Skip non-calico ipsets

[mazdakn]

Description

Skip non calico IP sets to prevent hitting unsupported protocol version for ipsets created by other components likes kube proxy. The idea is to run ipset list -name to get the list of ipsets, and get more details for calico ipsets by running ipset list [name] instead of running ipset list to get all information for all ipsets including non-calico ones.

Related issues/PRs

Fixes #8372

Todos

• Tests
• Documentation
• Release note

Release Note

Felix now avoids accessing non-Calico IP sets. This reduces the scope for IP set compatibility errors when another app has created an IP set that Calico's version of IP set can't parse.

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

• docs-pr-required: This change requires a change to the documentation that has not been completed yet.
• docs-completed: This change has all necessary documentation completed.
• docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

• release-note-required: This PR has user-facing changes. Most PRs should have this label.
• release-note-not-required: This PR has no user-facing changes.

Other optional labels:

• cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
• needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

[fasaxc]

Thanks, generally looking good; a few comments inline; mainly on naming/style suggestions.

Is there any sane way that we could write an FV test for this? How easy is it to get hold of a newer ipset binary to create a "bad" IP set? Could we do

docker run <some off the shelf image> -net=<felix container> ipset create foo bar

perhaps?

[mazdakn]

@fasaxc adding a test to check this reliably depends on the host's kernel version:

[root@felix-0-61811-4-felixfv /]# ipset create test hash:ip bitmask 24
ipset v7.19: Argument `bitmask' is supported in the kernel module of the set type hash:ip starting from the revision 6 and you have installed revision 5 only. Your kernel is behind your ipset utility.
Try `ipset help' for more information.
[root@felix-0-61811-4-felixfv /]# uname -r
5.15.0-91-generic

So if we add a test to verify the error and also its fix, it would run differently based on the host. Unless we skip the test based on kernel version. In that case, I prefer to add the test in another PR since it would need more work. WDYT?

[fasaxc]

LGTM, thanks for taking my style comments on board; code looks really clean (to me!) now. Let's not add the extra test; sounds like it's too fiddly to do given the kernel limits.

One nit-level comment but I don't need to see it again.