apply network policies to existing connections.

The dataplane uses conntrack labels to identify the connections that are
already processed and skip the ones that are processed and established.
The dataplane now inspect the existing connections in the conntrack
table and evaluates against the current network policies, if one of the
connections is no longer valid the label is removed, so the packets gets
requeued and reevaluated.

The strict mode is enabled by default and runs at most every 30 seconds
once there is a change triggered in the dataplane, this is to avoid
performance issues for listing conntrack entries too often.

Author: aojea

cmd/kube-network-policies/iptracker/main.go

@@ -123,6 +123,7 @@ func run() int {
 		FailOpen:            opts.FailOpen,
 		QueueID:             opts.QueueID,
 		NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
+		StrictMode:          opts.StrictMode,
 	}
 
 	var config *rest.Config

cmd/kube-network-policies/npa-v1alpha2/main.go

@@ -83,6 +83,7 @@ func run() int {
 		FailOpen:            opts.FailOpen,
 		QueueID:             opts.QueueID,
 		NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
+		StrictMode:          opts.StrictMode,
 	}
 
 	var config *rest.Config

cmd/kube-network-policies/standard/main.go

@@ -78,6 +78,7 @@ func run() int {
 		FailOpen:            opts.FailOpen,
 		QueueID:             opts.QueueID,
 		NetfilterBug1766Fix: opts.NetfilterBug1766Fix,
+		StrictMode:          opts.StrictMode,
 	}
 
 	var config *rest.Config

go.mod

@@ -5,7 +5,7 @@ go 1.24.3
 require (
 	github.com/armon/go-radix v1.0.0
 	github.com/containerd/nri v0.10.0
-	github.com/florianl/go-nfqueue/v2 v2.0.1
+	github.com/florianl/go-nfqueue/v2 v2.0.2
 	github.com/google/go-cmp v0.7.0
 	github.com/google/nftables v0.3.0
 	github.com/mdlayher/netlink v1.8.0

go.sum

@@ -29,8 +29,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/florianl/go-nfqueue/v2 v2.0.1 h1:UNVaW5YSAH2vpQcJ+lK17OHiArPTdd1z57OBE/rymuI=
-github.com/florianl/go-nfqueue/v2 v2.0.1/go.mod h1:VA09+iPOT43OMoCKNfXHyzujQUty2xmzyCRkBOlmabc=
+github.com/florianl/go-nfqueue/v2 v2.0.2 h1:FL5lQTeetgpCvac1TRwSfgaXUn0YSO7WzGvWNIp3JPE=
+github.com/florianl/go-nfqueue/v2 v2.0.2/go.mod h1:VA09+iPOT43OMoCKNfXHyzujQUty2xmzyCRkBOlmabc=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=

pkg/cmd/cmd.go

@@ -25,6 +25,7 @@ type Options struct {
 	HostnameOverride    string
 	NetfilterBug1766Fix bool
 	DisableNRI          bool
+	StrictMode          bool
 }
 
 // NewOptions creates a new Options object with default values.
@@ -41,6 +42,7 @@ func (o *Options) AddFlags(fs *flag.FlagSet) {
 	fs.StringVar(&o.HostnameOverride, "hostname-override", "", "If non-empty, will be used as the name of the Node that kube-network-policies is running on. If unset, the node name is assumed to be the same as the node's hostname.")
 	fs.BoolVar(&o.NetfilterBug1766Fix, "netfilter-bug-1766-fix", true, "If set, process DNS packets on the PREROUTING hooks to avoid the race condition on the conntrack subsystem, not needed for kernels 6.12+ (see https://bugzilla.netfilter.org/show_bug.cgi?id=1766)")
 	fs.BoolVar(&o.DisableNRI, "disable-nri", false, "If set, disable NRI, that is used to get the Pod IP information directly from the runtime to avoid the race explained in https://issues.k8s.io/85966")
+	fs.BoolVar(&o.StrictMode, "strict-mode", true, "If set, changes to network policies also affect established connections")
 
 	fs.Usage = func() {
 		fmt.Fprint(os.Stderr, "Usage: kube-network-policies [options]\n\n")

