Documentation
Functions
func IPBlockToCIDRs
func IPBlockToCIDRs(ipBlock *networkingv1.IPBlock) []string
IPBlockToCIDRs returns an array of CIDRs corresponding to ipBlock.
To match a NetworkPolicy IPBlock with an "Except", we need to generate the OpenFlow equivalent of "nw_src=${CIDR} && nw_src!=${Except}". OVS has conjunctive matches to get the effect of "&&", but there's no way to say "!="... The only way to make this work is to rewrite
nw_src=[A-H] && nw_src!=B && nw_src!=E
as
nw_src=A || nw_src=[C-D] || nw_src=[F-H]
except that it's more complicated than that because CIDRs can only express ranges whose lengths are powers of 2. So, we call rangesForIPBlock() to generate the list "[[A-A], [C-D], [F-H]]", and then call .toRangeMasks() on each of those ranges to turn them into an equivalent list of VALUE/MASK values.
func PortRangeToPortMasks
PortRangeToPortMasks returns an array of port/mask strings corresponding to the given start and end values.
Here the problem is that we need ">=" and "<=", which OpenFlow doesn't have. So we have to figure out how to express "tp_dst >= ${START} && tp_dst <= ${END}" as a series of "tp_dst=${VALUE}/${MASK}" matches.
(The naive implementation of port range matching would be to just check tp_dst against each value from start to end, for a total of (end-start+1) rules. PortRangeToPortMasks generates the same number of rules as the naive implementation when start==end or when start is odd and end==start+1, but in all other cases it generates fewer total rules.)
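The decomposition described above, as an added example that is not the package's own implementation: it splits a port range into aligned power-of-2 blocks and then checks every port from 0 to 65535 to confirm the masks admit exactly the requested range, since an over-broad mask would silently widen a NetworkPolicy. The names portMask, portRangeMasks, matches and exact, and the hex VALUE/MASK string format, are assumptions made for this sketch.

```go
package main

import "fmt"

// portMask is one value/mask match: a port p matches when p&Mask == Value.
type portMask struct{ Value, Mask int }

func (m portMask) String() string { return fmt.Sprintf("0x%04x/0x%04x", m.Value, m.Mask) }

// portRangeMasks (hypothetical name) splits [start, end] into aligned power-of-2 blocks.
func portRangeMasks(start, end int) []portMask {
	if start < 0 || end > 0xffff || start > end {
		return nil // invalid range: emit no rules rather than a wrong one
	}
	var out []portMask
	for start <= end {
		size := start & -start // largest block that is aligned at start
		if start == 0 {
			size = 1 << 16
		}
		for size > end-start+1 { // shrink until the block stays inside the range
			size >>= 1
		}
		out = append(out, portMask{start, 0xffff &^ (size - 1)})
		start += size
	}
	return out
}

// matches reports whether any mask accepts port.
func matches(masks []portMask, port int) bool {
	for _, m := range masks {
		if port&m.Mask == m.Value {
			return true
		}
	}
	return false
}

// exact verifies the masks accept every port in [start, end] and nothing else.
func exact(masks []portMask, start, end int) bool {
	for p := 0; p <= 0xffff; p++ {
		if matches(masks, p) != (p >= start && p <= end) {
			return false
		}
	}
	return true
}

func main() {
	for _, r := range [][2]int{{80, 80}, {3, 4}, {1000, 1999}, {0, 65535}} {
		m := portRangeMasks(r[0], r[1])
		fmt.Println(r, len(m), "rules", m, "exact:", exact(m, r[0], r[1]))
	}
}
```

The ranges 80-80 and 3-4 are the two cases where the rule count equals the naive one; 1000-1999 needs 7 rules instead of 1000.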