Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

529 explain return path #627

Merged
merged 200 commits into from
Jun 24, 2024
Merged

529 explain return path #627

merged 200 commits into from
Jun 24, 2024

Conversation

ShiriMoran
Copy link
Contributor

No description provided.

ShiriMoran added 30 commits May 27, 2024 12:11
@ShiriMoran
clarified comment
8677704
@ShiriMoran
clarified comment
bfc0a4d
@ShiriMoran
added new structs and todos
f638b28
@ShiriMoran
renaming towards refactoring
df17381
@ShiriMoran
minor refactoring
79ee2ed
@ShiriMoran
minor refactoring
1b59966
@ShiriMoran
implemented computeAllowedStatefulConnections to replace computeAllow…
8d59bdd 
…edStatefulConnectionsOld
@ShiriMoran
new structs refactor
ff9c768
@ShiriMoran
printing functions for the new structs
e7fe4b9
@ShiriMoran
fix bug
c0f0c32
@ShiriMoran
grouping using new structs
7bfae63
@ShiriMoran
remove debug print
0f48c3d
@ShiriMoran
added todo
1811764
@ShiriMoran
minor refactor
a60ebf0
@ShiriMoran
working tests
129b8d1
@ShiriMoran
added todos
7d8c7f8
@ShiriMoran
issues on loadBalancer understood and documented
962fa69
@ShiriMoran
refactoring debug format (1)
0b893ff
@ShiriMoran
todo
4d7681d
@ShiriMoran
json format uses new struct; SplitAllowedConnsToUnidirectionalAndBidi…
bbe4e40 
…rectional no longer needed
@ShiriMoran
debug format uses new struct
fa07330
@ShiriMoran
AllowedConnsCombinedStateful no longer used
965f9eb
@ShiriMoran
Added AllowedConnsCombinedStateful, its computation and using it for …
09ce513 
…grouping
@ShiriMoran
json format for subnets uses new structs
f485708
@ShiriMoran
now hasStatelessConns can use the new struct
7829f22
@ShiriMoran
now ConnLabel can use the new struct and grouping's old groupedCommon…
19f9c6f 
…Properties.conn is no longer required for report endpoints and report subnets
@ShiriMoran
func (connectivityMap GeneralConnectivityMap) getCombinedConnsStr() s…
48e252d 
…tring no longer needed
@ShiriMoran
transforming grouping_test.go
67886c8
@ShiriMoran
transforming grouping_test.go
16d8653
@ShiriMoran
transforming grouping_test.go
c1d3ec9
haim-kermany
haim-kermany previously approved these changes Jun 17, 2024
View reviewed changes
@adisos
Copy link
Collaborator

adisos commented Jun 18, 2024

@ShiriMoran please add the issue referred to this PR, and a short description of this PR.

adisos
adisos requested changes Jun 18, 2024
View reviewed changes
Copy link
Collaborator

@adisos adisos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

few initial comments

pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt Outdated
====================================================================

Allowed connections from vsi3a-ky[10.240.30.5] to vsi1-ky[10.240.10.4]: All Connections
TCP respond is enabled on protocol: TCP src-ports: 1-50 dst-ports: 1-600
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
TCP respond is enabled on protocol: TCP src-ports: 1-50 dst-ports: 1-600
TCP response is enabled on protocol: TCP src-ports: 1-50 dst-ports: 1-600

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt Outdated
security group sg1-ky allows connection with the following allow rules
index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0

TCP respond partly enabled by the following rules:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
TCP respond partly enabled by the following rules:
TCP response partly enabled by the following rules:

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there a test example where TCP response is not enabled at all? what is the output in such case?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you add a link to the output file for this test?
do you specify by which NACL it is blocked?

Copy link
Contributor Author

@ShiriMoran ShiriMoran Jun 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here
The blocking NACL + rules are specified in debug ("Verbose") mode.

Not sure we want to add a blocking path. In most cases it is redundant and having such a path only in a small subset of the cases may be confusing. Lets discuss.

@ShiriMoran
Copy link
Contributor Author

ShiriMoran commented Jun 18, 2024
edited
Loading

@ShiriMoran please add the issue referred to this PR, and a short description of this PR

Resolves #529 - adds responsive details in explainability

@adisos
Copy link
Collaborator

adisos commented Jun 18, 2024

@ShiriMoran please add the issue referred to this PR, and a short description of this PR

Resolve #529 - adds responsive details in explainability

If this issue should be closed with this PR, it should also be linked to this PR.

@ShiriMoran ShiriMoran linked an issue Jun 18, 2024 that may be closed by this pull request
Explainability: add return path details for TCP connectivity #529
Closed
adisos
adisos requested changes Jun 24, 2024
View reviewed changes
pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please add a variation of this test, where both rules from src-to-dst and rules from dst-to-src add constraints on permitted TCP ports , so intersection is validated from all ingress&egress rules of both directions.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

forgot to push?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pushed now

pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt Outdated

Details:
~~~~~~~~
Path enabled by the following rules:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Path enabled by the following rules:
Path is enabled by the following rules:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

pkg/ibmvpc/examples/out/explain_out/PartialTCPRespond_all_vpcs_explain_debug.txt Outdated
security group sg1-ky allows connection with the following allow rules
index: 4, direction: inbound, conns: protocol: all, remote: sg3-ky (10.240.30.5/32,10.240.30.6/32), local: 0.0.0.0/0

TCP response partly enabled by the following rules:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
TCP response partly enabled by the following rules:
TCP response is partly enabled by the following rules:

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@ShiriMoran ShiriMoran merged commit a8faa5b into main Jun 24, 2024
4 checks passed
@ShiriMoran ShiriMoran deleted the 529_explain_return_path branch June 24, 2024 12:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adisos adisos adisos approved these changes

@haim-kermany haim-kermany haim-kermany left review comments

Assignees
No one assigned
Labels
size/XXL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Explainability: add return path details for TCP connectivity
3 participants
@ShiriMoran @adisos @haim-kermany