[Windows NPM Lite] Remove IPSets reference from DataPath for CIDR blocks #3942
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@rejain456 👋 This repository doesn't have Copilot instructions. With Copilot instructions, I can understand the repository better, work faster and produce higher quality PRs. I can generate a .github/copilot-instructions.md file for you automatically. Click here to open a pre-filled issue and assign it to me. I'll write the instructions, and then tag you for review. |
…R blocks Co-authored-by: rejain456 <[email protected]>
Copilot
AI
changed the title
Copilot finished work on behalf of
rejain456
August 15, 2025 20:36
|
This pull request is stale because it has been open for 2 weeks with no activity. Remove stale label or comment or this will be closed in 7 days |
|
Pull request closed due to inactivity. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR removes the intermediate IPSet data structures from the Windows NPM Lite datapath for CIDR blocks, enabling direct CIDR-to-HNS ACL rule translation. This optimization eliminates unnecessary IPSet creation and management for CIDR-based network policies on Windows.
Problem
Currently, Windows NPM Lite processes CIDR-based network policies through an inefficient flow:
Where IPSets are created as intermediate data structures to hold CIDR blocks before translating them to HNS rules. This creates unnecessary overhead and complexity for simple CIDR-based policies.
Solution
This PR implements a direct CIDR approach for Windows NPM Lite:
Key Changes
CIDRs []stringfield to store direct CIDR valuesipBlockRule()function to bypass IPSet creation when Windows NPM Lite is enabledgetAddrListFromSetInfo()to return direct CIDR values instead of IPSet hashed namesExample
Before this change, HNS ACL rules referenced IPSet names:
After this change, HNS ACL rules use direct CIDR values:
Backward Compatibility
Testing
Fixes #3941.
💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.