RFC1918 excluded from outbound macro but not inbound_outbound #820

Closed
shane-lawrence opened this issue Sep 6, 2019 · 6 comments

@shane-lawrence
Contributor

A new list, which contains the private IPv4 ranges in RFC1918, was added and that list has been excluded from the outbound macro:

- macro: outbound
  condition: >
    (((evt.type = connect and evt.dir=<) or
      (evt.type in (sendto,sendmsg) and evt.dir=< and
       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

The RFC1918 ranges have not been excluded from the inbound_outbound macro, so it is no longer a combination of the inbound and outbound macros:

# Very similar to inbound/outbound, but combines the tests together
# for efficiency.
- macro: inbound_outbound
  condition: >
    (((evt.type in (accept,listen,connect) and evt.dir=<)) or
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))
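
Added example (not part of the original issue and not the Falco project's own code): a small drift check that extracts the atomic tests from the two macro conditions quoted above and reports those present in `outbound` but absent from `inbound_outbound`. The regex tokenizer and the `ADDRESS_FIELDS` selection are assumptions of this sketch; it compares terms textually and does not evaluate Falco filter semantics.

```python
import re

# Macro conditions copied verbatim from the issue text above.
OUTBOUND = """
(((evt.type = connect and evt.dir=<) or
(evt.type in (sendto,sendmsg) and evt.dir=< and
fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
(evt.rawres >= 0 or evt.res = EINPROGRESS))
"""
INBOUND_OUTBOUND = """
(((evt.type in (accept,listen,connect) and evt.dir=<)) or
(fd.typechar = 4 or fd.typechar = 6) and
(fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8") and
(evt.rawres >= 0 or evt.res = EINPROGRESS))
"""

# Address fields whose filters decide which peers a macro ignores
# (selection chosen for this example).
ADDRESS_FIELDS = {"fd.ip", "fd.net", "fd.snet", "fd.cnet"}

# One atomic test: optional "not", a field, an operator, then a
# parenthesised list, a quoted string, or a bare value.
ATOM = re.compile(
    r'(?:\bnot\s+)?\b(?:evt|fd)\.\w+\s*(?:!=|>=|<=|=|in\b)\s*'
    r'(?:\([^()]*\)|"[^"]*"|[\w.<>/]+)'
)

def atoms(condition):
    """Return the set of atomic tests in a condition, whitespace-normalised."""
    found = set()
    for m in ATOM.finditer(condition):
        text = re.sub(r"\s+", " ", m.group())
        found.add(re.sub(r"\s*(!=|>=|<=|=)\s*", r"\1", text))
    return found

def missing_terms(reference, combined, fields=None):
    """Tests present in `reference` but absent from `combined`."""
    diff = atoms(reference) - atoms(combined)
    if fields is not None:
        diff = {a for a in diff if re.search(r"(?:evt|fd)\.\w+", a).group() in fields}
    return sorted(diff)

if __name__ == "__main__":
    print("address filters missing:", missing_terms(OUTBOUND, INBOUND_OUTBOUND, ADDRESS_FIELDS))
    print("all missing tests:", missing_terms(OUTBOUND, INBOUND_OUTBOUND))
```

Run without the field filter, the same check also lists the event-type and UDP tests that exist only in `outbound`, which is where changes applied to the separate macros alone would show up.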

@shane-lawrence
Contributor Author

/kind rule-update

@shane-lawrence
Contributor Author

/area rules

@shane-lawrence
Contributor Author

I was going to PR a fix to exclude just the private IP ranges, but it looks like this is not the only change to the inbound and outbound macros that didn't lead to a corresponding change to the inbound_outbound macro. #470 was also applied to only the separate rules. Should I incorporate the improvements from that PR into the inbound_outbound macro as well?

@fntlnz
Contributor

fntlnz commented Sep 10, 2019

/assign @Kaizhe

@Kaizhe WDYT?

@Kaizhe
Contributor

Kaizhe commented Sep 10, 2019

@shane-lawrence thanks for bringing it up. It's a good call. And please assign me as the reviewer :)

@stale

stale bot commented Nov 9, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Nov 9, 2019
@stale stale bot closed this as completed Nov 16, 2019