-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Modify IPSet Setfilter to make it suitable for filtering ipsets dynamically #9669
base: master
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is the right sort of change but there are a couple of problems with the API.
I'm a bit wary that the filtering logic is implemented differently in each IP sets implementation. Could we extract out a new struct that manages the IP set filtering and then re-use it in all the implementations so that they all have a "full" (but shared) implementation of filtering. Feels like a bit of a footgun that the API is there but not implemented (or partially implemented) in some cases.
felix/ipsets/ipsets.go
Outdated
|
||
func (s *IPSets) MarkDirty(ipsetNames set.Set[string]) { | ||
for name, meta := range s.setNameToAllMetadata { | ||
if ipsetNames.Contains(name) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is now the wrong check because s.filterIPSet
should govern whether the IP set is programmed. You should remove the ipsetNames
parameter and use the filter. Then this method can be called OnFilterUpdated
or something like that and it just triggers a recheck of the filter for all IP sets.
dp.RegisterManager(newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.SetFilter, config.RulesConfig.NFTables)) | ||
mgr := newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.MarkDirty, config.RulesConfig.NFTables) | ||
ipSetsV6.SetFilter(func(ipSetName string) bool { | ||
neededIPSets := mgr.GetNeededIPSets() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a very inefficient way to do this check. Every call to the filter will build the full "needed sets" Set
and then throw it away again. That is O(n^2)
in the number of IP sets, which is not acceptable.
However, now you've switched to a "pull" model for this, you should be able to do a lot better. What if you made the API mgr.IPSetNeeded(name)
? Then you could do a trivial map lookup inside the manager instead of building the unneeded set.
felix/bpf/ipsets/ipsets.go
Outdated
m.filterIPSet = fn | ||
} | ||
|
||
func (m *bpfIPSets) MarkDirty(ipsetNames set.Set[string]) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Feel a bit uneasy that we have a flexible filter function but we're not implementing the rescan here. Someone could come along later and use the filter function without realising this isn't implemented.
Should at least comment "Not implemented because the only filter we use with this IP set is 100% static, based on the IP set name."
@@ -193,6 +193,8 @@ func (m *IPSets) ApplyDeletions() bool { | |||
return false | |||
} | |||
|
|||
func (s *IPSets) SetFilter(ipSetNames set.Set[string]) { | |||
// Not needed for Windows. | |||
func (m *IPSets) SetFilter(fn func(ipSetName string) bool) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth commenting that these are deliberately not implemented
felix/nftables/ipsets.go
Outdated
for name, meta := range s.setNameToAllMetadata { | ||
if s.ipSetNeeded(name) { | ||
if ipsetNames.Contains(name) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, new filter func should govern the check.
felix/nftables/ipsets.go
Outdated
@@ -97,7 +97,7 @@ type IPSets struct { | |||
|
|||
// Optional filter. When non-nil, only these IP set IDs will be rendered into the dataplane |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of date comment
@@ -57,6 +57,8 @@ type bpfIPSets struct { | |||
opRecorder logutils.OpRecorder | |||
|
|||
lg *log.Entry | |||
|
|||
filterIPSet func(string) bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth a comment saying what this does. In particular:
- What does
nil
mean? - Is
true
"filter in" or "filter out"
@@ -1035,7 +1040,12 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane { | |||
config.MaxIPSetSize)) | |||
dp.RegisterManager(newPolicyManager(rawTableV6, mangleTableV6, filterTableV6, ruleRenderer, 6, config.RulesConfig.NFTables)) | |||
} else { | |||
dp.RegisterManager(newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.SetFilter, config.RulesConfig.NFTables)) | |||
mgr := newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.MarkDirty, config.RulesConfig.NFTables) | |||
ipSetsV6.SetFilter(func(ipSetName string) bool { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Worth a comment here saying what this filter stuff is about.
ipSetsV6.SetFilter(func(ipSetName string) bool { | |
// When in BPF mode, we still program egress do-not-track rules into | |
// (ip|nf)tables; set a filter on the IP sets we program so that only the | |
// IP sets needed for do-not-track are programmed. | |
ipSetsV6.SetFilter(func(ipSetName string) bool { |
Description
This PR modifies
SetFilter
in ipsets to make it suitable to filter ipsets dynamically. The changes areMarkDirty
which takes a set of ipset names and marks it dirty. This is used for rawEgressPolicy when in BPF mode.Related issues/PRs
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*
label.docs-pr-required
: This change requires a change to the documentation that has not been completed yet.docs-completed
: This change has all necessary documentation completed.docs-not-required
: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*
label.release-note-required
: This PR has user-facing changes. Most PRs should have this label.release-note-not-required
: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate
: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr
: This PR is related to install and requires a corresponding change to the operator.