
1. add anp domain case #5750

Merged
changluyi merged 5 commits into master from add_anp_domain_e2e_case
Oct 14, 2025

Conversation

@changluyi
Collaborator

  1. fix mac conflict case

Pull Request

What type of this PR

Examples of user facing changes:

  • Features
  • Bug fixes
  • Docs
  • Tests

Which issue(s) this PR fixes

Fixes #(issue-number)

2. fix mac conflict case

Signed-off-by: clyi <clyi@alauda.io>
@dosubot dosubot bot added the size:L label (This PR changes 100-499 lines, ignoring generated files) on Sep 23, 2025
@gemini-code-assist
Contributor

Summary of Changes

Hello @changluyi, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request expands the testing suite for AdminNetworkPolicy (ANP) by adding comprehensive end-to-end tests for the domainName feature, covering its integration with CIDR rules and the correct application of wildcard matching. Concurrently, it includes a bug fix that improves the reliability of MAC address extraction in existing subnet tests, preventing potential test failures due to inconsistent command output parsing.

Highlights

  • AdminNetworkPolicy (ANP) DomainName E2E Tests: Introduced new end-to-end conformance tests to validate the AdminNetworkPolicy's domainName feature, ensuring it functions correctly with both CIDR rules and wildcard matching.
  • MAC Address Extraction Improvement: Enhanced the robustness of MAC address extraction in subnet E2E tests by implementing a regular expression-based parsing method, addressing potential issues with nbctl command output.
  • Wildcard DomainName Rule Validation: Added specific test cases to verify the behavior and precedence of wildcard domainName rules within AdminNetworkPolicies, including scenarios where specific allow rules override broader deny rules.

@dosubot dosubot bot added network policy test automation tests labels Sep 23, 2025
Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces two new e2e tests for AdminNetworkPolicy (ANP) domain name rules and fixes a bug in MAC address parsing in a subnet test. The new ANP tests are well-structured and cover important scenarios, including the interaction of domain name and CIDR rules, as well as wildcard domain matching. I've provided a suggestion to reorder some checks in one of the tests to prevent potential flakiness due to DNS resolution behavior. The fix for MAC address parsing is a good improvement, making it more robust. I've also added a minor suggestion for a performance and maintainability improvement there. Overall, this is a valuable contribution that enhances test coverage and reliability.

Comment on lines +482 to +499
// Test connectivity after applying ANP with wildcard rules
// All baidu.com subdomains should be blocked (wildcard deny rule)
testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to www.baidu.com after applying ANP (should be blocked by wildcard)")
testNetworkConnectivity("https://api.baidu.com", false, "Testing connectivity to api.baidu.com after applying ANP (should be blocked by wildcard)")
testNetworkConnectivity("https://blog.baidu.com", false, "Testing connectivity to blog.baidu.com after applying ANP (should be blocked by wildcard)")

// www.google.com should be allowed (specific allow rule overrides wildcard deny)
testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to www.google.com after applying ANP (should be allowed by specific rule)")

// Other google.com subdomains should be blocked (wildcard deny rule)
testNetworkConnectivity("https://mail.google.com", false, "Testing connectivity to mail.google.com after applying ANP (should be blocked by wildcard)")

ginkgo.By("Testing edge cases with wildcard rules")
// Test that exact domain matches work
testNetworkConnectivity("https://baidu.com", true, "Testing connectivity to baidu.com (exact domain, should be allowed)")

// Test that subdomain matching works correctly
testNetworkConnectivity("https://subdomain.baidu.com", false, "Testing connectivity to subdomain.baidu.com (should be blocked by wildcard)")
Contributor


medium

The order of these connectivity tests could lead to flaky results. The test at line 496, testNetworkConnectivity("https://baidu.com", true, ...) correctly expects traffic to baidu.com to be allowed, as the deny rule *.baidu.com. does not match the apex domain.

However, previous tests (lines 484-486) attempt to connect to subdomains like www.baidu.com, which are denied. This causes their resolved IP addresses to be associated with a 'deny' action by OVN. If baidu.com later resolves to one of these same "tainted" IPs, traffic to it will also be blocked, causing this test to fail intermittently.

To make the test more robust and avoid this potential DNS-related flakiness, I suggest reordering the tests. The check for the apex domain (baidu.com) should be performed before checks for subdomains (www.baidu.com, etc.).

Suggested change

Original:

// Test connectivity after applying ANP with wildcard rules
// All baidu.com subdomains should be blocked (wildcard deny rule)
testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to www.baidu.com after applying ANP (should be blocked by wildcard)")
testNetworkConnectivity("https://api.baidu.com", false, "Testing connectivity to api.baidu.com after applying ANP (should be blocked by wildcard)")
testNetworkConnectivity("https://blog.baidu.com", false, "Testing connectivity to blog.baidu.com after applying ANP (should be blocked by wildcard)")
// www.google.com should be allowed (specific allow rule overrides wildcard deny)
testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to www.google.com after applying ANP (should be allowed by specific rule)")
// Other google.com subdomains should be blocked (wildcard deny rule)
testNetworkConnectivity("https://mail.google.com", false, "Testing connectivity to mail.google.com after applying ANP (should be blocked by wildcard)")
ginkgo.By("Testing edge cases with wildcard rules")
// Test that exact domain matches work
testNetworkConnectivity("https://baidu.com", true, "Testing connectivity to baidu.com (exact domain, should be allowed)")
// Test that subdomain matching works correctly
testNetworkConnectivity("https://subdomain.baidu.com", false, "Testing connectivity to subdomain.baidu.com (should be blocked by wildcard)")

Replacement (apex check moved before the subdomain checks):

// Test connectivity after applying ANP with wildcard rules
ginkgo.By("Testing edge cases with wildcard rules")
// Test that exact domain matches work
testNetworkConnectivity("https://baidu.com", true, "Testing connectivity to baidu.com (exact domain, should be allowed)")
// All baidu.com subdomains should be blocked (wildcard deny rule)
testNetworkConnectivity("https://www.baidu.com", false, "Testing connectivity to www.baidu.com after applying ANP (should be blocked by wildcard)")
testNetworkConnectivity("https://api.baidu.com", false, "Testing connectivity to api.baidu.com after applying ANP (should be blocked by wildcard)")
testNetworkConnectivity("https://blog.baidu.com", false, "Testing connectivity to blog.baidu.com after applying ANP (should be blocked by wildcard)")
// www.google.com should be allowed (specific allow rule overrides wildcard deny)
testNetworkConnectivity("https://www.google.com", true, "Testing connectivity to www.google.com after applying ANP (should be allowed by specific rule)")
// Other google.com subdomains should be blocked (wildcard deny rule)
testNetworkConnectivity("https://mail.google.com", false, "Testing connectivity to mail.google.com after applying ANP (should be blocked by wildcard)")
// Test that subdomain matching works correctly
testNetworkConnectivity("https://subdomain.baidu.com", false, "Testing connectivity to subdomain.baidu.com (should be blocked by wildcard)")
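The ordering hazard raised in the comment above comes from name-based rules being enforced on resolved IP addresses. The Go program below is an added example written for this page; it is not code from kube-ovn or from this PR. It implements the AdminNetworkPolicy wildcard semantics (`*.baidu.com.` matches subdomains, never the apex), evaluates an ordered rule list with first match wins, and then replays the test's original and suggested connection orders against a simplified model in which the IPs returned for a denied name join a deny set and later traffic is judged by destination IP only. The rule set, the resolver table (documentation-range addresses) and the deny-set behaviour are constructed assumptions that mirror the reviewer's description, not OVN internals.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one ordered egress rule on a domainNames peer. Patterns use the
// API's FQDN form with a trailing dot and an optional leading "*." wildcard.
type Rule struct {
	Pattern string
	Allow   bool
}

// Policy is an ordered rule list; first match wins, no match means allow.
type Policy []Rule

// normalize lower-cases a name and guarantees exactly one trailing dot.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, ".")) + "."
}

// matchDomain applies wildcard semantics: "*.example.com." matches any name
// with at least one label in front of "example.com." and never the apex.
func matchDomain(pattern, name string) bool {
	p, n := normalize(pattern), normalize(name)
	if !strings.HasPrefix(p, "*.") {
		return p == n
	}
	suffix := p[1:] // ".example.com."
	return len(n) > len(suffix) && strings.HasSuffix(n, suffix)
}

// Allows returns the verdict of the first rule whose pattern matches name.
func (p Policy) Allows(name string) bool {
	for _, r := range p {
		if matchDomain(r.Pattern, name) {
			return r.Allow
		}
	}
	return true
}

// denyByIP is a simplified model (an assumption, not kube-ovn's code) of a
// datapath that never sees names: the IPs a denied name resolves to join a
// deny set, and every later packet is judged by destination IP alone.
type denyByIP struct {
	policy Policy
	dns    map[string][]string // constructed stand-in for a DNS resolver
	denied map[string]bool     // IPs learned from denied names so far
}

// Connect reports whether a connection to name gets through in this model.
func (d *denyByIP) Connect(name string) bool {
	ips := d.dns[normalize(name)]
	deny, blocked := !d.policy.Allows(name), false
	for _, ip := range ips {
		if deny {
			d.denied[ip] = true
		}
		blocked = blocked || d.denied[ip]
	}
	return len(ips) > 0 && !blocked
}

// runOrder replays names on a fresh enforcer and returns those whose
// IP-based outcome disagrees with the name-based policy verdict.
func runOrder(p Policy, dns map[string][]string, names []string) []string {
	d := &denyByIP{policy: p, dns: dns, denied: map[string]bool{}}
	var mismatches []string
	for _, n := range names {
		if d.Connect(n) != p.Allows(n) {
			mismatches = append(mismatches, n)
		}
	}
	return mismatches
}

// Constructed sample data: the specific allow is listed before the wildcard
// deny so it wins, and the invented resolver table gives baidu.com an
// address it shares with www.baidu.com (documentation ranges, not real).
var (
	samplePolicy = Policy{
		{"www.google.com.", true},
		{"*.google.com.", false},
		{"*.baidu.com.", false},
	}
	sampleDNS = map[string][]string{
		"baidu.com.":       {"203.0.113.10"},
		"www.baidu.com.":   {"203.0.113.10", "203.0.113.11"},
		"www.google.com.":  {"198.51.100.5"},
		"mail.google.com.": {"198.51.100.6"},
	}
	prOrder        = []string{"www.baidu.com", "www.google.com", "mail.google.com", "baidu.com"}
	suggestedOrder = []string{"baidu.com", "www.baidu.com", "www.google.com", "mail.google.com"}
)

func main() {
	fmt.Println("PR order, mismatches:", runOrder(samplePolicy, sampleDNS, prOrder))
	fmt.Println("suggested order, mismatches:", runOrder(samplePolicy, sampleDNS, suggestedOrder))
}
```

With the PR's order the apex check is the one that fails, because its only address was already marked denied by the earlier www.baidu.com lookup; with the apex checked first there is no mismatch. The same model shows the hazard is not specific to baidu.com: any allowed name that shares an address with a previously denied name is affected, so the allow for www.google.com is exposed in the same way if mail.google.com were to resolve to a shared IP.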


gatewayMAC := strings.TrimSpace(string(output))
// Extract MAC address from the output string
macRegex := regexp.MustCompile(`([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}`)
Contributor


medium

For performance and maintainability, it's better to compile this regular expression once at the package level instead of inside the test function. This avoids recompiling the regex on every test execution. You can define macRegex as a package-level variable.
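The MAC extraction and the point about compiling the pattern once can be carried a step further. The Go program below is an added example for this page, not code from this PR or from kube-ovn. It keeps the PR's regular expression as a package-level variable and, beside it, parses the addresses value the way a gateway-MAC check needs it, assuming the OVN convention that the column holds the MAC first followed by one or more IPs and may arrive wrapped in quotes or brackets (an assumption about the nbctl output; every sample string is constructed). The MAC is validated and canonicalised with `net.ParseMAC`, so a mixed-separator string the regex would accept is rejected, and an upper-case or hyphenated form compares equal to OVN's lower-case colon form, which is what a MAC conflict comparison actually needs.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// macRegex is the PR's pattern, compiled once at package level as the review
// suggests rather than on every test run. Note that it also accepts strings
// that mix ':' and '-' separators.
var macRegex = regexp.MustCompile(`([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}`)

// firstMACByRegex mirrors the PR's approach: the first substring that looks
// like a MAC anywhere in the command output.
func firstMACByRegex(output string) (string, bool) {
	m := macRegex.FindString(output)
	return m, m != ""
}

// gatewayMACFromAddresses parses an OVN logical switch port addresses value,
// assumed to be "<mac> <ip> [<ip>...]" possibly wrapped in quotes/brackets
// (constructed assumption about nbctl output). The MAC is validated with
// net.ParseMAC and returned in canonical lower-case colon form.
func gatewayMACFromAddresses(output string) (string, error) {
	fields := strings.Fields(strings.Trim(strings.TrimSpace(output), `[]"`))
	if len(fields) == 0 {
		return "", errors.New("empty addresses column")
	}
	hw, err := net.ParseMAC(fields[0])
	if err != nil {
		return "", fmt.Errorf("first field %q is not a MAC address: %w", fields[0], err)
	}
	if len(hw) != 6 {
		return "", fmt.Errorf("expected a 48-bit MAC, got %d bytes", len(hw))
	}
	return hw.String(), nil
}

// sameMAC compares two textual MACs after canonicalisation, so a conflict
// check does not depend on the case or separator each source happens to use.
func sameMAC(a, b string) bool {
	ha, errA := net.ParseMAC(a)
	hb, errB := net.ParseMAC(b)
	return errA == nil && errB == nil && ha.String() == hb.String()
}

// Constructed sample outputs, not captured from a real cluster.
var samples = []string{
	"00:00:00:4f:a1:20 10.16.0.1\n",
	`["00:00:00:4F:A1:20 10.16.0.1 fd00:10:16::1"]`,
	"00-00-00-4f-a1-20 10.16.0.1",
	"00:11-22:33-44:55 10.16.0.1", // regex matches, ParseMAC rejects
	"dynamic",                     // addresses not yet assigned
}

func main() {
	for _, s := range samples {
		re, _ := firstMACByRegex(s)
		mac, err := gatewayMACFromAddresses(s)
		fmt.Printf("%-48q regex=%-18q parsed=%q err=%v\n", strings.TrimSpace(s), re, mac, err)
	}
}
```

Taking the first whitespace-separated field and validating it, rather than searching the whole output for anything MAC-shaped, also fails loudly when the port has no static address yet, instead of silently producing an empty MAC for the later comparison.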

Signed-off-by: clyi <clyi@alauda.io>
Signed-off-by: clyi <clyi@alauda.io>
Signed-off-by: clyi <clyi@alauda.io>
Signed-off-by: clyi <clyi@alauda.io>
@changluyi changluyi requested a review from oilbeater September 24, 2025 05:20
ginkgo.By("Cleaning up test resources")
ctx := context.Background()

// Clean up ANP if it exists
Collaborator


Wouldn't it read better to keep these comments?

@dosubot dosubot bot added the lgtm label (This PR has been approved by a maintainer) on Oct 13, 2025
@changluyi changluyi merged commit 015c7f9 into master Oct 14, 2025
77 checks passed
@changluyi changluyi deleted the add_anp_domain_e2e_case branch October 14, 2025 01:35