Group common sub-sequences of policies into shared iptables chains #8098
Conversation
marvin-tigera
added
release-note-required
fasaxc
force-pushed
the
policy-grouping
branch
2 times, most recently
from
bd5397a to
663aac1
Compare
fasaxc
changed the title
- Recalculate groups on seelctor change. - Embed direction in group so that we get unique groups for each direction.
fasaxc
force-pushed
the
policy-grouping
branch
from
db1c91a to
67894db
Compare
Combine ClearMark rules into one.
fasaxc
force-pushed
the
policy-grouping
branch
from
7db0210 to
0a95fd4
Compare
Various fixes.
fasaxc
force-pushed
the
policy-grouping
branch
from
0a95fd4 to
703c1cc
Compare
fasaxc
force-pushed
the
policy-grouping
branch
from
dd2b132 to
eeb4b46
Compare
Instead of refcounting blindly, trigger incref of children only when the chain itself becomes referenced. Trigger decref only for referenced chains. Only invalidate dataplane if changing a referenced chain.
fasaxc
force-pushed
the
policy-grouping
branch
from
eeb4b46 to
b360b6a
Compare
fasaxc
added
docs-not-required
fasaxc
changed the title
| @@ -244,6 +244,8 @@ message Policy { | |||
| repeated Rule outbound_rules = 2; | |||
| bool untracked = 3; | |||
| bool pre_dnat = 4; | |||
|
|
|||
| string original_selector = 6; | |||
There was a problem hiding this comment.
(Assume the numbering here is because there's an = 5 field in Enterprise.)
There was a problem hiding this comment.
5 is used above for namespace.
| } else { | ||
| break | ||
| } | ||
| } |
There was a problem hiding this comment.
It would be marginally nicer if the coding here made it clear that these rules could not be further appended to. I'm aware that that is in fact the case - by looking at where ProtoRulesToIptablesRules is used - but I wonder if it might be worth changing the signature so that this function here returns the entire &iptables.Chain?
There was a problem hiding this comment.
I coded this up but it made the tests uglier. Right now they can treat this as simple one-in-one-out function. Returning a chain means we have to pass in a chain name and then unpack the rules to test them.
| const ( | ||
| PolicyDirectionIngress PolicyDirection = "ingress" | ||
| PolicyDirectionEgress PolicyDirection = "egress" | ||
| ) |
There was a problem hiding this comment.
I'm amazed we don't have a definition like this somewhere already!
There was a problem hiding this comment.
Have changed these to match the terminology used in this package inbound/outbound
felix/rules/endpoints.go
Outdated
| @@ -254,14 +258,14 @@ func (r *DefaultRuleRenderer) HostEndpointToRawChains( | |||
|
|
|||
| func (r *DefaultRuleRenderer) HostEndpointToMangleIngressChains( | |||
| ifaceName string, | |||
| preDNATPolicyNames []string, | |||
| preDNATPolicis []*PolicyGroup, | |||
| polChainPrefix := PolicyInboundPfx | ||
| if group.Direction == PolicyDirectionEgress { | ||
| polChainPrefix = PolicyOutboundPfx | ||
| } |
There was a problem hiding this comment.
For host endpoints, are the "i" and "o" prefixes here the same way round as they currently are for policies applying to a host endpoint? (Might be a bit confusing if not.)
There was a problem hiding this comment.
Oh, and same question (albeit not specifically this bit of code) for the policy group "gi" and "go" prefixes.
There was a problem hiding this comment.
The pi and gi chains line up, as do the po and go chains. I.e. gi chains are groups of pi policies. Policy inbound/outbound aligns with the policy model direction. It's the to/from endpoint chains that are flipped between HEPs and WEPs.
| write(strconv.Itoa(len(g.PolicyNames))) | ||
| for _, name := range g.PolicyNames { | ||
| write(name) | ||
| } |
There was a problem hiding this comment.
Can you comment (and remind me) why we include tier and selector here, as well as the direction and policy names? If we had the same group in different tiers, couldn't we reuse the same group?
There was a problem hiding this comment.
- Tier: needed (in enterprise) to disambiguate tierA/policy1 vs tierB/policy1; different policies with the same policy name.
- Direction and Selector I found useful to make the object self describing.
Tier needs to be in the hash. Direction and selector aren't strictly needed in the hash (I think) but I was finding it easier to prove to myself that all bases were covered if I included them rather than try to prove tat it works without them In an earlier iteration I didn't have the gi/go prefix, so the direction was needed.
| ifaceNameToPolicyGroupChainNames map[string][]string /*chain name*/ | ||
|
|
||
| activePolicySelectors map[proto.PolicyID]string | ||
| policyChainRefCounts map[string] /*chain name*/ int |
There was a problem hiding this comment.
Worry that the separation of int here will be confusing.
| break hepLoop | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Possibly worth a common utility definition here:
tierUsesDirtyPolicy := func(t *proto.TierInfo) bool {
for _, pols := range [][]string{t.IngressPolicies, t.EgressPolicies} {
for _, p := range pols {
polID := proto.PolicyID{
Tier: t.Name,
Name: p,
}
if m.dirtyPolicyIDs.Contains(polID) {
return true
}
}
}
return false
}
| @@ -975,6 +1080,11 @@ func (m *endpointManager) updateHostEndpoints() { | |||
| } | |||
| } | |||
|
|
|||
| ifaceNameToPolicyGroups := map[string][]*rules.PolicyGroup{} | |||
There was a problem hiding this comment.
I'm not yet entirely following what this is for. Does it matter that different subsets of these groups will need to be programmed in different iptables tables?
There was a problem hiding this comment.
Oh, I see, the groups are going to be unconditionally programmed in all tables. I guess that's OK, albeit a touch inelegant.
There was a problem hiding this comment.
Ah yes, I just copied the old inelegant solution for policies. Could do a bit better here because we do know which groups go in which tables; just seemed like the number of tracking maps would explode a bit
There was a problem hiding this comment.
I would personally be fine with leaving this to a future tidy up, as this PR is already a good unit on its own.
| }], | ||
| } | ||
| groups := []*rules.PolicyGroup{group} | ||
| for _, name := range names[1:] { |
There was a problem hiding this comment.
Is names[1:] ok if names only has 1 entry?
…rojectcalico#8098) Group policies in iptables chains based on the selectors used in the policies. For example, if there are three policies in a row that use the same selector, put them in a group. - Add protobuf field for policy selector pass through from calc graph. - Add policy group calculation to endpoint manager. Does refcounting to manage shared policy group chains. - Add policy group chain rendering to rule renderer. Take advantage of extra indirection to implement pass rules more efficiently (return on pass or accept). - Make iptables reference counting recursive. Instead of refcounting blindly, trigger incref of children only when the chain itself becomes referenced. Trigger decref only for referenced chains. Only invalidate dataplane if changing a referenced chain. CORE-10015
Description
For example, if there are three policies in a row that use the same selector,
put them in a group.
Related issues/PRs
CORE-10015
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.