fix(netpol): don't add default block twice for dualstacks

SkalaNetworks · SkalaNetworks · commit e7b16302002b · 2025-09-20T10:12:51.000+02:00
Signed-off-by: SkalaNetworks &lt;contact@skala.network&gt;
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -173,6 +173,9 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	if hasIngressRule(np) {
+		blockACLOps, err := c.OVNNbClient.UpdateDefaultBlockACLOps(npName, pgName, ovnnb.ACLDirectionToLport, logEnable)
+		ingressACLOps = append(ingressACLOps, blockACLOps...)
+
 		for _, protocol := range protocolSet.List() {
 			for idx, npr := range np.Spec.Ingress {
 				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
@@ -214,7 +217,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 					npp = npr.Ports
 				}
 
-				ops, err := c.OVNNbClient.UpdateIngressACLOps(key, pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
+				ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
 				if err != nil {
 					klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 					return err
@@ -236,7 +239,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 					return err
 				}
 
-				ops, err := c.OVNNbClient.UpdateIngressACLOps(key, pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+				ops, err := c.OVNNbClient.UpdateIngressACLOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
 				if err != nil {
 					klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 					return err
@@ -302,6 +305,9 @@ func (c *Controller) handleUpdateNp(key string) error {
 	}
 
 	if hasEgressRule(np) {
+		blockACLOps, err := c.OVNNbClient.UpdateDefaultBlockACLOps(npName, pgName, ovnnb.ACLDirectionFromLport, logEnable)
+		egressACLOps = append(egressACLOps, blockACLOps...)
+
 		for _, protocol := range protocolSet.List() {
 			for idx, npr := range np.Spec.Egress {
 				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
@@ -343,7 +349,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 					npp = npr.Ports
 				}
 
-				ops, err := c.OVNNbClient.UpdateEgressACLOps(key, pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
+				ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, npp, logEnable, logActions, namedPortMap)
 				if err != nil {
 					klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 					return err
@@ -365,7 +371,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 					return err
 				}
 
-				ops, err := c.OVNNbClient.UpdateEgressACLOps(key, pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
+				ops, err := c.OVNNbClient.UpdateEgressACLOps(pgName, egressAllowAsName, egressExceptAsName, protocol, aclName, nil, logEnable, logActions, namedPortMap)
 				if err != nil {
 					klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 					return err
diff --git a/pkg/ovs/interface.go b/pkg/ovs/interface.go
@@ -157,8 +157,9 @@ type PortGroup interface {
 }
 
 type ACL interface {
-	UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
-	UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
+	UpdateDefaultBlockACLOps(netpol, pgName, direction string, loggingEnabled bool) ([]ovsdb.Operation, error)
+	UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
+	UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 	CreateGatewayACL(lsName, pgName, gateway, u2oInterconnectionIP string) error
 	CreateNodeACL(pgName, nodeIPStr, joinIPStr string) error
 	CreateSgDenyAllACL(sgName string) error
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
@@ -53,34 +53,56 @@ func setACLName(acl *ovnnb.ACL, name string) {
 	acl.Name = ptr.To(name)
 }
 
-// UpdateIngressACLOps return operation that creates an ingress ACL
-func (c *OVNNbClient) UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
-	acls := make([]*ovnnb.ACL, 0)
+// UpdateDefaultBlockACLOps returns operations to update/create the default block ACL
+func (c *OVNNbClient) UpdateDefaultBlockACLOps(netpol, pgName, direction string, loggingEnabled bool) ([]ovsdb.Operation, error) {
+	portDirection := "outport"
+	priority := util.IngressDefaultDrop
 
