Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

block illegal calls in inpod mode #935

Merged
merged 1 commit into from
Apr 18, 2024
Merged

block illegal calls in inpod mode #935

merged 1 commit into from
Apr 18, 2024

Conversation

howardjohn
Copy link
Member

Part of #928

This removes the obsolete call protections for inpod, and adds
equivilents

@howardjohn
block illegal calls in inpod mode
49399bd 
Part of istio#928

This removes the obsolete call protections for inpod, and adds
equivilents
@howardjohn howardjohn requested a review from a team as a code owner April 17, 2024 21:08
@howardjohn howardjohn added the release-notes-none Indicates a PR that does not require release notes. label Apr 17, 2024
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 17, 2024
ilrudie
ilrudie reviewed Apr 17, 2024
View reviewed changes
Copy link
Contributor

@ilrudie ilrudie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have data to back it but I'm suspicious that ~4 elements just using a vec might be the cheaper option.

Otherwise looks good

src/proxy.rs
@@ -12,6 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

use std::collections::HashSet;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is hash necessary? Could we just use a vec, sort it once during init and then efficiently search it without calculating hashes on the u16. Because its small we could probably just iterate for a match instead of sort/binary search even

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Probably not, but its just 1 instance with like 4 keys and we Arc it anyways so doesn't seem so bad?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My guess is all that would be pretty close to a wash with just using a vanilla HashSet, and somewhat less readable.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, if I start feeling froggy maybe I'll test it and let ya know.

bleggett
bleggett approved these changes Apr 18, 2024
View reviewed changes
Copy link
Contributor

@bleggett bleggett left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Smarter illegal port registration would be nice, but that's largely a cosmetic concern ATM.

src/proxy.rs
@@ -155,13 +157,19 @@ impl Proxy {
Self::from_inputs(pi, drain).await
}
pub(super) async fn from_inputs(mut pi: ProxyInputs, drain: Watch) -> Result<Self, Error> {
// illegal_ports are internal ports that clients are not authorized to send to
let mut illegal_ports: HashSet<u16> = HashSet::new();
Copy link
Contributor

@bleggett bleggett Apr 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I feel like it would be nice to have a ProxyHandler type, have Proxies.handlers() and then be able to register all the illegal_ports for all handlers in a loop, but that might be overkill ATM.

(was gonna suggest maybe these ports should be in ProxyInfo but then I remembered that type is already overstuffed with random crap)

src/proxy.rs
@@ -12,6 +12,7 @@
// See the License for the specific language governing permissions and
// limitations under the License.

use std::collections::HashSet;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My guess is all that would be pretty close to a wash with just using a vanilla HashSet, and somewhat less readable.

@istio-testing istio-testing merged commit a2b2393 into istio:master Apr 18, 2024
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ilrudie ilrudie ilrudie left review comments

@bleggett bleggett bleggett approved these changes

Assignees

@bleggett bleggett

Labels
release-notes-none Indicates a PR that does not require release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@howardjohn @bleggett @ilrudie @istio-testing