feat(netpol): authorize l3 protocols

Signed-off-by: SkalaNetworks <contact@skala.network>

Author: SkalaNetworks

mocks/pkg/ovs/interface.go

@@ -174,6 +174,14 @@ func (c *Controller) handleUpdateNp(key string) error {
 
 	if hasIngressRule(np) {
 		for _, protocol := range protocolSet.List() {
+			standardACLOps, err := c.OVNNbClient.CreateNpBaseACLOps(npName, pgName, np.Namespace, ovnnb.ACLDirectionToLport, protocol)
+			if err != nil {
+				klog.Errorf("failed to set base ingress acl: %v", err)
+				return fmt.Errorf("failed to set default ingress block acl: %w", err)
+			}
+			klog.Infof("standard acl ops of len %d: %v", len(standardACLOps), standardACLOps)
+			ingressACLOps = append(ingressACLOps, standardACLOps...)
+
 			for idx, npr := range np.Spec.Ingress {
 				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
 				ingressAllowAsName := fmt.Sprintf("%s.%s.%d", ingressAllowAsNamePrefix, protocol, idx)
@@ -303,6 +311,13 @@ func (c *Controller) handleUpdateNp(key string) error {
 
 	if hasEgressRule(np) {
 		for _, protocol := range protocolSet.List() {
+			standardACLOps, err := c.OVNNbClient.CreateNpBaseACLOps(npName, pgName, np.Namespace, ovnnb.ACLDirectionToLport, protocol)
+			if err != nil {
+				klog.Errorf("failed to set base ingress acl: %v", err)
+				return fmt.Errorf("failed to set default ingress block acl: %w", err)
+			}
+			egressACLOps = append(egressACLOps, standardACLOps...)
+
 			for idx, npr := range np.Spec.Egress {
 				// A single address set must contain addresses of the same type and the name must be unique within table, so IPv4 and IPv6 address set should be different
 				egressAllowAsName := fmt.Sprintf("%s.%s.%d", egressAllowAsNamePrefix, protocol, idx)

pkg/controller/network_policy.go

@@ -157,6 +157,7 @@ type PortGroup interface {
 }
 
 type ACL interface {
+	CreateNpBaseACLOps(npName, pgName, npNamespace, direction, protocol string) ([]ovsdb.Operation, error)
 	UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 	UpdateEgressACLOps(netpol, pgName, asEgressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error)
 	CreateGatewayACL(lsName, pgName, gateway, u2oInterconnectionIP string) error

pkg/ovs/interface.go

@@ -53,6 +53,94 @@ func setACLName(acl *ovnnb.ACL, name string) {
 	acl.Name = ptr.To(name)
 }
 
+// CreateNpBaseACLOps creates the base ACLs of a NetworkPolicy to allow ARP/ICMP/VRRP
+// We allow those protocols because the standard for NetworkPolicies excepts to only block
+// based on the IP/TCP/UDP/SCTP protocols.
+func (c *OVNNbClient) CreateNpBaseACLOps(npName, pgName, npNamespace, direction, protocol string) ([]ovsdb.Operation, error) {
+	portDirection := "outport"
+	dhcpv4UdpSrc, dhcpv4UdpDst := "67", "68"
+	dhcpv6UdpSrc, dhcpv6UdpDst := "547", "546"
+
+	if direction == ovnnb.ACLDirectionFromLport { // egress rule
+		portDirection = "inport"
+		dhcpv4UdpSrc, dhcpv4UdpDst = dhcpv4UdpDst, dhcpv4UdpSrc
+		dhcpv6UdpSrc, dhcpv6UdpDst = dhcpv6UdpDst, dhcpv6UdpSrc
+	}
+
+	acls := make([]*ovnnb.ACL, 0)
+
+	newACL := func(match, protocol string) {
+		options := func(acl *ovnnb.ACL) {
+			setACLName(acl, npName)
+		}
+
+		acl, err := c.newACL(pgName, direction, util.IngressAllowPriority, match, ovnnb.ACLActionAllowRelated, util.NetpolACLTier, options)
+		if err != nil {
+			klog.Error(err)
+			klog.Errorf("failed to create new base ingress acl for network policy %s/%s: %v", npNamespace, npName, err)
+			return
+		}
+		acls = append(acls, acl)
+	}
+
+	// Allow ARP
+	allArpMatch := NewAndACLMatch(
+		NewACLMatch(portDirection, "==", "@"+pgName, ""),
+		NewACLMatch("arp", "", "", ""),
+	)
+	newACL(allArpMatch.String(), "arp")
+
+	// Allow VRRP
+	vrrpMatch := NewAndACLMatch(
+		NewACLMatch(portDirection, "==", "@"+pgName, ""),
+		NewACLMatch("ip.proto", "==", "112", ""),
+	)
+	newACL(vrrpMatch.String(), "vrrp")
+
+	if protocol == kubeovnv1.ProtocolIPv6 {
+		// Allow  ICMPv6
+		icmpv6Match := NewAndACLMatch(
+			NewACLMatch(portDirection, "==", "@"+pgName, ""),
+			NewACLMatch("icmp6", "", "", ""),
+		)
+		newACL(icmpv6Match.String(), "icmp")
+
+		// Allow DHCPv6
+		dhcpv6Match := NewAndACLMatch(
+			NewACLMatch(portDirection, "==", "@"+pgName, ""),
+			NewACLMatch("udp.src", "==", dhcpv6UdpSrc, ""),
+			NewACLMatch("udp.dst", "==", dhcpv6UdpDst, ""),
+			NewACLMatch("ip6", "", "", ""),
+		)
+		newACL(dhcpv6Match.String(), "dhcp")
+	}
+
+	if protocol == kubeovnv1.ProtocolIPv4 {
+		// Allow  ICMPv4
+		icmpv6Match := NewAndACLMatch(
+			NewACLMatch(portDirection, "==", "@"+pgName, ""),
+			NewACLMatch("icmp4", "", "", ""),
+		)
+		newACL(icmpv6Match.String(), "icmp")
+
+		// Allow DHCPv4
+		dhcpv4Match := NewAndACLMatch(
+			NewACLMatch(portDirection, "==", "@"+pgName, ""),
+			NewACLMatch("udp.src", "==", dhcpv4UdpSrc, ""),
+			NewACLMatch("udp.dst", "==", dhcpv4UdpDst, ""),
+			NewACLMatch("ip4", "", "", ""),
+		)
+		newACL(dhcpv4Match.String(), "dhcp")
+	}
+
+	ops, err := c.CreateAclsOps(pgName, portGroupKey, acls...)
+	if err != nil {
+		klog.Error(err)
+		return nil, fmt.Errorf("failed to create ingress acl for port group %s: %w", pgName, err)
+	}
+	return ops, nil
+}
+
 // UpdateIngressACLOps return operation that creates an ingress ACL
 func (c *OVNNbClient) UpdateIngressACLOps(netpol, pgName, asIngressName, asExceptName, protocol, aclName string, npp []netv1.NetworkPolicyPort, logEnable bool, logACLActions []ovnnb.ACLAction, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 	acls := make([]*ovnnb.ACL, 0)