
Modify IPSet Setfilter to make it suitable for filtering ipsets dynamically #9669

Open: wants to merge 3 commits into base: master

Conversation

sridhartigera (Member)

Description

This PR modifies SetFilter in ipsets to make it suitable for filtering ipsets dynamically. The changes are:

  1. Change SetFilter to set a func which takes an ipset name and returns whether it needs to be filtered or not.
  2. Provide another API, MarkDirty, which takes a set of ipset names and marks them dirty. This is used for rawEgressPolicy when in BPF mode.

Related issues/PRs

Todos

  • Tests
  • Documentation
  • Release note

Release Note

TBD

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@sridhartigera sridhartigera added docs-not-required Docs not required for this change release-note-not-required Change has no user-facing impact labels Jan 2, 2025
@sridhartigera sridhartigera requested a review from a team as a code owner January 2, 2025 19:55
@marvin-tigera marvin-tigera added this to the Calico v3.30.0 milestone Jan 2, 2025
fasaxc (Member) left a comment


I think this is the right sort of change, but there are a couple of problems with the API.

I'm a bit wary that the filtering logic is implemented differently in each IP sets implementation. Could we extract out a new struct that manages the IP set filtering and then re-use it in all the implementations, so that they all have a "full" (but shared) implementation of filtering? It feels like a bit of a footgun that the API is there but not implemented (or only partially implemented) in some cases.


func (s *IPSets) MarkDirty(ipsetNames set.Set[string]) {
for name, meta := range s.setNameToAllMetadata {
if ipsetNames.Contains(name) {

This is now the wrong check because s.filterIPSet should govern whether the IP set is programmed. You should remove the ipsetNames parameter and use the filter. Then this method can be called OnFilterUpdated or something like that and it just triggers a recheck of the filter for all IP sets.

dp.RegisterManager(newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.SetFilter, config.RulesConfig.NFTables))
mgr := newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.MarkDirty, config.RulesConfig.NFTables)
ipSetsV6.SetFilter(func(ipSetName string) bool {
neededIPSets := mgr.GetNeededIPSets()
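Review bot: the manager and the IP sets now hold callbacks into each other (`ipSetsV6.MarkDirty` is handed to `newRawEgressPolicyManager`, and the closure given to `ipSetsV6.SetFilter` calls back into `mgr.GetNeededIPSets()`), so call order matters: `SetFilter` is only installed after `mgr` is constructed, and nothing here shows that the manager cannot invoke `MarkDirty` before that point, when the filter is still nil. Either install the filter before handing the manager its callback, or state at this call site why the earlier call cannot happen.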

This is a very inefficient way to do this check. Every call to the filter will build the full "needed sets" Set and then throw it away again. That is O(n^2) in the number of IP sets, which is not acceptable.

However, now you've switched to a "pull" model for this, you should be able to do a lot better. What if you made the API mgr.IPSetNeeded(name)? Then you could do a trivial map lookup inside the manager instead of building the unneeded set.
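The shape the two comments above are asking for, a shared filter helper in which the filter itself governs what gets programmed, and a pull-model `IPSetNeeded` that is a map lookup rather than a rebuilt set, as an added illustration that is not Calico's code; the names `ipSetFilter`, `OnFilterUpdated`, `rawEgressManager`, `IPSetNeeded` and the IP set names are assumed here.

```go
package main

import "fmt"

// ipSetFilter is a hypothetical shared helper (not Calico's code) that each IP
// sets implementation could embed so the filter semantics live in one place.
// nil fn means "program everything"; fn returning true means "program this set".
type ipSetFilter struct {
	fn      func(ipSetName string) bool
	verdict map[string]bool // last verdict per known IP set name
}

// SetFilter installs (or, with nil, clears) the predicate.
func (f *ipSetFilter) SetFilter(fn func(string) bool) { f.fn = fn }

// Needed is the only place a verdict is computed.
func (f *ipSetFilter) Needed(name string) bool { return f.fn == nil || f.fn(name) }

// OnFilterUpdated re-evaluates every known IP set and returns the names whose
// verdict changed; the caller marks exactly those dirty, no name set is passed in.
func (f *ipSetFilter) OnFilterUpdated(known []string) (changed []string) {
	if f.verdict == nil {
		f.verdict = map[string]bool{}
	}
	for _, name := range known {
		now := f.Needed(name)
		if was, seen := f.verdict[name]; !seen || was != now {
			changed = append(changed, name)
		}
		f.verdict[name] = now
	}
	return changed
}

// rawEgressManager stands in for the policy manager: needed names live in a map,
// so the filter callback is an O(1) lookup rather than a rebuilt Set per call.
type rawEgressManager struct{ needed map[string]struct{} }
func (m *rawEgressManager) IPSetNeeded(name string) bool { _, ok := m.needed[name]; return ok }

// demo wires the two together with constructed set names.
func demo() []string {
	mgr := &rawEgressManager{needed: map[string]struct{}{"set-a": {}}}
	var f ipSetFilter
	f.SetFilter(mgr.IPSetNeeded)
	known := []string{"set-a", "set-b", "set-c"}
	f.OnFilterUpdated(known)         // first pass: initial verdict for every set
	mgr.needed["set-b"] = struct{}{} // a do-not-track policy now references set-b
	return f.OnFilterUpdated(known)  // only set-b changed
}
func main() { fmt.Println(demo()) }
```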

m.filterIPSet = fn
}

func (m *bpfIPSets) MarkDirty(ipsetNames set.Set[string]) {

I feel a bit uneasy that we have a flexible filter function but we're not implementing the rescan here. Someone could come along later and use the filter function without realising this isn't implemented.

Should at least comment "Not implemented because the only filter we use with this IP set is 100% static, based on the IP set name."

@@ -193,6 +193,8 @@ func (m *IPSets) ApplyDeletions() bool {
return false
}

func (s *IPSets) SetFilter(ipSetNames set.Set[string]) {
// Not needed for Windows.
func (m *IPSets) SetFilter(fn func(ipSetName string) bool) {
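Review bot: because this is a deliberate no-op on Windows (`// Not needed for Windows.`), a caller that installs a filter gets silently nothing back; alongside the comment requested below, a debug log line in the body would make such a misuse visible at runtime. The receiver is also renamed from `s` to `m` here, which matches `ApplyDeletions` in the hunk header, so that part is fine.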

Worth commenting that these are deliberately not implemented

for name, meta := range s.setNameToAllMetadata {
if s.ipSetNeeded(name) {
if ipsetNames.Contains(name) {

Same here, new filter func should govern the check.

@@ -97,7 +97,7 @@ type IPSets struct {

// Optional filter. When non-nil, only these IP set IDs will be rendered into the dataplane
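Review bot: the comment still describes a set of IP set IDs, while the field is now a `func(ipSetName string) bool`; it should say something like `// Optional filter. When non-nil, only IP sets for which the function returns true are rendered into the dataplane; nil means no filtering.` The true-means-program polarity follows the `if s.ipSetNeeded(name)` check elsewhere in this PR and should be stated explicitly here.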

Out of date comment

@@ -57,6 +57,8 @@ type bpfIPSets struct {
opRecorder logutils.OpRecorder

lg *log.Entry

filterIPSet func(string) bool

Worth a comment saying what this does. In particular:

  • What does nil mean?
  • Is true "filter in" or "filter out"?

@@ -1035,7 +1040,12 @@ func NewIntDataplaneDriver(config Config) *InternalDataplane {
config.MaxIPSetSize))
dp.RegisterManager(newPolicyManager(rawTableV6, mangleTableV6, filterTableV6, ruleRenderer, 6, config.RulesConfig.NFTables))
} else {
dp.RegisterManager(newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.SetFilter, config.RulesConfig.NFTables))
mgr := newRawEgressPolicyManager(rawTableV6, ruleRenderer, 6, ipSetsV6.MarkDirty, config.RulesConfig.NFTables)
ipSetsV6.SetFilter(func(ipSetName string) bool {

Worth a comment here saying what this filter stuff is about.

Suggested change
ipSetsV6.SetFilter(func(ipSetName string) bool {
// When in BPF mode, we still program egress do-not-track rules into
// (ip|nf)tables; set a filter on the IP sets we program so that only the
// IP sets needed for do-not-track are programmed.
ipSetsV6.SetFilter(func(ipSetName string) bool {
