github.com/cilium/cilium@v1.16.2/pkg/policy/mapstate_test.go (about) 1 // SPDX-License-Identifier: Apache-2.0 2 // Copyright Authors of Cilium 3 4 package policy 5 6 import ( 7 "fmt" 8 "testing" 9 10 "github.com/stretchr/testify/assert" 11 "github.com/stretchr/testify/require" 12 13 "github.com/cilium/cilium/pkg/identity" 14 "github.com/cilium/cilium/pkg/labels" 15 "github.com/cilium/cilium/pkg/policy/trafficdirection" 16 "github.com/cilium/cilium/pkg/u8proto" 17 ) 18 19 func Test_IsSuperSetOf(t *testing.T) { 20 tests := []struct { 21 superSet Key 22 subSet Key 23 res int 24 }{ 25 {key(0, 0, 0, 0), key(0, 0, 0, 0), 0}, 26 {key(0, 0, 0, 0), key(42, 0, 6, 0), 1}, 27 {key(0, 0, 0, 0), key(42, 80, 6, 0), 1}, 28 {key(0, 0, 0, 0), key(42, 0, 0, 0), 1}, 29 {key(0, 0, 6, 0), key(42, 0, 6, 0), 3}, // port is the same 30 {key(0, 0, 6, 0), key(42, 80, 6, 0), 2}, 31 {keyWithPortMask(0, 64, 0xffc0, 6, 0), key(42, 80, 6, 0), 2}, // port range 64-127,80 32 {key(0, 80, 6, 0), key(42, 80, 6, 0), 3}, 33 {keyWithPortMask(0, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 3}, // port ranges are the same 34 {key(0, 80, 6, 0), key(42, 80, 17, 0), 0}, // proto is different 35 {key(2, 80, 6, 0), key(42, 80, 6, 0), 0}, // id is different 36 {key(0, 8080, 6, 0), key(42, 80, 6, 0), 0}, // port is different 37 {keyWithPortMask(0, 64, 0xffc0, 6, 0), key(42, 8080, 6, 0), 0}, // port range is different from port 38 {key(42, 0, 0, 0), key(42, 0, 0, 0), 0}, // same key 39 {key(42, 0, 0, 0), key(42, 0, 6, 0), 4}, 40 {key(42, 0, 0, 0), key(42, 80, 6, 0), 4}, 41 {keyWithPortMask(42, 64, 0xffc0, 0, 0), key(42, 80, 6, 0), 4}, // port range 64-127,80 42 {key(42, 0, 0, 0), key(42, 0, 17, 0), 4}, 43 {key(42, 0, 0, 0), key(42, 80, 17, 0), 4}, 44 {keyWithPortMask(42, 64, 0xffc0, 0, 0), key(42, 80, 17, 0), 4}, 45 {key(42, 0, 6, 0), key(42, 0, 6, 0), 0}, // same key 46 {key(42, 0, 6, 0), key(42, 80, 6, 0), 5}, 47 {keyWithPortMask(42, 64, 0xffc0, 6, 0), key(42, 80, 6, 0), 5}, 48 {key(42, 0, 6, 0), key(42, 8080, 6, 0), 5}, 49 {key(42, 80, 6, 0), key(42, 80, 6, 0), 0}, // same key 50 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 0}, // same key 51 {key(42, 80, 6, 0), key(42, 8080, 6, 0), 0}, // different port 52 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(42, 128, 0xff80, 6, 0), 0}, // different port ranges 53 {key(42, 80, 6, 0), key(42, 80, 17, 0), 0}, // different proto 54 {key(42, 80, 6, 0), key(42, 8080, 17, 0), 0}, // different port and proto 55 56 // increasing specificity for a L3/L4 key 57 {key(0, 0, 0, 0), key(42, 80, 6, 0), 1}, 58 {keyWithPortMask(0, 64, 0xffc0, 0, 0), key(42, 80, 6, 0), 1}, 59 {key(0, 0, 6, 0), key(42, 80, 6, 0), 2}, 60 {keyWithPortMask(0, 64, 0xffc0, 6, 0), key(42, 80, 6, 0), 2}, 61 {key(0, 80, 6, 0), key(42, 80, 6, 0), 3}, 62 {keyWithPortMask(0, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 3}, 63 {key(42, 0, 0, 0), key(42, 80, 6, 0), 4}, 64 {keyWithPortMask(42, 64, 0xffc0, 0, 0), key(42, 80, 6, 0), 4}, 65 {key(42, 0, 6, 0), key(42, 80, 6, 0), 5}, 66 {keyWithPortMask(42, 64, 0xffc0, 6, 0), key(42, 80, 6, 0), 5}, 67 {key(42, 80, 6, 0), key(42, 80, 6, 0), 0}, // same key 68 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 0}, // same key 69 70 // increasing specificity for a L3-only key 71 {key(0, 0, 0, 0), key(42, 0, 0, 0), 1}, 72 {keyWithPortMask(0, 64, 0xffc0, 0, 0), key(42, 0, 0, 0), 1}, 73 {key(0, 0, 6, 0), key(42, 0, 0, 0), 0}, // not a superset 74 {key(0, 80, 6, 0), key(42, 0, 0, 0), 0}, // not a superset 75 {keyWithPortMask(0, 64, 0xffc0, 6, 0), key(42, 0, 0, 0), 0}, // not a superset 76 {key(42, 0, 0, 0), key(42, 0, 0, 0), 0}, // same key 77 {key(42, 0, 6, 0), key(42, 0, 0, 0), 0}, // not a superset 78 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 0, 0), 0}, // not a superset 79 {key(42, 80, 6, 0), key(42, 0, 0, 0), 0}, // not a superset 80 {keyWithPortMask(42, 64, 0xffc0, 6, 0), key(42, 0, 0, 0), 0}, // not a superset 81 82 // increasing specificity for a L3/proto key 83 {key(0, 0, 0, 0), key(42, 0, 6, 0), 1}, // wildcard 84 {keyWithPortMask(0, 64, 0xffc0, 0, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 1}, 85 {key(0, 0, 6, 0), key(42, 0, 6, 0), 3}, // ports are the same 86 {keyWithPortMask(0, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 3}, // port ranges are the same 87 {key(0, 80, 6, 0), key(42, 0, 6, 0), 0}, // not a superset 88 {key(0, 80, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 0}, // not a superset 89 {key(42, 0, 0, 0), key(42, 0, 6, 0), 4}, 90 {keyWithPortMask(42, 64, 0xffc0, 0, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 4}, 91 {key(42, 0, 6, 0), key(42, 0, 6, 0), 0}, // same key 92 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 0}, // same key 93 {key(42, 80, 6, 0), key(42, 0, 6, 0), 0}, // not a superset 94 {key(42, 80, 6, 0), keyWithPortMask(42, 64, 0xffc0, 6, 0), 0}, // not a superset 95 96 // increasing specificity for a proto-only key 97 {key(0, 0, 0, 0), key(0, 0, 6, 0), 1}, 98 {keyWithPortMask(0, 64, 0xffc0, 0, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 1}, 99 {key(0, 0, 6, 0), key(0, 0, 6, 0), 0}, // same key 100 {keyWithPortMask(0, 64, 0xffc0, 6, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // same key 101 {key(0, 80, 6, 0), key(0, 0, 6, 0), 0}, // not a superset 102 {key(0, 80, 6, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // not a superset 103 {key(42, 0, 0, 0), key(0, 0, 6, 0), 0}, // not a superset 104 {keyWithPortMask(42, 64, 0xffc0, 0, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // not a superset 105 {key(42, 0, 6, 0), key(0, 0, 6, 0), 0}, // not a superset 106 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // not a superset 107 {key(42, 80, 6, 0), key(0, 0, 6, 0), 0}, // not a superset 108 {key(42, 80, 6, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // not a superset 109 110 // increasing specificity for a L4-only key 111 {key(0, 0, 0, 0), key(0, 80, 6, 0), 1}, 112 {keyWithPortMask(0, 64, 0xffc0, 0, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 1}, 113 {key(0, 0, 6, 0), key(0, 80, 6, 0), 2}, 114 {keyWithPortMask(0, 64, 0xffc0, 6, 0), key(0, 80, 6, 0), 2}, 115 {key(0, 80, 6, 0), key(0, 80, 6, 0), 0}, // same key 116 {keyWithPortMask(0, 64, 0xffc0, 6, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // same key 117 {key(42, 0, 0, 0), key(0, 80, 6, 0), 0}, // not a superset 118 {keyWithPortMask(42, 64, 0xffc0, 0, 0), key(0, 80, 6, 0), 0}, // not a superset 119 {key(42, 0, 6, 0), key(0, 80, 6, 0), 0}, // not a superset 120 {keyWithPortMask(42, 64, 0xffc0, 6, 0), key(0, 80, 6, 0), 0}, // not a superset 121 {key(42, 80, 6, 0), key(0, 80, 6, 0), 0}, // not a superset 122 {keyWithPortMask(42, 64, 0xffc0, 6, 0), keyWithPortMask(0, 64, 0xffc0, 6, 0), 0}, // not a superset 123 124 } 125 for i, tt := range tests { 126 assert.Equal(t, tt.res, IsSuperSetOf(tt.superSet, tt.subSet), fmt.Sprintf("IsSuperSetOf failed on round %d", i+1)) 127 if tt.res != 0 { 128 assert.Equal(t, 0, IsSuperSetOf(tt.subSet, tt.superSet), fmt.Sprintf("Reverse IsSuperSetOf succeeded on round %d", i+1)) 129 } 130 } 131 } 132 133 // WithOwners replaces owners of 'e' with 'owners'. 134 // No owners is represented with a 'nil' map. 135 func (e MapStateEntry) WithOwners(owners ...MapStateOwner) MapStateEntry { 136 e.owners = make(map[MapStateOwner]struct{}, len(owners)) 137 for _, cs := range owners { 138 e.owners[cs] = struct{}{} 139 } 140 return e 141 } 142 143 // WithAuthType sets auth type field as indicated. 144 func (e MapStateEntry) WithAuthType(authType AuthType) MapStateEntry { 145 e.hasAuthType = ExplicitAuthType 146 e.AuthType = authType 147 return e 148 } 149 150 // WithoutOwners empties the 'owners' of 'e'. 151 // Note: This is used only in unit tests and helps test readability. 152 func (e MapStateEntry) WithoutOwners() MapStateEntry { 153 e.owners = make(map[MapStateOwner]struct{}) 154 return e 155 } 156 157 // WithDependents 'e' adds 'keys' to 'e.dependents'. 158 func (e MapStateEntry) WithDependents(keys ...Key) MapStateEntry { 159 if e.dependents == nil { 160 e.dependents = make(map[Key]struct{}) 161 } 162 for _, key := range keys { 163 e.AddDependent(key) 164 } 165 return e 166 } 167 168 func TestPolicyKeyTrafficDirection(t *testing.T) { 169 k := Key{TrafficDirection: trafficdirection.Ingress.Uint8()} 170 require.True(t, k.IsIngress()) 171 require.Equal(t, false, k.IsEgress()) 172 173 k = Key{TrafficDirection: trafficdirection.Egress.Uint8()} 174 require.Equal(t, false, k.IsIngress()) 175 require.True(t, k.IsEgress()) 176 } 177 178 // validatePortProto makes sure each Key in MapState abides by the contract that protocol/nexthdr 179 // can only be wildcarded if the destination port is also wildcarded. 180 func (ms *mapState) validatePortProto(t *testing.T) { 181 ms.ForEach(func(k Key, _ MapStateEntry) bool { 182 if k.Nexthdr == 0 { 183 require.Equal(t, uint16(0), k.DestPort) 184 } 185 return true 186 }) 187 } 188 189 func TestMapState_denyPreferredInsertWithChanges(t *testing.T) { 190 type args struct { 191 key Key 192 entry MapStateEntry 193 } 194 tests := []struct { 195 name string 196 ms, want *mapState 197 wantAdds, wantDeletes Keys 198 wantOld map[Key]MapStateEntry 199 args args 200 }{ 201 { 202 name: "test-1 - no KV added, map should remain the same", 203 ms: newMapState(map[Key]MapStateEntry{ 204 { 205 Identity: 0, 206 DestPort: 0, 207 InvertedPortMask: 0xffff, 208 Nexthdr: 0, 209 TrafficDirection: 0, 210 }: { 211 ProxyPort: 0, 212 DerivedFromRules: nil, 213 IsDeny: false, 214 }, 215 }), 216 args: args{ 217 key: Key{ 218 InvertedPortMask: 0xffff, 219 }, 220 entry: MapStateEntry{}, 221 }, 222 want: newMapState(map[Key]MapStateEntry{ 223 { 224 Identity: 0, 225 DestPort: 0, 226 InvertedPortMask: 0xffff, 227 Nexthdr: 0, 228 TrafficDirection: 0, 229 }: { 230 ProxyPort: 0, 231 DerivedFromRules: nil, 232 IsDeny: false, 233 }, 234 }), 235 wantAdds: Keys{}, 236 wantDeletes: Keys{}, 237 wantOld: map[Key]MapStateEntry{}, 238 }, 239 { 240 name: "test-2a - L3 allow KV should not overwrite deny entry", 241 ms: newMapState(map[Key]MapStateEntry{ 242 { 243 Identity: 1, 244 DestPort: 80, 245 Nexthdr: 3, 246 TrafficDirection: trafficdirection.Ingress.Uint8(), 247 }: { 248 ProxyPort: 0, 249 DerivedFromRules: nil, 250 IsDeny: true, 251 }, 252 }), 253 args: args{ 254 key: Key{ 255 Identity: 1, 256 DestPort: 0, 257 InvertedPortMask: 0xffff, 258 Nexthdr: 0, 259 TrafficDirection: trafficdirection.Ingress.Uint8(), 260 }, 261 entry: MapStateEntry{ 262 ProxyPort: 0, 263 DerivedFromRules: nil, 264 IsDeny: false, 265 }, 266 }, 267 want: newMapState(map[Key]MapStateEntry{ 268 { 269 Identity: 1, 270 DestPort: 0, 271 InvertedPortMask: 0xffff, 272 Nexthdr: 0, 273 TrafficDirection: trafficdirection.Ingress.Uint8(), 274 }: { 275 ProxyPort: 0, 276 DerivedFromRules: nil, 277 IsDeny: false, 278 }, 279 { 280 Identity: 1, 281 DestPort: 80, 282 Nexthdr: 3, 283 TrafficDirection: trafficdirection.Ingress.Uint8(), 284 }: { 285 ProxyPort: 0, 286 DerivedFromRules: nil, 287 IsDeny: true, 288 }, 289 }), 290 wantAdds: Keys{ 291 Key{ 292 Identity: 1, 293 DestPort: 0, 294 InvertedPortMask: 0xffff, 295 Nexthdr: 0, 296 TrafficDirection: trafficdirection.Ingress.Uint8(), 297 }: struct{}{}, 298 }, 299 wantDeletes: Keys{}, 300 wantOld: map[Key]MapStateEntry{}, 301 }, 302 { 303 name: "test-2b - L3 port-range allow KV should not overwrite deny entry", 304 ms: newMapState(map[Key]MapStateEntry{ 305 { 306 Identity: 1, 307 DestPort: 80, 308 Nexthdr: 3, 309 TrafficDirection: trafficdirection.Ingress.Uint8(), 310 }: { 311 ProxyPort: 0, 312 DerivedFromRules: nil, 313 IsDeny: true, 314 }, 315 }), 316 args: args{ 317 key: Key{ 318 Identity: 1, 319 DestPort: 64, 320 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 321 Nexthdr: 3, 322 TrafficDirection: trafficdirection.Ingress.Uint8(), 323 }, 324 entry: MapStateEntry{ 325 ProxyPort: 0, 326 DerivedFromRules: nil, 327 IsDeny: false, 328 }, 329 }, 330 want: newMapState(map[Key]MapStateEntry{ 331 { 332 Identity: 1, 333 DestPort: 64, 334 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 335 Nexthdr: 3, 336 TrafficDirection: trafficdirection.Ingress.Uint8(), 337 }: { 338 ProxyPort: 0, 339 DerivedFromRules: nil, 340 IsDeny: false, 341 }, 342 { 343 Identity: 1, 344 DestPort: 80, 345 Nexthdr: 3, 346 TrafficDirection: trafficdirection.Ingress.Uint8(), 347 }: { 348 ProxyPort: 0, 349 DerivedFromRules: nil, 350 IsDeny: true, 351 }, 352 }), 353 wantAdds: Keys{ 354 Key{ 355 Identity: 1, 356 DestPort: 64, 357 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 358 Nexthdr: 3, 359 TrafficDirection: trafficdirection.Ingress.Uint8(), 360 }: struct{}{}, 361 }, 362 wantDeletes: Keys{}, 363 wantOld: map[Key]MapStateEntry{}, 364 }, 365 { 366 name: "test-3a - L3-L4 allow KV should not overwrite deny entry", 367 ms: newMapState(map[Key]MapStateEntry{ 368 { 369 Identity: 1, 370 DestPort: 80, 371 Nexthdr: 3, 372 TrafficDirection: trafficdirection.Ingress.Uint8(), 373 }: { 374 ProxyPort: 0, 375 DerivedFromRules: nil, 376 IsDeny: true, 377 }, 378 }), 379 args: args{ 380 key: Key{ 381 Identity: 1, 382 DestPort: 80, 383 Nexthdr: 3, 384 TrafficDirection: trafficdirection.Ingress.Uint8(), 385 }, 386 entry: MapStateEntry{ 387 ProxyPort: 0, 388 DerivedFromRules: nil, 389 IsDeny: false, 390 }, 391 }, 392 want: newMapState(map[Key]MapStateEntry{ 393 { 394 Identity: 1, 395 DestPort: 80, 396 Nexthdr: 3, 397 TrafficDirection: trafficdirection.Ingress.Uint8(), 398 }: { 399 ProxyPort: 0, 400 DerivedFromRules: nil, 401 IsDeny: true, 402 }, 403 }), 404 wantAdds: Keys{}, 405 wantDeletes: Keys{}, 406 wantOld: map[Key]MapStateEntry{}, 407 }, 408 { 409 name: "test-3b - L3-L4 port-range allow KV should not overwrite deny entry", 410 ms: newMapState(map[Key]MapStateEntry{ 411 { 412 Identity: 1, 413 DestPort: 64, 414 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 415 Nexthdr: 3, 416 TrafficDirection: trafficdirection.Ingress.Uint8(), 417 }: { 418 ProxyPort: 0, 419 DerivedFromRules: nil, 420 IsDeny: true, 421 }, 422 }), 423 args: args{ 424 key: Key{ 425 Identity: 1, 426 DestPort: 64, 427 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 428 