
trie value for except should not inherit if [overlaps between except and allow CIDR] or [except is larger than allow CIDR]; trie value for except should inherit if except is smaller than allow CIDR #347

Open
wants to merge 1 commit into
base: main
Conversation

ech0potato

Issue #, if available:
Now there is an overlap between allow IP CIDRs and except; here is the case:

  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - port: 8080
  - to:
    - ipBlock:
        cidr: 10.0.0.0/16
        except:
        - 10.0.0.0/24
    ports:
    - port: 8081

Here, the eBPF egress map is:

Key : IP/Prefixlen - 10.0.0.0/24
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8080
Endport -  0
-------------------
-------------------
Value Entry :  1
Protocol -  TCP
StartPort -  8081
Endport -  0
-------------------
*******************************
Key : IP/Prefixlen - 10.0.0.0/16
-------------------
Value Entry :  0
Protocol -  ANY PROTOCOL
StartPort -  0
Endport -  0
-------------------
*******************************

Description of changes:

Trie key 10.0.0.0/24 should not have TCP 8081, which belongs to 10.0.0.0/16 (except 10.0.0.0/24).

We should first collect all the L4Info for nonHostCIDR, and then handle the exceptions. This is because when the eBPF program receives a packet, it matches against the smallest CIDR. If an exception is contained within a certain CIDR, then this exception should inherit the L4Info of that CIDR.

Therefore, after processing all the L4Info associated with the CIDRs, we will handle the exceptions:

For a specific exception (let's call it exceptA), we need to iterate through all the CIDRs and their L4Info. If:

  • A certain CIDR contains exceptA and the exceptions of this CIDR do not contain exceptA, then the Trie Value for exceptA should inherit the L4Info of this CIDR.
  • A certain CIDR contains exceptA, and this CIDR has an exception that includes exceptA, then the Trie Value for exceptA should not inherit the L4Info of this CIDR.
  • A certain CIDR does not contain exceptA, then exceptA should not inherit the L4Info of this CIDR.

Finally, we will process all the CIDRs and exceptions, using these as keys to write into the eBPF map's trie, and determine the corresponding L4Info. If the length of the L4Info is 0, we will write a RESERVE. If it is not 0, we will write the values according to the StartPort, EndPort, and Protocol of the L4Info.

After the change, the eBPF egress map is:

Key : IP/Prefixlen - 10.0.0.0/24
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8080
Endport -  0
-------------------
*******************************
Key : IP/Prefixlen - 10.0.0.0/16
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8081
Endport -  0
-------------------
*******************************

Port 8081 for 10.0.0.0/16 (except 10.0.0.0/24) has been removed.

For another case, which is:

  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - port: 8080
  - to:
    - ipBlock:
        cidr: 10.0.0.0/16
        except:
        - 10.0.0.0/25
    ports:
    - port: 8081

After the change, we get:

Key : IP/Prefixlen - 10.0.0.0/24
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8080
Endport -  0
-------------------
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8081
Endport -  0
-------------------
*******************************
Key : IP/Prefixlen - 10.0.0.0/24
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8080
Endport -  0
-------------------
*******************************
Key : IP/Prefixlen - 10.0.0.0/16
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8081
Endport -  0
-------------------
*******************************

Except 10.0.0.0/25 is in allow CIDR 10.0.0.0/24, so L4Info should gather 10.0.0.0/24's port 8080 and 10.0.0.0/16's port 8081.

And the last case:

  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.0.0/24
    ports:
    - port: 8080
  - to:
    - ipBlock:
        cidr: 10.0.0.0/16
        except:
        - 10.0.0.0/23
    ports:
    - port: 8081

After the change, we get:

Key : IP/Prefixlen - 10.0.0.0/24
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8080
Endport -  0
-------------------
*******************************
Key : IP/Prefixlen - 10.0.0.0/16
-------------------
Value Entry :  0
Protocol -  TCP
StartPort -  8081
Endport -  0
-------------------
*******************************
Key : IP/Prefixlen - 10.0.0.0/23
-------------------
Value Entry :  0
Protocol -  RESERVERD
StartPort -  0
Endport -  0
-------------------
*******************************

We should block any packet that is in 10.0.0.0/23 but not in 10.0.0.0/25, and if a packet is in 10.0.0.0/24, it matches 10.0.0.0/24, allowing port 8080.

Therefore, for an except CIDR, if no other allow CIDR contains it (for the except's parent allow CIDR, L4Info should not inherit), we should deny all ports.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
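The three inheritance rules from the description above, written out as an added Go example that is not the agent's own code: every allow and except CIDR becomes a trie key, and a key takes the L4Info of each rule whose CIDR covers it unless one of that rule's excepts also covers it; an empty value is the RESERVE (deny) entry. Type and function names (L4Info, Rule, BuildTrie, covers) are assumptions for this example.

```go
package main

import "net/netip"

// L4Info mirrors one port rule of an ipBlock (names are assumptions, not the agent's types).
type L4Info struct {
	Protocol  string
	StartPort int
	EndPort   int
}

// Rule is one "to: ipBlock" entry: an allow CIDR, its except list, its ports.
type Rule struct {
	CIDR   netip.Prefix
	Except []netip.Prefix
	Ports  []L4Info
}

// covers reports whether outer fully contains inner (equal prefixes count).
func covers(outer, inner netip.Prefix) bool {
	return outer.Bits() <= inner.Bits() && outer.Contains(inner.Addr())
}

// BuildTrie computes the value for every allow and except CIDR key. A key
// inherits the L4Info of each rule whose CIDR covers it unless one of that
// rule's excepts also covers it. An empty value is the RESERVE (deny) entry.
func BuildTrie(rules []Rule) map[string][]L4Info {
	var keys []netip.Prefix
	for _, r := range rules {
		keys = append(append(keys, r.CIDR), r.Except...)
	}
	trie := map[string][]L4Info{}
	for _, key := range keys {
		info := []L4Info{}
		for _, r := range rules {
			excluded := !covers(r.CIDR, key) // rule does not reach this key
			for _, ex := range r.Except {
				excluded = excluded || covers(ex, key) // key carved out
			}
			if !excluded {
				info = append(info, r.Ports...)
			}
		}
		trie[key.String()] = info
	}
	return trie
}

func main() {}
```

Running the first and last policies from the description through BuildTrie gives 10.0.0.0/24 only port 8080, 10.0.0.0/16 only port 8081, and an empty (RESERVE) value for except 10.0.0.0/23.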

@ech0potato ech0potato requested a review from a team as a code owner December 12, 2024 10:04
@Pavani-Panakanti
Contributor

We have an open PR under review to fix this same issue: #344