-	if strings.HasSuffix(asIngressName, ".0") || strings.HasSuffix(asIngressName, ".all") {
-		// create the default drop rule for only once
-		// both IPv4 and IPv6 traffic should be forbade in dual-stack situation
-		allIPMatch := NewAndACLMatch(
-			NewACLMatch("outport", "==", "@"+pgName, ""),
-			NewACLMatch("ip", "", "", ""),
-		)
-		options := func(acl *ovnnb.ACL) {
-			setACLName(acl, netpol)
-			if logEnable {
-				acl.Log = true
-				acl.Severity = ptr.To(ovnnb.ACLSeverityWarning)
-			}
+	if direction == ovnnb.ACLDirectionFromLport {
+		portDirection = "inport"
+		priority = util.EgressDefaultDrop
+	}
+
+	// Block everything IP related (IPv4/IPv6/ICMPv4/ICMPv6/...)
+	allIPMatch := NewAndACLMatch(
+		NewACLMatch(portDirection, "==", "@"+pgName, ""),
+		NewACLMatch("ip", "", "", ""),
+	)
+
+	options := func(acl *ovnnb.ACL) {
+		setACLName(acl, netpol)
+		if loggingEnabled {
+			acl.Log = true
+			acl.Severity = ptr.To(ovnnb.ACLSeverityWarning)
 		}
 
-		defaultDropACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressDefaultDrop, allIPMatch.String(), ovnnb.ACLActionDrop, util.NetpolACLTier, options)
-		if err != nil {
-			klog.Error(err)
-			return nil, fmt.Errorf("new default drop ingress acl for port group %s: %w", pgName, err)
+		if direction == ovnnb.ACLDirectionFromLport {
+			if acl.Options == nil {
+				acl.Options = make(map[string]string)
+			}
+			acl.Options["apply-after-lb"] = "true"
 		}
+	}
 
-		acls = append(acls, defaultDropACL)
+	defaultDropACL, err := c.newACL(pgName, direction, priority, allIPMatch.String(), ovnnb.ACLActionDrop, util.NetpolACLTier, options)
+	if err != nil {
+		klog.Error(err)
+		return nil, fmt.Errorf("failed to create drop acl for port group %s: %w", pgName, err)
 	}
 
+	ops, err := c.CreateAclsOps(pgName, portGroupKey, defaultDropACL)
+	if err != nil {
+		klog.Error(err)
+		return nil, fmt.Errorf("failed to create default drop acl ops for port group %s: %w", pgName, err)
+	}
+
+	return ops, nil
+}
+
+// UpdateIngressACLOps return operation that creates an ingress ACL
+func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
+	acls := make([]*ovnnb.ACL, 0)
+
 	/* allow acl */
 	matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, npp, namedPortMap)
 	for _, m := range matches {
@@ -110,38 +132,9 @@ func (c *OVNNbClient) UpdateIngressACLOps(netpol, pgName, asIngressName, asExcep
 }
 
 // UpdateEgressACLOps return operation that creates an egress ACL
-func (c *OVNNbClient) UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
+func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 	acls := make([]*ovnnb.ACL, 0)
 
-	if strings.HasSuffix(asEgressName, ".0") || strings.HasSuffix(asEgressName, ".all") {
-		// create the default drop rule for only once
-		// both IPv4 and IPv6 traffic should be forbade in dual-stack situation
-		allIPMatch := NewAndACLMatch(
-			NewACLMatch("inport", "==", "@"+pgName, ""),
-			NewACLMatch("ip", "", "", ""),
-		)
-		options := func(acl *ovnnb.ACL) {
-			setACLName(acl, netpol)
-			if logEnable {
-				acl.Log = true
-				acl.Severity = ptr.To(ovnnb.ACLSeverityWarning)
-			}
-
-			if acl.Options == nil {
-				acl.Options = make(map[string]string)
-			}
-			acl.Options["apply-after-lb"] = "true"
-		}
-
-		defaultDropACL, err := c.newACLWithoutCheck(pgName, ovnnb.ACLDirectionFromLport, util.EgressDefaultDrop, allIPMatch.String(), ovnnb.ACLActionDrop, util.NetpolACLTier, options)
-		if err != nil {
-			klog.Error(err)
-			return nil, fmt.Errorf("new default drop egress acl for port group %s: %w", pgName, err)
-		}
-
-		acls = append(acls, defaultDropACL)
-	}
-
 	/* allow acl */
 	matches := newNetworkPolicyACLMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, npp, namedPortMap)
 	for _, m := range matches {
@@ -356,7 +349,7 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
 		acl, err := c.newACL(pgName, direction, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier)
 		if err != nil {
 			klog.Error(err)
-			klog.Errorf("new base ingress acl for security group %s: %v", sgName, err)
+			klog.Errorf("failed to create new base ingress acl for security group %s: %v", sgName, err)
 			return
 		}
 		acls = append(acls, acl)
diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
@@ -65,6 +65,54 @@ func newACL(parentName, direction, priority, match, action string, tier int, opt
 	return acl
 }
 