Nexthdr: 3, 429 TrafficDirection: trafficdirection.Ingress.Uint8(), 430 }, 431 entry: MapStateEntry{ 432 ProxyPort: 0, 433 DerivedFromRules: nil, 434 IsDeny: false, 435 }, 436 }, 437 want: newMapState(map[Key]MapStateEntry{ 438 { 439 Identity: 1, 440 DestPort: 64, 441 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 442 Nexthdr: 3, 443 TrafficDirection: trafficdirection.Ingress.Uint8(), 444 }: { 445 ProxyPort: 0, 446 DerivedFromRules: nil, 447 IsDeny: true, 448 }, 449 }), 450 wantAdds: Keys{}, 451 wantDeletes: Keys{}, 452 wantOld: map[Key]MapStateEntry{}, 453 }, 454 { 455 name: "test-4a - L3-L4 deny KV should overwrite allow entry", 456 ms: newMapState(map[Key]MapStateEntry{ 457 { 458 Identity: 1, 459 DestPort: 80, 460 Nexthdr: 3, 461 TrafficDirection: trafficdirection.Ingress.Uint8(), 462 }: { 463 ProxyPort: 0, 464 DerivedFromRules: nil, 465 IsDeny: false, 466 }, 467 }), 468 args: args{ 469 key: Key{ 470 Identity: 1, 471 DestPort: 80, 472 Nexthdr: 3, 473 TrafficDirection: trafficdirection.Ingress.Uint8(), 474 }, 475 entry: MapStateEntry{ 476 ProxyPort: 0, 477 DerivedFromRules: nil, 478 IsDeny: true, 479 }, 480 }, 481 want: newMapState(map[Key]MapStateEntry{ 482 { 483 Identity: 1, 484 DestPort: 80, 485 Nexthdr: 3, 486 TrafficDirection: trafficdirection.Ingress.Uint8(), 487 }: { 488 ProxyPort: 0, 489 DerivedFromRules: nil, 490 IsDeny: true, 491 }, 492 }), 493 wantAdds: Keys{ 494 Key{ 495 Identity: 1, 496 DestPort: 80, 497 Nexthdr: 3, 498 TrafficDirection: trafficdirection.Ingress.Uint8(), 499 }: struct{}{}, 500 }, 501 wantDeletes: Keys{}, 502 wantOld: map[Key]MapStateEntry{ 503 { 504 Identity: 1, 505 DestPort: 80, 506 Nexthdr: 3, 507 TrafficDirection: trafficdirection.Ingress.Uint8(), 508 }: { 509 ProxyPort: 0, 510 DerivedFromRules: nil, 511 IsDeny: false, 512 }, 513 }, 514 }, 515 { 516 name: "test-4b - L3-L4 port-range deny KV should overwrite allow entry", 517 ms: newMapState(map[Key]MapStateEntry{ 518 { 519 Identity: 1, 520 DestPort: 80, 521 Nexthdr: 3, 522 TrafficDirection: trafficdirection.Ingress.Uint8(), 523 }: { 524 ProxyPort: 0, 525 DerivedFromRules: nil, 526 IsDeny: false, 527 }, 528 }), 529 args: args{ 530 key: Key{ 531 Identity: 1, 532 DestPort: 64, 533 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 534 Nexthdr: 3, 535 TrafficDirection: trafficdirection.Ingress.Uint8(), 536 }, 537 entry: MapStateEntry{ 538 ProxyPort: 0, 539 DerivedFromRules: nil, 540 IsDeny: true, 541 }, 542 }, 543 want: newMapState(map[Key]MapStateEntry{ 544 { 545 Identity: 1, 546 DestPort: 64, 547 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 548 Nexthdr: 3, 549 TrafficDirection: trafficdirection.Ingress.Uint8(), 550 }: { 551 ProxyPort: 0, 552 DerivedFromRules: nil, 553 IsDeny: true, 554 }, 555 }), 556 wantAdds: Keys{ 557 Key{ 558 Identity: 1, 559 DestPort: 64, 560 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 561 Nexthdr: 3, 562 TrafficDirection: trafficdirection.Ingress.Uint8(), 563 }: struct{}{}, 564 }, 565 wantDeletes: Keys{ 566 Key{ 567 Identity: 1, 568 DestPort: 80, 569 Nexthdr: 3, 570 TrafficDirection: trafficdirection.Ingress.Uint8(), 571 }: struct{}{}, 572 }, 573 wantOld: map[Key]MapStateEntry{ 574 { 575 Identity: 1, 576 DestPort: 80, 577 Nexthdr: 3, 578 TrafficDirection: trafficdirection.Ingress.Uint8(), 579 }: { 580 ProxyPort: 0, 581 DerivedFromRules: nil, 582 IsDeny: false, 583 }, 584 }, 585 }, 586 { 587 name: "test-5a - L3 deny KV should overwrite all L3-L4 allow and L3 allow entries for the same L3", 588 ms: newMapState(map[Key]MapStateEntry{ 589 { 590 Identity: 1, 591 DestPort: 80, 592 Nexthdr: 3, 593 TrafficDirection: trafficdirection.Ingress.Uint8(), 594 }: { 595 ProxyPort: 0, 596 DerivedFromRules: nil, 597 IsDeny: false, 598 }, 599 { 600 Identity: 1, 601 DestPort: 0, 602 InvertedPortMask: 0xffff, 603 Nexthdr: 0, 604 TrafficDirection: trafficdirection.Ingress.Uint8(), 605 }: { 606 ProxyPort: 0, 607 DerivedFromRules: nil, 608 IsDeny: false, 609 }, 610 { 611 Identity: 2, 612 DestPort: 80, 613 Nexthdr: 3, 614 TrafficDirection: trafficdirection.Ingress.Uint8(), 615 }: { 616 ProxyPort: 0, 617 DerivedFromRules: nil, 618 IsDeny: false, 619 }, 620 { 621 Identity: 2, 622 DestPort: 0, 623 InvertedPortMask: 0xffff, 624 Nexthdr: 0, 625 TrafficDirection: trafficdirection.Ingress.Uint8(), 626 }: { 627 ProxyPort: 0, 628 DerivedFromRules: nil, 629 IsDeny: false, 630 }, 631 }), 632 args: args{ 633 key: Key{ 634 Identity: 1, 635 DestPort: 0, 636 InvertedPortMask: 0xffff, 637 Nexthdr: 0, 638 TrafficDirection: trafficdirection.Ingress.Uint8(), 639 }, 640 entry: MapStateEntry{ 641 ProxyPort: 0, 642 DerivedFromRules: nil, 643 IsDeny: true, 644 }, 645 }, 646 want: newMapState(map[Key]MapStateEntry{ 647 { 648 Identity: 1, 649 DestPort: 0, 650 InvertedPortMask: 0xffff, 651 Nexthdr: 0, 652 TrafficDirection: trafficdirection.Ingress.Uint8(), 653 }: { 654 ProxyPort: 0, 655 DerivedFromRules: nil, 656 IsDeny: true, 657 }, 658 { 659 Identity: 2, 660 DestPort: 80, 661 Nexthdr: 3, 662 TrafficDirection: trafficdirection.Ingress.Uint8(), 663 }: { 664 ProxyPort: 0, 665 DerivedFromRules: nil, 666 IsDeny: false, 667 }, 668 { 669 Identity: 2, 670 DestPort: 0, 671 InvertedPortMask: 0xffff, 672 Nexthdr: 0, 673 TrafficDirection: trafficdirection.Ingress.Uint8(), 674 }: { 675 ProxyPort: 0, 676 DerivedFromRules: nil, 677 IsDeny: false, 678 }, 679 }), 680 wantAdds: Keys{ 681 Key{ 682 Identity: 1, 683 DestPort: 0, 684 InvertedPortMask: 0xffff, 685 Nexthdr: 0, 686 TrafficDirection: trafficdirection.Ingress.Uint8(), 687 }: struct{}{}, 688 }, 689 wantDeletes: Keys{ 690 Key{ 691 Identity: 1, 692 DestPort: 80, 693 Nexthdr: 3, 694 TrafficDirection: trafficdirection.Ingress.Uint8(), 695 }: struct{}{}, 696 }, 697 wantOld: map[Key]MapStateEntry{ 698 { 699 Identity: 1, 700 DestPort: 0, 701 InvertedPortMask: 0xffff, 702 Nexthdr: 0, 703 TrafficDirection: trafficdirection.Ingress.Uint8(), 704 }: { 705 ProxyPort: 0, 706 DerivedFromRules: nil, 707 IsDeny: false, 708 }, 709 { 710 Identity: 1, 711 DestPort: 80, 712 Nexthdr: 3, 713 TrafficDirection: trafficdirection.Ingress.Uint8(), 714 }: { 715 ProxyPort: 0, 716 DerivedFromRules: nil, 717 IsDeny: false, 718 }, 719 }, 720 }, 721 { 722 name: "test-5b - L3 port-range deny KV should overwrite all L3-L4 allow and L3 allow entries for the same L3", 723 ms: newMapState(map[Key]MapStateEntry{ 724 { 725 Identity: 1, 726 DestPort: 80, 727 Nexthdr: 3, 728 TrafficDirection: trafficdirection.Ingress.Uint8(), 729 }: { 730 ProxyPort: 0, 731 DerivedFromRules: nil, 732 IsDeny: false, 733 }, 734 { 735 Identity: 1, 736 DestPort: 64, 737 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 738 Nexthdr: 3, 739 TrafficDirection: trafficdirection.Ingress.Uint8(), 740 }: { 741 ProxyPort: 0, 742 DerivedFromRules: nil, 743 IsDeny: false, 744 }, 745 { 746 Identity: 2, 747 DestPort: 80, 748 Nexthdr: 3, 749 TrafficDirection: trafficdirection.Ingress.Uint8(), 750 }: { 751 ProxyPort: 0, 752 DerivedFromRules: nil, 753 IsDeny: false, 754 }, 755 { 756 Identity: 2, 757 DestPort: 64, 758 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 759 Nexthdr: 3, 760 TrafficDirection: trafficdirection.Ingress.Uint8(), 761 }: { 762 ProxyPort: 0, 763 DerivedFromRules: nil, 764 IsDeny: false, 765 }, 766 }), 767 args: args{ 768 key: Key{ 769 Identity: 1, 770 DestPort: 64, 771 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 772 Nexthdr: 3, 773 TrafficDirection: trafficdirection.Ingress.Uint8(), 774 }, 775 entry: MapStateEntry{ 776 ProxyPort: 0, 777 DerivedFromRules: nil, 778 IsDeny: true, 779 }, 780 }, 781 want: newMapState(map[Key]MapStateEntry{ 782 { 783 Identity: 1, 784 DestPort: 64, 785 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 786 Nexthdr: 3, 787 TrafficDirection: trafficdirection.Ingress.Uint8(), 788 }: { 789 ProxyPort: 0, 790 DerivedFromRules: nil, 791 IsDeny: true, 792 }, 793 { 794 Identity: 2, 795 DestPort: 80, 796 Nexthdr: 3, 797 TrafficDirection: trafficdirection.Ingress.Uint8(), 798 }: { 799 ProxyPort: 0, 800 DerivedFromRules: nil, 801 IsDeny: false, 802 }, 803 { 804 Identity: 2, 805 DestPort: 64, 806 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 807 Nexthdr: 3, 808 TrafficDirection: trafficdirection.Ingress.Uint8(), 809 }: { 810 ProxyPort: 0, 811 DerivedFromRules: nil, 812 IsDeny: false, 813 }, 814 }), 815 wantAdds: Keys{ 816 Key{ 817 Identity: 1, 818 DestPort: 64, 819 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 820 Nexthdr: 3, 821 TrafficDirection: trafficdirection.Ingress.Uint8(), 822 }: struct{}{}, 823 }, 824 wantDeletes: Keys{ 825 Key{ 826 Identity: 1, 827 DestPort: 80, 828 Nexthdr: 3, 829 TrafficDirection: trafficdirection.Ingress.Uint8(), 830 }: struct{}{}, 831 }, 832 wantOld: map[Key]MapStateEntry{ 833 { 834 Identity: 1, 835 DestPort: 64, 836 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 837 Nexthdr: 3, 838 TrafficDirection: trafficdirection.Ingress.Uint8(), 839 }: { 840 ProxyPort: 0, 841 DerivedFromRules: nil, 842 IsDeny: false, 843 }, 844 { 845 Identity: 1, 846 DestPort: 80, 847 Nexthdr: 3, 848 TrafficDirection: trafficdirection.Ingress.Uint8(), 849 }: { 850 ProxyPort: 0, 851 DerivedFromRules: nil, 852 IsDeny: false, 853 }, 854 }, 855 }, 856 { 857 name: "test-6a - L3 egress deny KV should not overwrite any existing ingress allow", 858 ms: newMapState(map[Key]MapStateEntry{ 859 { 860 Identity: 1, 861 DestPort: 80, 862 Nexthdr: 3, 863 TrafficDirection: trafficdirection.Ingress.Uint8(), 864 }: { 865 ProxyPort: 0, 866 DerivedFromRules: nil, 867 IsDeny: false, 868 }, 869 { 870 Identity: 1, 871 DestPort: 0, 872 InvertedPortMask: 0xffff, 873 Nexthdr: 0, 874 TrafficDirection: trafficdirection.Ingress.Uint8(), 875 }: { 876 ProxyPort: 0, 877 DerivedFromRules: nil, 878 IsDeny: false, 879 }, 880 { 881 Identity: 2, 882 DestPort: 80, 883 Nexthdr: 3, 884 TrafficDirection: trafficdirection.Ingress.Uint8(), 885 }: { 886 ProxyPort: 0, 887 DerivedFromRules: nil, 888 IsDeny: false, 889 }, 890 { 891 Identity: 2, 892 DestPort: 0, 893 InvertedPortMask: 0xffff, 894 Nexthdr: 0, 895 TrafficDirection: trafficdirection.Ingress.Uint8(), 896 }: { 897 ProxyPort: 0, 898 DerivedFromRules: nil, 899 IsDeny: false, 900 }, 901 }), 902 args: args{ 903 key: Key{ 904 Identity: 1, 905 DestPort: 0, 906 InvertedPortMask: 0xffff, 907 Nexthdr: 0, 908 TrafficDirection: trafficdirection.Egress.Uint8(), 909 }, 910 entry: MapStateEntry{ 911 ProxyPort: 0, 912 DerivedFromRules: nil, 913 IsDeny: true, 914 }, 915 }, 916 want: newMapState(map[Key]MapStateEntry{ 917 { 918 Identity: 1, 919 DestPort: 80, 920 Nexthdr: 3, 921 TrafficDirection: trafficdirection.Ingress.Uint8(), 922 }: { 923 ProxyPort: 0, 924 DerivedFromRules: nil, 925 IsDeny: false, 926 }, 927 { 928 Identity: 1, 929 DestPort: 0, 930 InvertedPortMask: 0xffff, 931 Nexthdr: 0, 932 TrafficDirection: trafficdirection.Ingress.Uint8(), 933 }: { 934 ProxyPort: 0, 935 DerivedFromRules: nil, 936 IsDeny: false, 937 }, 938 { 939 Identity: 1, 940 DestPort: 0, 941 InvertedPortMask: 0xffff, 942 Nexthdr: 0, 943 TrafficDirection: trafficdirection.Egress.Uint8(), 944 }: { 945 ProxyPort: 0, 946 DerivedFromRules: nil, 947 IsDeny: true, 948 }, 949 { 950 Identity: 2, 951 DestPort: 80, 952 Nexthdr: 3, 953 TrafficDirection: trafficdirection.Ingress.Uint8(), 954 }: { 955 ProxyPort: 0, 956 DerivedFromRules: nil, 957 IsDeny: false, 958 }, 959 { 960 Identity: 2, 961 DestPort: 0, 962 InvertedPortMask: 0xffff, 963 Nexthdr: 0, 964 TrafficDirection: trafficdirection.Ingress.Uint8(), 965 }: { 966 ProxyPort: 0, 967 DerivedFromRules: nil, 968 IsDeny: false, 969 }, 970 }), 971 wantAdds: Keys{ 972 Key{ 973 Identity: 1, 974 DestPort: 0, 975 InvertedPortMask: 0xffff, 976 Nexthdr: 0, 977 TrafficDirection: trafficdirection.Egress.Uint8(), 978 }: struct{}{}, 979 }, 980 wantDeletes: Keys{}, 981 wantOld: map[Key]MapStateEntry{}, 982 }, 983 { 984 name: "test-6b - L3 egress port-range deny KV should not overwrite any existing ingress allow", 985 ms: newMapState(map[Key]MapStateEntry{ 986 { 987 Identity: 1, 988 DestPort: 80, 989 Nexthdr: 3, 990 TrafficDirection: trafficdirection.Ingress.Uint8(), 991 }: { 992 ProxyPort: 0, 993 DerivedFromRules: nil, 994 IsDeny: false, 995 }, 996 { 997 Identity: 1, 998 DestPort: 64, 999 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1000 Nexthdr: 3, 1001 TrafficDirection: trafficdirection.Ingress.Uint8(), 1002 }: { 1003 ProxyPort: 0, 1004 DerivedFromRules: nil, 1005 IsDeny: false, 1006 }, 1007 { 1008 Identity: 2, 1009 DestPort: 80, 1010 Nexthdr: 3, 1011 TrafficDirection: trafficdirection.Ingress.Uint8(), 1012 }: { 1013 ProxyPort: 0, 1014 DerivedFromRules: nil, 1015 IsDeny: false, 1016 }, 1017 { 1018 Identity: 2, 1019 DestPort: 64, 1020 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1021 Nexthdr: 3, 1022 TrafficDirection: trafficdirection.Ingress.Uint8(), 1023 }: { 1024 ProxyPort: 0, 1025 DerivedFromRules: nil, 1026 IsDeny: false, 1027 }, 1028 }), 1029 args: args{ 1030 key: Key{ 1031 Identity: 1, 1032 DestPort: 64, 1033 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1034 Nexthdr: 3, 1035 TrafficDirection: trafficdirection.Egress.Uint8(), 1036 }, 1037 entry: MapStateEntry{ 1038 ProxyPort: 0, 1039 DerivedFromRules: nil, 1040 IsDeny: true, 1041 }, 1042 }, 1043 want: newMapState(map[Key]MapStateEntry{ 1044 { 1045 Identity: 1, 1046 DestPort: 80, 1047 Nexthdr: 3, 1048 TrafficDirection: trafficdirection.Ingress.Uint8(), 1049 }: { 1050 ProxyPort: 0, 1051 DerivedFromRules: nil, 1052 IsDeny: false, 1053 }, 1054 { 1055 Identity: 1, 1056 DestPort: 64, 1057 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1058 Nexthdr: 3, 1059 TrafficDirection: trafficdirection.Ingress.Uint8(), 1060 }: { 1061 ProxyPort: 0, 1062 DerivedFromRules: nil, 1063 IsDeny: false, 1064 }, 1065 { 1066 Identity: 1, 1067 DestPort: 64, 1068 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1069 Nexthdr: 3, 1070 TrafficDirection: trafficdirection.Egress.Uint8(), 1071 }: { 1072 ProxyPort: 0, 1073 DerivedFromRules: nil, 1074 IsDeny: true, 1075 }, 1076 { 1077 Identity: 2, 1078 DestPort: 80, 1079 Nexthdr: 3, 1080 TrafficDirection: trafficdirection.Ingress.Uint8(), 1081 }: { 1082 ProxyPort: 0, 1083 DerivedFromRules: nil, 1084 IsDeny: