in npm/pkg/controlplane/controllers/v1/translatePolicy.go [1589:1692]
// translatePolicy converts a Kubernetes NetworkPolicy into the NPM dataplane
// artifacts that enforce it: the ipset names to create, the named ports they
// reference, the list:set membership map, the ingress and egress IP CIDR
// groups, and the iptables entries (with the default-drop entries appended
// last for whichever directions the policy restricts).
//
// Direction handling depends on spec.policyTypes:
//   - empty: both ingress and egress are translated, and a direction is
//     treated as restricted (default-drop requested) only when its
//     translation produced at least one ipset;
//   - non-empty: each listed type is translated in the order given, and a
//     direction is treated as restricted unless its rules are exactly one
//     rule with no ports and no peers (the "allow everything" shape).
//
// NOTE(review): those two ways of deriving hasIngress/hasEgress are not
// obviously equivalent. For a policy with no policyTypes and an empty rule
// list, the first form depends on whether translateIngress/translateEgress
// emits a set for a rule-less direction; if it does not, no default-drop entry
// is requested even though the policy reads as deny-all. Confirm against the
// helpers. The apiserver normally defaults policyTypes, so the empty case
// should be rare, but it is the security-relevant edge.
//
// NOTE(review): policyTypes is iterated as given; a repeated type would
// translate that direction twice and append its iptables entries twice (sets,
// named ports and list members are de-duplicated below, entries are not).
// Consider skipping repeats if the apiserver can deliver them.
//
// Nested ipset list:sets are not available, so namespace selectors with several
// values are expanded into per-value rules by the direction translators; the
// de-duplication pass here collapses the resulting repeats in the set and list
// outputs. The deferred logger reports the raw (pre-de-duplication) set slice
// and the final list map.
func translatePolicy(npObj *networkingv1.NetworkPolicy) ([]string, []string, map[string][]string, [][]string, [][]string, []*iptm.IptEntry) {
	var (
		sets         []string
		namedPorts   []string
		lists        = make(map[string][]string)
		ingressCIDRs [][]string
		egressCIDRs  [][]string
		entries      []*iptm.IptEntry
		hasIngress   bool
		hasEgress    bool
	)

	defer func() {
		log.Logf("Finished translatePolicy")
		log.Logf("sets: %v", sets)
		log.Logf("lists: %v", lists)
		log.Logf("entries: ")
		for _, e := range entries {
			log.Logf("entry: %+v", e)
		}
	}()

	ns := npObj.ObjectMeta.Namespace
	name := npObj.ObjectMeta.Name
	podSelector := npObj.Spec.PodSelector

	// merge folds one direction's translation output into the shared result.
	merge := func(s, np []string, l map[string][]string, e []*iptm.IptEntry) {
		sets = append(sets, s...)
		namedPorts = append(namedPorts, np...)
		for key, members := range l {
			lists[key] = append(lists[key], members...)
		}
		entries = append(entries, e...)
	}

	// doIngress translates the ingress rules, records their CIDR groups and
	// returns the ipsets the translation produced.
	doIngress := func() []string {
		s, np, l, cidrs, e := translateIngress(ns, name, podSelector, npObj.Spec.Ingress)
		merge(s, np, l, e)
		ingressCIDRs = cidrs
		return s
	}

	// doEgress is the egress counterpart of doIngress.
	doEgress := func() []string {
		s, np, l, cidrs, e := translateEgress(ns, name, podSelector, npObj.Spec.Egress)
		merge(s, np, l, e)
		egressCIDRs = cidrs
		return s
	}

	// finish appends the default-drop entries for the restricted directions,
	// de-duplicates the set-like outputs and builds the return tuple.
	finish := func() ([]string, []string, map[string][]string, [][]string, [][]string, []*iptm.IptEntry) {
		entries = append(entries, getDefaultDropEntries(ns, podSelector, hasIngress, hasEgress)...)
		for key, members := range lists {
			lists[key] = util.UniqueStrSlice(members)
		}
		return util.UniqueStrSlice(sets), util.UniqueStrSlice(namedPorts), lists, ingressCIDRs, egressCIDRs, entries
	}

	if len(npObj.Spec.PolicyTypes) == 0 {
		// No explicit types: translate both directions and restrict a
		// direction only if its translation produced ipsets.
		hasIngress = len(doIngress()) > 0
		hasEgress = len(doEgress()) > 0
		return finish()
	}

	for _, ptype := range npObj.Spec.PolicyTypes {
		switch ptype {
		case networkingv1.PolicyTypeIngress:
			doIngress()
			// Exactly one rule with neither ports nor peers is the allow-all
			// shape: no default drop is requested for ingress in that case.
			rules := npObj.Spec.Ingress
			hasIngress = !(len(rules) == 1 && len(rules[0].Ports) == 0 && len(rules[0].From) == 0)
		case networkingv1.PolicyTypeEgress:
			doEgress()
			// Same allow-all test for egress, keyed on the To peer list.
			rules := npObj.Spec.Egress
			hasEgress = !(len(rules) == 1 && len(rules[0].Ports) == 0 && len(rules[0].To) == 0)
		}
	}
	return finish()
}