conntrack: allow to filter by subnet #627
Conversation
|
/assign @dcbw @danwinship |
conntrack_linux.go
Outdated
| // AddIP adds an IP to the conntrack filter | ||
| func (f *ConntrackFilter) AddIP(tp ConntrackFilterType, ip net.IP) error { | ||
| // Convert IP to a subnet with a full mask | ||
| iplen := 8 * len(ip) |
There was a problem hiding this comment.
@aojea can you explain a bit more what you're doing here? THere's gotta be something we can do that I can understand in 2 minutes of looking at it. Also, we're not To4() or To16() canonicalizing anything here; does the Contains() down below handle that automatically for us?
There was a problem hiding this comment.
This creates a full mask, I tested locally but indeed is a bit opaque because I think it depends on the golang net IP internal types. I will make it explicit so there is no doubt, if you have an ipv4 it add /32 if you have ipv6 it adds /128
There was a problem hiding this comment.
The contains check if an IP belongs to an IP subnet , the IP 192.268.2.1 belongs to the subnet 192.168.2.1/32
There was a problem hiding this comment.
thanks for the explanation, new push looks good to me
aojea
force-pushed
the
conntrack_cidrs
branch
2 times, most recently
from
57952bd
to
e9f53c8
Compare
|
lgtm |
|
LGTM |
|
please push again to trigger CI |
Add a new conntrack filter to be able to filter by subnet, in addition to current IP address filter. Signed-off-by: Antonio Ojea <aojea@redhat.com>
Add a new conntrack filter to be able to filter by subnet, in
addition to current IP address filter.
This keeps compatibility, since the IP filter is just an IP subnet filter with full mask.
Signed-off-by: Antonio Ojea aojea@redhat.com