
Commit d7a783a

committed
fix(netpol): don't add default block twice for dualstacks
Signed-off-by: SkalaNetworks <contact@skala.network>
1 parent e14c95e commit d7a783a

5 files changed

+168
-106
lines changed


mocks/pkg/ovs/interface.go

Lines changed: 46 additions & 16 deletions

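--- a/pkg/controller/network_policy.go
+++ b/pkg/controller/network_policy.go
@@ -173,6 +173,9 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 
 if hasIngressRule(np) {
+blockACLOps, err := c.OVNNbClient.UpdateDefaultBlockACLOps(npName, pgName, ovnnb.ACLDirectionToLport, logEnable)
+ingressACLOps = append(ingressACLOps, blockACLOps...)
+
 for _, protocol := range protocolSet.List() {
 for idx, npr := range np.Spec.Ingress {
 // A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
@@ -214,7 +217,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 npp = npr.Ports
 }
 
-ops, err := c.OVNNbClient.UpdateIngressACLOps(key, pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
+ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 return err
@@ -236,7 +239,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 return err
 }
 
-ops, err := c.OVNNbClient.UpdateIngressACLOps(key, pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 return err
@@ -302,6 +305,9 @@ func (c *Controller) handleUpdateNp(key string) error {
 }
 
 if hasEgressRule(np) {
+blockACLOps, err := c.OVNNbClient.UpdateDefaultBlockACLOps(npName, pgName, ovnnb.ACLDirectionFromLport, logEnable)
+egressACLOps = append(egressACLOps, blockACLOps...)
+
 for _, protocol := range protocolSet.List() {
 for idx, npr := range np.Spec.Egress {
 // A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
@@ -343,7 +349,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 npp = npr.Ports
 }
 
-ops, err := c.OVNNbClient.UpdateEgressACLOps(key, pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
+ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 return err
@@ -365,7 +371,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 return err
 }
 
-ops, err := c.OVNNbClient.UpdateEgressACLOps(key, pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
 if err != nil {
 klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 return err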
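Review bot: The error returned by `UpdateDefaultBlockACLOps` on new line 176 (`blockACLOps, err := ...`) is never checked before `blockACLOps` is appended to `ingressACLOps`, so a failure to build the default-block ACL is dropped and the rest of the policy's ACL operations can still be committed without the block rules the allow rules rely on — a fail-open for that policy; the egress hunk at new line 308 has the same gap. Every other `UpdateIngressACLOps`/`UpdateEgressACLOps` call in these hunks is followed by an error check, so the new calls should match: `if err != nil { klog.Errorf("generate operations that add default block acls to np %s: %v", key, err); return err }` directly after each `UpdateDefaultBlockACLOps` call. Whether `err` is already declared in the enclosing scope (so the `:=` here compiles as a reassignment rather than an unused new variable) cannot be seen from the hunk. handleUpdateNp begins and ends outside these hunks.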

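--- a/pkg/ovs/interface.go
+++ b/pkg/ovs/interface.go
@@ -157,8 +157,9 @@ type PortGroup interface {
 }
 
 type ACL interface {
-UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
-UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
+UpdateDefaultBlockACLOps(netpol, pgName, direction string, loggingEnabled bool) ([]ovsdb.Operation, error)
+UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
+UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 CreateGatewayACL(lsName, pgName, gateway, u2oInterconnectionIP string) error
 CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error
 CreateSgDenyAllACL(sgName string) error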
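Review bot: `UpdateDefaultBlockACLOps` is added to the exported `ACL` interface on new line 160 without a doc comment, and its `direction string` parameter accepts any string while the callers in this commit pass only `ovnnb.ACLDirectionToLport` and `ovnnb.ACLDirectionFromLport`. A comment above the method such as `// UpdateDefaultBlockACLOps returns the ovsdb operations that install the default block ACL for network policy netpol on port group pgName in the given direction (ovnnb.ACLDirectionToLport or ovnnb.ACLDirectionFromLport); it is called once per direction, not once per IP family.` would record the contract the controller now depends on. Whether the implementation rejects an unknown direction cannot be seen from this diff. The `ACL` interface continues past the end of the hunk.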