pkg/dataplane/conntrack.go

@@ -0,0 +1,93 @@
+package dataplane
+
+import (
+	"github.com/vishvananda/netlink"
+	"golang.org/x/sys/unix"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog/v2"
+	"sigs.k8s.io/kube-network-policies/pkg/network"
+)
+
+var (
+	mapIPFamilyToString = map[uint8]v1.IPFamily{
+		unix.AF_INET:  v1.IPv4Protocol,
+		unix.AF_INET6: v1.IPv6Protocol,
+	}
+	mapProtocolToString = map[uint8]v1.Protocol{
+		unix.IPPROTO_TCP:  v1.ProtocolTCP,
+		unix.IPPROTO_UDP:  v1.ProtocolUDP,
+		unix.IPPROTO_SCTP: v1.ProtocolSCTP,
+	}
+)
+
+func PacketFromFlow(flow *netlink.ConntrackFlow) *network.Packet {
+	if flow == nil {
+		return nil
+	}
+	packet := network.Packet{
+		SrcIP:   flow.Forward.SrcIP,
+		DstIP:   flow.Reverse.SrcIP,
+		SrcPort: int(flow.Forward.SrcPort),
+		DstPort: int(flow.Reverse.SrcPort),
+	}
+
+	if family, ok := mapIPFamilyToString[flow.FamilyType]; ok {
+		packet.Family = family
+	} else {
+		klog.InfoS("Unknown IP family", "family", flow.FamilyType, "flow", flow)
+		return nil
+	}
+
+	if protocol, ok := mapProtocolToString[flow.Forward.Protocol]; ok {
+		packet.Proto = protocol
+	} else {
+		klog.InfoS("Unknown protocol", "protocol", flow.Forward.Protocol, "flow", flow)
+		return nil
+	}
+
+	return &packet
+}
+
+// generateLabelMask creates a 16-byte (128-bit) mask with a single bit set at the
+// specified bitIndex.
+// If the bit index is out of the valid range [0, 127], it returns a 16-byte
+// slice of all zeros.
+// This function implements a Big Endia 128-bit layout. This means the
+// most significant byte (containing bits 127-120) is at index 0 of the
+// slice, and the least significant *byte* (containing bits 7-0) is at
+// index 15.
+func generateLabelMask(bitIndex int) []byte {
+	labelMask := make([]byte, 16)
+	if bitIndex < 0 || bitIndex > 127 {
+		return labelMask
+	}
+
+	arrayIndex := len(labelMask) - (bitIndex / 8) - 1
+	bitPos := uint(bitIndex % 8)
+	mask := uint8(1) << bitPos
+	labelMask[arrayIndex] = mask
+	return labelMask
+}
+
+// clearLabelBit clears a specific bit in a 16-byte (128-bit) label and returns
+// a new 16-byte slice with the modified label. The original slice (currentLabel)
+// is not modified.
+// If currentLabel is not 16 bytes long, it returns a new, empty 16-byte slice.
+// If bitIndex is out of the valid range [0, 127], it returns a copy of the
+// original label.
+func clearLabelBit(currentLabel []byte, bitIndex int) []byte {
+	newLabel := make([]byte, 16)
+	if len(currentLabel) != 16 {
+		return newLabel
+	}
+
+	copy(newLabel, currentLabel)
+	if bitIndex < 0 || bitIndex > 127 {
+		return newLabel
+	}
+	arrayIndex := len(newLabel) - (bitIndex / 8) - 1
+	bitPos := uint(bitIndex % 8)
+	zeroMask := ^(uint8(1) << bitPos)
+	newLabel[arrayIndex] &= zeroMask
+	return newLabel
+}

