@@ -1394,13 +1394,15 @@ func (c *OVNNbClient) sgRuleNoACL(sgName, direction string, rule kubeovnv1.Secur
13941394 pgName := GetSgPortGroupName (sgName )
13951395
13961396 // ingress rule
1397- srcOrDst , portDirection := "src" , "outport"
1397+ localSrcOrDst , remoteSrcOrDst , portDirection := "dst" , "src" , "outport"
13981398 if direction == ovnnb .ACLDirectionFromLport { // egress rule
1399- srcOrDst = "dst"
1399+ remoteSrcOrDst = "dst"
1400+ localSrcOrDst = "src"
14001401 portDirection = "inport"
14011402 }
14021403
1403- ipKey := ipSuffix + "." + srcOrDst
1404+ ipKey := ipSuffix + "." + remoteSrcOrDst
1405+ localIPKey := ipSuffix + "." + localSrcOrDst
14041406
14051407 /* match all traffic to or from pgName */
14061408 allIPMatch := NewAndACLMatch (
@@ -1427,6 +1429,14 @@ func (c *OVNNbClient) sgRuleNoACL(sgName, direction string, rule kubeovnv1.Secur
14271429 )
14281430 }
14291431
1432+ // Add a rule to match local address only if it is set
1433+ if rule .LocalAddress != "" {
1434+ allowedIPMatch = NewAndACLMatch (
1435+ allowedIPMatch ,
1436+ NewACLMatch (localIPKey , "==" , rule .LocalAddress , "" ),
1437+ )
1438+ }
1439+
14301440 /* allow layer 4 traffic */
14311441 // allow all layer 4 traffic
14321442 match := allowedIPMatch
@@ -1448,6 +1458,14 @@ func (c *OVNNbClient) sgRuleNoACL(sgName, direction string, rule kubeovnv1.Secur
14481458 allowedIPMatch ,
14491459 NewACLMatch (string (rule .Protocol )+ ".dst" , "<=" , strconv .Itoa (rule .PortRangeMin ), strconv .Itoa (rule .PortRangeMax )),
14501460 )
1461+
1462+ // Add a match on source port if a local address was provided.
1463+ if rule .LocalAddress != "" {
1464+ match = NewAndACLMatch (
1465+ match ,
1466+ NewACLMatch (string (rule .Protocol )+ ".src" , "<=" , strconv .Itoa (rule .SourcePortRangeMin ), strconv .Itoa (rule .SourcePortRangeMax )),
1467+ )
1468+ }
14511469 }
14521470
14531471 securityGroupHighestPriority , _ := strconv .Atoi (util .SecurityGroupHighestPriority )
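Review bot: The source-port range added at the end of this hunk (new-side lines 1463–1468) is gated on `rule.LocalAddress != ""` rather than on the source-port fields, so a rule that sets SourcePortRangeMin/Max without a local address silently loses that restriction and is applied more permissively than written, while a rule with a local address but no source-port range emits `proto.src` bounds built from the zero values (assuming SourcePortRangeMin/Max are plain ints like PortRangeMin/Max on the line above). The condition should key on the port fields themselves, e.g. `if rule.SourcePortRangeMin != 0 || rule.SourcePortRangeMax != 0 {`, and the new range should go through the same validation (1–65535, min ≤ max) the destination range presumably receives earlier in the function; that validation is outside the hunk, so I could not confirm it exists for the source side. The same empty-string gate drives the local-address match in the previous hunk (new-side lines 1433–1438); there it is worth confirming that LocalAddress has been checked to be an address or CIDR of the same family as ipSuffix before it is interpolated into the ACL match string, as the remote address presumably is. The enclosing if-block starts outside this hunk and sgRuleNoACL continues past it.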