+func (suite *OvnClientTestSuite) testUpdateDefaultBlockACLOps() {
+	t := suite.T()
+	t.Parallel()
+
+	nbClient := suite.ovnNBClient
+
+	expect := func(row ovsdb.Row, action, direction, match, priority string) {
+		intPriority, err := strconv.Atoi(priority)
+		require.NoError(t, err)
+		require.Equal(t, action, row["action"])
+		require.Equal(t, direction, row["direction"])
+		require.Equal(t, match, row["match"])
+		require.Equal(t, intPriority, row["priority"])
+	}
+
+	t.Run("default block ingress", func(t *testing.T) {
+		t.Parallel()
+
+		netpol := "default block ingress"
+		pgName := "test_create_block_ingress_acl_pg"
+
+		err := nbClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
+
+		ops, err := nbClient.UpdateDefaultBlockACLOps(netpol, pgName, ovnnb.ACLDirectionToLport, true)
+		require.NoError(t, err)
+		require.Len(t, ops, 1)
+
+		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip", pgName), util.IngressDefaultDrop)
+	})
+
+	t.Run("default block egress", func(t *testing.T) {
+		t.Parallel()
+
+		netpol := "default block egress"
+		pgName := "test_create_block_egress_acl_pg"
+
+		err := nbClient.CreatePortGroup(pgName, nil)
+		require.NoError(t, err)
+
+		ops, err := nbClient.UpdateDefaultBlockACLOps(netpol, pgName, ovnnb.ACLDirectionFromLport, true)
+		require.NoError(t, err)
+		require.Len(t, ops, 1)
+
+		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip", pgName), util.EgressDefaultDrop)
+	})
+}
+
 func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 	t := suite.T()
 	t.Parallel()
@@ -83,7 +131,6 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 	t.Run("ipv4 acl", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "ipv4 ingress"
 		pgName := "test_create_v4_ingress_acl_pg"
 		asIngressName := "test.default.ingress.allow.ipv4.all"
 		asExceptName := "test.default.ingress.except.ipv4.all"
@@ -95,11 +142,9 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 
 		npp := mockNetworkPolicyPort()
 
-		ops, err := nbClient.UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName, npp, true, nil, nil)
+		ops, err := nbClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, npp, true, nil, nil)
 		require.NoError(t, err)
-		require.Len(t, ops, 4)
-
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip", pgName), util.IngressDefaultDrop)
+		require.Len(t, ops, 3)
 
 		matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, npp, nil)
 		i := 1
@@ -113,7 +158,6 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 	t.Run("ipv6 acl", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "ipv6 ingress"
 		pgName := "test_create_v6_ingress_acl_pg"
 		asIngressName := "test.default.ingress.allow.ipv6.all"
 		asExceptName := "test.default.ingress.except.ipv6.all"
@@ -123,11 +167,9 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 		err := nbClient.CreatePortGroup(pgName, nil)
 		require.NoError(t, err)
 