false, 1085 }, 1086 { 1087 Identity: 2, 1088 DestPort: 64, 1089 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1090 Nexthdr: 3, 1091 TrafficDirection: trafficdirection.Ingress.Uint8(), 1092 }: { 1093 ProxyPort: 0, 1094 DerivedFromRules: nil, 1095 IsDeny: false, 1096 }, 1097 }), 1098 wantAdds: Keys{ 1099 Key{ 1100 Identity: 1, 1101 DestPort: 64, 1102 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1103 Nexthdr: 3, 1104 TrafficDirection: trafficdirection.Egress.Uint8(), 1105 }: struct{}{}, 1106 }, 1107 wantDeletes: Keys{}, 1108 wantOld: map[Key]MapStateEntry{}, 1109 }, 1110 { 1111 name: "test-7a - L3 ingress deny KV should not be overwritten by a L3-L4 ingress allow", 1112 ms: newMapState(map[Key]MapStateEntry{ 1113 { 1114 Identity: 1, 1115 DestPort: 0, 1116 InvertedPortMask: 0xffff, 1117 Nexthdr: 0, 1118 TrafficDirection: trafficdirection.Ingress.Uint8(), 1119 }: { 1120 ProxyPort: 0, 1121 DerivedFromRules: nil, 1122 IsDeny: true, 1123 }, 1124 }), 1125 args: args{ 1126 key: Key{ 1127 Identity: 1, 1128 DestPort: 80, 1129 Nexthdr: 3, 1130 TrafficDirection: trafficdirection.Ingress.Uint8(), 1131 }, 1132 entry: MapStateEntry{ 1133 ProxyPort: 0, 1134 DerivedFromRules: nil, 1135 IsDeny: false, 1136 }, 1137 }, 1138 want: newMapState(map[Key]MapStateEntry{ 1139 { 1140 Identity: 1, 1141 DestPort: 0, 1142 InvertedPortMask: 0xffff, 1143 Nexthdr: 0, 1144 TrafficDirection: trafficdirection.Ingress.Uint8(), 1145 }: { 1146 ProxyPort: 0, 1147 DerivedFromRules: nil, 1148 IsDeny: true, 1149 }, 1150 }), 1151 wantAdds: Keys{}, 1152 wantDeletes: Keys{}, 1153 wantOld: map[Key]MapStateEntry{}, 1154 }, 1155 { 1156 name: "test-7b - L3 ingress deny KV should not be overwritten by a L3-L4 port-range ingress allow", 1157 ms: newMapState(map[Key]MapStateEntry{ 1158 { 1159 Identity: 1, 1160 DestPort: 0, 1161 InvertedPortMask: 0xffff, 1162 Nexthdr: 0, 1163 TrafficDirection: trafficdirection.Ingress.Uint8(), 1164 }: { 1165 ProxyPort: 0, 1166 DerivedFromRules: nil, 1167 IsDeny: true, 1168 }, 1169 }), 1170 args: args{ 1171 key: Key{ 1172 Identity: 1, 1173 DestPort: 64, 1174 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1175 Nexthdr: 3, 1176 TrafficDirection: trafficdirection.Ingress.Uint8(), 1177 }, 1178 entry: MapStateEntry{ 1179 ProxyPort: 0, 1180 DerivedFromRules: nil, 1181 IsDeny: false, 1182 }, 1183 }, 1184 want: newMapState(map[Key]MapStateEntry{ 1185 { 1186 Identity: 1, 1187 DestPort: 0, 1188 InvertedPortMask: 0xffff, 1189 Nexthdr: 0, 1190 TrafficDirection: trafficdirection.Ingress.Uint8(), 1191 }: { 1192 ProxyPort: 0, 1193 DerivedFromRules: nil, 1194 IsDeny: true, 1195 }, 1196 }), 1197 wantAdds: Keys{}, 1198 wantDeletes: Keys{}, 1199 wantOld: map[Key]MapStateEntry{}, 1200 }, 1201 { 1202 name: "test-8a - L3 ingress deny KV should not be overwritten by a L3-L4-L7 ingress allow", 1203 ms: newMapState(map[Key]MapStateEntry{ 1204 { 1205 Identity: 1, 1206 DestPort: 0, 1207 InvertedPortMask: 0xffff, 1208 Nexthdr: 0, 1209 TrafficDirection: trafficdirection.Ingress.Uint8(), 1210 }: { 1211 ProxyPort: 0, 1212 DerivedFromRules: nil, 1213 IsDeny: true, 1214 }, 1215 }), 1216 args: args{ 1217 key: Key{ 1218 Identity: 1, 1219 DestPort: 80, 1220 Nexthdr: 3, 1221 TrafficDirection: trafficdirection.Ingress.Uint8(), 1222 }, 1223 entry: MapStateEntry{ 1224 ProxyPort: 8080, 1225 priority: 8080, 1226 DerivedFromRules: nil, 1227 IsDeny: false, 1228 }, 1229 }, 1230 want: newMapState(map[Key]MapStateEntry{ 1231 { 1232 Identity: 1, 1233 DestPort: 0, 1234 InvertedPortMask: 0xffff, 1235 Nexthdr: 0, 1236 TrafficDirection: trafficdirection.Ingress.Uint8(), 1237 }: { 1238 ProxyPort: 0, 1239 DerivedFromRules: nil, 1240 IsDeny: true, 1241 }, 1242 }), 1243 wantAdds: Keys{}, 1244 wantDeletes: Keys{}, 1245 wantOld: map[Key]MapStateEntry{}, 1246 }, 1247 { 1248 name: "test-8b - L3 ingress deny KV should not be overwritten by a L3-L4-L7 port-range ingress allow", 1249 ms: newMapState(map[Key]MapStateEntry{ 1250 { 1251 Identity: 1, 1252 DestPort: 0, 1253 InvertedPortMask: 0xffff, 1254 Nexthdr: 0, 1255 TrafficDirection: trafficdirection.Ingress.Uint8(), 1256 }: { 1257 ProxyPort: 0, 1258 DerivedFromRules: nil, 1259 IsDeny: true, 1260 }, 1261 }), 1262 args: args{ 1263 key: Key{ 1264 Identity: 1, 1265 DestPort: 64, 1266 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1267 Nexthdr: 3, 1268 TrafficDirection: trafficdirection.Ingress.Uint8(), 1269 }, 1270 entry: MapStateEntry{ 1271 ProxyPort: 8080, 1272 priority: 8080, 1273 DerivedFromRules: nil, 1274 IsDeny: false, 1275 }, 1276 }, 1277 want: newMapState(map[Key]MapStateEntry{ 1278 { 1279 Identity: 1, 1280 DestPort: 0, 1281 InvertedPortMask: 0xffff, 1282 Nexthdr: 0, 1283 TrafficDirection: trafficdirection.Ingress.Uint8(), 1284 }: { 1285 ProxyPort: 0, 1286 DerivedFromRules: nil, 1287 IsDeny: true, 1288 }, 1289 }), 1290 wantAdds: Keys{}, 1291 wantDeletes: Keys{}, 1292 wantOld: map[Key]MapStateEntry{}, 1293 }, 1294 { 1295 name: "test-9a - L3 ingress deny KV should overwrite a L3-L4-L7 ingress allow", 1296 ms: newMapState(map[Key]MapStateEntry{ 1297 { 1298 Identity: 1, 1299 DestPort: 80, 1300 Nexthdr: 3, 1301 TrafficDirection: trafficdirection.Ingress.Uint8(), 1302 }: { 1303 ProxyPort: 8080, 1304 priority: 8080, 1305 DerivedFromRules: nil, 1306 IsDeny: false, 1307 }, 1308 }), 1309 args: args{ 1310 key: Key{ 1311 Identity: 1, 1312 DestPort: 0, 1313 InvertedPortMask: 0xffff, 1314 Nexthdr: 0, 1315 TrafficDirection: trafficdirection.Ingress.Uint8(), 1316 }, 1317 entry: MapStateEntry{ 1318 ProxyPort: 0, 1319 DerivedFromRules: nil, 1320 IsDeny: true, 1321 }, 1322 }, 1323 want: newMapState(map[Key]MapStateEntry{ 1324 { 1325 Identity: 1, 1326 DestPort: 0, 1327 InvertedPortMask: 0xffff, 1328 Nexthdr: 0, 1329 TrafficDirection: trafficdirection.Ingress.Uint8(), 1330 }: { 1331 ProxyPort: 0, 1332 DerivedFromRules: nil, 1333 IsDeny: true, 1334 }, 1335 }), 1336 wantAdds: Keys{ 1337 Key{ 1338 Identity: 1, 1339 DestPort: 0, 1340 InvertedPortMask: 0xffff, 1341 Nexthdr: 0, 1342 TrafficDirection: trafficdirection.Ingress.Uint8(), 1343 }: struct{}{}, 1344 }, 1345 wantDeletes: Keys{ 1346 Key{ 1347 Identity: 1, 1348 DestPort: 80, 1349 Nexthdr: 3, 1350 TrafficDirection: trafficdirection.Ingress.Uint8(), 1351 }: struct{}{}, 1352 }, 1353 wantOld: map[Key]MapStateEntry{ 1354 { 1355 Identity: 1, 1356 DestPort: 80, 1357 Nexthdr: 3, 1358 TrafficDirection: trafficdirection.Ingress.Uint8(), 1359 }: { 1360 ProxyPort: 8080, 1361 priority: 8080, 1362 DerivedFromRules: nil, 1363 IsDeny: false, 1364 }, 1365 }, 1366 }, 1367 { 1368 name: "test-9b - L3 ingress deny KV should overwrite a L3-L4-L7 port-range ingress allow", 1369 ms: newMapState(map[Key]MapStateEntry{ 1370 { 1371 Identity: 1, 1372 DestPort: 64, 1373 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1374 Nexthdr: 3, 1375 TrafficDirection: trafficdirection.Ingress.Uint8(), 1376 }: { 1377 ProxyPort: 8080, 1378 priority: 8080, 1379 DerivedFromRules: nil, 1380 IsDeny: false, 1381 }, 1382 }), 1383 args: args{ 1384 key: Key{ 1385 Identity: 1, 1386 DestPort: 0, 1387 InvertedPortMask: 0xffff, 1388 Nexthdr: 0, 1389 TrafficDirection: trafficdirection.Ingress.Uint8(), 1390 }, 1391 entry: MapStateEntry{ 1392 ProxyPort: 0, 1393 DerivedFromRules: nil, 1394 IsDeny: true, 1395 }, 1396 }, 1397 want: newMapState(map[Key]MapStateEntry{ 1398 { 1399 Identity: 1, 1400 DestPort: 0, 1401 InvertedPortMask: 0xffff, 1402 Nexthdr: 0, 1403 TrafficDirection: trafficdirection.Ingress.Uint8(), 1404 }: { 1405 ProxyPort: 0, 1406 DerivedFromRules: nil, 1407 IsDeny: true, 1408 }, 1409 }), 1410 wantAdds: Keys{ 1411 Key{ 1412 Identity: 1, 1413 DestPort: 0, 1414 InvertedPortMask: 0xffff, 1415 Nexthdr: 0, 1416 TrafficDirection: trafficdirection.Ingress.Uint8(), 1417 }: struct{}{}, 1418 }, 1419 wantDeletes: Keys{ 1420 Key{ 1421 Identity: 1, 1422 DestPort: 64, 1423 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1424 Nexthdr: 3, 1425 TrafficDirection: trafficdirection.Ingress.Uint8(), 1426 }: struct{}{}, 1427 }, 1428 wantOld: map[Key]MapStateEntry{ 1429 { 1430 Identity: 1, 1431 DestPort: 64, 1432 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1433 Nexthdr: 3, 1434 TrafficDirection: trafficdirection.Ingress.Uint8(), 1435 }: { 1436 ProxyPort: 8080, 1437 priority: 8080, 1438 DerivedFromRules: nil, 1439 IsDeny: false, 1440 }, 1441 }, 1442 }, 1443 { 1444 name: "test-10a - L3 ingress deny KV should overwrite a L3-L4-L7 ingress allow and a L3-L4 deny", 1445 ms: newMapState(map[Key]MapStateEntry{ 1446 { 1447 Identity: 1, 1448 DestPort: 80, 1449 Nexthdr: 3, 1450 TrafficDirection: trafficdirection.Ingress.Uint8(), 1451 }: { 1452 ProxyPort: 8080, 1453 priority: 8080, 1454 DerivedFromRules: nil, 1455 IsDeny: false, 1456 }, 1457 { 1458 Identity: 1, 1459 DestPort: 80, 1460 Nexthdr: 3, 1461 TrafficDirection: trafficdirection.Ingress.Uint8(), 1462 }: { 1463 ProxyPort: 0, 1464 DerivedFromRules: nil, 1465 IsDeny: true, 1466 }, 1467 }), 1468 args: args{ 1469 key: Key{ 1470 Identity: 1, 1471 DestPort: 0, 1472 InvertedPortMask: 0xffff, 1473 Nexthdr: 0, 1474 TrafficDirection: trafficdirection.Ingress.Uint8(), 1475 }, 1476 entry: MapStateEntry{ 1477 ProxyPort: 0, 1478 DerivedFromRules: nil, 1479 IsDeny: true, 1480 }, 1481 }, 1482 want: newMapState(map[Key]MapStateEntry{ 1483 { 1484 Identity: 1, 1485 DestPort: 0, 1486 InvertedPortMask: 0xffff, 1487 Nexthdr: 0, 1488 TrafficDirection: trafficdirection.Ingress.Uint8(), 1489 }: { 1490 ProxyPort: 0, 1491 DerivedFromRules: nil, 1492 IsDeny: true, 1493 }, 1494 }), 1495 wantAdds: Keys{ 1496 Key{ 1497 Identity: 1, 1498 DestPort: 0, 1499 InvertedPortMask: 0xffff, 1500 Nexthdr: 0, 1501 TrafficDirection: trafficdirection.Ingress.Uint8(), 1502 }: struct{}{}, 1503 }, 1504 wantDeletes: Keys{ 1505 Key{ 1506 Identity: 1, 1507 DestPort: 80, 1508 Nexthdr: 3, 1509 TrafficDirection: trafficdirection.Ingress.Uint8(), 1510 }: struct{}{}, 1511 Key{ 1512 Identity: 1, 1513 DestPort: 80, 1514 Nexthdr: 3, 1515 TrafficDirection: trafficdirection.Ingress.Uint8(), 1516 }: struct{}{}, 1517 }, 1518 wantOld: map[Key]MapStateEntry{ 1519 { 1520 Identity: 1, 1521 DestPort: 80, 1522 Nexthdr: 3, 1523 TrafficDirection: trafficdirection.Ingress.Uint8(), 1524 }: { 1525 ProxyPort: 8080, 1526 priority: 8080, 1527 DerivedFromRules: nil, 1528 IsDeny: false, 1529 }, 1530 { 1531 Identity: 1, 1532 DestPort: 80, 1533 Nexthdr: 3, 1534 TrafficDirection: trafficdirection.Ingress.Uint8(), 1535 }: { 1536 ProxyPort: 0, 1537 DerivedFromRules: nil, 1538 IsDeny: true, 1539 }, 1540 }, 1541 }, 1542 { 1543 name: "test-10b - L3 ingress deny KV should overwrite a L3-L4-L7 port-range ingress allow and a L3-L4 port-range deny", 1544 ms: newMapState(map[Key]MapStateEntry{ 1545 { 1546 Identity: 1, 1547 DestPort: 64, 1548 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1549 Nexthdr: 3, 1550 TrafficDirection: trafficdirection.Ingress.Uint8(), 1551 }: { 1552 ProxyPort: 8080, 1553 priority: 8080, 1554 DerivedFromRules: nil, 1555 IsDeny: false, 1556 }, 1557 { 1558 Identity: 1, 1559 DestPort: 64, 1560 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1561 Nexthdr: 3, 1562 TrafficDirection: trafficdirection.Ingress.Uint8(), 1563 }: { 1564 ProxyPort: 0, 1565 DerivedFromRules: nil, 1566 IsDeny: true, 1567 }, 1568 }), 1569 args: args{ 1570 key: Key{ 1571 Identity: 1, 1572 DestPort: 0, 1573 InvertedPortMask: 0xffff, 1574 Nexthdr: 0, 1575 TrafficDirection: trafficdirection.Ingress.Uint8(), 1576 }, 1577 entry: MapStateEntry{ 1578 ProxyPort: 0, 1579 DerivedFromRules: nil, 1580 IsDeny: true, 1581 }, 1582 }, 1583 want: newMapState(map[Key]MapStateEntry{ 1584 { 1585 Identity: 1, 1586 DestPort: 0, 1587 InvertedPortMask: 0xffff, 1588 Nexthdr: 0, 1589 TrafficDirection: trafficdirection.Ingress.Uint8(), 1590 }: { 1591 ProxyPort: 0, 1592 DerivedFromRules: nil, 1593 IsDeny: true, 1594 }, 1595 }), 1596 wantAdds: Keys{ 1597 Key{ 1598 Identity: 1, 1599 DestPort: 0, 1600 InvertedPortMask: 0xffff, 1601 Nexthdr: 0, 1602 TrafficDirection: trafficdirection.Ingress.Uint8(), 1603 }: struct{}{}, 1604 }, 1605 wantDeletes: Keys{ 1606 Key{ 1607 Identity: 1, 1608 DestPort: 64, 1609 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1610 Nexthdr: 3, 1611 TrafficDirection: trafficdirection.Ingress.Uint8(), 1612 }: struct{}{}, 1613 Key{ 1614 Identity: 1, 1615 DestPort: 64, 1616 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1617 Nexthdr: 3, 1618 TrafficDirection: trafficdirection.Ingress.Uint8(), 1619 }: struct{}{}, 1620 }, 1621 wantOld: map[Key]MapStateEntry{ 1622 { 1623 Identity: 1, 1624 DestPort: 64, 1625 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1626 Nexthdr: 3, 1627 TrafficDirection: trafficdirection.Ingress.Uint8(), 1628 }: { 1629 ProxyPort: 8080, 1630 priority: 8080, 1631 DerivedFromRules: nil, 1632 IsDeny: false, 1633 }, 1634 { 1635 Identity: 1, 1636 DestPort: 64, 1637 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1638 Nexthdr: 3, 1639 TrafficDirection: trafficdirection.Ingress.Uint8(), 1640 }: { 1641 ProxyPort: 0, 1642 DerivedFromRules: nil, 1643 IsDeny: true, 1644 }, 1645 }, 1646 }, 1647 { 1648 name: "test-11a - L3 ingress allow should not be allowed if there is a L3 'all' deny", 1649 ms: newMapState(map[Key]MapStateEntry{ 1650 { 1651 Identity: 1, 1652 DestPort: 80, 1653 Nexthdr: 3, 1654 TrafficDirection: trafficdirection.Egress.Uint8(), 1655 }: { 1656 ProxyPort: 8080, 1657 priority: 8080, 1658 DerivedFromRules: nil, 1659 IsDeny: false, 1660 }, 1661 { 1662 Identity: 0, 1663 DestPort: 0, 1664 InvertedPortMask: 0xffff, 1665 Nexthdr: 0, 1666 TrafficDirection: trafficdirection.Ingress.Uint8(), 1667 }: { 1668 ProxyPort: 0, 1669 DerivedFromRules: nil, 1670 IsDeny: true, 1671 }, 1672 }), 1673 args: args{ 1674 key: Key{ 1675 Identity: 100, 1676 DestPort: 0, 1677 InvertedPortMask: 0xffff, 1678 Nexthdr: 0, 1679 TrafficDirection: trafficdirection.Ingress.Uint8(), 1680 }, 1681 entry: MapStateEntry{ 1682 ProxyPort: 0, 1683 DerivedFromRules: nil, 1684 IsDeny: false, 1685 }, 1686 }, 1687 want: newMapState(map[Key]MapStateEntry{ 1688 { 1689 Identity: 1, 1690 DestPort: 80, 1691 Nexthdr: 3, 1692 TrafficDirection: trafficdirection.Egress.Uint8(), 1693 }: { 1694 ProxyPort: 8080, 1695 priority: 8080, 