This repository has been archived by the owner on Jul 5, 2023. It is now read-only.

Initial support for UDP #123

Closed
wants to merge 2 commits into from

Conversation

johscheuer
Contributor

Fixes: #103
Fixes: #112

@johscheuer johscheuer added the enhancement New feature or request label Aug 21, 2020
@johscheuer
Contributor Author

@maxbischoff what are your thoughts here:

Theoretically, if we have a network policy like this:

kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: web-deny-all
  namespace: 01-deny-all-traffic-to-an-application
spec:
  podSelector:
    matchLabels:
      app: web
  ingress: []

We would also need to check UDP, since the docs tell us:

   ports        <[]Object>
     List of ports which should be made accessible on the pods selected for this
     rule. Each item in this list is combined using a logical OR. If this field
     is empty or missing, this rule matches all ports (traffic not restricted by
     port). If this field is present and contains at least one item, then this
     rule allows traffic only if the traffic matches at least one port in the
     list.

If we test both, this could introduce some noise (since most services will only be listening on TCP), but for completeness we actually should check the UDP ports as well; otherwise we could ignore an open protocol.
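
As an added example (not code from this PR or the project), the `ports` semantics quoted above turned into a small expectation model: a missing or empty `ports` list matches every port of every protocol, an entry without `protocol` defaults to TCP, and `ingress: []` denies everything, so the model shows exactly which reachable (protocol, port) pairs a TCP-only probe would miss. The policies and the probe port list are constructed; named ports, `endPort` ranges and the `from` peer selection are deliberately not modelled.

```python
# Added example, not code from this PR: applies the `ports` semantics quoted above
# to decide which (protocol, port) pairs an ingress policy should leave reachable.
# Assumptions: numeric ports only (no named ports, no endPort ranges), and the
# `from` peer selection is ignored; only the port/protocol dimension is modelled.
from typing import Iterable

PROTOCOLS = ("TCP", "UDP")  # protocols worth probing (SCTP left out here)

# Constructed inputs. DENY_ALL is the web-deny-all policy from the comment above.
DENY_ALL = {"spec": {"podSelector": {"matchLabels": {"app": "web"}}, "ingress": []}}
# Constructed: explicit ports; an entry without `protocol` defaults to TCP.
ALLOW_SOME = {"spec": {"podSelector": {"matchLabels": {"app": "web"}},
                       "ingress": [{"ports": [{"port": 53, "protocol": "UDP"},
                                              {"port": 80}]}]}}
# Constructed: a rule with peers but no `ports` field matches every port of
# every protocol, so a TCP-only probe would miss any listening UDP service.
ALLOW_ANY_PORT = {"spec": {"podSelector": {"matchLabels": {"app": "web"}},
                           "ingress": [{"from": [{"podSelector": {}}]}]}}

def rule_ports(rule: dict, probe_ports: Iterable[int]) -> set:
    """(protocol, port) pairs among probe_ports that one ingress rule allows."""
    probe = tuple(probe_ports)
    entries = rule.get("ports") or []
    if not entries:  # empty or missing list: traffic not restricted by port
        return {(proto, p) for proto in PROTOCOLS for p in probe}
    allowed = set()
    for entry in entries:  # entries are ORed
        proto = entry.get("protocol", "TCP")  # Kubernetes API default is TCP
        port = entry.get("port")
        if port is None:  # protocol given without a port: every port of it
            allowed.update((proto, p) for p in probe)
        elif port in probe:
            allowed.add((proto, port))
    return allowed

def expected_open(policy: dict, probe_ports: Iterable[int]) -> set:
    """Union over all ingress rules; `ingress: []` or no ingress key denies all."""
    probe = tuple(probe_ports)
    rules = policy.get("spec", {}).get("ingress") or []
    result = set()
    for rule in rules:
        result |= rule_ports(rule, probe)
    return result

def missed_by_tcp_only_probe(policy: dict, probe_ports: Iterable[int]) -> set:
    """Reachable pairs that a scanner sending only TCP would never report."""
    return {pp for pp in expected_open(policy, probe_ports) if pp[0] != "TCP"}
```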

@maxbischoff
Member

I think we should factor it in. Maybe we can make UDP testing (or the tested protocols) configurable in general?

@johscheuer
Contributor Author

For the configurable part I would open a second PR once UDP support is finished.

@johscheuer johscheuer closed this Feb 14, 2021