Minor policy refactoring for CIDR+L4 work#3883
Conversation
There was a problem hiding this comment.
comment on exported function CreateL4EgressFilter should be of the form "CreateL4EgressFilter ..."
There was a problem hiding this comment.
comment on exported function CreateL4EgressFilter should be of the form "CreateL4EgressFilter ..."
3671882 to
3f8e395
Compare
|
test-me-please |
There was a problem hiding this comment.
It might be worth noting that we expect perfect input in the function doc. We will, inevitably, call this with unsanitized addresses some day.
There was a problem hiding this comment.
Do we also want to call ip.CoalesceCIDRs ?
Was the rational to add this function and types here because we need the auto-generated serialisation functions? It seems like a useful extension to the other package.
There was a problem hiding this comment.
Any chance you can make ingress bool a TrafficDirection type with two possible values? Calls to this function will then not have a mysterious boolean parament but we could also drop the ingress/egress wrappers.
There was a problem hiding this comment.
Good point, I'll fix this up.
There was a problem hiding this comment.
hrm, we have a TrafficDirection type, but it's specific to the BPF datapath at the moment. Are you suggesting introducing another such type for this layer? /cc @ianvernon
There was a problem hiding this comment.
:/ I would prefer to reuse types if possible, but it's unlikely to be safe in this case. Perhaps it's out of scope since this is basically a bike-shed type thing on where such a thing should live and what it should be called.
Ultimately, my hope was to have a little less code. As it stands, it's readable since the Ingress/Egress is in the wrappers.
There was a problem hiding this comment.
I took a stab at it, it removed about 20LoC and seems about as clear. Please take a look.
EDIT: Turns out I forgot to include the new file I added. It adds an extra 20 LoC, but that's mostly copyright header.
There was a problem hiding this comment.
very keen! I might prefer the direction earlier in the parameter list but I'm not sure if a caller considers it the most important/global property of the filter (I do but I also asked you to expose the parameter directly so I am biased).
There was a problem hiding this comment.
Putting TrafficDirection in the BPF datapath layer was a mistake on my part. IMO we can have it as its own little package? It'd make it much more portable and reusable.
There was a problem hiding this comment.
This seems like a reasonable suggestion, but it's getting further and further from what I'm trying to achieve so I intend to just drop this for now.
3f8e395 to
97d5688
Compare
1922b02 to
5b1f2e0
Compare
|
test-me-please |
There was a problem hiding this comment.
Why is this deliberately distinct from policymap.TrafficDirection? Wouldn't it make more sense to put the type into its own package so it's more portable?
There was a problem hiding this comment.
I thought about that, but then you're basically saying that the details of one datapath implementation should define the behaviour all the way up the userspace layers. Worst case, we do this and someone ends up thinking they can just extend the field later on or change its meaning and it breaks the datapath.
I'll drop that patch, it doesn't make a big difference and I'd rather focus on other things. Thanks for looking it over.
5b1f2e0 to
cd82457
Compare
|
test-me-please |
jrajahalme
left a comment
There was a problem hiding this comment.
I may have spotted one functional change, please check it out.
There was a problem hiding this comment.
This looks like a functional change to me. Previously the incoming parameter was passed on. Now the possibly modified form is passed on.
There was a problem hiding this comment.
I believe that this is the right behaviour. We should ensure that we are setting up the endpointselectors in the L4Filter, rather than relying on layers further down to treat the empty list of peerEndpoints as a wildcard selector.
/cc @ianvernon
There was a problem hiding this comment.
Filter endpoints is only modified if the filter selects all endpoints. If it does, then this is just an optimization, which I don't see a problem with at face value.
|
Saw what I believe to be a CI flake, filed #3901 to follow up. Will re-run tests. |
Combine the ingress/egress cases into one core function to reduce code duplication. Signed-off-by: Joe Stringer <joe@covalent.io>
If the peerEndpoints selector selected all endpoints, the local filterEndpoints variable would be set to the wildcard selector, but we used to still use the peerEndpoints selector for creating the L7RulesPerEp map. Be more consistent by using the version on the stack. Signed-off-by: Joe Stringer <joe@covalent.io>
Describe in more detail what `L4Policy` and `L3L4Policy` are. Signed-off-by: Joe Stringer <joe@covalent.io>
An upcoming commit will need to make use of this functionality from the policy/api package, so shift it there. Signed-off-by: Joe Stringer <joe@covalent.io>
These typed slices will allow for upcoming converters to translate these rule objects into EndpointSelectors. Signed-off-by: Joe Stringer <joe@covalent.io>
Signed-off-by: Joe Stringer <joe@covalent.io>
cd82457 to
6359ad2
Compare
|
test-me-please |
Re-reviewed the relevant patch, I don't have any concern with it.
[Split out from #3835 for easier review]
This PR includes the policy-only pieces of refactoring that are useful for #3835 . No functional changes should be observed.
This change is