policy: Handle pass rules during enforcement#1904
Open
jrajahalme wants to merge 2 commits into
Open
Conversation
Leave enough space after the pass verdict for all the passed rules to fit in before the following rules on the same tier. This is the requirement of the current API for correct behavior. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Handle pass rules during enforcement by skipping past the passed-over rules when a rule with a pass verdict matches. This is more straightforward and gets rid of precedence promotioin altogether, which is made possible by the duplication of wildcard-port rules into the port-specific rulesets, as after that change there is no need to compare precedences between multiple lookups. Since there is no transformation on the rules, the applied rules have the same shape as the imported policy, which makes debugging easier. The implementation skips over the passed-over rules without scanning all of them so the performance should be similar to the previous implementation. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme
added
clean-up
Open
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Handle pass rules during enforcement by skipping past the passed-over
rules when a rule with a pass verdict matches. This is more
straightforward and gets rid of precedence promotion altogether, which
is made possible by the duplication of wildcard-port rules into the
port-specific rulesets, as after that change there is no need to compare
precedences between multiple lookups. Since there is no transformation on
the rules, the applied rules have the same shape as the imported policy,
which makes debugging easier. The implementation skips over the
passed-over rules without scanning all of them so the performance should
be similar to the previous implementation.