Named_ports warnings are no longer counted in config findings #724
tanyaveksler added a commit that referenced this issue May 7, 2024
Changed number of expected warnings (see Issue #724 Signed-off-by: Tanya <[email protected]>
tanyaveksler added a commit that referenced this issue Jun 9, 2024
* Initial implementation of building and minimizing fw-rules directly from connectivity properties. Signed-off-by: Tanya <[email protected]>
* Fixed lint errors. Signed-off-by: Tanya <[email protected]>
* Updating (some of) expected results for explainability queries, according to more condensed optimized output. Signed-off-by: Tanya <[email protected]>
* Fixed converting fw-rules to connectivity properties, while taking into account TCP/non-TCP protocol restriction. Signed-off-by: Tanya <[email protected]>
* Optimized handling IpBlocks in optimized fw-rules minimization Signed-off-by: Tanya <[email protected]>
* Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya <[email protected]>
* Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya <[email protected]>
* More optimization in calculation partial ns grouping. Signed-off-by: Tanya <[email protected]>
* Fixed lint error Signed-off-by: Tanya <[email protected]>
* Refining basic namespace grouping by finding more opportunities to use properties in containing connections. Signed-off-by: Tanya <[email protected]>
* One more refinement of basic namespace grouping Signed-off-by: Tanya <[email protected]>
* One more refinement of basic namespace grouping Signed-off-by: Tanya <[email protected]>
* More refinements of peer grouping from properties Signed-off-by: Tanya <[email protected]>
* More refinements of peer grouping from properties Signed-off-by: Tanya <[email protected]>
* More refinements of peer grouping from properties Signed-off-by: Tanya <[email protected]>
* Added outputEndpoints option handling to PeerSetElement. Refined ns-set pairs grouping computation -trying starting from src_peers and from dst_peers and choosing a more compact grouping. Added grouping by full IpBlock. Signed-off-by: Tanya <[email protected]>
* Fixing lint errors. Signed-off-by: Tanya <[email protected]>
* Fixing handling txt-no_fw_rules format in the optimized solution Signed-off-by: Tanya <[email protected]>
* Fixing lint error Signed-off-by: Tanya <[email protected]>
* Fix: taking into account connectivity restriction (TCP/non-TCP) in generation of dot output in optimized solution Signed-off-by: Tanya <[email protected]>
* Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya <[email protected]>
* Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya <[email protected]>
* Added grouping by dns entries to the optimized algorithm. Signed-off-by: Tanya <[email protected]>
* Changed expected results of connectivity map query tests according to optimized runs Signed-off-by: Tanya <[email protected]>
* Changed optimized semantic diff query implementation according to the optimized fw-rules minimization algorithm. Fixed get_connection_set_and_peers_from_cube. Changed some of the expected results of semantic diff tests. Signed-off-by: Tanya <[email protected]>
* Keeping every dns entry separate in minimization of fw rules. Updated more semantic diff expected results. Signed-off-by: Tanya <[email protected]>
* Updated containment, permits, forbids expected results. Signed-off-by: Tanya <[email protected]>
* Cleaning up unused code and refactoring accordingly. Signed-off-by: Tanya <[email protected]>
* Fixed lint error. Signed-off-by: Tanya <[email protected]>
* Changed default to be the optimized run. Signed-off-by: Tanya <[email protected]>
* In opt='debug' the result explanation should be according to the optimized run. Signed-off-by: Tanya <[email protected]>
* Restoring resource in scheme, changed by mistake. Signed-off-by: Tanya <[email protected]>
* Updating more expected results. Signed-off-by: Tanya <[email protected]>
* Small optimizations. Signed-off-by: Tanya <[email protected]>
* Initial implementation of building and minimizing fw-rules directly from connectivity properties. Signed-off-by: Tanya <[email protected]>
* Fixed lint errors. Signed-off-by: Tanya <[email protected]>
* Updating (some of) expected results for explainability queries, according to more condensed optimized output. Signed-off-by: Tanya <[email protected]>
* Fixed converting fw-rules to connectivity properties, while taking into account TCP/non-TCP protocol restriction. Signed-off-by: Tanya <[email protected]>
* Optimized handling IpBlocks in optimized fw-rules minimization Signed-off-by: Tanya <[email protected]>
* Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya <[email protected]>
* Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya <[email protected]>
* More optimization in calculation partial ns grouping. Signed-off-by: Tanya <[email protected]>
* Fixed lint error Signed-off-by: Tanya <[email protected]>
* Refining basic namespace grouping by finding more opportunities to use properties in containing connections. Signed-off-by: Tanya <[email protected]>
* One more refinement of basic namespace grouping Signed-off-by: Tanya <[email protected]>
* One more refinement of basic namespace grouping Signed-off-by: Tanya <[email protected]>
* More refinements of peer grouping from properties Signed-off-by: Tanya <[email protected]>
* More refinements of peer grouping from properties Signed-off-by: Tanya <[email protected]>
* More refinements of peer grouping from properties Signed-off-by: Tanya <[email protected]>
* Added outputEndpoints option handling to PeerSetElement. Refined ns-set pairs grouping computation -trying starting from src_peers and from dst_peers and choosing a more compact grouping. Added grouping by full IpBlock. Signed-off-by: Tanya <[email protected]>
* Fixing lint errors. Signed-off-by: Tanya <[email protected]>
* Fixing handling txt-no_fw_rules format in the optimized solution Signed-off-by: Tanya <[email protected]>
* Fixing lint error Signed-off-by: Tanya <[email protected]>
* Fix: taking into account connectivity restriction (TCP/non-TCP) in generation of dot output in optimized solution Signed-off-by: Tanya <[email protected]>
* Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya <[email protected]>
* Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya <[email protected]>
* Added grouping by dns entries to the optimized algorithm. Signed-off-by: Tanya <[email protected]>
* Changed expected results of connectivity map query tests according to optimized runs Signed-off-by: Tanya <[email protected]>
* Changed optimized semantic diff query implementation according to the optimized fw-rules minimization algorithm. Fixed get_connection_set_and_peers_from_cube. Changed some of the expected results of semantic diff tests. Signed-off-by: Tanya <[email protected]>
* Keeping every dns entry separate in minimization of fw rules. Updated more semantic diff expected results. Signed-off-by: Tanya <[email protected]>
* Updated containment, permits, forbids expected results. Signed-off-by: Tanya <[email protected]>
* Cleaning up unused code and refactoring accordingly. Signed-off-by: Tanya <[email protected]>
* Fixed lint error. Signed-off-by: Tanya <[email protected]>
* Changed default to be the optimized run. Signed-off-by: Tanya <[email protected]>
* In opt='debug' the result explanation should be according to the optimized run. Signed-off-by: Tanya <[email protected]>
* Restoring resource in scheme, changed by mistake. Signed-off-by: Tanya <[email protected]>
* Updating more expected results. Signed-off-by: Tanya <[email protected]>
* Small optimizations. Signed-off-by: Tanya <[email protected]>
* Small optimizations. Signed-off-by: Tanya <[email protected]>
* Removed disjoint_ip_blocks from optimized solution Signed-off-by: Tanya <[email protected]>
* Optimization: adding auto-connections to covered_peer_props (in fw-rules minimization) only if the number of peers is not too high, to avoid long run of these auto-connections calculation. Signed-off-by: Tanya <[email protected]>
* Optimization: adding resources to global resource/namespace/pod list in test schemes (instead of putting them only in configurations), to avoid trying to load resources from live cluster, which is time-consuming. Signed-off-by: Tanya <[email protected]>
* Deleted unused original implementation code. Changed number of expected warnings (see Issue #724 Signed-off-by: Tanya <[email protected]>
* Further refining code by deleting unused original implementation code. Signed-off-by: Tanya <[email protected]>
* Removed usage of ConnectionSet. Signed-off-by: Tanya <[email protected]>
* Fixed lint errors. Fixed small error. Signed-off-by: Tanya <[email protected]>
* Fixed sorting ConnectivityProperties (making stable sort) Consequently, fixed expected results Signed-off-by: Tanya <[email protected]>
* Fixed handling TCP / non-TCP connections output. Signed-off-by: Tanya <[email protected]>
* More fixed expected results. Signed-off-by: Tanya <[email protected]>
* More fixed expected results. Small fix in printing TCP connections in dot format. Signed-off-by: Tanya <[email protected]>
* Added some doc Signed-off-by: Tanya <[email protected]>
* Removed no longer used named_ports and excluded_named_ports in ConnectivityProperties. Removed outdated unit tests. Signed-off-by: Tanya <[email protected]>
* Small fixes Signed-off-by: Tanya <[email protected]>
* Updates of some more expected results. Removed --optimized_run flag. Removed ConnectionSet class. Signed-off-by: Tanya <[email protected]>
* Fixed lint errors. Removed original-to-optimized-comparison workflows from test-push. Signed-off-by: Tanya <[email protected]>
* Small fix. Signed-off-by: Tanya <[email protected]>
* Small fix. Signed-off-by: Tanya <[email protected]>
* Some more refactoring of FWRule minimization code. Signed-off-by: Tanya <[email protected]>
* Fixed lint error. Signed-off-by: Tanya <[email protected]>
---------
Signed-off-by: Tanya <[email protected]>
Moved to NP-Guard repo. See here
Named_ports are now resolved in ConnectivityProperties::make_conn_props during building policies. ConnectivityProperties do not have access to the policy object. Therefore, all warnings related to named_ports resolution are printed but not counted in policy findings.
Currently, changed the expected warnings number in relevant scheme files, to make the tests pass.
Consider the possibility of adding the mechanism of warning counting to ConnectivityProperties.
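One way the warning-counting mechanism suggested in the issue could work, shown as an added example that is not the project's code: the resolution step receives a warning collector from its caller, so it needs no reference to the policy object, yet every warning it prints is also counted in the findings. All names here (WarningSink, resolve_named_port, build_policy_findings) and the sample pods and rules are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class WarningSink:
    """Hypothetical collector: prints each warning and keeps it for counting."""
    messages: list = field(default_factory=list)

    def warn(self, msg):
        print(f"Warning: {msg}")
        self.messages.append(msg)

    @property
    def count(self):
        return len(self.messages)


def resolve_named_port(port_name, dst_pods, sink):
    """Map a named port to (protocol, number) pairs using each destination
    pod's declared ports; report pods that do not define the name."""
    resolved = set()
    for pod_name, named_ports in sorted(dst_pods.items()):
        if port_name in named_ports:
            resolved.add(named_ports[port_name])
        else:
            sink.warn(f"named port '{port_name}' is not defined in pod {pod_name}")
    return resolved


def build_policy_findings(rules, dst_pods):
    """Hypothetical policy builder: it owns the sink, so the resolution code
    stays independent of the policy while findings include its warnings."""
    sink = WarningSink()
    allowed = {}
    for rule_name, port_name in rules:
        allowed[rule_name] = resolve_named_port(port_name, dst_pods, sink)
    return {"allowed_ports": allowed, "warnings": sink.count, "messages": sink.messages}


# Constructed sample input: pod name -> {port name: (protocol, number)}
SAMPLE_PODS = {
    "frontend": {"http": ("TCP", 8080)},
    "backend": {"http": ("TCP", 80), "metrics": ("TCP", 9090)},
}
SAMPLE_RULES = [("allow-http", "http"), ("allow-metrics", "metrics"), ("allow-dns", "dns")]

if __name__ == "__main__":
    print(build_policy_findings(SAMPLE_RULES, SAMPLE_PODS))
```
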