1696 DerivedFromRules: nil, 1697 IsDeny: false, 1698 }, 1699 { 1700 Identity: 0, 1701 DestPort: 0, 1702 InvertedPortMask: 0xffff, 1703 Nexthdr: 0, 1704 TrafficDirection: trafficdirection.Ingress.Uint8(), 1705 }: { 1706 ProxyPort: 0, 1707 DerivedFromRules: nil, 1708 IsDeny: true, 1709 }, 1710 }), 1711 wantAdds: Keys{}, 1712 wantDeletes: Keys{}, 1713 wantOld: map[Key]MapStateEntry{}, 1714 }, 1715 { 1716 name: "test-11b - L3 ingress allow should not be allowed if there is a L3 'all' deny", 1717 ms: newMapState(map[Key]MapStateEntry{ 1718 { 1719 Identity: 1, 1720 DestPort: 64, 1721 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1722 Nexthdr: 3, 1723 TrafficDirection: trafficdirection.Egress.Uint8(), 1724 }: { 1725 ProxyPort: 8080, 1726 priority: 8080, 1727 DerivedFromRules: nil, 1728 IsDeny: false, 1729 }, 1730 { 1731 Identity: 0, 1732 DestPort: 0, 1733 InvertedPortMask: 0xffff, 1734 Nexthdr: 0, 1735 TrafficDirection: trafficdirection.Ingress.Uint8(), 1736 }: { 1737 ProxyPort: 0, 1738 DerivedFromRules: nil, 1739 IsDeny: true, 1740 }, 1741 }), 1742 args: args{ 1743 key: Key{ 1744 Identity: 100, 1745 DestPort: 0, 1746 InvertedPortMask: 0xffff, 1747 Nexthdr: 0, 1748 TrafficDirection: trafficdirection.Ingress.Uint8(), 1749 }, 1750 entry: MapStateEntry{ 1751 ProxyPort: 0, 1752 DerivedFromRules: nil, 1753 IsDeny: false, 1754 }, 1755 }, 1756 want: newMapState(map[Key]MapStateEntry{ 1757 { 1758 Identity: 1, 1759 DestPort: 64, 1760 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1761 Nexthdr: 3, 1762 TrafficDirection: trafficdirection.Egress.Uint8(), 1763 }: { 1764 ProxyPort: 8080, 1765 priority: 8080, 1766 DerivedFromRules: nil, 1767 IsDeny: false, 1768 }, 1769 { 1770 Identity: 0, 1771 DestPort: 0, 1772 InvertedPortMask: 0xffff, 1773 Nexthdr: 0, 1774 TrafficDirection: trafficdirection.Ingress.Uint8(), 1775 }: { 1776 ProxyPort: 0, 1777 DerivedFromRules: nil, 1778 IsDeny: true, 1779 }, 1780 }), 1781 wantAdds: Keys{}, 1782 wantDeletes: Keys{}, 1783 wantOld: map[Key]MapStateEntry{}, 1784 }, 1785 { 1786 name: "test-12a - inserting a L3 'all' deny should delete all entries for that direction", 1787 ms: newMapState(map[Key]MapStateEntry{ 1788 { 1789 Identity: 1, 1790 DestPort: 80, 1791 Nexthdr: 3, 1792 TrafficDirection: trafficdirection.Ingress.Uint8(), 1793 }: { 1794 ProxyPort: 8080, 1795 priority: 8080, 1796 DerivedFromRules: nil, 1797 IsDeny: false, 1798 }, 1799 { 1800 Identity: 1, 1801 DestPort: 5, 1802 Nexthdr: 3, 1803 TrafficDirection: trafficdirection.Ingress.Uint8(), 1804 }: { 1805 ProxyPort: 8080, 1806 priority: 8080, 1807 DerivedFromRules: nil, 1808 IsDeny: false, 1809 }, 1810 { 1811 Identity: 100, 1812 DestPort: 5, 1813 Nexthdr: 3, 1814 TrafficDirection: trafficdirection.Egress.Uint8(), 1815 }: { 1816 ProxyPort: 8080, 1817 priority: 8080, 1818 DerivedFromRules: nil, 1819 IsDeny: true, 1820 }, 1821 }), 1822 args: args{ 1823 key: Key{ 1824 Identity: 0, 1825 DestPort: 0, 1826 InvertedPortMask: 0xffff, 1827 Nexthdr: 0, 1828 TrafficDirection: trafficdirection.Ingress.Uint8(), 1829 }, 1830 entry: MapStateEntry{ 1831 ProxyPort: 0, 1832 DerivedFromRules: nil, 1833 IsDeny: true, 1834 }, 1835 }, 1836 want: newMapState(map[Key]MapStateEntry{ 1837 { 1838 Identity: 0, 1839 DestPort: 0, 1840 InvertedPortMask: 0xffff, 1841 Nexthdr: 0, 1842 TrafficDirection: trafficdirection.Ingress.Uint8(), 1843 }: { 1844 ProxyPort: 0, 1845 DerivedFromRules: nil, 1846 IsDeny: true, 1847 }, 1848 { 1849 Identity: 100, 1850 DestPort: 5, 1851 Nexthdr: 3, 1852 TrafficDirection: trafficdirection.Egress.Uint8(), 1853 }: { 1854 ProxyPort: 8080, 1855 priority: 8080, 1856 DerivedFromRules: nil, 1857 IsDeny: true, 1858 }, 1859 }), 1860 wantAdds: Keys{ 1861 Key{ 1862 Identity: 0, 1863 DestPort: 0, 1864 InvertedPortMask: 0xffff, 1865 Nexthdr: 0, 1866 TrafficDirection: trafficdirection.Ingress.Uint8(), 1867 }: struct{}{}, 1868 }, 1869 wantDeletes: Keys{ 1870 Key{ 1871 Identity: 1, 1872 DestPort: 80, 1873 Nexthdr: 3, 1874 TrafficDirection: trafficdirection.Ingress.Uint8(), 1875 }: struct{}{}, 1876 Key{ 1877 Identity: 1, 1878 DestPort: 5, 1879 Nexthdr: 3, 1880 TrafficDirection: trafficdirection.Ingress.Uint8(), 1881 }: struct{}{}, 1882 }, 1883 wantOld: map[Key]MapStateEntry{ 1884 { 1885 Identity: 1, 1886 DestPort: 80, 1887 Nexthdr: 3, 1888 TrafficDirection: trafficdirection.Ingress.Uint8(), 1889 }: { 1890 ProxyPort: 8080, 1891 priority: 8080, 1892 DerivedFromRules: nil, 1893 IsDeny: false, 1894 }, 1895 { 1896 Identity: 1, 1897 DestPort: 5, 1898 Nexthdr: 3, 1899 TrafficDirection: trafficdirection.Ingress.Uint8(), 1900 }: { 1901 ProxyPort: 8080, 1902 priority: 8080, 1903 DerivedFromRules: nil, 1904 IsDeny: false, 1905 }, 1906 }, 1907 }, 1908 { 1909 name: "test-12b - inserting a L3 'all' deny should delete all entries for that direction (including port ranges)", 1910 ms: newMapState(map[Key]MapStateEntry{ 1911 { 1912 Identity: 1, 1913 DestPort: 64, 1914 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 1915 Nexthdr: 3, 1916 TrafficDirection: trafficdirection.Ingress.Uint8(), 1917 }: { 1918 ProxyPort: 8080, 1919 priority: 8080, 1920 DerivedFromRules: nil, 1921 IsDeny: false, 1922 }, 1923 { 1924 Identity: 1, 1925 DestPort: 4, 1926 InvertedPortMask: ^uint16(0xfffc), // port range 4-7 1927 Nexthdr: 3, 1928 TrafficDirection: trafficdirection.Ingress.Uint8(), 1929 }: { 1930 ProxyPort: 8080, 1931 priority: 8080, 1932 DerivedFromRules: nil, 1933 IsDeny: false, 1934 }, 1935 { 1936 Identity: 100, 1937 DestPort: 4, 1938 InvertedPortMask: ^uint16(0xfffc), // port range 4-7 1939 Nexthdr: 3, 1940 TrafficDirection: trafficdirection.Egress.Uint8(), 1941 }: { 1942 ProxyPort: 8080, 1943 priority: 8080, 1944 DerivedFromRules: nil, 1945 IsDeny: true, 1946 }, 1947 }), 1948 args: args{ 1949 key: Key{ 1950 Identity: 0, 1951 DestPort: 0, 1952 InvertedPortMask: 0xffff, 1953 Nexthdr: 0, 1954 TrafficDirection: trafficdirection.Ingress.Uint8(), 1955 }, 1956 entry: MapStateEntry{ 1957 ProxyPort: 0, 1958 DerivedFromRules: nil, 1959 IsDeny: true, 1960 }, 1961 }, 1962 want: newMapState(map[Key]MapStateEntry{ 1963 { 1964 Identity: 0, 1965 DestPort: 0, 1966 InvertedPortMask: 0xffff, 1967 Nexthdr: 0, 1968 TrafficDirection: trafficdirection.Ingress.Uint8(), 1969 }: { 1970 ProxyPort: 0, 1971 DerivedFromRules: nil, 1972 IsDeny: true, 1973 }, 1974 { 1975 Identity: 100, 1976 DestPort: 4, 1977 InvertedPortMask: ^uint16(0xfffc), // port range 4-7 1978 Nexthdr: 3, 1979 TrafficDirection: trafficdirection.Egress.Uint8(), 1980 }: { 1981 ProxyPort: 8080, 1982 priority: 8080, 1983 DerivedFromRules: nil, 1984 IsDeny: true, 1985 }, 1986 }), 1987 wantAdds: Keys{ 1988 Key{ 1989 Identity: 0, 1990 DestPort: 0, 1991 InvertedPortMask: 0xffff, 1992 Nexthdr: 0, 1993 TrafficDirection: trafficdirection.Ingress.Uint8(), 1994 }: struct{}{}, 1995 }, 1996 wantDeletes: Keys{ 1997 Key{ 1998 Identity: 1, 1999 DestPort: 64, 2000 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 2001 Nexthdr: 3, 2002 TrafficDirection: trafficdirection.Ingress.Uint8(), 2003 }: struct{}{}, 2004 Key{ 2005 Identity: 1, 2006 DestPort: 4, 2007 InvertedPortMask: ^uint16(0xfffc), // port range 4-7 2008 Nexthdr: 3, 2009 TrafficDirection: trafficdirection.Ingress.Uint8(), 2010 }: struct{}{}, 2011 }, 2012 wantOld: map[Key]MapStateEntry{ 2013 { 2014 Identity: 1, 2015 DestPort: 64, 2016 InvertedPortMask: ^uint16(0xffc0), // port range 64-127 2017 Nexthdr: 3, 2018 TrafficDirection: trafficdirection.Ingress.Uint8(), 2019 }: { 2020 ProxyPort: 8080, 2021 priority: 8080, 2022 DerivedFromRules: nil, 2023 IsDeny: false, 2024 }, 2025 { 2026 Identity: 1, 2027 DestPort: 4, 2028 InvertedPortMask: ^uint16(0xfffc), // port range 4-7 2029 Nexthdr: 3, 2030 TrafficDirection: trafficdirection.Ingress.Uint8(), 2031 }: { 2032 ProxyPort: 8080, 2033 priority: 8080, 2034 DerivedFromRules: nil, 2035 IsDeny: false, 2036 }, 2037 }, 2038 }, 2039 { 2040 name: "test-13a - L3-L4-L7 ingress allow should overwrite a L3-L4-L7 ingress allow due to lower priority", 2041 ms: newMapState(map[Key]MapStateEntry{ 2042 { 2043 Identity: 1, 2044 DestPort: 80, 2045 Nexthdr: 3, 2046 TrafficDirection: trafficdirection.Ingress.Uint8(), 2047 }: { 2048 ProxyPort: 8080, 2049 priority: 8080, 2050 Listener: "listener1", 2051 }, 2052 }), 2053 args: args{ 2054 key: Key{ 2055 Identity: 1, 2056 DestPort: 80, 2057 Nexthdr: 3, 2058 TrafficDirection: trafficdirection.Ingress.Uint8(), 2059 }, 2060 entry: MapStateEntry{ 2061 ProxyPort: 9090, 2062 priority: 1, 2063 Listener: "listener2", 2064 }, 2065 }, 2066 want: newMapState(map[Key]MapStateEntry{ 2067 { 2068 Identity: 1, 2069 DestPort: 80, 2070 Nexthdr: 3, 2071 TrafficDirection: trafficdirection.Ingress.Uint8(), 2072 }: { 2073 ProxyPort: 9090, 2074 priority: 1, 2075 Listener: "listener2", 2076 }, 2077 }), 2078 wantAdds: Keys{ 2079 Key{ 2080 Identity: 1, 2081 DestPort: 80, 2082 Nexthdr: 3, 2083 TrafficDirection: trafficdirection.Ingress.Uint8(), 2084 }: struct{}{}, 2085 }, 2086 wantDeletes: Keys{}, 2087 wantOld: map[Key]MapStateEntry{ 2088 { 2089 Identity: 1, 2090 DestPort: 80, 2091 Nexthdr: 3, 2092 TrafficDirection: trafficdirection.Ingress.Uint8(), 2093 }: { 2094 ProxyPort: 8080, 2095 priority: 8080, 2096 Listener: "listener1", 2097 }, 2098 }, 2099 }, 2100 { 2101 name: "test-13b - L3-L4-L7 port-range ingress allow should overwrite a L3-L4-L7 port-range ingress allow due to lower priority", 2102 ms: newMapState(map[Key]MapStateEntry{ 2103 { 2104 Identity: 1, 2105 DestPort: 64, 2106 InvertedPortMask: ^uint16(0xffc0), 2107 Nexthdr: 3, 2108 TrafficDirection: trafficdirection.Ingress.Uint8(), 2109 }: { 2110 ProxyPort: 8080, 2111 priority: 8080, 2112 Listener: "listener1", 2113 }, 2114 }), 2115 args: args{ 2116 key: Key{ 2117 Identity: 1, 2118 DestPort: 64, 2119 InvertedPortMask: ^uint16(0xffc0), 2120 Nexthdr: 3, 2121 TrafficDirection: trafficdirection.Ingress.Uint8(), 2122 }, 2123 entry: MapStateEntry{ 2124 ProxyPort: 9090, 2125 priority: 1, 2126 Listener: "listener2", 2127 }, 2128 }, 2129 want: newMapState(map[Key]MapStateEntry{ 2130 { 2131 Identity: 1, 2132 DestPort: 64, 2133 InvertedPortMask: ^uint16(0xffc0), 2134 Nexthdr: 3, 2135 TrafficDirection: trafficdirection.Ingress.Uint8(), 2136 }: { 2137 ProxyPort: 9090, 2138 priority: 1, 2139 Listener: "listener2", 2140 }, 2141 }), 2142 wantAdds: Keys{ 2143 Key{ 2144 Identity: 1, 2145 DestPort: 64, 2146 InvertedPortMask: ^uint16(0xffc0), 2147 Nexthdr: 3, 2148 TrafficDirection: trafficdirection.Ingress.Uint8(), 2149 }: struct{}{}, 2150 }, 2151 wantDeletes: Keys{}, 2152 wantOld: map[Key]MapStateEntry{ 2153 { 2154 Identity: 1, 2155 DestPort: 64, 2156 InvertedPortMask: ^uint16(0xffc0), 2157 Nexthdr: 3, 2158 TrafficDirection: trafficdirection.Ingress.Uint8(), 2159 }: { 2160 ProxyPort: 8080, 2161 priority: 8080, 2162 Listener: "listener1", 2163 }, 2164 }, 2165 }, 2166 { 2167 name: "test-14a - L4-L7 ingress allow should overwrite a L3-L4-L7 ingress allow due to lower priority on the same port", 2168 ms: newMapState(map[Key]MapStateEntry{ 2169 { 2170 Identity: 1, 2171 DestPort: 80, 2172 Nexthdr: 3, 2173 TrafficDirection: trafficdirection.Ingress.Uint8(), 2174 }: { 2175 ProxyPort: 8080, 2176 priority: 8080, 2177 Listener: "listener1", 2178 }, 2179 }), 2180 args: args{ 2181 key: Key{ 2182 Identity: 1, 2183 DestPort: 80, 2184 Nexthdr: 3, 2185 TrafficDirection: trafficdirection.Ingress.Uint8(), 2186 }, 2187 entry: MapStateEntry{ 2188 ProxyPort: 8080, 2189 priority: 1, 2190 Listener: "listener1", 2191 }, 2192 }, 2193 want: newMapState(map[Key]MapStateEntry{ 2194 { 2195 Identity: 1, 2196 DestPort: 80, 2197 Nexthdr: 3, 2198 TrafficDirection: trafficdirection.Ingress.Uint8(), 2199 }: { 2200 ProxyPort: 8080, 2201 priority: 1, 2202 Listener: "listener1", 2203 }, 2204 }), 2205 wantAdds: Keys{}, 2206 wantDeletes: Keys{}, 2207 wantOld: map[Key]MapStateEntry{ 2208 { 2209 Identity: 1, 2210 DestPort: 80, 2211 Nexthdr: 3, 2212 TrafficDirection: trafficdirection.Ingress.Uint8(), 2213 }: { 2214 ProxyPort: 8080, 2215 priority: 8080, 2216 Listener: "listener1", 2217 }, 2218 }, 2219 }, 2220 { 2221 name: "test-14b - L4-L7 port-range ingress allow should overwrite a L3-L4-L7 port-range ingress allow due to lower priority on the same port", 2222 ms: newMapState(map[Key]MapStateEntry{ 2223 { 2224 Identity: 1, 2225 DestPort: 64, 2226 InvertedPortMask: ^uint16(0xffc0), 2227 Nexthdr: 3, 2228 TrafficDirection: trafficdirection.Ingress.Uint8(), 2229 }: { 2230 ProxyPort: 8080, 2231 priority: 8080, 2232 Listener: "listener1", 2233 }, 2234 }), 2235 args: args{ 2236 key: Key{ 2237 Identity: 1, 2238 DestPort: 64, 2239 InvertedPortMask: ^uint16(0xffc0), 2240 Nexthdr: 3, 2241 TrafficDirection: trafficdirection.Ingress.Uint8(), 2242 }, 2243 entry: MapStateEntry{ 2244 ProxyPort: 8080, 2245 priority: 1, 2246 Listener: "listener1", 2247 }, 2248 }, 2249 want: newMapState(map[Key]MapStateEntry{ 2250 { 2251 Identity: 1, 2252 DestPort: 64, 2253 InvertedPortMask: ^uint16(0xffc0), 2254 Nexthdr: 3, 2255 TrafficDirection: trafficdirection.Ingress.Uint8(), 2256 }: { 2257 ProxyPort: 8080, 2258 priority: 1, 2259 Listener: "listener1", 2260 }, 2261 }), 2262 wantAdds: Keys{}, 2263 wantDeletes: Keys{}, 2264 wantOld: map[Key]MapStateEntry{ 2265 { 2266 Identity: 1, 2267 DestPort: 64, 2268 InvertedPortMask: ^uint16(0xffc0), 2269 Nexthdr: 3, 2270 TrafficDirection: trafficdirection.Ingress.Uint8(), 2271 }: { 2272 ProxyPort: 8080, 2273 priority: 8080, 2274 Listener: "listener1", 2275 }, 2276 }, 2277 }, 2278 } 2279 for _, tt := range tests { 2280 changes := ChangeState{ 2281 Adds: make(Keys), 2282 Deletes: make(Keys), 2283 Old: make(map[Key]MapStateEntry), 2284 } 2285 // copy the starting point 2286 ms := newMapState(make(map[Key]MapStateEntry, tt.ms.Len())) 2287 tt.ms.ForEach(func(k Key, v MapStateEntry) bool { 2288 ms.Insert(k, v) 2289 return true 2290 }) 2291 2292 ms.denyPreferredInsertWithChanges(tt.args.key, tt.args.entry, nil, denyRules, changes) 2293 ms.validatePortProto(t) 2294 require.Truef(t, ms.Equals(tt.want), "%s: MapState mismatch:\n%s", tt.name, ms.Diff(tt.want)) 2295 require.EqualValuesf(t, tt.wantAdds, changes.Adds, "%s: Adds mismatch", tt.name) 2296 require.EqualValuesf(t, tt.wantDeletes, changes.Deletes, "%s: Deletes mismatch", tt.name) 2297 require.EqualValuesf(t, tt.wantOld, changes.Old, "%s: OldValues mismatch allows", tt.name) 2298 2299 // Revert changes and check that we get the original mapstate 2300 ms.RevertChanges(changes) 2301 require.Truef(t, ms.Equals(tt.ms), "%s: MapState mismatch:\n%s", tt.name, ms.Diff(tt.ms)) 2302 } 2303 } 2304 2305 func testKey(id int, port uint16, proto uint8, direction trafficdirection.TrafficDirection) Key { 2306 var invertedPortMask uint16 2307 if port == 0 { 2308 invertedPortMask = 0xffff 2309 } 2310 return Key{ 2311 Identity: uint32(id), 2312 DestPort: port, 2313 InvertedPortMask: invertedPortMask, 2314 Nexthdr: proto, 2315 TrafficDirection: direction.Uint8(), 2316 } 2317 } 2318 2319 func testIngressKey(id int, port uint16, proto uint8) Key { 2320 return testKey(id, port, proto, trafficdirection.Ingress) 2321 } 2322 2323 func testEgressKey(id int, port uint16, proto uint8) Key { 2324 return testKey(id, port, proto, trafficdirection.Egress) 2325 } 2326 2327 func DNSUDPEgressKey(id int) Key { 2328 return testEgressKey(id, 53, 17) 2329 } 2330 2331 func DNSTCPEgressKey(id int) Key { 2332 return testEgressKey(id, 53, 6) 2333 } 2334 2335 func HostIngressKey() Key { 2336 return testIngressKey(1, 0, 0) 2337 } 2338 2339 func AnyIngressKey() Key { 2340 return testIngressKey(0, 0, 0) 2341 } 2342 2343 func AnyEgressKey() Key { 2344 return testEgressKey(0, 0, 0) 2345 } 2346 2347 func HttpIngressKey(id int) Key { 2348 return testIngressKey(id, 80, 6) 2349 } 2350 2351 func HttpEgressKey(id int) Key { 2352 return testEgressKey(id, 80, 6) 2353 } 2354 2355 func allowEntry(proxyPort uint16, owners ...MapStateOwner) MapStateEntry { 2356 return testEntry(proxyPort, false, AuthTypeDisabled, owners...) 