Skip to content

Commit

Permalink
update of the network policy to use the option "use-after-lb"
Browse files Browse the repository at this point in the history
  • Loading branch information
JacobTanenbaum committed Mar 23, 2022
1 parent a115091 commit 0342af7
Show file tree
Hide file tree
Showing 2 changed files with 66 additions and 14 deletions.
25 changes: 18 additions & 7 deletions go-controller/pkg/ovn/gress_policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -351,7 +351,11 @@ func (gp *gressPolicy) localPodSetACL(portGroupName, portGroupUUID string, aclLo
// addOrModifyACLAllow adds or modifies an ACL with a given match to the given Port Group
func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string, ipBlockCIDR int, aclLogging string) error {
var direction, action, aclName, ipBlockCIDRString string
direction = types.DirectionToLPort
if gp.policyType == knet.PolicyTypeIngress {
direction = types.DirectionToLPort
} else {
direction = types.DirectionFromLPort
}
action = "allow-related"
aclName = fmt.Sprintf("%s_%s_%v", gp.policyNamespace, gp.policyName, gp.idx)

Expand Down Expand Up @@ -383,16 +387,19 @@ func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string,

if uuid != "" {
// We already have an ACL. We will update it.
_, stderr, err = util.RunOVNNbctl("set", "acl", uuid,
aclSetCMD := []string{"set", "acl", uuid,
match,
fmt.Sprintf("priority=%s", types.DefaultAllowPriority),
fmt.Sprintf("direction=%s", direction),
fmt.Sprintf("action=%s", action),
fmt.Sprintf("log=%t", aclLogging != ""),
fmt.Sprintf("severity=%s", getACLLoggingSeverity(aclLogging)),
fmt.Sprintf("meter=%s", types.OvnACLLoggingMeter),
fmt.Sprintf("name=%.63s", aclName),
)
fmt.Sprintf("name=%.63s", aclName)}
if gp.policyType == knet.PolicyTypeEgress {
aclSetCMD = append(aclSetCMD, "options:apply-after-lb=true")
}
_, stderr, err = util.RunOVNNbctl(aclSetCMD...)
if err != nil {
return fmt.Errorf("failed to modify the allow-from rule for "+
"namespace=%s, policy=%s, stderr: %q (%v)",
Expand All @@ -401,7 +408,7 @@ func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string,
return nil
}

_, stderr, err = util.RunOVNNbctl("--id=@acl", "create",
aclCreateCMD := []string{"--id=@acl", "create",
"acl", fmt.Sprintf("priority=%s", types.DefaultAllowPriority),
fmt.Sprintf("direction=%s", direction),
match,
Expand All @@ -415,8 +422,12 @@ func (gp *gressPolicy) addOrModifyACLAllow(match, l4Match, portGroupUUID string,
fmt.Sprintf("external-ids:namespace=%s", gp.policyNamespace),
fmt.Sprintf("external-ids:policy=%s", gp.policyName),
fmt.Sprintf("external-ids:%s_num=%d", gp.policyType, gp.idx),
fmt.Sprintf("external-ids:policy_type=%s", gp.policyType),
"--", "add", "port_group", portGroupUUID, "acls", "@acl")
fmt.Sprintf("external-ids:policy_type=%s", gp.policyType)}
if gp.policyType == knet.PolicyTypeEgress {
aclCreateCMD = append(aclCreateCMD, "options:apply-after-lb=true")
}
aclCreateCMD = append(aclCreateCMD, "--", "add", "port_group", portGroupUUID, "acls", "@acl")
_, stderr, err = util.RunOVNNbctl(aclCreateCMD...)
if err != nil {
return fmt.Errorf("failed to create the acl allow rule for "+
"namespace=%s, policy=%s, stderr: %q (%v)", gp.policyNamespace,
Expand Down
55 changes: 48 additions & 7 deletions go-controller/pkg/ovn/policy.go
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,38 @@ func (oc *Controller) syncNetworkPolicies(networkPolicies []interface{}) {
if err != nil {
klog.Errorf("Error in syncing network policies: %v", err)
}

