Semantic diff query optimized

nca/CoreDS/ConnectionSet.py

@@ -585,8 +585,9 @@ def get_non_tcp_connections():
     #  get rid of ConnectionSet and move the code below to ConnectivityProperties.py
 
     @staticmethod
-    def get_connection_set_and_peers_from_cube(conn_cube, peer_container,
+    def get_connection_set_and_peers_from_cube(the_cube, peer_container,
                                                relevant_protocols=ProtocolSet(True)):
+        conn_cube = the_cube.copy()
         src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True)
         conn_cube.unset_dim("src_peers")
         dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True)

nca/CoreDS/ConnectivityProperties.py

@@ -491,3 +491,14 @@ def are_auto_conns(self):
             if cube[src_peers_index] != cube[dst_peers_index] or not cube[src_peers_index].is_single_value():
                 return False
         return True
+
+    def props_without_auto_conns(self):
+        """
+        Return the properties after removing all connections from peer to itself
+        """
+        peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers")
+        auto_conns = ConnectivityProperties()
+        for peer in peers:
+            auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}),
+                                                                            "dst_peers": PeerSet({peer})})
+        return self - auto_conns

nca/CoreDS/Peer.py

@@ -662,15 +662,17 @@ def get_ip_block_canonical_form(self):
                 res |= elem
         return res
 
-    def filter_ipv6_blocks(self, ip_blocks_mask):
+    def filter_ip_blocks_by_mask(self, ip_blocks_mask):
         """
         Update ip blocks in the peer set by keeping only parts overlapping with the given mask.
-        :param ip_blocks_mask: the mask according to which ip blocks should be updated
+        :param IpBlock ip_blocks_mask: the mask according to which ip blocks should be updated
         """
         peers_to_remove = []
         peers_to_add = []
         for peer in self:
             if isinstance(peer, IpBlock):
+                if peer.contained_in(ip_blocks_mask):
+                    continue  # optimization - avoid removing and adding the same peer
                 peers_to_remove.append(peer)
                 if peer.overlaps(ip_blocks_mask):
                     new_peer = peer.copy()

nca/FWRules/ConnectivityGraph.py

@@ -57,13 +57,23 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container):
         Add edges to the graph according to the give cube
         :param ConnectivityCube conn_cube: the given cube
          whereas all other values should be filtered out in the output
+         :param PeerContainer peer_container: the peer container
         """
         conns, src_peers, dst_peers = \
             ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, peer_container)
         for src_peer in src_peers:
             for dst_peer in dst_peers:
                 self.connections_to_peers[conns].append((src_peer, dst_peer))
 
+    def add_props_to_graph(self, props, peer_container):
+        """
+        Add edges to the graph according to the given connectivity properties
+        :param ConnectivityProperties props: the given connectivity properties
+        :param PeerContainer peer_container: the peer container
+        """
+        for cube in props:
+            self.add_edges_from_cube_dict(props.get_connectivity_cube(cube), peer_container)
+
     def _get_peer_details(self, peer, format_requirement=False):
         """
         Get the name of a peer object for connectivity graph, the type and the namespace

nca/NetworkConfig/NetworkConfig.py

@@ -176,7 +176,7 @@ def get_affected_pods(self, is_ingress, layer_name):
 
         return affected_pods
 
-    def _check_for_excluding_ipv6_addresses(self, exclude_ipv6):
+    def check_for_excluding_ipv6_addresses(self, exclude_ipv6):
         """
         checks and returns if to exclude non-referenced IPv6 addresses from the config
         Excluding the IPv6 addresses will be enabled if the exclude_ipv6 param is True and
@@ -202,7 +202,7 @@ def get_referenced_ip_blocks(self, exclude_non_ref_ipv6=False):
         if self.referenced_ip_blocks is not None:
             return self.referenced_ip_blocks
 
-        exclude_non_ref_ipv6_from_policies = self._check_for_excluding_ipv6_addresses(exclude_non_ref_ipv6)
+        exclude_non_ref_ipv6_from_policies = self.check_for_excluding_ipv6_addresses(exclude_non_ref_ipv6)
         self.referenced_ip_blocks = Peer.PeerSet()
         for policy in self.policies_container.policies.values():
             self.referenced_ip_blocks |= policy.referenced_ip_blocks(exclude_non_ref_ipv6_from_policies)
@@ -329,7 +329,7 @@ def append_policy_to_config(self, policy):
         """
         self.policies_container.append_policy(policy)
 
-    def filter_conns_by_peer_types(self, conns, all_peers):
+    def filter_conns_by_peer_types(self, conns):
         """
         Filter the given connections by removing several connection kinds that are never allowed
         (such as IpBlock to IpBlock connections, connections from DNSEntries, and more).
@@ -346,7 +346,6 @@ def filter_conns_by_peer_types(self, conns, all_peers):
                                                                                   "dst_peers": all_ips | all_dns_entries})
         res -= ip_to_ip_or_dns_conns
         # avoid DNSEntry->anything connections
-        dns_to_any_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_dns_entries,
-                                                                             "dst_peers": all_peers})
+        dns_to_any_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_dns_entries})
         res -= dns_to_any_conns
         return res