2357 } 2358 2359 func denyEntry(proxyPort uint16, owners ...MapStateOwner) MapStateEntry { 2360 return testEntry(proxyPort, true, AuthTypeDisabled, owners...) 2361 } 2362 2363 func testEntry(proxyPort uint16, deny bool, authType AuthType, owners ...MapStateOwner) MapStateEntry { 2364 listener := "" 2365 entry := MapStateEntry{ 2366 ProxyPort: proxyPort, 2367 priority: proxyPort, 2368 Listener: listener, 2369 AuthType: authType, 2370 IsDeny: deny, 2371 } 2372 entry.owners = make(map[MapStateOwner]struct{}, len(owners)) 2373 for _, owner := range owners { 2374 entry.owners[owner] = struct{}{} 2375 } 2376 return entry 2377 } 2378 2379 func allowEntryD(proxyPort uint16, derivedFrom labels.LabelArrayList, owners ...MapStateOwner) MapStateEntry { 2380 return testEntryD(proxyPort, false, AuthTypeDisabled, derivedFrom, owners...) 2381 } 2382 2383 func testEntryD(proxyPort uint16, deny bool, authType AuthType, derivedFrom labels.LabelArrayList, owners ...MapStateOwner) MapStateEntry { 2384 entry := testEntry(proxyPort, deny, authType, owners...) 2385 entry.DerivedFromRules = derivedFrom 2386 return entry 2387 } 2388 2389 func TestMapState_AccumulateMapChangesDeny(t *testing.T) { 2390 csFoo := newTestCachedSelector("Foo", false) 2391 csBar := newTestCachedSelector("Bar", false) 2392 2393 type args struct { 2394 cs *testCachedSelector 2395 adds []int 2396 deletes []int 2397 port uint16 2398 proto uint8 2399 ingress bool 2400 redirect bool 2401 deny bool 2402 } 2403 tests := []struct { 2404 continued bool // Start from the end state of the previous test 2405 name string 2406 setup *mapState 2407 args []args // changes applied, in order 2408 state MapState 2409 adds Keys 2410 deletes Keys 2411 }{{ 2412 name: "test-1a - Adding L3-deny to an existing allow-all with L4-only allow redirect map state entries", 2413 setup: newMapState(map[Key]MapStateEntry{ 2414 AnyIngressKey(): allowEntry(0), 2415 HttpIngressKey(0): allowEntry(12345, nil), 2416 }), 2417 args: []args{ 2418 {cs: csFoo, adds: []int{41}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 2419 }, 2420 state: newMapState(map[Key]MapStateEntry{ 2421 AnyIngressKey(): allowEntry(0), 2422 testIngressKey(41, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(41)), 2423 HttpIngressKey(0): allowEntry(12345, nil), 2424 HttpIngressKey(41): denyEntry(0).WithOwners(testIngressKey(41, 0, 0)), 2425 }), 2426 adds: Keys{ 2427 testIngressKey(41, 0, 0): {}, 2428 HttpIngressKey(41): {}, 2429 }, 2430 deletes: Keys{}, 2431 }, { 2432 continued: true, 2433 name: "test-1b - Adding 2nd identity", 2434 args: []args{ 2435 {cs: csFoo, adds: []int{42}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 2436 }, 2437 state: newMapState(map[Key]MapStateEntry{ 2438 AnyIngressKey(): allowEntry(0), 2439 testIngressKey(41, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(41)), 2440 testIngressKey(42, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(42)), 2441 HttpIngressKey(0): allowEntry(12345, nil), 2442 HttpIngressKey(41): denyEntry(0).WithOwners(testIngressKey(41, 0, 0)), 2443 HttpIngressKey(42): denyEntry(0).WithOwners(testIngressKey(42, 0, 0)), 2444 }), 2445 adds: Keys{ 2446 testIngressKey(42, 0, 0): {}, 2447 HttpIngressKey(42): {}, 2448 }, 2449 deletes: Keys{}, 2450 }, { 2451 continued: true, 2452 name: "test-1c - Removing the same key", 2453 args: []args{ 2454 {cs: csFoo, adds: nil, deletes: []int{42}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 2455 }, 2456 state: newMapState(map[Key]MapStateEntry{ 2457 AnyIngressKey(): allowEntry(0), 2458 testIngressKey(41, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(41)), 2459 HttpIngressKey(0): allowEntry(12345, nil), 2460 HttpIngressKey(41): denyEntry(0).WithOwners(testIngressKey(41, 0, 0)), 2461 }), 2462 adds: Keys{}, 2463 deletes: Keys{ 2464 testIngressKey(42, 0, 0): {}, 2465 HttpIngressKey(42): {}, 2466 }, 2467 }, { 2468 name: "test-2a - Adding 2 identities, and deleting a nonexisting key on an empty state", 2469 args: []args{ 2470 {cs: csFoo, adds: []int{42, 43}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: true}, 2471 }, 2472 state: newMapState(map[Key]MapStateEntry{ 2473 HttpIngressKey(42): denyEntry(0, csFoo), 2474 HttpIngressKey(43): denyEntry(0, csFoo), 2475 }), 2476 adds: Keys{ 2477 HttpIngressKey(42): {}, 2478 HttpIngressKey(43): {}, 2479 }, 2480 deletes: Keys{}, 2481 }, { 2482 continued: true, 2483 name: "test-2b - Adding Bar also selecting 42", 2484 args: []args{ 2485 {cs: csBar, adds: []int{42, 44}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: true}, 2486 }, 2487 state: newMapState(map[Key]MapStateEntry{ 2488 HttpIngressKey(42): denyEntry(0, csFoo, csBar), 2489 HttpIngressKey(43): denyEntry(0, csFoo), 2490 HttpIngressKey(44): denyEntry(0, csBar), 2491 }), 2492 adds: Keys{ 2493 HttpIngressKey(44): {}, 2494 }, 2495 deletes: Keys{}, 2496 }, { 2497 continued: true, 2498 name: "test-2c - Deleting 42 from Foo, remains on Bar and no deletes", 2499 args: []args{ 2500 {cs: csFoo, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: true, redirect: false, deny: true}, 2501 }, 2502 state: newMapState(map[Key]MapStateEntry{ 2503 HttpIngressKey(42): denyEntry(0, csBar), 2504 HttpIngressKey(43): denyEntry(0, csFoo), 2505 HttpIngressKey(44): denyEntry(0, csBar), 2506 }), 2507 adds: Keys{}, 2508 deletes: Keys{}, 2509 }, { 2510 continued: true, 2511 name: "test-2d - Deleting 42 from Foo again, not deleted", 2512 args: []args{ 2513 {cs: csFoo, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: true, redirect: false, deny: true}, 2514 }, 2515 state: newMapState(map[Key]MapStateEntry{ 2516 HttpIngressKey(42): denyEntry(0, csBar), 2517 HttpIngressKey(43): denyEntry(0, csFoo), 2518 HttpIngressKey(44): denyEntry(0, csBar), 2519 }), 2520 adds: Keys{}, 2521 deletes: Keys{}, 2522 }, { 2523 continued: true, 2524 name: "test-2e - Deleting 42 from Bar, deleted", 2525 args: []args{ 2526 {cs: csBar, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: true, redirect: false, deny: true}, 2527 }, 2528 state: newMapState(map[Key]MapStateEntry{ 2529 HttpIngressKey(43): denyEntry(0, csFoo), 2530 HttpIngressKey(44): denyEntry(0, csBar), 2531 }), 2532 adds: Keys{}, 2533 deletes: Keys{ 2534 HttpIngressKey(42): {}, 2535 }, 2536 }, { 2537 continued: true, 2538 name: "test-2f - Adding an entry that already exists, no adds", 2539 args: []args{ 2540 {cs: csBar, adds: []int{44}, deletes: []int{}, port: 80, proto: 6, ingress: true, redirect: false, deny: true}, 2541 }, 2542 state: newMapState(map[Key]MapStateEntry{ 2543 HttpIngressKey(43): denyEntry(0, csFoo), 2544 HttpIngressKey(44): denyEntry(0, csBar), 2545 }), 2546 adds: Keys{}, 2547 deletes: Keys{}, 2548 }, { 2549 continued: false, 2550 name: "test-3a - egress allow with deny-L3", 2551 setup: newMapState(map[Key]MapStateEntry{ 2552 AnyIngressKey(): allowEntry(0), 2553 HostIngressKey(): allowEntry(0), 2554 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2555 }), 2556 args: []args{ 2557 {cs: csBar, adds: []int{42}, deletes: []int{}, port: 53, proto: 17, ingress: false, redirect: false, deny: false}, 2558 {cs: csBar, adds: []int{42}, deletes: []int{}, port: 53, proto: 6, ingress: false, redirect: false, deny: false}, 2559 }, 2560 state: newMapState(map[Key]MapStateEntry{ 2561 AnyIngressKey(): allowEntry(0), 2562 HostIngressKey(): allowEntry(0), 2563 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2564 }), 2565 adds: Keys{}, 2566 deletes: Keys{}, 2567 }, { 2568 continued: true, 2569 name: "test-3b - egress allow DNS on another ID with deny-L3", 2570 args: []args{ 2571 {cs: csBar, adds: []int{43}, deletes: []int{}, port: 53, proto: 17, ingress: false, redirect: false, deny: false}, 2572 {cs: csBar, adds: []int{43}, deletes: []int{}, port: 53, proto: 6, ingress: false, redirect: false, deny: false}, 2573 }, 2574 state: newMapState(map[Key]MapStateEntry{ 2575 AnyIngressKey(): allowEntry(0), 2576 HostIngressKey(): allowEntry(0), 2577 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2578 DNSUDPEgressKey(43): allowEntry(0, csBar), 2579 DNSTCPEgressKey(43): allowEntry(0, csBar), 2580 }), 2581 adds: Keys{ 2582 DNSUDPEgressKey(43): {}, 2583 DNSTCPEgressKey(43): {}, 2584 }, 2585 deletes: Keys{}, 2586 }, { 2587 continued: true, 2588 name: "test-3c - egress allow HTTP proxy with deny-L3", 2589 args: []args{ 2590 {cs: csFoo, adds: []int{43}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2591 }, 2592 state: newMapState(map[Key]MapStateEntry{ 2593 AnyIngressKey(): allowEntry(0), 2594 HostIngressKey(): allowEntry(0), 2595 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2596 DNSUDPEgressKey(43): allowEntry(0, csBar), 2597 DNSTCPEgressKey(43): allowEntry(0, csBar), 2598 HttpEgressKey(43): allowEntry(1, csFoo), 2599 }), 2600 adds: Keys{ 2601 HttpEgressKey(43): {}, 2602 }, 2603 deletes: Keys{}, 2604 }, { 2605 continued: false, 2606 name: "test-4a - Add L7 skipped due to covering L3 deny", 2607 setup: newMapState(map[Key]MapStateEntry{ 2608 AnyIngressKey(): allowEntry(0), 2609 HostIngressKey(): allowEntry(0), 2610 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2611 }), 2612 args: []args{ 2613 {cs: csFoo, adds: []int{42}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2614 }, 2615 state: newMapState(map[Key]MapStateEntry{ 2616 AnyIngressKey(): allowEntry(0), 2617 HostIngressKey(): allowEntry(0), 2618 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2619 }), 2620 adds: Keys{}, 2621 deletes: Keys{}, 2622 }, { 2623 continued: true, 2624 name: "test-4b - Add & delete L7 skipped due to covering L3 deny", 2625 args: []args{ 2626 {cs: csFoo, adds: []int{42}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2627 {cs: csFoo, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2628 }, 2629 state: newMapState(map[Key]MapStateEntry{ 2630 AnyIngressKey(): allowEntry(0), 2631 HostIngressKey(): allowEntry(0), 2632 testEgressKey(42, 0, 0): denyEntry(0, csFoo), 2633 }), 2634 adds: Keys{}, 2635 deletes: Keys{}, 2636 }, { 2637 name: "test-5 - Adding L3-deny to an existing allow-all", 2638 setup: newMapState(map[Key]MapStateEntry{ 2639 AnyIngressKey(): allowEntry(0), 2640 }), 2641 args: []args{ 2642 {cs: csFoo, adds: []int{41}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 2643 }, 2644 state: newMapState(map[Key]MapStateEntry{ 2645 AnyIngressKey(): allowEntry(0), 2646 testIngressKey(41, 0, 0): denyEntry(0, csFoo), 2647 }), 2648 adds: Keys{ 2649 testIngressKey(41, 0, 0): {}, 2650 }, 2651 deletes: Keys{}, 2652 }, { 2653 name: "test-6 - Multiple dependent entries", 2654 setup: newMapState(map[Key]MapStateEntry{ 2655 AnyEgressKey(): allowEntry(0), 2656 HttpEgressKey(0): allowEntry(12345, nil), 2657 DNSUDPEgressKey(0): allowEntry(12346, nil), 2658 }), 2659 args: []args{ 2660 {cs: csFoo, adds: []int{41}, deletes: []int{}, port: 0, proto: 0, ingress: false, redirect: false, deny: true}, 2661 }, 2662 state: newMapState(map[Key]MapStateEntry{ 2663 AnyEgressKey(): allowEntry(0), 2664 testEgressKey(41, 0, 0): denyEntry(0, csFoo).WithDependents(HttpEgressKey(41), DNSUDPEgressKey(41)), 2665 HttpEgressKey(0): allowEntry(12345, nil), 2666 HttpEgressKey(41): denyEntry(0).WithOwners(testEgressKey(41, 0, 0)), 2667 DNSUDPEgressKey(0): allowEntry(12346, nil), 2668 DNSUDPEgressKey(41): denyEntry(0).WithOwners(testEgressKey(41, 0, 0)), 2669 }), 2670 adds: Keys{ 2671 testEgressKey(41, 0, 0): {}, 2672 HttpEgressKey(41): {}, 2673 DNSUDPEgressKey(41): {}, 2674 }, 2675 deletes: Keys{}, 2676 }, { 2677 continued: false, 2678 name: "test-n - title", 2679 args: []args{ 2680 //{cs: csFoo, adds: []int{42, 43}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2681 }, 2682 state: newMapState(nil), 2683 adds: Keys{ 2684 //HttpIngressKey(42): allowEntry(0), 2685 }, 2686 deletes: Keys{ 2687 //HttpIngressKey(43): allowEntry(0), 2688 }, 2689 }, 2690 } 2691 2692 policyMapState := newMapState(nil) 2693 2694 for _, tt := range tests { 2695 policyMaps := MapChanges{} 2696 if !tt.continued { 2697 if tt.setup != nil { 2698 policyMapState = tt.setup 2699 } else { 2700 policyMapState = newMapState(nil) 2701 } 2702 } 2703 for _, x := range tt.args { 2704 dir := trafficdirection.Egress 2705 if x.ingress { 2706 dir = trafficdirection.Ingress 2707 } 2708 adds := x.cs.addSelections(x.adds...) 2709 deletes := x.cs.deleteSelections(x.deletes...) 