projectcalico · fasaxc · Dec 20, 2023 · Oct 6, 2023 · Oct 6, 2023 · Oct 9, 2023
@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -317,8 +317,9 @@ func ParsedRulesToActivePolicyUpdate(key model.PolicyKey, rules *ParsedRules) *p
 				rules.OutboundRules,
 				"pol-out-default/"+key.Name,
 			),
-			Untracked: rules.Untracked,
-			PreDnat:   rules.PreDNAT,
+			Untracked:        rules.Untracked,
+			PreDnat:          rules.PreDNAT,
+			OriginalSelector: rules.OriginalSelector,
 		},
 	}
 }

@@ -1,4 +1,4 @@
-// Copyright (c) 2017-2018 Tigera, Inc. All rights reserved.
+// Copyright (c) 2017-2023 Tigera, Inc. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -91,20 +91,22 @@ var _ = Describe("ParsedRulesToActivePolicyUpdate", func() {
 			InboundRules: []*calc.ParsedRule{
 				{Action: "Deny"},
 			},
-			PreDNAT:   true,
-			Untracked: true,
+			PreDNAT:          true,
+			Untracked:        true,
+			OriginalSelector: "all()",
 		}
 		fullyLoadedProtoRules = proto.ActivePolicyUpdate{
 			Id: &proto.PolicyID{
 				Tier: "default",
 				Name: "a-policy",
 			},
 			Policy: &proto.Policy{
-				Namespace:     "namespace",
-				InboundRules:  []*proto.Rule{{Action: "Deny"}},
-				OutboundRules: []*proto.Rule{{Action: "Allow"}},
-				Untracked:     true,
-				PreDnat:       true,
+				Namespace:        "namespace",
+				InboundRules:     []*proto.Rule{{Action: "Deny"}},
+				OutboundRules:    []*proto.Rule{{Action: "Allow"}},
+				Untracked:        true,
+				PreDnat:          true,
+				OriginalSelector: "all()",
 			},
 		}
 	)

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -11,6 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
+
 package calc
 
 import (
@@ -172,26 +173,40 @@ func NewRuleScanner() *RuleScanner {
 }
 
 func (rs *RuleScanner) OnProfileActive(key model.ProfileRulesKey, profile *model.ProfileRules) {
-	parsedRules := rs.updateRules(key, profile.InboundRules, profile.OutboundRules, false, false, "")
+	parsedRules := rs.updateRules(key, profile.InboundRules, profile.OutboundRules, false, false, "", "")
 	rs.RulesUpdateCallbacks.OnProfileActive(key, parsedRules)
 }
 
 func (rs *RuleScanner) OnProfileInactive(key model.ProfileRulesKey) {
-	rs.updateRules(key, nil, nil, false, false, "")
+	rs.updateRules(key, nil, nil, false, false, "", "")
 	rs.RulesUpdateCallbacks.OnProfileInactive(key)
 }
 
 func (rs *RuleScanner) OnPolicyActive(key model.PolicyKey, policy *model.Policy) {
-	parsedRules := rs.updateRules(key, policy.InboundRules, policy.OutboundRules, policy.DoNotTrack, policy.PreDNAT, policy.Namespace)
+	parsedRules := rs.updateRules(
+		key,
+		policy.InboundRules,
+		policy.OutboundRules,
+		policy.DoNotTrack,
+		policy.PreDNAT,
+		policy.Namespace,
+		selector.Normalise(policy.Selector),
+	)
 	rs.RulesUpdateCallbacks.OnPolicyActive(key, parsedRules)
 }
 
 func (rs *RuleScanner) OnPolicyInactive(key model.PolicyKey) {
-	rs.updateRules(key, nil, nil, false, false, "")
+	rs.updateRules(key, nil, nil, false, false, "", "")
 	rs.RulesUpdateCallbacks.OnPolicyInactive(key)
 }
 
-func (rs *RuleScanner) updateRules(key interface{}, inbound, outbound []model.Rule, untracked, preDNAT bool, origNamespace string) (parsedRules *ParsedRules) {
+func (rs *RuleScanner) updateRules(
+	key interface{},
+	inbound, outbound []model.Rule,
+	untracked, preDNAT bool,
+	origNamespace string,
+	origSelector string,
+) (parsedRules *ParsedRules) {
 	log.Debugf("Scanning rules (%v in, %v out) for key %v",
 		len(inbound), len(outbound), key)
 	// Extract all the new selectors/named ports.
@@ -219,11 +234,12 @@ func (rs *RuleScanner) updateRules(key interface{}, inbound, outbound []model.Ru
 		}
 	}
 	parsedRules = &ParsedRules{
-		Namespace:     origNamespace,
-		InboundRules:  parsedInbound,
-		OutboundRules: parsedOutbound,
-		Untracked:     untracked,
-		PreDNAT:       preDNAT,
+		Namespace:        origNamespace,
+		InboundRules:     parsedInbound,
+		OutboundRules:    parsedOutbound,
+		Untracked:        untracked,
+		PreDNAT:          preDNAT,
+		OriginalSelector: origSelector,
 	}
 
 	// Figure out which IP sets are new.
@@ -294,6 +310,8 @@ type ParsedRules struct {
 
 	// PreDNAT is true if these rules should be applied before any DNAT.
 	PreDNAT bool
+
+	OriginalSelector string
 }
 
 // ParsedRule is like a backend.model.Rule, except the selector matches and named ports are

@@ -1,4 +1,4 @@
-// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020-2023 Tigera, Inc. All rights reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -94,13 +94,15 @@ var _ = DescribeTable("RuleScanner rule conversion should generate correct Parse
 			Namespace:     "namespace",
 			InboundRules:  []model.Rule{modelRule},
 			OutboundRules: []model.Rule{},
+			Selector:      "a  ==  'A' ",
 		}
 		rs.OnPolicyActive(policyKey, policy)
 		Expect(ur.activeRules).To(Equal(map[model.Key]*ParsedRules{
 			policyKey: {
-				Namespace:     "namespace",
-				InboundRules:  []*ParsedRule{&expectedParsedRule},
-				OutboundRules: []*ParsedRule{},
+				Namespace:        "namespace",
+				InboundRules:     []*ParsedRule{&expectedParsedRule},
+				OutboundRules:    []*ParsedRule{},
+				OriginalSelector: "a == \"A\"",
 			},
 		}))
 		rs.OnPolicyInactive(policyKey)