Commit 4a5c5498 authored by MengxinLiu's avatar MengxinLiu Committed by oilbeater

fix: acl related issues

1. add missing all traffic network policy
2. subnet private and allowSubnets ACLs should match both directions
parent 0ae82043
Showing with 40 additions and 22 deletions
+40 -22
......@@ -221,14 +221,20 @@ func (c *Controller) handleUpdateNp(key string) error {
allows := []string{}
excepts := []string{}
for _, npr := range np.Spec.Ingress {
for _, npp := range npr.From {
allow, except, err := c.fetchPolicySelectedAddresses(np.Namespace, npp)
if err != nil {
klog.Errorf("failed to fetch policy selected addresses, %v", err)
return err
if len(np.Spec.Ingress) == 0 {
allows = []string{"0.0.0.0/0"}
excepts = []string{}
break
} else {
for _, npp := range npr.From {
allow, except, err := c.fetchPolicySelectedAddresses(np.Namespace, npp)
if err != nil {
klog.Errorf("failed to fetch policy selected addresses, %v", err)
return err
}
allows = append(allows, allow...)
excepts = append(excepts, except...)
}
allows = append(allows, allow...)
excepts = append(excepts, except...)
}
}
......@@ -279,14 +285,20 @@ func (c *Controller) handleUpdateNp(key string) error {
allows := []string{}
excepts := []string{}
for _, npr := range np.Spec.Egress {
for _, npp := range npr.To {
allow, except, err := c.fetchPolicySelectedAddresses(np.Namespace, npp)
if err != nil {
klog.Errorf("failed to fetch policy selected addresses, %v", err)
return err
if len(npr.To) == 0 {
allows = []string{"0.0.0.0/0"}
excepts = []string{}
break
} else {
for _, npp := range npr.To {
allow, except, err := c.fetchPolicySelectedAddresses(np.Namespace, npp)
if err != nil {
klog.Errorf("failed to fetch policy selected addresses, %v", err)
return err
}
allows = append(allows, allow...)
excepts = append(excepts, except...)
}
allows = append(allows, allow...)
excepts = append(excepts, except...)
}
}
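Review bot: The all-traffic check in the ingress hunk tests `len(np.Spec.Ingress) == 0` from inside `for _, npr := range np.Spec.Ingress`, so it can never be true, and a rule with an empty `from` list still selects no peers; the egress hunk tests `len(npr.To) == 0`, which is the per-rule condition the commit message describes, so the ingress line should be `if len(npr.From) == 0 {`. An empty top-level ingress list never enters the loop at all, so if that case needs its own handling it belongs before the loop. Both catch-alls are the literal `"0.0.0.0/0"`, which only describes IPv4; the ovn client changed in this same commit distinguishes ProtocolIPv4 and ProtocolIPv6, so IPv6 peers presumably fall outside this allow set — worth confirming against how `allows` is consumed. handleUpdateNp starts and ends outside these hunks.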
......
......@@ -256,7 +256,7 @@ func (c *Controller) handleAddSubnet(key string) error {
}
if subnet.Spec.Private {
return c.ovnClient.SetPrivateLogicalSwitch(subnet.Name, subnet.Spec.Protocol, subnet.Spec.AllowSubnets)
return c.ovnClient.SetPrivateLogicalSwitch(subnet.Name, subnet.Spec.Protocol, subnet.Spec.CIDRBlock, subnet.Spec.AllowSubnets)
}
return c.ovnClient.CleanLogicalSwitchAcl(subnet.Name)
}
......@@ -297,7 +297,7 @@ func (c *Controller) handleUpdateSubnet(key string) error {
}
if subnet.Spec.Private {
return c.ovnClient.SetPrivateLogicalSwitch(subnet.Name, subnet.Spec.Protocol, subnet.Spec.AllowSubnets)
return c.ovnClient.SetPrivateLogicalSwitch(subnet.Name, subnet.Spec.Protocol, subnet.Spec.CIDRBlock, subnet.Spec.AllowSubnets)
}
return c.ovnClient.CleanLogicalSwitchAcl(subnet.Name)
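Review bot: The private-subnet branch is now duplicated verbatim in handleAddSubnet and handleUpdateSubnet (the `return c.ovnClient.SetPrivateLogicalSwitch(subnet.Name, subnet.Spec.Protocol, subnet.Spec.CIDRBlock, subnet.Spec.AllowSubnets)` line in each hunk, followed by the same CleanLogicalSwitchAcl fallback); a small private helper taking the subnet and returning the error would keep the argument list in one place the next time it grows. `subnet.Spec.CIDRBlock` is handed straight to the client, which interpolates it into an OVN match expression; if the CRD does not validate it as a CIDR, that check belongs here before the call. Both enclosing functions start outside the hunks.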
......
......@@ -295,9 +295,15 @@ func (c Client) CleanLogicalSwitchAcl(ls string) error {
}
// SetPrivateLogicalSwitch will drop all ingress traffic except allow subnets
func (c Client) SetPrivateLogicalSwitch(ls, protocol string, allow []string) error {
func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []string) error {
delArgs := []string{"acl-del", ls}
dropArgs := []string{"--", "acl-add", ls, "to-lport", util.DefaultDropPriority, fmt.Sprintf(`inport=="%s-%s"`, ls, c.ClusterRouter), "drop"}
var dropArgs []string
if protocol == kubeovnv1.ProtocolIPv4 {
dropArgs = []string{"--", "acl-add", ls, "to-lport", util.DefaultDropPriority, fmt.Sprintf(`ip4.src!=%s || ip4.dst!=%s`, cidr, cidr), "drop"}
} else {
dropArgs = []string{"--", "acl-add", ls, "to-lport", util.DefaultDropPriority, fmt.Sprintf(`ip6.src!=%s || ip6.dst!=%s`, cidr, cidr), "drop"}
}
ovnArgs := append(delArgs, dropArgs...)
allowArgs := []string{}
......@@ -306,9 +312,9 @@ func (c Client) SetPrivateLogicalSwitch(ls, protocol string, allow []string) err
var match string
switch protocol {
case kubeovnv1.ProtocolIPv4:
match = fmt.Sprintf("ip4.src==%s", strings.TrimSpace(subnet))
match = fmt.Sprintf("ip4.src==%s || ip4.dst==%s", strings.TrimSpace(subnet), strings.TrimSpace(subnet))
case kubeovnv1.ProtocolIPv6:
match = fmt.Sprintf("ip6.src==%s", strings.TrimSpace(subnet))
match = fmt.Sprintf("ip6.src==%s || ip6.dst==%s", strings.TrimSpace(subnet), strings.TrimSpace(subnet))
}
allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.SubnetAllowPriority, match, "allow-related")
......@@ -479,8 +485,8 @@ func (c Client) DeleteACL(pgName, direction string) error {
func (c Client) SetPortsToPortGroup(portGroup string, portNames []string) error {
ovnArgs := []string{"clear", "port_group", portGroup, "ports"}
if len(portGroup) > 0 {
ovnArgs := []string{"pg-set-ports", portGroup}
if len(portNames) > 0 {
ovnArgs = []string{"pg-set-ports", portGroup}
ovnArgs = append(ovnArgs, portNames...)
}
_, err := c.ovnNbCommand(ovnArgs...)
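Review bot: The doc comment at the top of the SetPrivateLogicalSwitch hunk still says the function `will drop all ingress traffic except allow subnets`, but the new drop match `ip4.src!=%s || ip4.dst!=%s` and the widened allow match `ip4.src==%s || ip4.dst==%s` make the ACL bidirectional, so it should read `// SetPrivateLogicalSwitch drops traffic whose source or destination lies outside cidr, except to and from the allow subnets.` The new `if protocol == kubeovnv1.ProtocolIPv4 { … } else { … }` treats every non-IPv4 value as IPv6, whereas the allow-rule switch a few lines below has explicit cases for both and leaves `match` empty for anything else, which would emit an acl-add with an empty match; a switch with a default that returns an error keeps the two consistent and makes that empty-match path unreachable. `cidr` is also interpolated unchecked while each allow subnet at least gets `strings.TrimSpace`; presumably CIDRBlock is validated by the CRD — worth confirming, since this drop rule is what makes the switch private. The function continues past the second hunk.
```go
// SetPrivateLogicalSwitch drops traffic whose source or destination lies outside cidr,
// except to and from the allow subnets.
func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []string) error {
	delArgs := []string{"acl-del", ls}
	var dropMatch string
	switch protocol {
	case kubeovnv1.ProtocolIPv4:
		dropMatch = fmt.Sprintf("ip4.src!=%s || ip4.dst!=%s", cidr, cidr)
	case kubeovnv1.ProtocolIPv6:
		dropMatch = fmt.Sprintf("ip6.src!=%s || ip6.dst!=%s", cidr, cidr)
	default:
		return fmt.Errorf("unsupported protocol %q for private switch %s", protocol, ls)
	}
	dropArgs := []string{"--", "acl-add", ls, "to-lport", util.DefaultDropPriority, dropMatch, "drop"}
	ovnArgs := append(delArgs, dropArgs...)
	// … unchanged: allow-subnet rules and ovnNbCommand call …
```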
......