2710 var cs CachedSelector 2711 if x.cs != nil { 2712 cs = x.cs 2713 } 2714 var invertedPortMask uint16 2715 if x.port == 0 { 2716 invertedPortMask = 0xffff 2717 } 2718 key := Key{DestPort: x.port, InvertedPortMask: invertedPortMask, Nexthdr: x.proto, TrafficDirection: dir.Uint8()} 2719 var proxyPort uint16 2720 if x.redirect { 2721 proxyPort = 1 2722 } 2723 value := NewMapStateEntry(cs, nil, proxyPort, "", 0, x.deny, DefaultAuthType, AuthTypeDisabled) 2724 policyMaps.AccumulateMapChanges(cs, adds, deletes, []Key{key}, value) 2725 } 2726 adds, deletes := policyMaps.consumeMapChanges(DummyOwner{}, policyMapState, denyRules, nil) 2727 policyMapState.validatePortProto(t) 2728 require.True(t, policyMapState.Equals(tt.state), "%s (MapState):\n%s", tt.name, policyMapState.Diff(tt.state)) 2729 require.EqualValues(t, tt.adds, adds, tt.name+" (adds)") 2730 require.EqualValues(t, tt.deletes, deletes, tt.name+" (deletes)") 2731 } 2732 } 2733 2734 func TestMapState_AccumulateMapChanges(t *testing.T) { 2735 csFoo := newTestCachedSelector("Foo", false) 2736 csBar := newTestCachedSelector("Bar", false) 2737 2738 type args struct { 2739 cs *testCachedSelector 2740 adds []int 2741 deletes []int 2742 port uint16 2743 proto uint8 2744 ingress bool 2745 redirect bool 2746 deny bool 2747 hasAuth HasAuthType 2748 authType AuthType 2749 } 2750 tests := []struct { 2751 continued bool // Start from the end state of the previous test 2752 name string 2753 args []args // changes applied, in order 2754 state MapState 2755 adds Keys 2756 deletes Keys 2757 }{{ 2758 name: "test-2a - Adding 2 identities, and deleting a nonexisting key on an empty state", 2759 args: []args{ 2760 {cs: csFoo, adds: []int{42, 43}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2761 }, 2762 state: newMapState(map[Key]MapStateEntry{ 2763 HttpIngressKey(42): allowEntry(0, csFoo), 2764 HttpIngressKey(43): allowEntry(0, csFoo), 2765 }), 2766 adds: Keys{ 2767 HttpIngressKey(42): {}, 2768 HttpIngressKey(43): {}, 2769 }, 2770 deletes: Keys{}, 2771 }, { 2772 continued: true, 2773 name: "test-2b - Adding Bar also selecting 42", 2774 args: []args{ 2775 {cs: csBar, adds: []int{42, 44}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2776 }, 2777 state: newMapState(map[Key]MapStateEntry{ 2778 HttpIngressKey(42): allowEntry(0, csFoo, csBar), 2779 HttpIngressKey(43): allowEntry(0, csFoo), 2780 HttpIngressKey(44): allowEntry(0, csBar), 2781 }), 2782 adds: Keys{ 2783 HttpIngressKey(44): {}, 2784 }, 2785 deletes: Keys{}, 2786 }, { 2787 continued: true, 2788 name: "test-2c - Deleting 42 from Foo, remains on Bar and no deletes", 2789 args: []args{ 2790 {cs: csFoo, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2791 }, 2792 state: newMapState(map[Key]MapStateEntry{ 2793 HttpIngressKey(42): allowEntry(0, csBar), 2794 HttpIngressKey(43): allowEntry(0, csFoo), 2795 HttpIngressKey(44): allowEntry(0, csBar), 2796 }), 2797 adds: Keys{}, 2798 deletes: Keys{}, 2799 }, { 2800 continued: true, 2801 name: "test-2d - Deleting 42 from Foo again, not deleted", 2802 args: []args{ 2803 {cs: csFoo, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2804 }, 2805 state: newMapState(map[Key]MapStateEntry{ 2806 HttpIngressKey(42): allowEntry(0, csBar), 2807 HttpIngressKey(43): allowEntry(0, csFoo), 2808 HttpIngressKey(44): allowEntry(0, csBar), 2809 }), 2810 adds: Keys{}, 2811 deletes: Keys{}, 2812 }, { 2813 continued: true, 2814 name: "test-2e - Deleting 42 from Bar, deleted", 2815 args: []args{ 2816 {cs: csBar, adds: []int{}, deletes: []int{42}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2817 }, 2818 state: newMapState(map[Key]MapStateEntry{ 2819 HttpIngressKey(43): allowEntry(0, csFoo), 2820 HttpIngressKey(44): allowEntry(0, csBar), 2821 }), 2822 adds: Keys{}, 2823 deletes: Keys{ 2824 HttpIngressKey(42): {}, 2825 }, 2826 }, { 2827 continued: true, 2828 name: "test-2f - Adding an entry that already exists, no adds", 2829 args: []args{ 2830 {cs: csBar, adds: []int{44}, deletes: []int{}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2831 }, 2832 state: newMapState(map[Key]MapStateEntry{ 2833 HttpIngressKey(43): allowEntry(0, csFoo), 2834 HttpIngressKey(44): allowEntry(0, csBar), 2835 }), 2836 adds: Keys{}, 2837 deletes: Keys{}, 2838 }, { 2839 continued: false, 2840 name: "test-3a - egress HTTP proxy (setup)", 2841 args: []args{ 2842 {cs: nil, adds: []int{0}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: false}, 2843 {cs: nil, adds: []int{1}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: false}, 2844 {cs: csBar, adds: []int{42}, deletes: []int{}, port: 53, proto: 17, ingress: false, redirect: false, deny: false}, 2845 {cs: csBar, adds: []int{42}, deletes: []int{}, port: 53, proto: 6, ingress: false, redirect: false, deny: false}, 2846 }, 2847 state: newMapState(map[Key]MapStateEntry{ 2848 AnyIngressKey(): allowEntry(0, nil), 2849 HostIngressKey(): allowEntry(0, nil), 2850 DNSUDPEgressKey(42): allowEntry(0, csBar), 2851 DNSTCPEgressKey(42): allowEntry(0, csBar), 2852 }), 2853 adds: Keys{ 2854 AnyIngressKey(): {}, 2855 HostIngressKey(): {}, 2856 DNSUDPEgressKey(42): {}, 2857 DNSTCPEgressKey(42): {}, 2858 }, 2859 deletes: Keys{}, 2860 }, { 2861 continued: true, 2862 name: "test-3b - egress HTTP proxy (incremental update)", 2863 args: []args{ 2864 {cs: csFoo, adds: []int{43}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2865 }, 2866 state: newMapState(map[Key]MapStateEntry{ 2867 AnyIngressKey(): allowEntry(0, nil), 2868 HostIngressKey(): allowEntry(0, nil), 2869 DNSUDPEgressKey(42): allowEntry(0, csBar), 2870 DNSTCPEgressKey(42): allowEntry(0, csBar), 2871 HttpEgressKey(43): allowEntry(1, csFoo), 2872 }), 2873 adds: Keys{ 2874 HttpEgressKey(43): {}, 2875 }, 2876 deletes: Keys{}, 2877 }, { 2878 continued: false, 2879 name: "test-4a - Add & delete; delete cancels the add in reply", 2880 args: []args{ 2881 {cs: csFoo, adds: []int{44}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2882 {cs: csFoo, adds: []int{}, deletes: []int{44}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2883 }, 2884 state: newMapState(nil), 2885 adds: Keys{}, 2886 deletes: Keys{ 2887 // Delete of the key is recoded as the key may have existed already in the (bpf) map 2888 HttpEgressKey(44): {}, 2889 }, 2890 }, { 2891 continued: true, 2892 name: "test-4b - Add, delete, & add; delete suppressed", 2893 args: []args{ 2894 {cs: csFoo, adds: []int{44}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2895 {cs: csFoo, adds: []int{}, deletes: []int{44}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2896 {cs: csFoo, adds: []int{44}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 2897 }, 2898 state: newMapState(map[Key]MapStateEntry{ 2899 HttpEgressKey(44): allowEntry(1, csFoo), 2900 }), 2901 adds: Keys{ 2902 HttpEgressKey(44): {}, 2903 }, 2904 deletes: Keys{}, 2905 }, { 2906 continued: false, 2907 name: "test-n - title", 2908 args: []args{ 2909 //{cs: csFoo, adds: []int{42, 43}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 2910 }, 2911 state: newMapState(nil), 2912 adds: Keys{ 2913 //HttpIngressKey(42): allowEntry(0), 2914 }, 2915 deletes: Keys{ 2916 //HttpIngressKey(43): allowEntry(0), 2917 }, 2918 }, 2919 } 2920 2921 policyMapState := newMapState(nil) 2922 2923 for _, tt := range tests { 2924 policyMaps := MapChanges{} 2925 if !tt.continued { 2926 policyMapState = newMapState(nil) 2927 } 2928 for _, x := range tt.args { 2929 dir := trafficdirection.Egress 2930 if x.ingress { 2931 dir = trafficdirection.Ingress 2932 } 2933 adds := x.cs.addSelections(x.adds...) 2934 deletes := x.cs.deleteSelections(x.deletes...) 2935 var cs CachedSelector 2936 if x.cs != nil { 2937 cs = x.cs 2938 } 2939 var invertedPortMask uint16 2940 if x.port == 0 { 2941 invertedPortMask = 0xffff 2942 } 2943 key := Key{DestPort: x.port, InvertedPortMask: invertedPortMask, Nexthdr: x.proto, TrafficDirection: dir.Uint8()} 2944 var proxyPort uint16 2945 if x.redirect { 2946 proxyPort = 1 2947 } 2948 value := NewMapStateEntry(cs, nil, proxyPort, "", 0, x.deny, x.hasAuth, x.authType) 2949 policyMaps.AccumulateMapChanges(cs, adds, deletes, []Key{key}, value) 2950 } 2951 adds, deletes := policyMaps.consumeMapChanges(DummyOwner{}, policyMapState, policyFeatures(0), nil) 2952 policyMapState.validatePortProto(t) 2953 require.True(t, policyMapState.Equals(tt.state), tt.name+"%s (MapState):\n%s", policyMapState.Diff(tt.state)) 2954 require.EqualValues(t, tt.adds, adds, tt.name+" (adds)") 2955 require.EqualValues(t, tt.deletes, deletes, tt.name+" (deletes)") 2956 } 2957 } 2958 2959 var testLabels = labels.LabelArray{ 2960 labels.NewLabel("test", "ing", labels.LabelSourceReserved), 2961 } 2962 2963 func TestMapState_AddVisibilityKeys(t *testing.T) { 2964 csFoo := newTestCachedSelector("Foo", false) 2965 csBar := newTestCachedSelector("Bar", false) 2966 2967 type args struct { 2968 redirectPort uint16 2969 visMeta VisibilityMetadata 2970 } 2971 tests := []struct { 2972 name string 2973 ms, want *mapState 2974 args args 2975 }{ 2976 { 2977 name: "test-1 - Add HTTP ingress visibility - allow-all", 2978 ms: newMapState(map[Key]MapStateEntry{ 2979 AnyIngressKey(): allowEntry(0), 2980 }), 2981 args: args{ 2982 redirectPort: 12345, 2983 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 2984 }, 2985 want: newMapState(map[Key]MapStateEntry{ 2986 AnyIngressKey(): allowEntry(0), 2987 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom, nil), 2988 }), 2989 }, 2990 { 2991 name: "test-2 - Add HTTP ingress visibility - no allow-all", 2992 ms: newMapState(nil), 2993 args: args{ 2994 redirectPort: 12345, 2995 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 2996 }, 2997 want: newMapState(nil), 2998 }, 2999 { 3000 name: "test-3 - Add HTTP ingress visibility - L4-allow", 3001 ms: newMapState(map[Key]MapStateEntry{ 3002 HttpIngressKey(0): allowEntryD(0, labels.LabelArrayList{testLabels}), 3003 }), 3004 args: args{ 3005 redirectPort: 12345, 3006 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3007 }, 3008 want: newMapState(map[Key]MapStateEntry{ 3009 HttpIngressKey(0): allowEntryD(12345, labels.LabelArrayList{visibilityDerivedFromLabels, testLabels}, nil), 3010 }), 3011 }, 3012 { 3013 name: "test-4 - Add HTTP ingress visibility - L3/L4-allow", 3014 ms: newMapState(map[Key]MapStateEntry{ 3015 HttpIngressKey(123): allowEntryD(0, labels.LabelArrayList{testLabels}, csBar), 3016 }), 3017 args: args{ 3018 redirectPort: 12345, 3019 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3020 }, 3021 want: newMapState(map[Key]MapStateEntry{ 3022 HttpIngressKey(123): allowEntryD(12345, labels.LabelArrayList{visibilityDerivedFromLabels, testLabels}, csBar), 3023 }), 3024 }, 3025 { 3026 name: "test-5 - Add HTTP ingress visibility - L3-allow (host)", 3027 ms: newMapState(map[Key]MapStateEntry{ 3028 HostIngressKey(): allowEntry(0), 3029 }), 3030 args: args{ 3031 redirectPort: 12345, 3032 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3033 }, 3034 want: newMapState(map[Key]MapStateEntry{ 3035 HostIngressKey(): allowEntry(0).WithDependents(HttpIngressKey(1)), 3036 HttpIngressKey(1): allowEntryD(12345, labels.LabelArrayList{visibilityDerivedFromLabels}).WithOwners(HostIngressKey()), 3037 }), 3038 }, 3039 { 3040 name: "test-6 - Add HTTP ingress visibility - L3/L4-allow on different port", 3041 ms: newMapState(map[Key]MapStateEntry{ 3042 testIngressKey(123, 88, 6): allowEntryD(0, labels.LabelArrayList{testLabels}, csBar), 3043 }), 3044 args: args{ 3045 redirectPort: 12345, 3046 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3047 }, 3048 want: newMapState(map[Key]MapStateEntry{ 3049 testIngressKey(123, 88, 6): allowEntryD(0, labels.LabelArrayList{testLabels}, csBar), 3050 }), 3051 }, 3052 { 3053 name: "test-7 - Add HTTP ingress visibility - allow-all + L4-deny (no change)", 3054 ms: newMapState(map[Key]MapStateEntry{ 3055 AnyIngressKey(): allowEntry(0), 3056 HttpIngressKey(0): denyEntry(0), 3057 }), 3058 args: args{ 3059 redirectPort: 12345, 3060 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3061 }, 3062 want: newMapState(map[Key]MapStateEntry{ 3063 AnyIngressKey(): allowEntry(0), 3064 HttpIngressKey(0): denyEntry(0), 3065 }), 3066 }, 3067 { 3068 name: "test-8 - Add HTTP ingress visibility - allow-all + L3-deny", 3069 ms: newMapState(map[Key]MapStateEntry{ 3070 AnyIngressKey(): allowEntry(0), 3071 testIngressKey(234, 0, 0): denyEntry(0, csFoo), 3072 }), 3073 args: args{ 3074 redirectPort: 12345, 3075 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3076 }, 3077 want: newMapState(map[Key]MapStateEntry{ 3078 AnyIngressKey(): allowEntry(0), 3079 testIngressKey(234, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(234)), 3080 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom, nil), 3081 HttpIngressKey(234): denyEntry(0, csFoo).WithOwners(testIngressKey(234, 0, 0)), 3082 }), 3083 }, 3084 { 3085 name: "test-9 - Add HTTP ingress visibility - allow-all + L3/L4-deny", 3086 ms: newMapState(map[Key]MapStateEntry{ 3087 AnyIngressKey(): allowEntry(0), 3088 HttpIngressKey(132): denyEntry(0, csBar), 3089 }), 3090 args: args{ 3091 redirectPort: 12345, 3092 visMeta: VisibilityMetadata{Ingress: true, Port: 80, Proto: u8proto.TCP}, 3093 }, 3094 want: newMapState(map[Key]MapStateEntry{ 3095 AnyIngressKey(): allowEntry(0), 3096 HttpIngressKey(132): denyEntry(0, csBar), 3097 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom, nil), 3098 }), 3099 }, 3100 { 3101 name: "test-10 - Add HTTP egress visibility", 3102 ms: newMapState(map[Key]MapStateEntry{ 3103 AnyEgressKey(): allowEntry(0), 3104 }), 3105 args: args{ 3106 redirectPort: 12346, 3107 visMeta: VisibilityMetadata{Ingress: false, Port: 80, Proto: u8proto.TCP}, 3108 }, 3109 want: newMapState(map[Key]MapStateEntry{ 3110 AnyEgressKey(): allowEntry(0), 3111 HttpEgressKey(0): allowEntryD(12346, visibilityDerivedFrom, nil), 3112 }), 3113 }, 3114 } 3115 for _, tt := range tests { 3116 old := ChangeState{ 3117 Old: make(map[Key]MapStateEntry), 3118 } 3119 tt.ms.ForEach(func(k Key, v MapStateEntry) bool { 3120 old.insertOldIfNotExists(k, v) 3121 return true 3122 }) 3123 changes := ChangeState{ 3124 Adds: make(Keys), 3125 Old: make(map[Key]MapStateEntry), 3126 } 3127 