Rule sorting/strict mode fix

aws · Jul 24, 2024 · f2c03b7 · f2c03b7
1 parent da05900
commit f2c03b7
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 7 deletions.
diff --git a/.go-version b/.go-version
@@ -1 +1 @@
-1.21.11
+1.21.12
diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/aws/aws-network-policy-agent
 
-go 1.21.11
+go 1.21.12
 
 require (
 	github.com/aws/amazon-vpc-cni-k8s v1.18.1

diff --git a/go.sum b/go.sum
@@ -1,9 +1,5 @@
 github.com/aws/amazon-vpc-cni-k8s v1.18.1 h1:u/OeBgnUUX6f3PCEOpA4dbG0+iZ71CnY6tEljjrl3iw=
 github.com/aws/amazon-vpc-cni-k8s v1.18.1/go.mod h1:m/J5GsxF0Th2iQTOE3ww4W9LFvwdC0tGyA9dIL4h6iQ=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc1 h1:vDtkvNEvdF8L+2/qBahIuyLvOTeQs+ToVbkGw4QGJvI=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc1/go.mod h1:6lwTHtNgTp/kQzx4pdnp09LJevvIVqYf0ce8pP2u66E=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc2 h1:W2mdC1KjMk/fh7jfF/YP6s+Y9FsiEYc33PdJVsfix1g=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc2/go.mod h1:SBy1vl1WXMingLbqPZfHd1VXTqB9cD473JwUfoEM+Qs=
 github.com/aws/aws-ebpf-sdk-go v1.0.9 h1:FvkyeRUKNvbUFgzh+Ia7XbBb5U86dHW6dCrljt76Fao=
 github.com/aws/aws-ebpf-sdk-go v1.0.9/go.mod h1:SBy1vl1WXMingLbqPZfHd1VXTqB9cD473JwUfoEM+Qs=
 github.com/aws/aws-sdk-go v1.50.30 h1:2OelKH1eayeaH7OuL1Y9Ombfw4HK+/k0fEnJNWjyLts=

diff --git a/pkg/ebpf/bpf_client.go b/pkg/ebpf/bpf_client.go
@@ -745,7 +745,8 @@ func (l *bpfClient) updateEbpfMap(mapToUpdate goebpfmaps.BpfMap, firewallRules [
 func sortFirewallRulesByPrefixLength(rules []EbpfFirewallRules, prefixLenStr string) {
 	sort.Slice(rules, func(i, j int) bool {
 
-		prefixLen, _ := strconv.Atoi(prefixLenStr)
+		prefixSplit := strings.Split(prefixLenStr, "/")
+		prefixLen, _ := strconv.Atoi(prefixSplit[1])
 		prefixLenIp1 := prefixLen
 		prefixLenIp2 := prefixLen
 

diff --git a/pkg/rpc/rpc_handler.go b/pkg/rpc/rpc_handler.go
@@ -44,6 +44,14 @@ type server struct {
 
 // EnforceNpToPod processes CNI Enforce NP network request
 func (s *server) EnforceNpToPod(ctx context.Context, in *rpc.EnforceNpRequest) (*rpc.EnforceNpReply, error) {
+	if s.policyReconciler.GeteBPFClient() == nil {
+		s.log.Info("Network policy is disabled, returning success")
+		success := rpc.EnforceNpReply{
+			Success: true,
+		}
+		return &success, nil
+	}
+
 	s.log.Info("Received Enforce Network Policy Request for Pod", "Name", in.K8S_POD_NAME, "Namespace", in.K8S_POD_NAMESPACE)
 	var err error
 

diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
@@ -4,6 +4,7 @@ import (
 	"crypto/sha1"
 	"encoding/binary"
 	"encoding/hex"
+	"errors"
 	"fmt"
 	"net"
 	"strings"
@@ -165,6 +166,7 @@ func ComputeTrieValue(l4Info []v1alpha1.Port, log logr.Logger, allowAll, denyAll
 
 	for _, l4Entry := range l4Info {
 		if startOffset >= TRIE_VALUE_LENGTH {
+			log.Error(errors.New("trie value exceeds max trie value length"), "trie value exceeds the 24 port/protocol combinations")
 			return value
 		}
 		endPort = 0