Deleted unused original implementation code.

Changed number of expected warnings (see Issue #724

Signed-off-by: Tanya <[email protected]>

nca/CoreDS/ConnectivityProperties.py

@@ -21,29 +21,19 @@ class ConnectivityProperties(CanonicalHyperCubeSet):
  for TCP, it may be any of the dimensions from dimensions_list, except for icmp_type and icmp_code,
  for icmp data the actual used dimensions are only [src_peers, dst_peers, icmp_type, icmp_code].
 
- The usage of this class in the original solution:
- In the original solution ConnectivityProperties do not hold src_peers, dst_peers and protocols dimensions.
- First, ConnectivityProperties are built at parse time. Since peers are not a part of ConnectivityProperties,
- the named ports cannot be resolved at parse time, and so are kept in named_ports and excluded_named_ports,
- as explained below.
- Second, at the query time, ConnectivityProperties is calculated for every pair of peers, and the named ports
- are resolved. The pairs of peers and the protocols are kept in ConnectionSet class, together with
- the resulting ConnectivityProperties.
-
- The usage of this class in the optimized solution:
- In the optimized solution ConnectivityProperties potentially hold all the dimensions, including sets
- of source peers and destination peers. The connectivity properties are built at the parse time for every policy.
- The named ports are resolved during the construction, therefore in the optimized solution named_ports and
- excluded_named_ports fields are not used.
-
- The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain
- depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when
- adding more configurations. Thus, there is no unique 'all values' representation. In particular, those
- dimensions are never reduced to inactive.
- This might be a problem in comparison and inclusion operators of ConnectivityProperties. The possible solution
- may be to keep 'reference full domain value' for these dimensions (as another member in the BasePeerSet),
- and to set it to relevant values per query, and to make a special treatment of these dimensions
- in the above operators.
+ ConnectivityProperties potentially hold all the dimensions, including sets of source peers and destination peers.
+ The connectivity properties are built at the parse time for every policy.
+ The named ports are resolved during the construction, therefore in the optimized solution named_ports and
+ excluded_named_ports fields are not used.
+
+ The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain
+ depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when
+ adding more configurations. Thus, there is no unique 'all values' representation. In particular, those
+ dimensions are never reduced to inactive.
+ This might be a problem in comparison and inclusion operators of ConnectivityProperties. The possible solution
+ may be to keep 'reference full domain value' for these dimensions (as another member in the BasePeerSet),
+ and to set it to relevant values per query, and to make a special treatment of these dimensions
+ in the above operators.
 
  Also, including support for (included and excluded) named ports (relevant for dest ports only).
 
@@ -366,7 +356,7 @@ def project_on_one_dimension(self, dim_name):
  return res
 
  @staticmethod
- def _resolve_named_ports(named_ports, peer, protocols):
+ def _resolve_named_ports(named_ports, peer, protocols, used_named_ports):
  peer_named_ports = peer.get_named_ports()
  real_ports = PortSet()
  for named_port in named_ports:
@@ -379,6 +369,7 @@ def _resolve_named_ports(named_ports, peer, protocols):
  f'of the pod {peer}. Ignoring the pod')
  continue
  real_ports.add_port(real_port[0])
+ used_named_ports.add(named_port)
  return real_ports
 
  @staticmethod
@@ -389,11 +380,8 @@ def make_conn_props(conn_cube):
  If possible (i.e., in the optimized solution, when dst_peers are supported in the given cube),
  the named ports will be resolved.
 
- In the optimized solution, the resulting ConnectivityProperties should not contain named ports:
+ The resulting ConnectivityProperties should not contain named ports:
  they are substituted with corresponding port numbers, per peer
- In the original solution, the resulting ConnectivityProperties may contain named ports;
- they cannot yet be resolved, since dst peers are not provided at this stage the original solution;
- they will be resolved by convert_named_ports call during query runs.
 
  :param ConnectivityCube conn_cube: the input connectivity cube including all dimension values,
  whereas missing dimensions are represented by their default values (representing all possible values).
@@ -402,11 +390,12 @@ def make_conn_props(conn_cube):
  src_ports = conn_cube["src_ports"]
  dst_ports = conn_cube["dst_ports"]
  assert not src_ports.named_ports and not src_ports.excluded_named_ports
- if (not dst_ports.named_ports and not dst_ports.excluded_named_ports) or \
- not conn_cube.is_active_dim("dst_peers"):
- # Should not resolve named ports
+ if not dst_ports.named_ports and not dst_ports.excluded_named_ports:
+ # No named ports
  return ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube)
 
