Commit e1038d22 authored by MengxinLiu's avatar MengxinLiu Committed by oilbeater

fix: acl and qos issues

parent 79525912
Showing with 4 additions and 2 deletions
+4 -2
......@@ -337,7 +337,7 @@ func (c *Controller) handlePod(key string) error {
c.recorder.Eventf(pod, v1.EventTypeWarning, "ValidatePodNetworkFailed", err.Error())
return err
}
return ovs.SetPodBandwidth(pod.Name, pod.Namespace, pod.Annotations[util.IngressRateAnnotation], pod.Annotations[util.EgressRateAnnotation])
return ovs.SetPodBandwidth(pod.Name, pod.Namespace, pod.Annotations[util.EgressRateAnnotation], pod.Annotations[util.IngressRateAnnotation])
}
// Run starts controller
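Review bot: The two values passed to ovs.SetPodBandwidth after the namespace are plain strings read from pod annotations, and the only change to handlePod here is swapping their order — a mistake nothing at this call site guards against, so it can regress just as silently. Add a comment recording which annotation feeds which parameter, e.g. `// SetPodBandwidth expects (name, ns, egress rate, ingress rate); keep the annotation order in sync with its signature`, or bind them to named locals first (`egress := pod.Annotations[util.EgressRateAnnotation]`) so the order is visible to the reader. Which of the two printed return lines is the new one is not marked on this page; this note assumes the second. Both rate values are caller-controlled annotation strings; whether the ValidatePodNetwork call just above bounds them is not visible here, and handlePod begins outside this hunk.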
......@@ -349,15 +349,17 @@ func (c Client) ResetLogicalSwitchAcl(ls, protocol string) error {
// SetPrivateLogicalSwitch will drop all ingress traffic except allow subnets
func (c Client) SetPrivateLogicalSwitch(ls, protocol, cidr string, allow []string) error {
delArgs := []string{"acl-del", ls}
allowArgs := []string{}
var dropArgs []string
if protocol == kubeovnv1.ProtocolIPv4 {
dropArgs = []string{"--", "acl-add", ls, "to-lport", util.DefaultDropPriority, fmt.Sprintf(`ip4.src!=%s || ip4.dst!=%s`, cidr, cidr), "drop"}
allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip4.src==%s", c.NodeSwitchCIDR), "allow-related")
} else {
dropArgs = []string{"--", "acl-add", ls, "to-lport", util.DefaultDropPriority, fmt.Sprintf(`ip6.src!=%s || ip6.dst!=%s`, cidr, cidr), "drop"}
allowArgs = append(allowArgs, "--", "acl-add", ls, "to-lport", util.NodeAllowPriority, fmt.Sprintf("ip6.src==%s", c.NodeSwitchCIDR), "allow-related")
}
ovnArgs := append(delArgs, dropArgs...)
allowArgs := []string{}
for _, subnet := range allow {
if strings.TrimSpace(subnet) != "" {
var match string
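Review bot: The new allow-related rules on both branches interpolate c.NodeSwitchCIDR into the match unconditionally; if that field is empty the generated match `ip4.src==` is not a valid expression, and the combined `acl-del … -- acl-add …` command would presumably be rejected as a whole, leaving the switch without its drop rule, so a guard such as `if c.NodeSwitchCIDR == "" { return fmt.Errorf("node switch cidr is empty") }` ahead of the branch is worth adding (how ovn-nbctl reacts to a bad match is not visible here). The IPv6 branch reuses the same c.NodeSwitchCIDR with `ip6.src==`, so that rule is only correct when the field holds a CIDR of the switch's address family — worth a comment or a check. The allow rule only takes precedence over the new drop rule if util.NodeAllowPriority is strictly higher than util.DefaultDropPriority, which this hunk cannot show; a comment such as `// NodeAllowPriority must exceed DefaultDropPriority for node traffic to bypass the drop` would record that invariant next to the code that depends on it. The two branches differ only in the `ip4`/`ip6` prefix and could be folded into one by selecting the prefix first. SetPrivateLogicalSwitch continues past the end of this hunk.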