1 change: 1 addition & 0 deletions cmd/kube-network-policies/iptracker/main.go
Expand Up @@ -123,6 +123,7 @@ func run() int {
FailOpen: opts.FailOpen,
QueueID: opts.QueueID,
NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
StrictMode: opts.StrictMode,
}

var config *rest.Config
1 change: 1 addition & 0 deletions cmd/kube-network-policies/npa-v1alpha2/main.go
Expand Up @@ -83,6 +83,7 @@ func run() int {
FailOpen: opts.FailOpen,
QueueID: opts.QueueID,
NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
StrictMode: opts.StrictMode,
}

var config *rest.Config
1 change: 1 addition & 0 deletions cmd/kube-network-policies/standard/main.go
Expand Up @@ -78,6 +78,7 @@ func run() int {
FailOpen: opts.FailOpen,
QueueID: opts.QueueID,
NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
StrictMode: opts.StrictMode,
}

var config *rest.Config
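--- a/examples/accept-ingress.yaml
+++ b/examples/accept-ingress.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-ingress
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  policyTypes:
+  - Ingress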
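Review bot: The manifest has no comment stating what it opens: with `podSelector: {}` and a single empty ingress rule, `allow-all-ingress` admits traffic from any source to every pod in the namespace it is applied to, which is the opposite of the `deny-all.yaml` example added in the same commit, and because NetworkPolicies are additive, applying both leaves ingress fully open. A one-line header such as `# Allows ingress from any source to all pods in the namespace; when applied together with deny-all.yaml, ingress is fully open again` would keep someone from copying it into a cluster as a template without noticing.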
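--- a/examples/deny-all.yaml
+++ b/examples/deny-all.yaml
@@ -0,0 +1,9 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  - Egress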
7 changes: 5 additions & 2 deletions go.mod
Expand Up @@ -5,12 +5,12 @@ go 1.24.3
require (
github.com/armon/go-radix v1.0.0
github.com/containerd/nri v0.10.0
github.com/florianl/go-nfqueue v1.3.2
github.com/florianl/go-nfqueue/v2 v2.0.0
github.com/google/go-cmp v0.7.0
github.com/google/nftables v0.3.0
github.com/mdlayher/netlink v1.8.0
github.com/prometheus/client_golang v1.23.2
github.com/vishvananda/netlink v1.3.1
github.com/vishvananda/netlink v1.3.2-0.20251022194116-03b8f90390d9
github.com/vishvananda/netns v0.0.5
go.etcd.io/bbolt v1.4.3
go.etcd.io/etcd/api/v3 v3.6.5
Expand Down Expand Up @@ -118,3 +118,6 @@ require (
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
sigs.k8s.io/yaml v1.6.0 // indirect
)

// TODO: remove once https://github.com/florianl/go-nfqueue/pull/70 is merged
replace github.com/florianl/go-nfqueue/v2 => github.com/aojea/go-nfqueue/v2 v2.0.1
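Review bot: The new `replace github.com/florianl/go-nfqueue/v2 => github.com/aojea/go-nfqueue/v2 v2.0.1` directive redirects the library that hands raw netfilter-queue packets to this dataplane to a fork under a personal account, so the module's supply chain depends on that account until the referenced upstream PR lands; the go.sum hash pins the contents, but the TODO should record what the fork is needed for so the person who later drops the replace can verify the upstream release has it, e.g. `// TODO: remove once https://github.com/florianl/go-nfqueue/pull/70 is merged (fork needed for: <describe the change>)`. The go.sum in this commit also gains `github.com/aojea/netlink v1.1.1-0.20251021162304-66082cc4caa7` entries while the visible go.mod hunks only require `github.com/vishvananda/netlink v1.3.2-0.20251022194116-03b8f90390d9`; if no replace for netlink exists outside the shown hunks, those entries look like leftovers that a `go mod tidy` run would remove. The `require` block continues outside the hunk.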
30 changes: 6 additions & 24 deletions go.sum
@@ -1,3 +1,7 @@
github.com/aojea/go-nfqueue/v2 v2.0.1 h1:quJb28QwOUhxert5BokiaYKUCUFnXTpfTek3C5zdtSg=
github.com/aojea/go-nfqueue/v2 v2.0.1/go.mod h1:VA09+iPOT43OMoCKNfXHyzujQUty2xmzyCRkBOlmabc=
github.com/aojea/netlink v1.1.1-0.20251021162304-66082cc4caa7 h1:axAKcfEIPNc9L1GhKlYxJPMGxGnudsqgm116l8+sqjQ=
github.com/aojea/netlink v1.1.1-0.20251021162304-66082cc4caa7/go.mod h1:lEui7SPMd9fgxzHVGRAvTxsBGCF6PRH81o2kLWLWHgw=
github.com/armon/go-radix v1.0.0 h1:F4z6KzEeeQIMeLFa97iZU6vupzoecKdU5TX24SNppXI=
github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
Expand Down Expand Up @@ -29,8 +33,6 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/florianl/go-nfqueue v1.3.2 h1:8DPzhKJHywpHJAE/4ktgcqveCL7qmMLsEsVD68C4x4I=
github.com/florianl/go-nfqueue v1.3.2/go.mod h1:eSnAor2YCfMCVYrVNEhkLGN/r1L+J4uDjc0EUy0tfq4=
github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
Expand Down Expand Up @@ -59,8 +61,6 @@ github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
Expand All @@ -84,7 +84,6 @@ github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbd
github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
Expand All @@ -101,10 +100,8 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
github.com/mdlayher/netlink v1.6.0/go.mod h1:0o3PlBmGst1xve7wQ7j/hwpNaFaH4qCRyWCdcZk8/vA=
github.com/mdlayher/netlink v1.8.0 h1:e7XNIYJKD7hUct3Px04RuIGJbBxy1/c4nX7D5YyvvlM=
github.com/mdlayher/netlink v1.8.0/go.mod h1:UhgKXUlDQhzb09DrCl2GuRNEglHmhYoWAHid9HK3594=
github.com/mdlayher/socket v0.1.1/go.mod h1:mYV5YIZAfHh4dzDVzI8x8tWLWCliuX8Mon5Awbj+qDs=
github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
Expand Down Expand Up @@ -156,8 +153,8 @@ github.com/tetratelabs/wazero v1.9.0 h1:IcZ56OuxrtaEz8UYNRHBrUa9bYeX9oVY93KspZZB
github.com/tetratelabs/wazero v1.9.0/go.mod h1:TSbcXCfFP0L2FGkRPxHphadXPjo1T6W+CseNNY7EkjM=
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802 h1:uruHq4dN7GR16kFc5fp3d1RIYzJW5onx8Ybykw2YQFA=
github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
github.com/vishvananda/netlink v1.3.2-0.20251022194116-03b8f90390d9 h1:Rvo2TKn0ziU4PtKcmGfBJrjmfhFex2SBsothV8eShVE=
github.com/vishvananda/netlink v1.3.2-0.20251022194116-03b8f90390d9/go.mod h1:lEui7SPMd9fgxzHVGRAvTxsBGCF6PRH81o2kLWLWHgw=
github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
github.com/vishvananda/netns v0.0.5/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
Expand Down Expand Up @@ -222,40 +219,25 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q=
golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k=
golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM=
golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
2 changes: 2 additions & 0 deletions pkg/cmd/cmd.go
Expand Up @@ -25,6 +25,7 @@ type Options struct {
HostnameOverride string
NetfilterBug1766Fix bool
DisableNRI bool
StrictMode bool
}

// NewOptions creates a new Options object with default values.
Expand All @@ -41,6 +42,7 @@ func (o *Options) AddFlags(fs *flag.FlagSet) {
fs.StringVar(&o.HostnameOverride, "hostname-override", "", "If non-empty, will be used as the name of the Node that kube-network-policies is running on. If unset, the node name is assumed to be the same as the node's hostname.")
fs.BoolVar(&o.NetfilterBug1766Fix, "netfilter-bug-1766-fix", true, "If set, process DNS packets on the PREROUTING hooks to avoid the race condition on the conntrack subsystem, not needed for kernels 6.12+ (see https://bugzilla.netfilter.org/show_bug.cgi?id=1766)")
fs.BoolVar(&o.DisableNRI, "disable-nri", false, "If set, disable NRI, that is used to get the Pod IP information directly from the runtime to avoid the race explained in https://issues.k8s.io/85966")
fs.BoolVar(&o.StrictMode, "strict-mode", true, "If set, changes to network policies also affect established connections")

fs.Usage = func() {
fmt.Fprint(os.Stderr, "Usage: kube-network-policies [options]\n\n")
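Review bot: The `--strict-mode` help text on the new `fs.BoolVar` line describes only the enabled state, and since the flag defaults to true, operators upgrading will have already-established connections affected by policy changes without the help output telling them what turning it off does. Suggest `fs.BoolVar(&o.StrictMode, "strict-mode", true, "If set, changes to network policies are also enforced on already-established connections; if unset, existing connections are presumably left alone until they terminate")`, replacing the hedge with the actual behaviour of the non-strict path. The new `StrictMode bool` field in `Options` would benefit from the same one-line comment, although the neighbouring fields are undocumented too. `AddFlags` starts and ends outside the hunk.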
125 changes: 125 additions & 0 deletions pkg/dataplane/conntrack.go
@@ -0,0 +1,125 @@
package dataplane

import (
"encoding/binary"

"github.com/vishvananda/netlink"
"golang.org/x/sys/unix"
v1 "k8s.io/api/core/v1"
"k8s.io/klog/v2"
"sigs.k8s.io/kube-network-policies/pkg/network"
)

var (
mapIPFamilyToString = map[uint8]v1.IPFamily{
unix.AF_INET: v1.IPv4Protocol,
unix.AF_INET6: v1.IPv6Protocol,
}
mapProtocolToString = map[uint8]v1.Protocol{
unix.IPPROTO_TCP: v1.ProtocolTCP,
unix.IPPROTO_UDP: v1.ProtocolUDP,
unix.IPPROTO_SCTP: v1.ProtocolSCTP,
}
)

func PacketFromFlow(flow *netlink.ConntrackFlow) *network.Packet {
if flow == nil {
return nil
}
packet := network.Packet{
SrcIP: flow.Forward.SrcIP,
DstIP: flow.Reverse.SrcIP,
SrcPort: int(flow.Forward.SrcPort),
DstPort: int(flow.Reverse.SrcPort),
}

if family, ok := mapIPFamilyToString[flow.FamilyType]; ok {
packet.Family = family
} else {
klog.InfoS("Unknown IP family", "family", flow.FamilyType, "flow", flow)
return nil
}

if protocol, ok := mapProtocolToString[flow.Forward.Protocol]; ok {
packet.Proto = protocol
} else {
klog.InfoS("Unknown protocol", "protocol", flow.Forward.Protocol, "flow", flow)
return nil
}

return &packet
}

// generateLabelMask converts an integer (bit index 0-127) into a 16-byte
// slice ([]byte) representing the 128-bit mask. If the bit index is out of range,
// it returns a 16-byte slice of all zeros. It expects bit index to be in the range 0-127.
func generateLabelMask(bitIndex int) []byte {
if bitIndex < 0 || bitIndex > 127 {
return make([]byte, 16)
}
// word64Index 0: Bits 0-63 (LSW 64 bits)
// word64Index 1: Bits 64-127 (MSW 64 bits)
word64Index := bitIndex / 64
bitPos := uint(bitIndex % 64)
mask := uint64(1) << bitPos

result := make([]byte, 16)


could do this at the top and then you'd be able to return result in the error case.
(EDIT: like in clearLabelBit!)

if word64Index == 1 {
// Bit is in the MSW (96-127), serialize the mask into the first 8 bytes.
binary.BigEndian.PutUint64(result[0:], mask)
} else {
// Bit is in the LSW (0-63), serialize the mask into the last 8 bytes.
binary.BigEndian.PutUint64(result[8:], mask)
}


You don't need to use uint64s here...

byteIndex := bitIndex / 8
bitPos := uint(bitIndex % 8)
mask := uint8(1) << bitPos
result[byteIndex] = mask


that gives me the returned value in reverse order; I think it is the opposite "endianness"

 /usr/local/google/home/aojea/src/kube-network-policies/pkg/dataplane/conntrack_test.go:76: generateLabelMask() for index 10:
         Got:  00040000000000000000000000000000
         Want: 00000000000000000000000000000400
=== RUN   TestGenerateLabelMask/Bit_126_(MSW)
    /usr/local/google/home/aojea/src/kube-network-policies/pkg/dataplane/conntrack_test.go:76: generateLabelMask() for index 126:
         Got:  00000000000000000000000000000040
         Want: 40000000000000000000000000000000


return result
}

// clearLabelBit clears a specific bit in a 16-byte label array and returns a new array.
func clearLabelBit(currentLabel []byte, bitIndex int) []byte {
newLabel := make([]byte, 16)
if len(currentLabel) != 16 {
return newLabel
}

copy(newLabel, currentLabel)

if bitIndex < 0 || bitIndex > 127 {
return newLabel
}

// Determine which 64-bit word the bit falls into.
// word64Index 0: Bits 0-63 (LSW)
// word64Index 1: Bits 64-127 (MSW)
word64Index := bitIndex / 64

// Determine the bit position within that 64-bit word (0-63).
bitPos := uint(bitIndex % 64)

// Create the 64-bit mask for clearing.
// ^(1 << bitPos) results in a mask that is all 1s except for a single 0 at the target bitPos.
zeroMask := ^(uint64(1) << bitPos)

// The 16-byte array is Big-Endian: MSW (first 8 bytes), LSW (last 8 bytes).
var targetStartIndex int

if word64Index == 1 {
// Bit is in the MSW (Bits 64-127), located in the first 8 bytes.
targetStartIndex = 0
} else {
// Bit is in the LSW (Bits 0-63), located in the last 8 bytes.
targetStartIndex = 8
}

// 3. Extract the target 64-bit word from the new array.
currentWord := binary.BigEndian.Uint64(newLabel[targetStartIndex:])

// 4. Apply the AND operation: currentWord &= zeroMask.
// This clears the single bit while preserving all others in the word.
newWord := currentWord & zeroMask

// 5. Write the modified 64-bit word back into the new array.
binary.BigEndian.PutUint64(newLabel[targetStartIndex:], newWord)


byteIndex := bitIndex / 8
bitPos := uint(bitIndex % 8)
mask := uint8(1) << bitPos
newLabel[byteIndex] ^&= mask


return newLabel
}
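Review bot: `PacketFromFlow` logs every flow whose protocol is not in `mapProtocolToString` with `klog.InfoS`, and that map has no entry for ICMP or ICMPv6, so if the caller (outside this file) feeds it every conntrack flow, a node that sees ping or other non-listed traffic emits one Info line per flow including the whole flow struct, which is a log-volume problem; both branches should use a verbose level, e.g. `klog.V(4).InfoS("Unknown protocol", "protocol", flow.Forward.Protocol, "flow", flow)`. The exported `PacketFromFlow` has no doc comment; it should state that it returns nil for a nil flow and for unknown-family and unknown-protocol flows, and explain why the destination is taken from `flow.Reverse.SrcIP`/`flow.Reverse.SrcPort` rather than the forward tuple (presumably to observe the post-NAT destination, which is worth confirming and recording). The comment above `binary.BigEndian.PutUint64(result[0:], mask)` says `MSW (96-127)`, but `word64Index == 1` covers bits 64-127 as the function's own docstring and `clearLabelBit` state. `mapIPFamilyToString` and `mapProtocolToString` yield `v1.IPFamily` and `v1.Protocol` values, not strings, so the names mislead.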