tt.ms.AddVisibilityKeys(DummyOwner{}, tt.args.redirectPort, &tt.args.visMeta, changes) 3128 tt.ms.validatePortProto(t) 3129 require.True(t, tt.ms.Equals(tt.want), "%s:\n%s", tt.name, tt.ms.Diff(tt.want)) 3130 // Find new and updated entries 3131 wantAdds := make(Keys) 3132 wantOld := make(map[Key]MapStateEntry) 3133 3134 for k, v := range old.Old { 3135 if _, ok := tt.ms.Get(k); !ok { 3136 wantOld[k] = v 3137 } 3138 } 3139 tt.ms.ForEach(func(k Key, v MapStateEntry) bool { 3140 if v2, ok := old.Old[k]; ok { 3141 if !assert.ObjectsAreEqual(v2, v) { 3142 if !v.DatapathEqual(&v2) { 3143 wantAdds[k] = struct{}{} 3144 } 3145 wantOld[k] = v2 3146 } 3147 } else { 3148 wantAdds[k] = struct{}{} 3149 } 3150 return true 3151 }) 3152 require.EqualValues(t, wantAdds, changes.Adds, tt.name) 3153 require.EqualValues(t, wantOld, changes.Old, tt.name) 3154 } 3155 } 3156 3157 func TestMapState_AccumulateMapChangesOnVisibilityKeys(t *testing.T) { 3158 csFoo := newTestCachedSelector("Foo", false) 3159 csBar := newTestCachedSelector("Bar", false) 3160 3161 type args struct { 3162 cs *testCachedSelector 3163 adds []int 3164 deletes []int 3165 port uint16 3166 proto uint8 3167 ingress bool 3168 redirect bool 3169 deny bool 3170 } 3171 type visArgs struct { 3172 redirectPort uint16 3173 visMeta VisibilityMetadata 3174 } 3175 tests := []struct { 3176 continued bool // Start from the end state of the previous test 3177 name string 3178 setup *mapState 3179 visArgs []visArgs 3180 visAdds Keys 3181 visOld map[Key]MapStateEntry 3182 args []args // changes applied, in order 3183 state MapState 3184 adds Keys 3185 deletes Keys 3186 }{{ 3187 name: "test-1a - Adding identity to deny with visibilty", 3188 setup: newMapState(map[Key]MapStateEntry{ 3189 AnyIngressKey(): allowEntry(0), 3190 testIngressKey(234, 0, 0): denyEntry(0, csFoo), 3191 }), 3192 visArgs: []visArgs{{ 3193 redirectPort: 12345, 3194 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3195 }}, 3196 visAdds: Keys{ 3197 HttpIngressKey(0): {}, 3198 HttpIngressKey(234): {}, 3199 }, 3200 visOld: map[Key]MapStateEntry{ 3201 testIngressKey(234, 0, 0): denyEntry(0, csFoo), 3202 }, 3203 args: []args{ 3204 {cs: csFoo, adds: []int{235}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 3205 }, 3206 state: newMapState(map[Key]MapStateEntry{ 3207 AnyIngressKey(): allowEntry(0), 3208 testIngressKey(234, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(234)), 3209 testIngressKey(235, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(235)), 3210 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom, nil), 3211 HttpIngressKey(234): denyEntry(0).WithOwners(testIngressKey(234, 0, 0)), 3212 HttpIngressKey(235): denyEntry(0).WithOwners(testIngressKey(235, 0, 0)), 3213 }), 3214 adds: Keys{ 3215 testIngressKey(235, 0, 0): {}, 3216 HttpIngressKey(235): {}, 3217 }, 3218 deletes: Keys{}, 3219 }, { 3220 continued: true, 3221 name: "test-1b - Removing the sole key", 3222 args: []args{ 3223 {cs: csFoo, adds: nil, deletes: []int{235}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 3224 }, 3225 state: newMapState(map[Key]MapStateEntry{ 3226 AnyIngressKey(): allowEntry(0), 3227 testIngressKey(234, 0, 0): denyEntry(0, csFoo).WithDependents(HttpIngressKey(234)), 3228 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom, nil), 3229 HttpIngressKey(234): denyEntry(0).WithOwners(testIngressKey(234, 0, 0)), 3230 }), 3231 adds: Keys{}, 3232 deletes: Keys{ 3233 testIngressKey(235, 0, 0): {}, 3234 HttpIngressKey(235): {}, 3235 }, 3236 }, { 3237 name: "test-2a - Adding 2 identities, and deleting a nonexisting key on an empty state", 3238 args: []args{ 3239 {cs: csFoo, adds: []int{235, 236}, deletes: []int{50}, port: 0, proto: 0, ingress: true, redirect: false, deny: false}, 3240 }, 3241 visArgs: []visArgs{{ 3242 redirectPort: 12345, 3243 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3244 }}, 3245 state: newMapState(map[Key]MapStateEntry{ 3246 testIngressKey(235, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(235)), 3247 testIngressKey(236, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(236)), 3248 HttpIngressKey(235): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(235, 0, 0)), 3249 HttpIngressKey(236): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(236, 0, 0)), 3250 }), 3251 adds: Keys{ 3252 testIngressKey(235, 0, 0): {}, 3253 HttpIngressKey(235): {}, 3254 testIngressKey(236, 0, 0): {}, 3255 HttpIngressKey(236): {}, 3256 }, 3257 deletes: Keys{ 3258 testIngressKey(235, 0, 0): {}, // changed dependents 3259 testIngressKey(236, 0, 0): {}, // changed dependents 3260 }, 3261 }, { 3262 continued: true, 3263 name: "test-2b - Adding Bar also selecting 235", 3264 args: []args{ 3265 {cs: csBar, adds: []int{235, 237}, deletes: []int{50}, port: 0, proto: 0, ingress: true, redirect: false, deny: false}, 3266 }, 3267 visArgs: []visArgs{{ 3268 redirectPort: 12345, 3269 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3270 }}, 3271 state: newMapState(map[Key]MapStateEntry{ 3272 testIngressKey(235, 0, 0): allowEntry(0, csFoo, csBar).WithDependents(HttpIngressKey(235)), 3273 testIngressKey(236, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(236)), 3274 HttpIngressKey(235): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(235, 0, 0)), 3275 HttpIngressKey(236): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(236, 0, 0)), 3276 testIngressKey(237, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(237)), 3277 HttpIngressKey(237): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(237, 0, 0)), 3278 }), 3279 adds: Keys{ 3280 testIngressKey(237, 0, 0): {}, 3281 HttpIngressKey(237): {}, 3282 }, 3283 deletes: Keys{ 3284 testIngressKey(237, 0, 0): {}, // changed dependents 3285 }, 3286 }, { 3287 continued: true, 3288 name: "test-2c - Deleting 235 from Foo, remains on Bar and no deletes", 3289 args: []args{ 3290 {cs: csFoo, adds: []int{}, deletes: []int{235}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 3291 }, 3292 visArgs: []visArgs{{ 3293 redirectPort: 12345, 3294 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3295 }}, 3296 state: newMapState(map[Key]MapStateEntry{ 3297 testIngressKey(235, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(235)), 3298 testIngressKey(236, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(236)), 3299 HttpIngressKey(235): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(235, 0, 0)), 3300 HttpIngressKey(236): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(236, 0, 0)), 3301 testIngressKey(237, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(237)), 3302 HttpIngressKey(237): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(237, 0, 0)), 3303 }), 3304 adds: Keys{}, 3305 deletes: Keys{}, 3306 }, { 3307 continued: true, 3308 name: "test-2d - Deleting 235 from Foo again, not deleted", 3309 args: []args{ 3310 {cs: csFoo, adds: []int{}, deletes: []int{235}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 3311 }, 3312 visArgs: []visArgs{{ 3313 redirectPort: 12345, 3314 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3315 }}, 3316 state: newMapState(map[Key]MapStateEntry{ 3317 testIngressKey(235, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(235)), 3318 testIngressKey(236, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(236)), 3319 HttpIngressKey(235): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(235, 0, 0)), 3320 HttpIngressKey(236): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(236, 0, 0)), 3321 testIngressKey(237, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(237)), 3322 HttpIngressKey(237): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(237, 0, 0)), 3323 }), 3324 adds: Keys{}, 3325 deletes: Keys{}, 3326 }, { 3327 continued: true, 3328 name: "test-2e - Deleting 235 from Bar, deleted", 3329 args: []args{ 3330 {cs: csBar, adds: []int{}, deletes: []int{235}, port: 0, proto: 0, ingress: true, redirect: false, deny: true}, 3331 }, 3332 visArgs: []visArgs{{ 3333 redirectPort: 12345, 3334 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3335 }}, 3336 state: newMapState(map[Key]MapStateEntry{ 3337 testIngressKey(236, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(236)), 3338 HttpIngressKey(236): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(236, 0, 0)), 3339 testIngressKey(237, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(237)), 3340 HttpIngressKey(237): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(237, 0, 0)), 3341 }), 3342 adds: Keys{}, 3343 deletes: Keys{ 3344 testIngressKey(235, 0, 0): {}, 3345 HttpIngressKey(235): {}, 3346 }, 3347 }, { 3348 continued: true, 3349 name: "test-2f - Adding an entry that already exists, no adds", 3350 args: []args{ 3351 {cs: csBar, adds: []int{237}, deletes: []int{}, port: 0, proto: 0, ingress: true, redirect: false, deny: false}, 3352 }, 3353 visArgs: []visArgs{{ 3354 redirectPort: 12345, 3355 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3356 }}, 3357 state: newMapState(map[Key]MapStateEntry{ 3358 testIngressKey(236, 0, 0): allowEntry(0, csFoo).WithDependents(HttpIngressKey(236)), 3359 HttpIngressKey(236): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(236, 0, 0)), 3360 testIngressKey(237, 0, 0): allowEntry(0, csBar).WithDependents(HttpIngressKey(237)), 3361 HttpIngressKey(237): allowEntryD(12345, visibilityDerivedFrom).WithOwners(testIngressKey(237, 0, 0)), 3362 }), 3363 adds: Keys{}, 3364 deletes: Keys{}, 3365 }, { 3366 continued: false, 3367 name: "test-3a - egress HTTP proxy (setup)", 3368 setup: newMapState(map[Key]MapStateEntry{ 3369 AnyIngressKey(): allowEntry(0), 3370 HostIngressKey(): allowEntry(0), 3371 HttpEgressKey(0): allowEntry(0), 3372 }), 3373 visArgs: []visArgs{ 3374 { 3375 redirectPort: 12345, 3376 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3377 }, 3378 { 3379 redirectPort: 12346, 3380 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: false, Port: 80, Proto: u8proto.TCP}, 3381 }, 3382 { 3383 redirectPort: 12347, 3384 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: false, Port: 53, Proto: u8proto.UDP}, 3385 }, 3386 }, 3387 visAdds: Keys{ 3388 HttpIngressKey(0): {}, 3389 HttpEgressKey(0): {}, 3390 }, 3391 visOld: map[Key]MapStateEntry{ 3392 // Old value for the modified entry 3393 HttpEgressKey(0): allowEntry(0), 3394 }, 3395 args: []args{ 3396 {cs: csBar, adds: []int{42}, deletes: []int{}, port: 53, proto: 17, ingress: false, redirect: false, deny: false}, 3397 {cs: csBar, adds: []int{42}, deletes: []int{}, port: 53, proto: 6, ingress: false, redirect: false, deny: false}, 3398 }, 3399 state: newMapState(map[Key]MapStateEntry{ 3400 AnyIngressKey(): allowEntry(0), 3401 HostIngressKey(): allowEntry(0), 3402 // Entry added solely due to visibility annotation has a 'nil' owner 3403 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom).WithOwners(nil), 3404 // Entries modified due to visibility annotation keep their existing owners (here none) 3405 HttpEgressKey(0): allowEntryD(12346, visibilityDerivedFrom, nil), 3406 DNSUDPEgressKey(42): allowEntryD(12347, visibilityDerivedFrom, csBar), 3407 DNSTCPEgressKey(42): allowEntry(0, csBar), 3408 }), 3409 adds: Keys{ 3410 DNSUDPEgressKey(42): {}, 3411 DNSTCPEgressKey(42): {}, 3412 }, 3413 deletes: Keys{}, 3414 }, { 3415 continued: true, 3416 name: "test-3b - egress HTTP proxy (incremental update)", 3417 args: []args{ 3418 {cs: csFoo, adds: []int{43}, deletes: []int{}, port: 80, proto: 6, ingress: false, redirect: true, deny: false}, 3419 }, 3420 visArgs: []visArgs{ 3421 { 3422 redirectPort: 12345, 3423 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: true, Port: 80, Proto: u8proto.TCP}, 3424 }, 3425 { 3426 redirectPort: 12346, 3427 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: false, Port: 80, Proto: u8proto.TCP}, 3428 }, 3429 { 3430 redirectPort: 12347, 3431 visMeta: VisibilityMetadata{Parser: ParserTypeHTTP, Ingress: false, Port: 53, Proto: u8proto.UDP}, 3432 }, 3433 }, 3434 state: newMapState(map[Key]MapStateEntry{ 3435 AnyIngressKey(): allowEntry(0), 3436 HostIngressKey(): allowEntry(0), 3437 HttpIngressKey(0): allowEntryD(12345, visibilityDerivedFrom).WithOwners(nil), 3438 HttpEgressKey(0): allowEntryD(12346, visibilityDerivedFrom, nil), 3439 DNSUDPEgressKey(42): allowEntryD(12347, visibilityDerivedFrom, csBar), 3440 DNSTCPEgressKey(42): allowEntry(0, csBar), 3441 // Redirect entries are not modified by visibility annotations 3442 HttpEgressKey(43): allowEntry(1, csFoo), 3443 }), 3444 adds: Keys{ 3445 HttpEgressKey(43): {}, 3446 }, 3447 deletes: Keys{}, 3448 }, { 3449 continued: false, 3450 name: "test-n - title", 3451 args: []args{ 3452 //{cs: csFoo, adds: []int{42, 43}, deletes: []int{50}, port: 80, proto: 6, ingress: true, redirect: false, deny: false}, 3453 }, 3454 state: newMapState(nil), 3455 adds: Keys{ 3456 //HttpIngressKey(42): {}, 3457 }, 3458 deletes: Keys{ 3459 //HttpIngressKey(43): {}, 3460 }, 3461 }, 3462 } 3463 3464 policyMapState := newMapState(nil) 3465 3466 for _, tt := range tests { 3467 // Allow omit empty maps 3468 if tt.visAdds == nil { 3469 tt.visAdds = make(Keys) 3470 } 3471 if tt.visOld == nil { 3472 tt.visOld = make(map[Key]MapStateEntry) 3473 } 3474 if tt.adds == nil { 3475 tt.adds = make(Keys) 3476 } 3477 if tt.deletes == nil { 3478 tt.deletes = make(Keys) 3479 } 3480 policyMaps := MapChanges{} 3481 if !tt.continued { 3482 if tt.setup != nil { 3483 policyMapState = tt.setup 3484 } else { 3485 policyMapState = newMapState(nil) 3486 } 3487 } 3488 changes := ChangeState{ 3489 Adds: make(Keys), 3490 Deletes: make(Keys), 3491 Old: make(map[Key]MapStateEntry), 3492 } 3493 for _, arg := range tt.visArgs { 3494 policyMapState.AddVisibilityKeys(DummyOwner{}, arg.redirectPort, &arg.visMeta, changes) 3495 } 3496 require.EqualValues(t, tt.visAdds, changes.Adds, tt.name+" (visAdds)") 3497 require.EqualValues(t, tt.visOld, changes.Old, tt.name+" (visOld)") 3498 3499 for _, x := range tt.args { 3500 dir := trafficdirection.Egress 3501 if x.ingress { 3502 dir = trafficdirection.Ingress 3503 } 3504 adds := x.cs.addSelections(x.adds...) 3505 deletes := x.cs.deleteSelections(x.deletes...) 