-		ops, err := nbClient.UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
+		ops, err := nbClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 		require.NoError(t, err)
-		require.Len(t, ops, 3)
-
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip", pgName), util.IngressDefaultDrop)
+		require.Len(t, ops, 2)
 
 		matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, nil, nil)
 		i := 1
@@ -141,28 +183,26 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 	t.Run("test empty pgName", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "ingress with empty pg name"
 		pgName := ""
 		asIngressName := "test.default.ingress.allow.ipv4.all"
 		asExceptName := "test.default.ingress.except.ipv4.all"
 		protocol := kubeovnv1.ProtocolIPv4
 		aclName := "test_create_v4_ingress_acl_pg"
 
-		_, err := nbClient.UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
+		_, err := nbClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 		require.ErrorContains(t, err, "the port group name or logical switch name is required")
 	})
 
 	t.Run("test empty pgName without suffix", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "ingress with empty pg name and no suffix"
 		pgName := ""
 		asIngressName := "test.default.ingress.allow.ipv4"
 		asExceptName := "test.default.ingress.except.ipv4"
 		protocol := kubeovnv1.ProtocolIPv4
 		aclName := "test_create_v4_ingress_acl_pg"
 
-		_, err := nbClient.UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
+		_, err := nbClient.UpdateIngressACLOps(pgName, asIngressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 		require.ErrorContains(t, err, "the port group name or logical switch name is required")
 	})
 }
@@ -185,7 +225,6 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 	t.Run("ipv4 acl", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "ipv4 egress"
 		pgName := "test_create_v4_egress_acl_pg"
 		asEgressName := "test.default.egress.allow.ipv4.all"
 		asExceptName := "test.default.egress.except.ipv4.all"
@@ -197,11 +236,9 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 
 		npp := mockNetworkPolicyPort()
 
-		ops, err := nbClient.UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName, npp, true, nil, nil)
+		ops, err := nbClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, npp, true, nil, nil)
 		require.NoError(t, err)
-		require.Len(t, ops, 4)
-
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip", pgName), util.EgressDefaultDrop)
+		require.Len(t, ops, 3)
 
 		matches := newNetworkPolicyACLMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, npp, nil)
 		i := 1
@@ -215,7 +252,6 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 	t.Run("ipv6 acl", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "ipv6 egress"
 		pgName := "test_create_v6_egress_acl_pg"
 		asEgressName := "test.default.egress.allow.ipv6.all"
 		asExceptName := "test.default.egress.except.ipv6.all"
@@ -225,11 +261,9 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 		err := nbClient.CreatePortGroup(pgName, nil)
 		require.NoError(t, err)
 
-		ops, err := nbClient.UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
+		ops, err := nbClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 		require.NoError(t, err)
-		require.Len(t, ops, 3)
-
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip", pgName), util.EgressDefaultDrop)
+		require.Len(t, ops, 2)
 
 		matches := newNetworkPolicyACLMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, nil, nil)
 		i := 1
@@ -243,28 +277,26 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 	t.Run("test empty pgName", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "egress with empty pg name"
 		pgName := ""
 		asEgressName := "test.default.egress.allow.ipv4.all"
 		asExceptName := "test.default.egress.except.ipv4.all"
 		protocol := kubeovnv1.ProtocolIPv4
 		aclName := "test_create_v4_egress_acl_pg"
 
-		_, err := nbClient.UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
+		_, err := nbClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 		require.ErrorContains(t, err, "the port group name or logical switch name is required")
 	})
 
 	t.Run("test empty pgName without suffix", func(t *testing.T) {
 		t.Parallel()
 
-		netpol := "egress with empty pg name and no suffix"
 		pgName := ""
 		asEgressName := "test.default.egress.allow.ipv4"
 		asExceptName := "test.default.egress.except.ipv4"
 		protocol := kubeovnv1.ProtocolIPv4
 		aclName := "test_create_v4_egress_acl_pg"
 
-		_, err := nbClient.UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
+		_, err := nbClient.UpdateEgressACLOps(pgName, asEgressName, asExceptName, protocol, aclName, nil, true, nil, nil)
 		require.ErrorContains(t, err, "the port group name or logical switch name is required")
 	})
 }
