ranges

package
v0.0.0-alpha.0....-18a57d7
Warning

This package is not in the latest version of its module.

Published: Oct 24, 2024 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func IPBlockToCIDRs

func IPBlockToCIDRs(ipBlock *networkingv1.IPBlock) []string

IPBlockToCIDRs returns an array of CIDRs corresponding to ipBlock.

To match a NetworkPolicy IPBlock with an "Except", we need to generate the OpenFlow equivalent of "nw_src=${CIDR} && nw_src!=${Except}". OVS has conjunctive matches to get the effect of "&&", but there's no way to say "!="... The only way to make this work is to rewrite

nw_src=[A-H] && nw_src!=B && nw_src!=E

as

nw_src=A || nw_src=[C-D] || nw_src=[F-H]

except that it's more complicated than that because CIDRs can only express ranges whose lengths are powers of 2. So, we call rangesForIPBlock() to generate the list "[[A-A], [C-D], [F-H]]", and then call .toRangeMasks() on each of those ranges to turn them into an equivalent list of VALUE/MASK values.

func PortRangeToPortMasks

func PortRangeToPortMasks(start, end int) []string

PortRangeToPortMasks returns an array of port/mask strings corresponding to the given start and end values.

Here the problem is that we need ">=" and "<=", which OpenFlow doesn't have. So we have to figure out how to express "tp_dst >= ${START} && tp_dst <= ${END}" as a series of "tp_dst=${VALUE}/${MASK}" matches.

(The naive implementation of port range matching would be to just check tp_dst against each value from start to end, for a total of (end-start+1) rules. PortRangeToPortMasks generates the same number of rules as the naive implementation when start==end or when start is odd and end==start+1, but in all other cases it generates fewer total rules.)
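The range-to-mask expansion described above, as an added example that is not the package's own code: it splits a port range into aligned power-of-two blocks and then checks that the resulting masks match exactly the ports in the range and no others. The names portMask, splitPortRange and coversExactly, the 0x%04x/0x%04x output format and the sample range are assumptions made for illustration.

```go
package main

import "fmt"

// portMask is one "tp_dst=VALUE/MASK" match (hypothetical type, not the package's).
type portMask struct{ Value, Mask uint16 }

func (m portMask) String() string { return fmt.Sprintf("0x%04x/0x%04x", m.Value, m.Mask) }

// splitPortRange covers [start, end] with aligned power-of-two blocks,
// each of which is expressible as a single VALUE/MASK match.
func splitPortRange(start, end int) ([]portMask, error) {
	if start < 0 || end > 65535 || start > end {
		return nil, fmt.Errorf("invalid port range %d-%d", start, end)
	}
	var out []portMask
	for cur := start; cur <= end; {
		size := 1
		// Double the block while it stays aligned at cur and inside the range.
		for cur%(size*2) == 0 && cur+size*2-1 <= end {
			size *= 2
		}
		out = append(out, portMask{uint16(cur), uint16(0xffff &^ (size - 1))})
		cur += size
	}
	return out, nil
}

// coversExactly checks every 16-bit port: ports in [start, end] must hit exactly
// one mask, ports outside must hit none (an over-wide mask would admit extra ports).
func coversExactly(masks []portMask, start, end int) bool {
	for port := 0; port <= 65535; port++ {
		hits := 0
		for _, m := range masks {
			if uint16(port)&m.Mask == m.Value {
				hits++
			}
		}
		if inRange := port >= start && port <= end; (inRange && hits != 1) || (!inRange && hits != 0) {
			return false
		}
	}
	return true
}

func main() {
	masks, _ := splitPortRange(30000, 32767) // constructed sample range
	fmt.Println(len(masks), masks, coversExactly(masks, 30000, 32767))
}
```

For the sample range 30000-32767 this yields 5 matches where the naive per-port approach needs 2768, and for 1-2 it yields 2, the same as the naive count.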

Types

This section is empty.