3506 var cs CachedSelector 3507 if x.cs != nil { 3508 cs = x.cs 3509 } 3510 var invertedPortMask uint16 3511 if x.port == 0 { 3512 invertedPortMask = 0xffff 3513 } 3514 key := Key{DestPort: x.port, InvertedPortMask: invertedPortMask, Nexthdr: x.proto, TrafficDirection: dir.Uint8()} 3515 var proxyPort uint16 3516 if x.redirect { 3517 proxyPort = 1 3518 } 3519 value := NewMapStateEntry(cs, nil, proxyPort, "", 0, x.deny, DefaultAuthType, AuthTypeDisabled) 3520 policyMaps.AccumulateMapChanges(cs, adds, deletes, []Key{key}, value) 3521 } 3522 adds, deletes := policyMaps.consumeMapChanges(DummyOwner{}, policyMapState, denyRules, nil) 3523 changes = ChangeState{ 3524 Adds: adds, 3525 Deletes: deletes, 3526 Old: make(map[Key]MapStateEntry), 3527 } 3528 3529 // Visibilty redirects need to be re-applied after consumeMapChanges() 3530 for _, arg := range tt.visArgs { 3531 policyMapState.AddVisibilityKeys(DummyOwner{}, arg.redirectPort, &arg.visMeta, changes) 3532 } 3533 for k := range changes.Old { 3534 changes.Deletes[k] = struct{}{} 3535 } 3536 policyMapState.validatePortProto(t) 3537 require.True(t, tt.state.Equals(policyMapState), "%s (MapState):\n%s", tt.name, policyMapState.Diff(tt.state)) 3538 require.EqualValues(t, tt.adds, changes.Adds, tt.name+" (adds)") 3539 require.EqualValues(t, tt.deletes, changes.Deletes, tt.name+" (deletes)") 3540 } 3541 } 3542 3543 func (e MapStateEntry) asDeny() MapStateEntry { 3544 if !e.IsDeny { 3545 e.IsDeny = true 3546 e.ProxyPort = 0 3547 e.Listener = "" 3548 e.priority = 0 3549 e.hasAuthType = DefaultAuthType 3550 e.AuthType = AuthTypeDisabled 3551 } 3552 return e 3553 } 3554 3555 func TestMapState_denyPreferredInsertWithSubnets(t *testing.T) { 3556 identityCache := identity.IdentityMap{ 3557 identity.ReservedIdentityWorld: labels.LabelWorld.LabelArray(), 3558 worldIPIdentity: lblWorldIP, // "192.0.2.3/32" 3559 worldSubnetIdentity: lblWorldSubnet.LabelArray(), // "192.0.2.0/24" 3560 } 3561 3562 reservedWorldID := identity.ReservedIdentityWorld.Uint32() 3563 worldIPID := worldIPIdentity.Uint32() 3564 worldSubnetID := worldSubnetIdentity.Uint32() 3565 selectorCache := testNewSelectorCache(identityCache) 3566 type action uint16 3567 const ( 3568 noAction = action(iota) 3569 insertA = action(1 << iota) 3570 insertB 3571 insertAWithBProto 3572 insertBWithAProto 3573 insertBWithAProtoAsDeny 3574 insertAasDeny 3575 insertBasDeny 3576 insertBoth = insertA | insertB 3577 ) 3578 // these tests are based on the sheet https://docs.google.com/spreadsheets/d/1WANIoZGB48nryylQjjOw6lKjI80eVgPShrdMTMalLEw#gid=2109052536 3579 tests := []struct { 3580 name string 3581 aIdentity, bIdentity uint32 3582 aIsDeny, bIsDeny bool 3583 aPort uint16 3584 aProto uint8 3585 bPort uint16 3586 bProto uint8 3587 outcome action 3588 }{ 3589 // deny-allow insertions 3590 {"deny-allow: a superset a|b L3-only", reservedWorldID, worldSubnetID, true, false, 0, 0, 0, 0, insertA | insertBasDeny}, 3591 {"deny-allow: b superset a|b L3-only", worldIPID, worldSubnetID, true, false, 0, 0, 0, 0, insertBoth}, 3592 {"deny-allow: a superset a L3-only, b L4", reservedWorldID, worldSubnetID, true, false, 0, 0, 0, 6, insertA | insertBasDeny}, 3593 {"deny-allow: b superset a L3-only, b L4", worldIPID, worldSubnetID, true, false, 0, 0, 0, 6, insertBoth | insertAWithBProto}, 3594 {"deny-allow: a superset a L3-only, b L3L4", reservedWorldID, worldSubnetID, true, false, 0, 0, 80, 6, insertA | insertBasDeny}, 3595 {"deny-allow: b superset a L3-only, b L3L4", worldIPID, worldSubnetID, true, false, 0, 0, 80, 6, insertBoth | insertAWithBProto}, 3596 {"deny-allow: a superset a L4, b L3-only", reservedWorldID, worldSubnetID, true, false, 0, 6, 0, 0, insertBoth | insertBWithAProtoAsDeny}, 3597 {"deny-allow: b superset a L4, b L3-only", worldIPID, worldSubnetID, true, false, 0, 6, 0, 0, insertBoth}, 3598 {"deny-allow: a superset a L4, b L4", reservedWorldID, worldSubnetID, true, false, 0, 6, 0, 6, insertA | insertBasDeny}, 3599 {"deny-allow: b superset a L4, b L4", worldIPID, worldSubnetID, true, false, 0, 6, 0, 6, insertBoth}, 3600 {"deny-allow: a superset a L4, b L3L4", reservedWorldID, worldSubnetID, true, false, 0, 6, 80, 6, insertA | insertBasDeny}, 3601 {"deny-allow: b superset a L4, b L3L4", worldIPID, worldSubnetID, true, false, 0, 6, 80, 6, insertBoth | insertAWithBProto}, 3602 {"deny-allow: a superset a L3L4, b L3-only", reservedWorldID, worldSubnetID, true, false, 80, 6, 0, 0, insertBoth | insertBWithAProtoAsDeny}, 3603 {"deny-allow: b superset a L3L4, b L3-only", worldIPID, worldSubnetID, true, false, 80, 6, 0, 0, insertBoth}, 3604 {"deny-allow: a superset a L3L4, b L4", reservedWorldID, worldSubnetID, true, false, 80, 6, 0, 6, insertBoth | insertBWithAProtoAsDeny}, 3605 {"deny-allow: b superset a L3L4, b L4", worldIPID, worldSubnetID, true, false, 80, 6, 0, 6, insertBoth}, 3606 {"deny-allow: a superset a L3L4, b L3L4", reservedWorldID, worldSubnetID, true, false, 80, 6, 80, 6, insertA | insertBasDeny}, 3607 {"deny-allow: b superset a L3L4, b L3L4", worldIPID, worldSubnetID, true, false, 80, 6, 80, 6, insertBoth}, 3608 3609 // deny-deny insertions: Note: There is no dedundancy between different non-zero security IDs on the 3610 // datapath, even if one would be a CIDR subset of another. Situation would be different if we could 3611 // completely remove (or not add in the first place) the redundant ID from the ipcache so that 3612 // datapath could never assign that ID to a packet for policy enforcement. 3613 // These test case are left here for such future improvement. 3614 {"deny-deny: a superset a|b L3-only", worldSubnetID, worldIPID, true, true, 0, 0, 0, 0, insertBoth}, 3615 {"deny-deny: b superset a|b L3-only", worldSubnetID, reservedWorldID, true, true, 0, 0, 0, 0, insertBoth}, 3616 {"deny-deny: a superset a L3-only, b L4", worldSubnetID, worldIPID, true, true, 0, 0, 0, 6, insertBoth}, 3617 {"deny-deny: b superset a L3-only, b L4", worldSubnetID, reservedWorldID, true, true, 0, 0, 0, 6, insertBoth}, 3618 {"deny-deny: a superset a L3-only, b L3L4", worldSubnetID, worldIPID, true, true, 0, 0, 80, 6, insertBoth}, 3619 {"deny-deny: b superset a L3-only, b L3L4", worldSubnetID, reservedWorldID, true, true, 0, 0, 80, 6, insertBoth}, 3620 {"deny-deny: a superset a L4, b L3-only", worldSubnetID, worldIPID, true, true, 0, 6, 0, 0, insertBoth}, 3621 {"deny-deny: b superset a L4, b L3-only", worldSubnetID, reservedWorldID, true, true, 0, 6, 0, 0, insertBoth}, 3622 {"deny-deny: a superset a L4, b L4", worldSubnetID, worldIPID, true, true, 0, 6, 0, 6, insertBoth}, 3623 {"deny-deny: b superset a L4, b L4", worldSubnetID, reservedWorldID, true, true, 0, 6, 0, 6, insertBoth}, 3624 {"deny-deny: a superset a L4, b L3L4", worldSubnetID, worldIPID, true, true, 0, 6, 80, 6, insertBoth}, 3625 {"deny-deny: b superset a L4, b L3L4", worldSubnetID, reservedWorldID, true, true, 0, 6, 80, 6, insertBoth}, 3626 {"deny-deny: a superset a L3L4, b L3-only", worldSubnetID, worldIPID, true, true, 80, 6, 0, 0, insertBoth}, 3627 {"deny-deny: b superset a L3L4, b L3-only", worldSubnetID, reservedWorldID, true, true, 80, 6, 0, 0, insertBoth}, 3628 {"deny-deny: a superset a L3L4, b L4", worldSubnetID, worldIPID, true, true, 80, 6, 0, 6, insertBoth}, 3629 {"deny-deny: b superset a L3L4, b L4", worldSubnetID, reservedWorldID, true, true, 80, 6, 0, 6, insertBoth}, 3630 {"deny-deny: a superset a L3L4, b L3L4", worldSubnetID, worldIPID, true, true, 80, 6, 80, 6, insertBoth}, 3631 {"deny-deny: b superset a L3L4, b L3L4", worldSubnetID, reservedWorldID, true, true, 80, 6, 80, 6, insertBoth}, 3632 // allow-allow insertions do not need tests as their affect on one another does not matter. 3633 } 3634 for _, tt := range tests { 3635 anyIngressKey := key(0, 0, 0, 0) 3636 allowEntry := MapStateEntry{} 3637 aKey := key(tt.aIdentity, tt.aPort, tt.aProto, 0) 3638 aEntry := MapStateEntry{IsDeny: tt.aIsDeny} 3639 bKey := key(tt.bIdentity, tt.bPort, tt.bProto, 0) 3640 bEntry := MapStateEntry{IsDeny: tt.bIsDeny} 3641 expectedKeys := newMapState(nil) 3642 // Always expect to see the any ingress allow key 3643 expectedKeys.allows.Upsert(anyIngressKey, allowEntry) 3644 if tt.outcome&insertA > 0 { 3645 if tt.aIsDeny { 3646 expectedKeys.denies.Upsert(aKey, aEntry) 3647 } else { 3648 expectedKeys.allows.Upsert(aKey, aEntry) 3649 } 3650 } 3651 if tt.outcome&insertAasDeny > 0 { 3652 expectedKeys.denies.Upsert(aKey, aEntry.asDeny()) 3653 } 3654 if tt.outcome&insertB > 0 { 3655 if tt.bIsDeny { 3656 expectedKeys.denies.Upsert(bKey, bEntry) 3657 } else { 3658 expectedKeys.allows.Upsert(bKey, bEntry) 3659 } 3660 } 3661 if tt.outcome&insertBasDeny > 0 { 3662 expectedKeys.denies.Upsert(bKey, bEntry.asDeny()) 3663 } 3664 if tt.outcome&insertAWithBProto > 0 { 3665 aKeyWithBProto := key(tt.aIdentity, tt.bPort, tt.bProto, 0) 3666 aEntryCpy := aEntry.WithOwners(aKey) 3667 aEntryWithDep := aEntry.WithDependents(aKeyWithBProto) 3668 if tt.aIsDeny { 3669 expectedKeys.denies.Upsert(aKey, aEntryWithDep) 3670 expectedKeys.denies.Upsert(aKeyWithBProto, aEntryCpy) 3671 } else { 3672 expectedKeys.allows.Upsert(aKey, aEntryWithDep) 3673 expectedKeys.allows.Upsert(aKeyWithBProto, aEntryCpy) 3674 } 3675 } 3676 if tt.outcome&insertBWithAProto > 0 { 3677 bKeyWithAProto := key(tt.bIdentity, tt.aPort, tt.aProto, 0) 3678 bEntryCpy := bEntry.WithOwners(bKey) 3679 bEntryWithDep := bEntry.WithDependents(bKeyWithAProto) 3680 if tt.bIsDeny { 3681 expectedKeys.denies.Upsert(bKey, bEntryWithDep) 3682 expectedKeys.denies.Upsert(bKeyWithAProto, bEntryCpy) 3683 } else { 3684 expectedKeys.allows.Upsert(bKey, bEntryWithDep) 3685 expectedKeys.allows.Upsert(bKeyWithAProto, bEntryCpy) 3686 } 3687 } 3688 if tt.outcome&insertBWithAProtoAsDeny > 0 { 3689 bKeyWithAProto := key(tt.bIdentity, tt.aPort, tt.aProto, 0) 3690 bEntryAsDeny := bEntry.WithOwners(aKey).asDeny() 3691 aEntryWithDep := aEntry.WithDependents(bKeyWithAProto) 3692 expectedKeys.denies.Upsert(aKey, aEntryWithDep) 3693 expectedKeys.denies.Upsert(bKeyWithAProto, bEntryAsDeny) 3694 } 3695 outcomeKeys := newMapState(nil) 3696 outcomeKeys.denyPreferredInsert(anyIngressKey, allowEntry, selectorCache, allFeatures) 3697 outcomeKeys.denyPreferredInsert(aKey, aEntry, selectorCache, allFeatures) 3698 outcomeKeys.denyPreferredInsert(bKey, bEntry, selectorCache, allFeatures) 3699 outcomeKeys.validatePortProto(t) 3700 require.True(t, expectedKeys.Equals(outcomeKeys), "%s (MapState):\n%s", tt.name, outcomeKeys.Diff(expectedKeys)) 3701 3702 // Test also with reverse insertion order 3703 outcomeKeys = newMapState(nil) 3704 outcomeKeys.denyPreferredInsert(bKey, bEntry, selectorCache, allFeatures) 3705 outcomeKeys.denyPreferredInsert(aKey, aEntry, selectorCache, allFeatures) 3706 outcomeKeys.denyPreferredInsert(anyIngressKey, allowEntry, selectorCache, allFeatures) 3707 outcomeKeys.validatePortProto(t) 3708 require.True(t, expectedKeys.Equals(outcomeKeys), "%s (in reverse) (MapState):\n%s", tt.name, outcomeKeys.Diff(expectedKeys)) 3709 } 3710 // Now test all cases with different traffic directions. 3711 // This should result in both entries being inserted with 3712 // no changes, as they do not affect one another anymore. 3713 for _, tt := range tests { 3714 anyIngressKey := key(0, 0, 0, 0) 3715 anyEgressKey := key(0, 0, 0, 1) 3716 allowEntry := MapStateEntry{} 3717 aKey := key(tt.aIdentity, tt.aPort, tt.aProto, 0) 3718 aEntry := MapStateEntry{IsDeny: tt.aIsDeny} 3719 bKey := key(tt.bIdentity, tt.bPort, tt.bProto, 1) 3720 bEntry := MapStateEntry{IsDeny: tt.bIsDeny} 3721 expectedKeys := newMapState(nil) 3722 // always expect to see the any allow keys 3723 expectedKeys.allows.Upsert(anyIngressKey, allowEntry) 3724 expectedKeys.allows.Upsert(anyEgressKey, allowEntry) 3725 if tt.aIsDeny { 3726 expectedKeys.denies.Upsert(aKey, aEntry) 3727 } else { 3728 expectedKeys.allows.Upsert(aKey, aEntry) 3729 } 3730 if tt.bIsDeny { 3731 expectedKeys.denies.Upsert(bKey, bEntry) 3732 } else { 3733 expectedKeys.allows.Upsert(bKey, bEntry) 3734 } 3735 outcomeKeys := newMapState(nil) 3736 outcomeKeys.denyPreferredInsert(anyIngressKey, allowEntry, selectorCache, allFeatures) 3737 outcomeKeys.denyPreferredInsert(anyEgressKey, allowEntry, selectorCache, allFeatures) 3738 outcomeKeys.denyPreferredInsert(aKey, aEntry, selectorCache, allFeatures) 3739 outcomeKeys.denyPreferredInsert(bKey, bEntry, selectorCache, allFeatures) 3740 outcomeKeys.validatePortProto(t) 3741 require.True(t, expectedKeys.Equals(outcomeKeys), "%s different traffic directions (MapState):\n%s", tt.name, outcomeKeys.Diff(expectedKeys)) 3742 3743 // Test also with reverse insertion order 3744 outcomeKeys = newMapState(nil) 3745 outcomeKeys.denyPreferredInsert(bKey, bEntry, selectorCache, allFeatures) 3746 outcomeKeys.denyPreferredInsert(aKey, aEntry, selectorCache, allFeatures) 3747 outcomeKeys.denyPreferredInsert(anyEgressKey, allowEntry, selectorCache, allFeatures) 3748 outcomeKeys.denyPreferredInsert(anyIngressKey, allowEntry, selectorCache, allFeatures) 3749 outcomeKeys.validatePortProto(t) 3750 require.True(t, expectedKeys.Equals(outcomeKeys), "%s different traffic directions (in reverse) (MapState):\n%s", tt.name, outcomeKeys.Diff(expectedKeys)) 3751 } 3752 } 3753 3754 func TestMapState_Get_stacktrace(t *testing.T) { 3755 ms := newMapState(nil) 3756 // This should produce a stacktrace in the error log. It is not validated here but can be 3757 // observed manually. 3758 // Example log (with newlines expanded): 3759 // time="2024-06-22T23:21:27+03:00" level=error msg="mapState.Get: invalid wildcard port with non-zero mask: Identity=0,DestPort=0,Nexthdr=0,TrafficDirection=0. Stacktrace: 3760 // github.com/hashicorp/go-hclog.Stacktrace 3761 // github.com/cilium/cilium/vendor/github.com/hashicorp/go-hclog/stacktrace.go:51 3762 // github.com/cilium/cilium/pkg/policy.(*mapState).Get 3763 // github.com/cilium/cilium/pkg/policy/mapstate.go:355 3764 // github.com/cilium/cilium/pkg/policy.TestMapState_Get_stacktrace 3765 // github.com/cilium/cilium/pkg/policy/mapstate_test.go:3699 3766 // testing.tRunner 3767 // go/src/testing/testing.go:1689" subsys=policy 3768 _, ok := ms.Get(Key{}) 3769 assert.False(t, ok) 3770 }