// update Egress Network policies ACLs
updateList := []string{}
// get the default ACLs put on namespaces by networkPolicies
uuids, stderr, err := util.RunOVNNbctl("--data=bare", "--no-heading",
"--columns=_uuid", "find", "ACL", "direction="+types.DirectionToLPort,
fmt.Sprintf("external-ids:default-deny-policy-type=%s", knet.PolicyTypeEgress))
if err != nil {
klog.Errorf("cannot update Network policy Egress ACLs:(%q) %+v", stderr, err)
} else {
updateList = append(updateList, strings.Split(uuids, "\n")...)
}
// get the ACLs generated by the network policies themselves
uuids, stderr, err = util.RunOVNNbctl("--data=bare", "--no-heading",
"--columns=_uuid", "find", "ACL", "direction="+types.DirectionToLPort,
fmt.Sprintf("external-ids:policy_type=%s", knet.PolicyTypeEgress))
if err != nil {
klog.Errorf("cannot update Network policy Egress ACLs:(%q) %+v", stderr, err)
} else {
updateList = append(updateList, strings.Split(uuids, "\n")...)
}
for _, uuid := range updateList {
// when the uuids return with none there will be at least one empty entry appended
if uuid == "" {
continue
}
if _, stderr, err := util.RunOVNNbctl("set", "acl", uuid,
fmt.Sprintf("direction=%s", types.DirectionFromLPort), "options:apply-after-lb=true"); err != nil {
klog.Errorf("failed to update EgressACL (%s), stderr: %q (%v)", uuid, stderr, err)
}
}

}

func addAllowACLFromNode(logicalSwitch string, mgmtPortIP net.IP, ovnNBClient goovn.Client) error {
Expand Down Expand Up @@ -198,15 +230,21 @@ func addACLPortGroup(policyNamespace, portGroupUUID, direction, priority, match,
} else {
policyName = policyNamespace
}
_, stderr, err := util.RunOVNNbctl("--id=@acl", "create", "acl",
createACLCommand := []string{"--id=@acl", "create", "acl",
fmt.Sprintf("priority=%s", priority),
fmt.Sprintf("direction=%s", direction), match, "action="+action,
fmt.Sprintf("direction=%s", direction),
match,
"action=" + action,
fmt.Sprintf("log=%t", aclLogging != ""), fmt.Sprintf("severity=%s", getACLLoggingSeverity(aclLogging)),
fmt.Sprintf("meter=%s", types.OvnACLLoggingMeter),
fmt.Sprintf("name=%.63s", policyName),
fmt.Sprintf("external-ids:default-deny-policy-type=%s", policyType),
"--", "add", "port_group", portGroupUUID,
"acls", "@acl")
fmt.Sprintf("external-ids:default-deny-policy-type=%s", policyType)}
if policyType == knet.PolicyTypeEgress {
createACLCommand = append(createACLCommand, "options:apply-after-lb=true")
}
createACLCommand = append(createACLCommand, "--", "add", "port_group", portGroupUUID, "acls", "@acl")

_, stderr, err := util.RunOVNNbctl(createACLCommand...)
if err != nil {
return fmt.Errorf("error executing create ACL command for "+
"policy type %s stderr: %q (%v)", policyType, stderr, err)
Expand Down Expand Up @@ -294,25 +332,28 @@ func defaultDenyPortGroup(namespace, gressSuffix string) string {
// must be called with a write lock on nsInfo
func (oc *Controller) createDefaultDenyPortGroup(ns string, nsInfo *namespaceInfo, policyType knet.PolicyType, aclLogging string, policyName string) error {
var portGroupName string
var direction string
if policyType == knet.PolicyTypeIngress {
portGroupName = defaultDenyPortGroup(ns, ingressDefaultDenySuffix)
direction = types.DirectionToLPort
} else if policyType == knet.PolicyTypeEgress {
portGroupName = defaultDenyPortGroup(ns, egressDefaultDenySuffix)
direction = types.DirectionFromLPort
}
portGroupUUID, err := createPortGroup(oc.ovnNBClient, portGroupName, portGroupName)
if err != nil {
return fmt.Errorf("failed to create port_group for %s (%v)",
portGroupName, err)
}
match := getACLMatch(portGroupName, "", policyType)
err = addACLPortGroup(ns, portGroupUUID, types.DirectionToLPort,
err = addACLPortGroup(ns, portGroupUUID, direction,
types.DefaultDenyPriority, match, "drop", policyType, aclLogging, policyName)
if err != nil {
return fmt.Errorf("failed to create default deny ACL for port group %v", err)
}

match = getACLMatch(portGroupName, "arp", policyType)
err = addACLPortGroup(ns, portGroupUUID, types.DirectionToLPort,
err = addACLPortGroup(ns, portGroupUUID, direction,
types.DefaultAllowPriority, match, "allow", policyType, "", "ARPallowPolicy")
if err != nil {
return fmt.Errorf("failed to create default allow ARP ACL for port group %v", err)
Expand Down

0 comments on commit 0342af7

Please sign in to comment.