From e8118fd89ea66f73857fd4f2c99e20379cc8eba5 Mon Sep 17 00:00:00 2001
From: paul miller
Date: Thu, 21 Nov 2024 22:26:20 -0800
Subject: [PATCH] type verdict

---
 pkg/networkpolicy/controller.go | 24 +++++++----------------
 pkg/networkpolicy/verdict_string.go | 24 ++++++++++++++++++++++++
 pkg/nfqinterceptor/nfqinterceptor.go | 6 +++---
 3 files changed, 34 insertions(+), 20 deletions(-)
 create mode 100644 pkg/networkpolicy/verdict_string.go

diff --git a/pkg/networkpolicy/controller.go b/pkg/networkpolicy/controller.go
index f7321c8..6ec112e 100644
--- a/pkg/networkpolicy/controller.go
+++ b/pkg/networkpolicy/controller.go
@@ -311,14 +311,17 @@ type Controller struct {
 	interceptor interceptor
 }
 
+//go:generate stringer -type=Verdict
+type Verdict int
+
 // Verdicts
 const (
-	Drop = iota
+	Drop Verdict = iota
 	Accept
 )
 
 type interceptor interface {
-	Run(context.Context, func(Packet) int) error
+	Run(context.Context, func(Packet) Verdict) error
 	Sync(ctx context.Context, podV4IPs, podV6IPs sets.Set[string]) error
 	Stop(ctx context.Context)
 }
@@ -357,7 +360,7 @@ func (c *Controller) Run(ctx context.Context) error {
 	// Parse the packet and check if it should be accepted
 	// Packets should be evaludated independently in each direction
-	fn := func(packet Packet) int {
+	fn := func(packet Packet) Verdict {
 		startTime := time.Now()
@@ -367,7 +370,7 @@ func (c *Controller) Run(ctx context.Context) error {
 			processingTime := float64(time.Since(startTime).Microseconds())
 			packetProcessingHist.WithLabelValues(string(packet.proto), string(packet.family)).Observe(processingTime)
 			packetProcessingSum.Observe(processingTime)
-			verdictStr := verdictString(verdict)
+			verdictStr := verdict.String()
 			packetCounterVec.WithLabelValues(string(packet.proto), string(packet.family), verdictStr).Inc()
 			logger.V(2).Info("Finished syncing packet", "id", packet.Id, "duration", time.Since(startTime), "verdict", verdictStr)
 		}()
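Review bot: The new `Verdict` type carries no doc comment, yet its numeric values are now load-bearing outside this hunk: the generated `String()` indexes a table by `Drop-0`/`Accept-1`, and the nfqueue interceptor passes `int(verdict)` straight to `nf.SetVerdict`, so `Drop` and `Accept` must stay equal to netfilter's NF_DROP (0) and NF_ACCEPT (1). Nothing in the declaration says so, and inserting a constant before `Drop` or reordering the block would silently turn drops into accepts at the packet filter. Document the invariant where it is declared, e.g. replace `// Verdicts` with `// Verdict is the decision returned for a packet. Its numeric values must match nfqueue's NF_DROP (0) and NF_ACCEPT (1), because the interceptor forwards int(Verdict) unchanged; never reorder or insert constants before Drop.` The enclosing Controller struct starts outside the hunk.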
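Review bot: Switching `verdictStr` to `verdict.String()` changes the `packetCounterVec` label value from `"drop"`/`"accept"` (what the deleted verdictString helper returned) to the stringer names `"Drop"`/`"Accept"`, and an unexpected value now reads `Verdict(n)` rather than `"unknown"`; any dashboard, alert or detection rule keyed on `verdict="drop"` silently stops matching after this deploy. If the old labels are meant to survive, regenerate with `stringer -type=Verdict -linecomment` and annotate the constants (`Drop Verdict = iota // drop`), or normalise at the call site with `verdictStr := strings.ToLower(verdict.String())` (only if `strings` is already imported — the file's imports are outside the hunk). Otherwise the label change should be called out in the commit message so metric consumers can update. The enclosing Run function and its deferred closure start and end outside the hunk.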
@@ -391,19 +394,6 @@ func (c *Controller) Run(ctx context.Context) error {
 	return nil
 }
 
-// verifctString coverts nfqueue int vericts to strings for metrics/logging
-// it does not cover all of them because we should only use a subset.
-func verdictString(verdict int) string {
-	switch verdict {
-	case Drop:
-		return "drop"
-	case Accept:
-		return "accept"
-	default:
-		return "unknown"
-	}
-}
-
 // evaluatePacket evalute the network policies using the following order:
 // 1. AdminNetworkPolicies in Egress for the source Pod/IP
 // 2. NetworkPolicies in Egress (if needed) for the source Pod/IP
diff --git a/pkg/networkpolicy/verdict_string.go b/pkg/networkpolicy/verdict_string.go
new file mode 100644
index 0000000..3d3735a
--- /dev/null
+++ b/pkg/networkpolicy/verdict_string.go
@@ -0,0 +1,24 @@
+// Code generated by "stringer -type=Verdict"; DO NOT EDIT.
+
+package networkpolicy
+
+import "strconv"
+
+func _() {
+	// An "invalid array index" compiler error signifies that the constant values have changed.
+	// Re-run the stringer command to generate them again.
+	var x [1]struct{}
+	_ = x[Drop-0]
+	_ = x[Accept-1]
+}
+
+const _Verdict_name = "DropAccept"
+
+var _Verdict_index = [...]uint8{0, 4, 10}
+
+func (i Verdict) String() string {
+	if i < 0 || i >= Verdict(len(_Verdict_index)-1) {
+		return "Verdict(" + strconv.FormatInt(int64(i), 10) + ")"
+	}
+	return _Verdict_name[_Verdict_index[i]:_Verdict_index[i+1]]
+}
diff --git a/pkg/nfqinterceptor/nfqinterceptor.go b/pkg/nfqinterceptor/nfqinterceptor.go
index 3cbd038..62ef712 100644
--- a/pkg/nfqinterceptor/nfqinterceptor.go
+++ b/pkg/nfqinterceptor/nfqinterceptor.go
@@ -76,7 +76,7 @@ func (n *nfqInterceptor) Stop(ctx context.Context) {
 	}
 }
 
-func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolicy.Packet) int) error {
+func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpolicy.Packet) networkpolicy.Verdict) error {
 	logger := klog.FromContext(ctx)
 	registerMetrics(ctx)
 	go wait.UntilWithContext(ctx, func(ctx context.Context) {
@@ -136,13 +136,13 @@ func (n *nfqInterceptor) Run(ctx context.Context, renderVerdict func(networkpoli
 			packet, err := networkpolicy.ParsePacket(*a.Payload)
 			if err != nil {
 				logger.Error(err, "Can not process packet, applying default policy", "id", *a.PacketID, "failOpen", n.FailOpen)
-				nf.SetVerdict(packet.Id, int(verdict))
+				nf.SetVerdict(packet.Id, int(verdict))
 				return 0
 			}
 			packet.Id = *a.PacketID
 			verdict = renderVerdict(packet)
 			// log error and return default if not Accept or Drop?
-			nf.SetVerdict(packet.Id, int(verdict))
+			nf.SetVerdict(packet.Id, int(verdict))
 			return 0
 		}
 		// Register your function to listen on nflog group 100
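Review bot: In the `err != nil` branch, `nf.SetVerdict(packet.Id, int(verdict))` runs before `packet.Id = *a.PacketID` is assigned, so unless ParsePacket fills in Id on failure the default verdict (the `verdict` set above the hunk, presumably from `n.FailOpen`) is issued for id 0 and the malformed packet is left in the queue instead of being dropped or accepted as the fail-open setting intends; issue it against the real id, `nf.SetVerdict(*a.PacketID, int(verdict))`, or hoist the `packet.Id = *a.PacketID` assignment above the error check. The `// log error and return default if not Accept or Drop?` comment also remains open: `int(verdict)` forwards whatever `renderVerdict` returns to nfqueue unchanged, and only `Drop` and `Accept` are defined, so a `switch` that maps those two and logs-and-defaults anything else would stop a bug in policy evaluation from becoming an arbitrary nfqueue verdict that could re-queue or loop the packet. The callback and the enclosing Run function continue outside the hunk.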