

fix ip range match
Signed-off-by: huabing zhao <zhaohuabing@gmail.com>
zhaohuabing committed May 16, 2024
1 parent 7d0e6e9 commit 1ac43ed
Showing 8 changed files with 44 additions and 83 deletions.
2 changes: 1 addition & 1 deletion internal/gatewayapi/helpers.go
Expand Up @@ -469,7 +469,7 @@ func parseCIDR(cidr string) (*ir.CIDRMatch, error) {

mask, _ := ipn.Mask.Size()
return &ir.CIDRMatch{
CIDR: ipn.String(),
CIDR: ip.String(),
IPv6: ip.To4() == nil,
MaskLen: mask,
}, nil
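Review bot: `CIDR: ip.String()` on the new line emits the address exactly as the user wrote it rather than the network address: `net.ParseCIDR("192.168.1.5/24")` returns ip 192.168.1.5 and ipn 192.168.1.0/24, so the IR would carry `192.168.1.5` with MaskLen 24. Envoy may well truncate address_prefix to prefix_len itself, but emitting the canonical network address keeps the IR self-consistent and does not depend on that: `CIDR: ipn.IP.String(),`. A comment is worth adding either way, since the old `ipn.String()` included the mask and a future reader could reinstate it: `// bare address only: Envoy's CidrRange.address_prefix takes no /len suffix; MaskLen carries the prefix`. The ParseCIDR call and its error path sit above this hunk.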
Expand Up @@ -194,7 +194,7 @@ xdsIR:
requests: 10
unit: Hour
- cidrMatch:
cidr: 192.168.0.0/16
cidr: 192.168.0.0
distinct: false
ipv6: false
maskLen: 16
Expand Up @@ -197,7 +197,7 @@ xdsIR:
requests: 10
unit: Hour
- cidrMatch:
cidr: 192.168.0.0/16
cidr: 192.168.0.0
distinct: false
ipv6: false
maskLen: 16
Expand Up @@ -336,7 +336,7 @@ xdsIR:
global:
rules:
- cidrMatch:
cidr: 192.168.0.0/16
cidr: 192.168.0.0
distinct: true
ipv6: false
maskLen: 16
Expand Up @@ -255,22 +255,22 @@ xdsIR:
- action: Deny
principal:
clientCIDRs:
- cidr: 192.168.1.0/24
- cidr: 192.168.1.0
distinct: false
ipv6: false
maskLen: 24
- cidr: 192.168.2.0/24
- cidr: 192.168.2.0
distinct: false
ipv6: false
maskLen: 24
- action: Deny
principal:
clientCIDRs:
- cidr: 10.75.1.0/24
- cidr: 10.75.1.0
distinct: false
ipv6: false
maskLen: 24
- cidr: 10.75.2.0/24
- cidr: 10.75.2.0
distinct: false
ipv6: false
maskLen: 24
Expand All @@ -297,11 +297,11 @@ xdsIR:
- action: Allow
principal:
clientCIDRs:
- cidr: 10.0.1.0/24
- cidr: 10.0.1.0
distinct: false
ipv6: false
maskLen: 24
- cidr: 10.0.2.0/24
- cidr: 10.0.2.0
distinct: false
ipv6: false
maskLen: 24
33 changes: 7 additions & 26 deletions internal/xds/translator/authorization.go
Expand Up @@ -11,11 +11,13 @@ import (

cncfv3 "github.com/cncf/xds/go/xds/core/v3"
matcherv3 "github.com/cncf/xds/go/xds/type/matcher/v3"
configv3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
rbacconfigv3 "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3"
routev3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
rbacv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3"
hcmv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
networkinput "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3"
ipmatcherv3 "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/input_matchers/ip/v3"
"google.golang.org/protobuf/types/known/anypb"
"google.golang.org/protobuf/types/known/wrapperspb"

Expand Down Expand Up @@ -153,40 +155,19 @@ func (*rbac) patchRoute(route *routev3.Route, irRoute *ir.HTTPRoute) error {
// If no matcher matches, the default action will be used.
for _, rule := range authorization.Rules {
// Build the IPMatcher based on the client CIDRs.
ipRangeMatcher := &matcherv3.IPMatcher_IPRangeMatcher{}
ipRangeMatcher := &ipmatcherv3.Ip{
StatPrefix: "source-ip",
}
for _, cidr := range rule.Principal.ClientCIDRs {
ipRangeMatcher.Ranges = append(ipRangeMatcher.Ranges, &cncfv3.CidrRange{
ipRangeMatcher.CidrRanges = append(ipRangeMatcher.CidrRanges, &configv3.CidrRange{
AddressPrefix: cidr.CIDR,
PrefixLen: &wrapperspb.UInt32Value{
Value: uint32(cidr.MaskLen),
},
})
}

// Set the action based on the rule.
if rule.Action == egv1a1.AuthorizationActionAllow {
ipRangeMatcher.OnMatch = &matcherv3.Matcher_OnMatch{
OnMatch: &matcherv3.Matcher_OnMatch_Action{
Action: &cncfv3.TypedExtensionConfig{
Name: "allow",
TypedConfig: allowAction,
},
},
}
} else {
ipRangeMatcher.OnMatch = &matcherv3.Matcher_OnMatch{
OnMatch: &matcherv3.Matcher_OnMatch_Action{
Action: &cncfv3.TypedExtensionConfig{
Name: "deny",
TypedConfig: denyAction,
},
},
}
}

if ipMatcher, err = anypb.New(&matcherv3.IPMatcher{
RangeMatchers: []*matcherv3.IPMatcher_IPRangeMatcher{ipRangeMatcher},
}); err != nil {
if ipMatcher, err = anypb.New(ipRangeMatcher); err != nil {
return err
}

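Review bot: The allow/deny action that the old `IPRangeMatcher.OnMatch` carried per rule is not attached anywhere in the new code here — `ipmatcherv3.Ip` is a pure predicate — so it now has to come from the enclosing matcher's on_match, which is built past the end of this hunk (patchRoute continues below). That wiring should be confirmed for every rule, because a Deny range whose on_match is missing would silently fall through to the default action. The loop also passes `cidr.CIDR` straight into `AddressPrefix`, which as far as I can tell Envoy parses as a bare address, so a comment stating the contract would help: `// cidr.CIDR must be a bare address (parseCIDR strips the mask); the prefix length goes in PrefixLen`. The matcher keys on the `source-ip` input defined outside this hunk; if that input is the downstream connection's address rather than a trusted-hop-derived client IP, clients behind a load balancer all match on the LB's address — worth stating in a comment so operators do not read these rules as client-IP allow/deny.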
12 changes: 6 additions & 6 deletions internal/xds/translator/testdata/in/xds-ir/authorization.yaml
Expand Up @@ -35,22 +35,22 @@ http:
- action: Deny
principal:
clientCIDRs:
- cidr: 192.168.1.0/24
- cidr: 192.168.1.0
distinct: false
ipv6: false
maskLen: 24
- cidr: 192.168.2.0/24
- cidr: 192.168.2.0
distinct: false
ipv6: false
maskLen: 24
- action: Deny
principal:
clientCIDRs:
- cidr: 10.75.1.0/24
- cidr: 10.75.1.0
distinct: false
ipv6: false
maskLen: 24
- cidr: 10.75.2.0/24
- cidr: 10.75.2.0
distinct: false
ipv6: false
maskLen: 24
Expand Down Expand Up @@ -80,11 +80,11 @@ http:
- action: Allow
principal:
clientCIDRs:
- cidr: 10.0.1.0/24
- cidr: 10.0.1.0
distinct: false
ipv6: false
maskLen: 24
- cidr: 10.0.2.0/24
- cidr: 10.0.2.0
distinct: false
ipv6: false
maskLen: 24
Original file line number Diff line number Diff line change
Expand Up @@ -31,20 +31,13 @@
customMatch:
name: ip-matcher
typedConfig:
'@type': type.googleapis.com/xds.type.matcher.v3.IPMatcher
rangeMatchers:
- onMatch:
action:
name: deny
typedConfig:
'@type': type.googleapis.com/envoy.config.rbac.v3.Action
action: DENY
name: DENY
ranges:
- addressPrefix: 192.168.1.0/24
prefixLen: 24
- addressPrefix: 192.168.2.0/24
prefixLen: 24
'@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip
cidrRanges:
- addressPrefix: 192.168.1.0/24
prefixLen: 24
- addressPrefix: 192.168.2.0/24
prefixLen: 24
statPrefix: source-ip
input:
name: source-ip
typedConfig:
Expand All @@ -61,20 +54,13 @@
customMatch:
name: ip-matcher
typedConfig:
'@type': type.googleapis.com/xds.type.matcher.v3.IPMatcher
rangeMatchers:
- onMatch:
action:
name: deny
typedConfig:
'@type': type.googleapis.com/envoy.config.rbac.v3.Action
action: DENY
name: DENY
ranges:
- addressPrefix: 10.75.1.0/24
prefixLen: 24
- addressPrefix: 10.75.2.0/24
prefixLen: 24
'@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip
cidrRanges:
- addressPrefix: 10.75.1.0/24
prefixLen: 24
- addressPrefix: 10.75.2.0/24
prefixLen: 24
statPrefix: source-ip
input:
name: source-ip
typedConfig:
Expand Down Expand Up @@ -110,19 +96,13 @@
customMatch:
name: ip-matcher
typedConfig:
'@type': type.googleapis.com/xds.type.matcher.v3.IPMatcher
rangeMatchers:
- onMatch:
action:
name: allow
typedConfig:
'@type': type.googleapis.com/envoy.config.rbac.v3.Action
name: ALLOW
ranges:
- addressPrefix: 10.0.1.0/24
prefixLen: 24
- addressPrefix: 10.0.2.0/24
prefixLen: 24
'@type': type.googleapis.com/envoy.extensions.matching.input_matchers.ip.v3.Ip
cidrRanges:
- addressPrefix: 10.0.1.0/24
prefixLen: 24
- addressPrefix: 10.0.2.0/24
prefixLen: 24
statPrefix: source-ip
input:
name: source-ip
typedConfig:
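Review bot: The new-side golden still carries the mask in `addressPrefix: 192.168.1.0/24` (and in every other `cidrRanges` entry of this file) even though the input fixture in this same commit now holds bare `192.168.1.0`, so this expected output looks stale relative to the translator change. Envoy parses `CidrRange.address_prefix` as a plain address, so a value with a `/24` suffix would, as far as I can tell, be rejected at config load — which is the very failure the commit title says it fixes. Regenerating the golden should yield `addressPrefix: 192.168.1.0` with `prefixLen: 24`; if the generator really does emit the suffixed form, the defect is upstream in the translator rather than in this file.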