pkg/dataplane/conntrack_test.go

@@ -0,0 +1,197 @@
+package dataplane
+
+import (
+	"encoding/hex"
+	"testing"
+)
+
+func TestGenerateLabelMask(t *testing.T) {
+	// The expected results are derived from the nftables debug output,
+	// serialized as a 16-byte Big-Endian array (MSW first, LSW last).
+	tests := []struct {
+		name     string
+		bitIndex int
+		expected string // Expected 16-byte hex string
+	}{
+		{
+			name:     "Bit 10 (LSW)",
+			bitIndex: 10,
+			// Bit 10 is 2^10 = 0x400. This is in the LSW (last 8 bytes).
+			expected: "00000000000000000000000000000400",
+		},
+		{
+			name:     "Bit 126 (MSW)",
+			bitIndex: 126,
+			// Bit 126 is 2^62 within the 64-bit MSW (first 8 bytes). 0x4000000000000000
+			expected: "40000000000000000000000000000000",
+		},
+		{
+			name:     "Bit 127 (MSW)",
+			bitIndex: 127,
+			// Bit 127 is 2^63 within the 64-bit MSW (first 8 bytes). 0x8000000000000000
+			expected: "80000000000000000000000000000000",
+		},
+		{
+			name:     "Bit 0 (LSW Start)",
+			bitIndex: 0,
+			// 2^0 = 0x1. In the LSW (last byte).
+			expected: "00000000000000000000000000000001",
+		},
+		{
+			name:     "Bit 63 (LSW End)",
+			bitIndex: 63,
+			// 2^63 = 0x8000000000000000. In the LSW (last 8 bytes).
+			expected: "00000000000000008000000000000000",
+		},
+		{
+			name:     "Bit 64 (MSW Start)",
+			bitIndex: 64,
+			// 2^0 (within the MSW). In the MSW (first 8 bytes).
+			expected: "00000000000000010000000000000000",
+		},
+		{
+			name:     "Out of Range (128)",
+			bitIndex: 128,
+			// Expected 16 zero bytes: "00...00"
+			expected: "00000000000000000000000000000000",
+		},
+		{
+			name:     "Out of Range (-1)",
+			bitIndex: -1,
+			// Expected 16 zero bytes: "00...00"
+			expected: "00000000000000000000000000000000",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Call the function
+			result := generateLabelMask(tt.bitIndex)
+
+			// Convert result to hex string for easy comparison
+			actualHex := hex.EncodeToString(result)
+
+			// Compare the actual result with the expected hex string
+			if actualHex != tt.expected {
+				t.Errorf("generateLabelMask() for index %d:\n Got:  %v\n Want: %v", tt.bitIndex, actualHex, tt.expected)
+			}
+		})
+	}
+}
+
+// TestClearLabelBit tests the clearLabelBit function across various scenarios.
+func TestClearLabelBit(t *testing.T) {
+	// Helper function to convert a hex string to a byte slice
+	mustDecodeHex := func(s string) []byte {
+		b, err := hex.DecodeString(s)
+		if err != nil {
+			panic(err)
+		}
+		return b
+	}
+
+	// A base label with bits 10, 63, 64, and 127 set.
+	// Bit 127 (MSW: 0x8000000000000000)
+	// Bit 64 (MSW: 0x0000000000000001)
+	// Bit 63 (LSW: 0x8000000000000000)
+	// Bit 10 (LSW: 0x0000000000000400)
+	// Base Hex: 80000000000000018000000000000400
+	baseLabelHex := "80000000000000018000000000000400"
+	baseLabel := mustDecodeHex(baseLabelHex)
+
+	tests := []struct {
+		name         string
+		initialLabel []byte
+		bitIndex     int
+		expectedHex  string
+		expectChange bool // Used to verify if the original array remains untouched
+	}{
+		{
+			name:         "Clear Bit 10 (LSW Middle)",
+			initialLabel: baseLabel,
+			bitIndex:     10,
+			// Expected: Bit 10 (0x400) cleared -> 8000...018000...0000
+			expectedHex:  "80000000000000018000000000000000",
+			expectChange: true,
+		},
+		{
+			name:         "Clear Bit 127 (MSW End)",
+			initialLabel: baseLabel,
+			bitIndex:     127,
+			// Expected: Bit 127 (0x80...) cleared -> 0000...018000...0400
+			expectedHex:  "00000000000000018000000000000400",
+			expectChange: true,
+		},
+		{
+			name:         "Clear Bit 63 (LSW End Boundary)",
+			initialLabel: baseLabel,
+			bitIndex:     63,
+			// Expected: Bit 63 (0x80...) cleared -> 8000...010000...0400
+			expectedHex:  "80000000000000010000000000000400",
+			expectChange: true,
+		},
+		{
+			name:         "Clear Bit 64 (MSW Start Boundary)",
+			initialLabel: baseLabel,
+			bitIndex:     64,
+			// Expected: Bit 64 (0x01) cleared -> 8000...008000...0400
+			expectedHex:  "80000000000000008000000000000400",
+			expectChange: true,
+		},
+		{
+			name:         "Clear Bit 0 (LSW Start Boundary)",
+			initialLabel: mustDecodeHex("00000000000000000000000000000001"), // Only bit 0 set
+			bitIndex:     0,
+			// Expected: All zeros
+			expectedHex:  "00000000000000000000000000000000",
+			expectChange: true,
+		},
+		{
+			name:         "Clear Bit Already Zero (Bit 50)",
+			initialLabel: baseLabel,
+			bitIndex:     50, // Bit 50 is zero in the base label
+			expectedHex:  baseLabelHex,
+			expectChange: true, // A copy is still returned, but the content is the same
+		},
+		{
+			name:         "Out of Range (128)",
+			initialLabel: baseLabel,
+			bitIndex:     128,
+			expectedHex:  baseLabelHex,
+			expectChange: true, // A copy is still returned, but the content is the same
+		},
+		{
+			name:         "Out of Range (-1)",
+			initialLabel: baseLabel,
+			bitIndex:     -1,
+			expectedHex:  baseLabelHex,
+			expectChange: true, // A copy is still returned, but the content is the same
+		},
+		{
+			name:         "Invalid Length (10 bytes)",
+			initialLabel: mustDecodeHex("F0F0F0F0F0"), // Only 5 bytes
+			bitIndex:     10,
+			expectedHex:  "00000000000000000000000000000000", // Should return 16 zero bytes
+			expectChange: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Save the original hex string for verification
+			originalHex := hex.EncodeToString(tt.initialLabel)
+
+			// Execute the function
+			result := clearLabelBit(tt.initialLabel, tt.bitIndex)
+
+			actualHex := hex.EncodeToString(result)
+			if actualHex != tt.expectedHex {
+				t.Errorf("Result Mismatch for index %d:\n Got:  %s\n Want: %s", tt.bitIndex, actualHex, tt.expectedHex)
+			}
+
+			if len(tt.initialLabel) == 16 && originalHex != hex.EncodeToString(tt.initialLabel) {
+				t.Errorf("Original array was modified!\n Initial: %s\n After call: %s", originalHex, hex.EncodeToString(tt.initialLabel))
+			}
+		})
+	}
+}