aporeto-inc / trireme-lib

Simple, scalable and secure application segmentation
https://trireme.io
Apache License 2.0

Windows discover mode 3.14.0 #1030

Closed philipatl closed 3 years ago

philipatl commented 3 years ago

merge fix for bug 619 into 3.14 as well

Disabling discovery mode for Windows results in rules not being cleaned up. In one case, rules can grow in our driver, adding to a linked list that is checked in a hot code path, and refer to non-existent ipsets. In another case, which exhibits the bug in the linked issue, discovery mode rules can also refer to external networks that are pre-existing and not created automatically by the discovery mode mechanism, and these rules may not be cleaned up, due to an issue in platform-independent code.

So the bulk of this PR is the Windows-specific code to ensure rules don't grow unbounded. The crucial change to fix the linked bug is in iptables.go and ipsets.go.
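The cleanup invariant the description above is concerned with (every rule must point at an ipset that exists, and turning discovery mode off must remove its rules whether or not their ipset was pre-existing) can be made explicit in a small model. The Go below is an added illustration, not code from trireme-lib or the Windows driver; the `RuleTable`, `Rule` and `Scenario` names and the `Discovery`/auto-created flags are assumptions made for the example.

```go
package main

import "fmt"

// Rule is a constructed stand-in for a host rule that refers to an ipset by name.
// Discovery marks rules installed by the discovery-mode mechanism (assumed field).
type Rule struct {
	ID        string
	IPSet     string
	Discovery bool
}

// RuleTable models the rule list plus the ipsets it is allowed to reference.
// Illustration only; not trireme-lib's or the driver's real data structure.
type RuleTable struct {
	ipsets map[string]bool // name -> true if discovery mode created the ipset
	rules  []Rule
}

func NewRuleTable() *RuleTable {
	return &RuleTable{ipsets: map[string]bool{}}
}

// AddIPSet registers an ipset; autoCreated records whether discovery mode made it.
func (t *RuleTable) AddIPSet(name string, autoCreated bool) {
	t.ipsets[name] = autoCreated
}

// AddRule refuses a rule that points at an ipset that does not exist, so the
// list never holds a dangling reference at insertion time.
func (t *RuleTable) AddRule(r Rule) error {
	if _, ok := t.ipsets[r.IPSet]; !ok {
		return fmt.Errorf("rule %s references unknown ipset %q", r.ID, r.IPSet)
	}
	t.rules = append(t.rules, r)
	return nil
}

// DeleteIPSet removes an ipset but refuses while any rule still references it.
func (t *RuleTable) DeleteIPSet(name string) error {
	for _, r := range t.rules {
		if r.IPSet == name {
			return fmt.Errorf("ipset %q still referenced by rule %s", name, r.ID)
		}
	}
	delete(t.ipsets, name)
	return nil
}

// DisableDiscovery removes every discovery-mode rule, whether its ipset was
// auto-created or pre-existing, then drops auto-created ipsets that are now
// unreferenced. Returns (rules removed, ipsets removed).
func (t *RuleTable) DisableDiscovery() (int, int) {
	kept := t.rules[:0]
	removedRules := 0
	for _, r := range t.rules {
		if r.Discovery {
			removedRules++
			continue
		}
		kept = append(kept, r)
	}
	t.rules = kept
	removedSets := 0
	for name, auto := range t.ipsets { // deleting during range is safe in Go
		if auto && t.DeleteIPSet(name) == nil {
			removedSets++
		}
	}
	return removedRules, removedSets
}

// DanglingRules lists rules whose ipset no longer exists; a healthy table
// always returns an empty result.
func (t *RuleTable) DanglingRules() []string {
	var out []string
	for _, r := range t.rules {
		if _, ok := t.ipsets[r.IPSet]; !ok {
			out = append(out, r.ID)
		}
	}
	return out
}

func (t *RuleTable) Len() int { return len(t.rules) }

// Scenario installs one baseline rule and two discovery rules (one on an
// auto-created ipset, one on a pre-existing external-network ipset), then
// disables discovery mode and returns the resulting table. Values constructed.
func Scenario() *RuleTable {
	t := NewRuleTable()
	t.AddIPSet("ext-net-10-0-0-0", false) // pre-existing external network
	t.AddIPSet("discover-auto-1", true)   // created by discovery mode
	_ = t.AddRule(Rule{ID: "base-1", IPSet: "ext-net-10-0-0-0", Discovery: false})
	_ = t.AddRule(Rule{ID: "disc-1", IPSet: "discover-auto-1", Discovery: true})
	_ = t.AddRule(Rule{ID: "disc-2", IPSet: "ext-net-10-0-0-0", Discovery: true})
	t.DisableDiscovery()
	return t
}

func main() {
	t := Scenario()
	fmt.Println("rules left:", t.Len(), "dangling:", t.DanglingRules())
}
```

The two checks that matter for the bug class described in the PR are that `DisableDiscovery` removes `disc-2` even though its ipset was not created by discovery mode, and that repeating the enable/disable cycle leaves the rule count unchanged instead of growing.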

philipatl commented 3 years ago

/build - automatically fired by gogo with following PRs and commit SHAs v1.0.0

[
  {
    "project": "windows-discover-mode-3.14",
    "component": "enforcerd",
    "pr-id": "1900",
    "commit-sha": "52c387f61cedef3c79c1c4dedf4dc1548e83778a",
    "pipeline": "release-3.14.0"
  },
  {
    "project": "windows-discover-mode-3.14",
    "component": "trireme-lib",
    "pr-id": "1030",
    "commit-sha": "9157c2e6d22d7631cb1c07dbe26b908813515bb4",
    "pipeline": "release-3.14.0"
  }
]