policy excluded from the drop rule but not explicitly allowed
+	// Make sure that the except IPs in the previous policy can still be blocked with additional rules.
 	reachability2 := NewReachability(allPods, Connected)
 	reachability2.ExpectAllEgress(getPod("y", "a"), Dropped)
 	reachability2.Expect(getPod("y", "a"), getPod("x", "b"), Connected)
@@ -1093,25 +1093,21 @@ func testACNPClusterGroupRefRulePodAdd(t *testing.T, data *TestData) {
 	executeTestsWithData(t, testCase, data)
 }
 
-// There are three situations of a Pod's IP(s):
-// 1. Only one IPv4 address.
-// 2. Only one IPv6 address.
-// 3. One IPv4 and one IPv6 address, and we don't know the order in list.
-// We need to add all IP(s) of Pods as CIDR to IPBlock.
-func genIPBlock(ip string) *crdv1beta1.IPBlock {
+// genIPBlockForIP creates an IPBlock containing only the IP address in the input.
+func genIPBlockForIP(ip string) crdv1beta1.IPBlock {
 	switch IPFamily(ip) {
 	case "v4":
-		return &crdv1beta1.IPBlock{CIDR: ip + "/32"}
+		return crdv1beta1.IPBlock{CIDR: ip + "/32"}
 	case "v6":
-		return &crdv1beta1.IPBlock{CIDR: ip + "/128"}
+		return crdv1beta1.IPBlock{CIDR: ip + "/128"}
 	default:
-		return nil
+		return crdv1beta1.IPBlock{}
 	}
 }
 
-// genIPBlockWithExceptIPs generates ipBlocks which contains all the IP addresses in the
+// genIPBlockForAllIPsExcept generates ipBlocks which contains all the IP addresses in the
 // provided IPs' address family(s), except for the addresses in the input slice.
-func genIPBlockWithExceptIPs(except []string) []*crdv1beta1.IPBlock {
+func genIPBlockForAllIPsExcept(except []string) []*crdv1beta1.IPBlock {
 	var v4Excepts, v6Excepts []string
 	var ipbs []*crdv1beta1.IPBlock
 	for _, e := range except {
@@ -1144,13 +1140,9 @@ func testACNPClusterGroupRefRuleIPBlocks(t *testing.T) {
 	var ipBlock1, ipBlock2 []crdv1beta1.IPBlock
 	for i := 0; i < len(podXAIP); i++ {
 		for _, ips := range [][]string{podXAIP, podXBIP, podXCIP} {
-			if ipb := genIPBlock(ips[i]); ipb != nil {
-				ipBlock1 = append(ipBlock1, *ipb)
-			}
-		}
-		if ipbZA := genIPBlock(podZAIP[i]); ipbZA != nil {
-			ipBlock2 = append(ipBlock2, *ipbZA)
+			ipBlock1 = append(ipBlock1, genIPBlockForIP(ips[i]))
 		}
+		ipBlock2 = append(ipBlock2, genIPBlockForIP(podZAIP[i]))
 	}
 	cgName := "cg-ipblocks-pod-in-ns-x"
 	cgBuilder := &ClusterGroupSpecBuilder{}
@@ -1596,9 +1588,7 @@ func testANNPGroupRefRuleIPBlocks(t *testing.T) {
 	var ipBlock []crdv1beta1.IPBlock
 	for i := 0; i < len(podXBIP); i++ {
 		for _, podIP := range []string{podXBIP[i], podXCIP[i]} {
-			if ipb := genIPBlock(podIP); ipb != nil {
-				ipBlock = append(ipBlock, *ipb)
-			}
+			ipBlock = append(ipBlock, genIPBlockForIP(podIP))
 		}
 	}
 
@@ -3114,12 +3104,8 @@ func testACNPNestedIPBlockClusterGroupCreateAndUpdate(t *testing.T) {
 	cgParentName := "cg-parent"
 	var ipBlockXA, ipBlockXB []crdv1beta1.IPBlock
 	for i := 0; i < len(podXAIP); i++ {
-		if ipb := genIPBlock(podXAIP[i]); ipb != nil {
-			ipBlockXA = append(ipBlockXA, *ipb)
-		}
-		if ipb := genIPBlock(podXBIP[i]); ipb != nil {
-			ipBlockXB = append(ipBlockXB, *ipb)
-		}
+		ipBlockXA = append(ipBlockXA, genIPBlockForIP(podXAIP[i]))
+		ipBlockXB = append(ipBlockXB, genIPBlockForIP(podXBIP[i]))
 	}
 	cgBuilder1 := &ClusterGroupSpecBuilder{}
 	cgBuilder1 = cgBuilder1.SetName(cg1Name).SetIPBlocks(ipBlockXA)