Merge branch 'master' into set-health

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,6 +1,6 @@
 ## Description
-A few sentences describing the overall goals of the pull request's commits. 
-Please include 
+A few sentences describing the overall goals of the pull request's commits.
+Please include
 - the type of fix - (e.g. bug fix, new feature, documentation)
 - some details on _why_ this PR should be merged
 - the details of the testing you've done on it (both manual and automated)
@@ -10,4 +10,16 @@ Please include
 ## Todos
 - [ ] Tests
 - [ ] Documentation
+- [ ] Release note
 
+## Release Note
+<!-- Writing a release note:
+- By default, no release note action is required.
+- If you're unsure whether or not your PR needs a note, ask your reviewer for guidance.
+- If this PR requires a release note, update the block below to include a concise note describing
+  the change and any important impacts this PR may have.
+-->
+
+```release-note
+None required
+```

glide.yaml

@@ -43,5 +43,7 @@ import:
   - rest
   - tools/cache
   - tools/clientcmd
+- package: github.com/prometheus/client_golang
+  version: ^0.8.0
 testImport:
 - package: github.com/onsi/gomega

lib/api/policy.go

@@ -48,6 +48,9 @@ type PolicyMetadata struct {
 
 	// The name of the selector-based security policy.
 	Name string `json:"name,omitempty" validate:"omitempty,namespacedname"`
+
+	// Arbitrary key-value information to be used by clients.
+	Annotations map[string]string `json:"annotations,omitempty" validate:"omitempty"`
 }
 
 // PolicySpec contains the specification for a selector-based security Policy resource.
@@ -99,6 +102,9 @@ type PolicySpec struct {
 	// this policy are applied before any data plane connection tracking, and packets allowed by
 	// this policy are marked as not to be tracked.
 	DoNotTrack bool `json:"doNotTrack,omitempty"`
+
+	// PreDNAT indicates to apply the rules in this policy before any DNAT.
+	PreDNAT bool `json:"preDNAT,omitempty"`
 }
 
 // NewPolicy creates a new (zeroed) Policy struct with the TypeMetadata initialised to the current

lib/api/rule.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2016 Tigera, Inc. All rights reserved.
+// Copyright (c) 2016-2017 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -75,7 +75,7 @@ type ICMPFields struct {
 // to a particular entity (that is either the source or destination).
 //
 // A source EntityRule matches the source endpoint and originating traffic.
-// A desination EntityRule matches the destination endpoint and terminating traffic.
+// A destination EntityRule matches the destination endpoint and terminating traffic.
 type EntityRule struct {
 	// Tag is an optional field that restricts the rule to only apply to traffic that
 	// originates from (or terminates at) endpoints that have profiles with the given tag
@@ -84,8 +84,13 @@ type EntityRule struct {
 
 	// Net is an optional field that restricts the rule to only apply to traffic that
 	// originates from (or terminates at) IP addresses in the given subnet.
+	// Deprecated: superseded by the Nets field.
 	Net *net.IPNet `json:"net,omitempty" validate:"omitempty"`
 
+	// Nets is an optional field that restricts the rule to only apply to traffic that
+	// originates from (or terminates at) IP addresses in any of the given subnets.
+	Nets []*net.IPNet `json:"nets,omitempty" validate:"omitempty"`
+
 	// Selector is an optional field that contains a selector expression (see Policy for
 	// sample syntax).  Only traffic that originates from (terminates at) endpoints matching
 	// the selector will be matched.
@@ -115,9 +120,15 @@ type EntityRule struct {
 	// NotTag is the negated version of the Tag field.
 	NotTag string `json:"notTag,omitempty" validate:"omitempty,tag"`
 
-	// NotNet is the negated version of the Net field.
+	// NotNet is an optional field that restricts the rule to only apply to traffic that
+	// does not originate from (or terminate at) an IP address in the given subnet.
+	// Deprecated: superseded by NotNets.
 	NotNet *net.IPNet `json:"notNet,omitempty" validate:"omitempty"`
 
+	// NotNets is an optional field that restricts the rule to only apply to traffic that
+	// does not originate from (or terminate at) an IP address in any of the given subnets.
+	NotNets []*net.IPNet `json:"notNets,omitempty" validate:"omitempty"`
+
 	// NotSelector is the negated version of the Selector field.  See Selector field for
 	// subtleties with negated selectors.
 	NotSelector string `json:"notSelector,omitempty" validate:"omitempty,selector"`
@@ -128,3 +139,28 @@ type EntityRule struct {
 	// Protocol match in the Rule to be set to "tcp" or "udp".
 	NotPorts []numorstring.Port `json:"notPorts,omitempty" validate:"omitempty,dive"`
 }
+
+func combineNets(n *net.IPNet, nets []*net.IPNet) []*net.IPNet {
+	if n == nil {
+		return nets
+	}
+	if len(nets) == 0 {
+		return []*net.IPNet{n}
+	}
+	combined := make([]*net.IPNet, len(nets)+1)
+	copy(combined, nets)
+	combined[len(combined)-1] = n
+	return combined
+}
+
+// GetNets returns either r.Nets or a slice containing r.Net.  It is useful for unifying the
+// two representations.
+func (r EntityRule) GetNets() []*net.IPNet {
+	return combineNets(r.Net, r.Nets)
+}
+
+// GetNets returns either r.NotNets or a slice containing NotNet.  It is useful for unifying the
+// two representations.
+func (r EntityRule) GetNotNets() []*net.IPNet {
+	return combineNets(r.NotNet, r.NotNets)
+}

lib/backend/backend_suite_test.go

@@ -1,3 +1,17 @@
+// Copyright (c) 2017 Tigera, Inc. All rights reserved.
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package backend_test
 
 import (