+ # Should resolve named ports
+ assert conn_cube.is_active_dim("dst_peers")
  # Initialize conn_properties
  if dst_ports.port_set:
  dst_ports_no_named_ports = PortSet()
@@ -419,15 +408,21 @@ def make_conn_props(conn_cube):
  # Resolving dst named ports
  protocols = conn_cube["protocols"]
  dst_peers = conn_cube["dst_peers"]
+ used_named_ports = set()
  for peer in dst_peers:
- real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.named_ports, peer, protocols)
+ real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.named_ports, peer, protocols,
+ used_named_ports)
  if real_ports:
  conn_cube.update({"dst_ports": real_ports, "dst_peers": PeerSet({peer})})
  conn_properties |= ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube)
- excluded_real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.excluded_named_ports, peer, protocols)
+ excluded_real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.excluded_named_ports, peer,
+ protocols, used_named_ports)
  if excluded_real_ports:
  conn_cube.update({"dst_ports": excluded_real_ports, "dst_peers": PeerSet({peer})})
  conn_properties -= ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube)
+ unresolved_named_ports = (dst_ports.named_ports.union(dst_ports.excluded_named_ports)).difference(used_named_ports)
+ if unresolved_named_ports:
+ print(f'Warning: Named ports {unresolved_named_ports} are not defined in any pod')
  return conn_properties
 
  @staticmethod

nca/CoreDS/DimensionsManager.py

@@ -13,7 +13,7 @@
 class DimensionsManager:
  """
  A singleton class to manage dimensions names and their association to type and domain.
- The dimensions are related to certain protocol's properties in ConnectionSet / ConnectivityProperties.
+ The dimensions are related to certain protocol's properties in ConnectivityProperties.
  They are used for allowed connection representation, as protocols properties, within CanonicalHyperCubeSet objects.
 
  The src_peers and dst_peers are special dimensions, they do not have constant domain.

nca/CoreDS/Peer.py

@@ -2,7 +2,6 @@
 # Copyright 2020- IBM Inc. All rights reserved
 # SPDX-License-Identifier: Apache2.0
 #
-import copy
 import ipaddress
 import re
 from ipaddress import ip_network
@@ -425,39 +424,6 @@ def _add_interval_to_list(interval, non_overlapping_interval_list):
  non_overlapping_interval_list += interval.split()
  non_overlapping_interval_list += to_add
 
- @staticmethod
- def disjoint_ip_blocks(ip_blocks1, ip_blocks2, exclude_ipv6=False):
- """
- Takes all (atomic) ip-ranges in both ip-blocks and returns a new set of ip-ranges where
- each ip-range is:
- 1. a subset of an ip-range in either ip-blocks AND
- 2. cannot be partially intersected by an ip-range in either ip-blocks AND
- 3. is maximal (extending the range to either side will violate either 1 or 2)
- :param ip_blocks1: A set of ip blocks
- :param ip_blocks2: A set of ip blocks
- :param bool exclude_ipv6: indicates if to exclude the IPv6 addresses in case the result is all_ips_block
- :return: A set of ip ranges as specified above
- :rtype: PeerSet
- """
- # deepcopy is required since add_interval_to_list() changes the 'interval' argument
- ip_blocks_set = copy.deepcopy(ip_blocks1)
- ip_blocks_set |= copy.deepcopy(ip_blocks2)
- ip_blocks = sorted(ip_blocks_set, key=IpBlock.ip_count)
-
- # making sure the resulting list does not contain overlapping ipBlocks
- blocks_with_no_overlap = []
- for interval in ip_blocks:
- IpBlock._add_interval_to_list(interval, blocks_with_no_overlap)
-
- res = PeerSet()
- for ip_block in blocks_with_no_overlap:
- res.add(ip_block)
-
- if not res:
- res.add(IpBlock.get_all_ips_block(exclude_ipv6))
-
- return res
-
  def is_ipv4_block(self):
  """
  checks whether self IpBlock includes only IPv4 addresses

nca/CoreDS/ProtocolSet.py

@@ -13,6 +13,8 @@ class ProtocolSet(CanonicalIntervalSet):
  """
  min_protocol_num = 0
  max_protocol_num = 255
+ port_supporting_protocols = {6, 17, 132}
+ icmp_protocols = {1, 58}
 
  def __init__(self, all_protocols=False):
  """
@@ -148,3 +150,27 @@ def copy(self):
  for interval in self.interval_set:
  new_copy.interval_set.append(interval.copy())
  return new_copy
+
+ @staticmethod
+ def protocol_supports_ports(protocol):
+ """
+ :param protocol: Protocol number or name
+ :return: Whether the given protocol has ports
+ :rtype: bool
+ """
+ prot = protocol
+ if isinstance(protocol, str):
+ prot = ProtocolNameResolver.get_protocol_number(protocol)
+ return prot in ProtocolSet.port_supporting_protocols
+
+ @staticmethod
+ def protocol_is_icmp(protocol):
+ """
+ :param protocol: Protocol number or name
+ :return: Whether the protocol is icmp or icmpv6
+ :rtype: bool
+ """
+ prot = protocol
+ if isinstance(protocol, str):
+ prot = ProtocolNameResolver.get_protocol_number(protocol)
+ return prot in ProtocolSet.icmp_protocols

nca/FWRules/MinimizeBasic.py

@@ -130,7 +130,7 @@ def get_connection_set_and_peers_from_cube(the_cube, peer_container,
  if has_active_dim:
  conns.add_connections(protocol, props)
  else:
- if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol):
+ if ProtocolSet.protocol_supports_ports(protocol) or ProtocolSet.protocol_is_icmp(protocol):
  conns.add_connections(protocol, props)
  else:
  conns.add_connections(protocol, True)