github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

pkg/proxy/nftables: refactor packet tracer address matching

Browse Source 
Use bool instead of not-equal-operator as string in
tracer.addressMatches of helpers_test.go

Signed-off-by: Daman Arora <aroradaman@gmail.com>
This commit is contained in:
Daman Arora
2024-01-21 12:53:55 +05:30
parent d23483dd7c
commit 80ca91c90c
1 changed files with 8 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/proxy/nftables/helpers_test.go
View File

@@ -174,7 +174,7 @@ func newNFTablesTracer(t *testing.T, nft *knftables.Fake, nodeIPs []string) *nft
}
}
func (tracer *nftablesTracer) addressMatches(ipStr, not, ruleAddress string) bool {
func (tracer *nftablesTracer) addressMatches(ipStr string, wantMatch bool, ruleAddress string) bool {
ip := netutils.ParseIPSloppy(ipStr)
if ip == nil {
tracer.t.Fatalf("Bad IP in test case: %s", ipStr)
@@ -195,18 +195,14 @@ func (tracer *nftablesTracer) addressMatches(ipStr, not, ruleAddress string) boo
match = ip.Equal(ip2)
}
if not == "!= " {
return !match
} else {
return match
}
return match == wantMatch
}
func (tracer *nftablesTracer) noneAddressesMatch(ipStr, ruleAddress string) bool {
ruleAddress = strings.ReplaceAll(ruleAddress, " ", "")
addresses := strings.Split(ruleAddress, ",")
for _, address := range addresses {
if tracer.addressMatches(ipStr, "", address) {
if tracer.addressMatches(ipStr, true, address) {
return false
}
}
@@ -240,7 +236,7 @@ func (tracer *nftablesTracer) matchDest(elements []*knftables.Element, destIP, p
// found.
func (tracer *nftablesTracer) matchDestAndSource(elements []*knftables.Element, destIP, protocol, destPort, sourceIP string) *knftables.Element {
for _, element := range elements {
if element.Key[0] == destIP && element.Key[1] == protocol && element.Key[2] == destPort && tracer.addressMatches(sourceIP, "", element.Key[3]) {
if element.Key[0] == destIP && element.Key[1] == protocol && element.Key[2] == destPort && tracer.addressMatches(sourceIP, true, element.Key[3]) {
return element
}
}
@@ -416,8 +412,8 @@ func (tracer *nftablesTracer) runChain(chname, sourceIP, protocol, destIP, destP
// Tests whether destIP does/doesn't match a literal.
match := destAddrRegexp.FindStringSubmatch(rule)
rule = strings.TrimPrefix(rule, match[0])
not, ip := match[1], match[2]
if !tracer.addressMatches(destIP, not, ip) {
wantMatch, ip := match[1] != "!= ", match[2]
if !tracer.addressMatches(destIP, wantMatch, ip) {
rule = ""
break
}
@@ -458,8 +454,8 @@ func (tracer *nftablesTracer) runChain(chname, sourceIP, protocol, destIP, destP
// Tests whether sourceIP does/doesn't match a literal.
match := sourceAddrRegexp.FindStringSubmatch(rule)
rule = strings.TrimPrefix(rule, match[0])
not, ip := match[1], match[2]
if !tracer.addressMatches(sourceIP, not, ip) {
wantMatch, ip := match[1] != "!= ", match[2]
if !tracer.addressMatches(sourceIP, wantMatch, ip) {
rule = ""
break
}