Handle overlaps in except and allow CIDRs

[Pavani-Panakanti]

Issue #, if available:
If there is an overlap of IPs in an allow rule and in an except block of other rule, we do not handle the merging

Description of changes:

Example:

egress:
  - to:
      - ipBlock:
          cidr: 192.168.0.0/16
    ports:
      - port: 3306
  - to:
      - ipBlock:
          cidr: 0.0.0.0/0
          except:
            - 192.168.0.0/16

Before this change we evaluate this as

• 0.0.0.0/0 - startPort:0 endPort: 0
• except block - 192.168.0.0/16 - startPort: 0 endPort:0
• 192.168.0.0/16 - allow on port 3306, as this is part of 0.0.0.0/0 allow on all ports. Append previous ports to this new L4 info. Final L4 ports info looks as below
  • startPort: 3306, endPort: 0 - allow
  • startPort:0, endPort: 0 - allow
  • startPort:0, endPort:0 - deny

The correct behavior for 192.168.0.0/16 should be allow on 3306 as explicit allow takes precedence and deny on rest all ports due to except
New evaluation logic - all except blocks are handled at end

• 0.0.0.0/0 - startPort:0 endPort: 0
• 192.168.0.0/16 - allow on port 3306. This is part of 0.0.0.0/0, so check if it is part of any except under this cidr. If yes do not add ports of 0.0.0.0/0 to 192.168.0.0/16. If no, add ports. In this case it is part of except so do not add it
• Handle all except at end. For every except key, check if entry is already present in cidrsMap. If yes, there is some explicit allow and everything else will be default deny so no change required. If no, we need to add deny all entry to make sure we deny all traffic and do not allow it if it is part of some other superset CIDR

Other Changes in the PR:

• Code refactoring to make it simpler and easy to follow
  • catch all need not be handled separately. We evaluate rules in the order of prefix length, so catch all will be handled first followed by others
• If no protocol specified, it should be allow any protocol. Changed default to any_ip_protocol from tcp
• For any_ip_protocol, check start and end ports for traffic evaluation. Before fix if it is any_protocol we allow on all ports
  • example:
    • Port:53 → This should be evaluated as allow any_protocol on port 53

Testing done with multiple cases of except overlaps

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[jayanthvn]

Can you also add a test case for this in our integration suite?

[jayanthvn]

@Pavani-Panakanti - Can you fix conflicts?

[Copilot]

Pull Request Overview

This PR enhances CIDR rule processing by postponing except handling to the end of rule evaluation, inserting explicit deny‐all entries for excluded ranges, and simplifying catch‐all logic. It also updates default protocol behavior to allow any protocol, refactors key utilities, and enriches eBPF C code with detailed port‐matching comments.

• Refactor computeMapEntriesFromEndpointRules to aggregate rules in a cidrsMap, inherit broader‐CIDR ports, and append deny‐all entries for except blocks at the end.
• Remove legacy IsCatchAllIPEntry logic and change default protocol to ANY_IP_PROTOCOL instead of TCP; derive port ranges correctly for any_ip_protocol.
• Add explicit comments and port‐matching conditions in all four eBPF .bpf.c files to clarify ANY_IP_PROTOCOL and specific‐protocol logic.

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file

| File | Description |

| -------------------------------------- | -------------------------------------------------------------- |

| pkg/utils/utils_test.go | Removed TestIsCatchAllIPEntry, updated expected IsNonHostCIDR behavior |

| pkg/utils/utils.go | Added DENY_ALL_PROTOCOL, removed IsCatchAllIPEntry, updated deriveProtocolValue and IsNonHostCIDR |
| pkg/ebpf/c/tc.v6ingress.bpf.c | Expanded port‐matching logic comments for ANY_IP_PROTOCOL and specific protocols |
| pkg/ebpf/c/tc.v6egress.bpf.c | Same as above for egress v6 |
| pkg/ebpf/c/tc.v4ingress.bpf.c | Same detailed comments for IPv4 ingress |
| pkg/ebpf/c/tc.v4egress.bpf.c | Same detailed comments for IPv4 egress |
| pkg/ebpf/bpf_client_test.go | Removed old catch‐all test, updated helper from nonHostCIDRs to cidrsMap |
| pkg/ebpf/bpf_client.go | Refactored rule merging into cidrsMap, added addDenyAllL4Entry, removed old catch‐all path |

[viveksb007]

I think the sorting happens in ascending order of prefix length. I was trying to understand this while refactoring and also wrote a test for this sorting fn https://github.com/aws/aws-network-policy-agent/pull/419/files#diff-36a28a4029b0030c4806fc3502df4be1c44c2f35e54196df5cdf7c93f3448d71

[haouc]

Should I assume .IPCidr has no collision? I am not sure if it is safe to use rule.ipcidr as key.

[haouc]

nit: I think L4Info's len is 0 if getting here.

[haouc]

Just for my curiosity, these L4Info and Except are guaranteed not empty?

[haouc]

nit: maybe > 1 then check to dedup?

[haouc]

nit: sounds like

if utils.IsNonHostCIDR(cidr) {
    ...
}

will do the work?

[haouc]

They are really complicate if check... Any chance we can take them out into a func? I think there is only one small different on ip-> for v4 and v6.

[haouc]

nit: they can be assigned with nil.