From f2c03b722c8dd87ddd8361ece3af5abea6d5080f Mon Sep 17 00:00:00 2001
From: Joseph Chen
Date: Fri, 19 Jul 2024 22:19:30 +0000
Subject: [PATCH] Rule sorting/strict mode fix
---
 .go-version | 2 +-
 go.mod | 2 +-
 go.sum | 4 ----
 pkg/ebpf/bpf_client.go | 3 ++-
 pkg/rpc/rpc_handler.go | 8 ++++++++
 pkg/utils/utils.go | 2 ++
 6 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/.go-version b/.go-version
index 88863fd..26d7b6e 100644
--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.21.11
+1.21.12
diff --git a/go.mod b/go.mod
index f9f9413..14a7f4c 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/aws/aws-network-policy-agent
-go 1.21.11
+go 1.21.12
 require (
 github.com/aws/amazon-vpc-cni-k8s v1.18.1
diff --git a/go.sum b/go.sum
index c1e68ed..da32270 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,5 @@
 github.com/aws/amazon-vpc-cni-k8s v1.18.1 h1:u/OeBgnUUX6f3PCEOpA4dbG0+iZ71CnY6tEljjrl3iw=
 github.com/aws/amazon-vpc-cni-k8s v1.18.1/go.mod h1:m/J5GsxF0Th2iQTOE3ww4W9LFvwdC0tGyA9dIL4h6iQ=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc1 h1:vDtkvNEvdF8L+2/qBahIuyLvOTeQs+ToVbkGw4QGJvI=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc1/go.mod h1:6lwTHtNgTp/kQzx4pdnp09LJevvIVqYf0ce8pP2u66E=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc2 h1:W2mdC1KjMk/fh7jfF/YP6s+Y9FsiEYc33PdJVsfix1g=
-github.com/aws/aws-ebpf-sdk-go v1.0.9-rc2/go.mod h1:SBy1vl1WXMingLbqPZfHd1VXTqB9cD473JwUfoEM+Qs=
 github.com/aws/aws-ebpf-sdk-go v1.0.9 h1:FvkyeRUKNvbUFgzh+Ia7XbBb5U86dHW6dCrljt76Fao=
 github.com/aws/aws-ebpf-sdk-go v1.0.9/go.mod h1:SBy1vl1WXMingLbqPZfHd1VXTqB9cD473JwUfoEM+Qs=
 github.com/aws/aws-sdk-go v1.50.30 h1:2OelKH1eayeaH7OuL1Y9Ombfw4HK+/k0fEnJNWjyLts=
diff --git a/pkg/ebpf/bpf_client.go b/pkg/ebpf/bpf_client.go
index 5b63fc9..de8a557 100644
--- a/pkg/ebpf/bpf_client.go
+++ b/pkg/ebpf/bpf_client.go
@@ -745,7 +745,8 @@ func (l *bpfClient) updateEbpfMap(mapToUpdate goebpfmaps.BpfMap, firewallRules [
 func sortFirewallRulesByPrefixLength(rules []EbpfFirewallRules, prefixLenStr string) {
 sort.Slice(rules, func(i, j int) bool {
- prefixLen, _ := strconv.Atoi(prefixLenStr)
+ prefixSplit := strings.Split(prefixLenStr, "/")
+ prefixLen, _ := strconv.Atoi(prefixSplit[1])
 prefixLenIp1 := prefixLen
 prefixLenIp2 := prefixLen
diff --git a/pkg/rpc/rpc_handler.go b/pkg/rpc/rpc_handler.go
index 79957a6..c00ad07 100644
--- a/pkg/rpc/rpc_handler.go
+++ b/pkg/rpc/rpc_handler.go
@@ -44,6 +44,14 @@ type server struct {
 // EnforceNpToPod processes CNI Enforce NP network request
 func (s *server) EnforceNpToPod(ctx context.Context, in *rpc.EnforceNpRequest) (*rpc.EnforceNpReply, error) {
+ if s.policyReconciler.GeteBPFClient() == nil {
+ s.log.Info("Network policy is disabled, returning success")
+ success := rpc.EnforceNpReply{
+ Success: true,
+ }
+ return &success, nil
+ }
+
 s.log.Info("Received Enforce Network Policy Request for Pod", "Name", in.K8S_POD_NAME, "Namespace", in.K8S_POD_NAMESPACE)
 var err error
diff --git a/pkg/utils/utils.go b/pkg/utils/utils.go
index 77b2aca..0e49b96 100644
--- a/pkg/utils/utils.go
+++ b/pkg/utils/utils.go
@@ -4,6 +4,7 @@ import (
 "crypto/sha1"
 "encoding/binary"
 "encoding/hex"
+ "errors"
 "fmt"
 "net"
 "strings"
@@ -165,6 +166,7 @@ func ComputeTrieValue(l4Info []v1alpha1.Port, log logr.Logger, allowAll, denyAll
 for _, l4Entry := range l4Info {
 if startOffset >= TRIE_VALUE_LENGTH {
+ log.Error(errors.New("trie value exceeds max trie value length"), "trie value exceeds the 24 port/protocol combinations")
 return value
 }
 endPort = 0
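Review bot: `prefixSplit[1]` on the second added line panics with an index-out-of-range whenever `prefixLenStr` contains no `/`, and the `strconv.Atoi` error is still discarded, so one malformed CIDR string reaching this sort would take the agent down (where that string originates is outside the hunk, so treat the exposure as unverified). Both parses also sit inside the `sort.Slice` comparator and therefore run once per comparison rather than once per sort. Hoist them above `sort.Slice` and guard the split: `prefixLen := 0` followed by `if _, n, ok := strings.Cut(prefixLenStr, "/"); ok { prefixLen, _ = strconv.Atoi(n) }`, then let the closure capture `prefixLen`; this keeps the current "unparseable means 0" behaviour without the panic. The comparator and sortFirewallRulesByPrefixLength continue past the end of the hunk.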
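Review bot: The new early return in EnforceNpToPod accepts the request without recording which pod it was for; the existing log line carrying `in.K8S_POD_NAME` and `in.K8S_POD_NAMESPACE` is only reached on the enforced path. Since this branch means a pod comes up with no policy applied, it is exactly the event an operator will later want to find, so carry the same keys: `s.log.Info("Network policy is disabled, returning success", "Name", in.K8S_POD_NAME, "Namespace", in.K8S_POD_NAMESPACE)`. The temporary `success` variable can also go, `return &rpc.EnforceNpReply{Success: true}, nil`, and the doc comment above the method would benefit from one sentence stating that a nil eBPF client is treated as "network policy disabled" and the request is acknowledged unconditionally. Whether `s.policyReconciler` can itself be nil here is not visible in the hunk; EnforceNpToPod continues past the end of the hunk.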
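Review bot: In the ComputeTrieValue hunk the added `log.Error` reports the overflow, but the function still returns the truncated `value`, so the port/protocol entries that do not fit are dropped and the caller has no way to tell that the rule it installs is partial. The message also hard-codes `24` while the guard compares against `TRIE_VALUE_LENGTH`, so the two will drift if the constant changes, and a fresh error is allocated on every overflow. Declare the error once at package level, `var ErrTrieValueTooLong = errors.New("trie value exceeds max trie value length")` (constructed name), and log it with enough context to locate the offending policy, e.g. `log.Error(ErrTrieValueTooLong, "trie value exceeds the max port/protocol combinations", "entries", len(l4Info))`; returning an error to the caller instead of a silently partial value is worth considering separately. The loop and ComputeTrieValue continue past the end of the hunk, and the header's six-line old count suggests one context line is not visible here.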