drop both IPv4 and IPv6 traffic in networkpolicy drop acl

Signed-off-by: 马洪贞 <[email protected]>
kubeovn · Apr 22, 2024 · 1775aa0 · 1775aa0
1 parent 7ffb791
commit 1775aa0
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 41 deletions.
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -298,17 +298,16 @@ func (c *Controller) handleUpdateNp(key string) error {
 
 					ingressACLOps = append(ingressACLOps, ops...)
 				}
-
-				if err = c.OVNNbClient.Transact("add-ingress-acls", ingressACLOps); err != nil {
-					return fmt.Errorf("add ingress acls to %s: %v", pgName, err)
-				}
-
-				if err = c.OVNNbClient.SetACLLog(pgName, protocol, logEnable, true); err != nil {
-					// just log and do not return err here
-					klog.Errorf("failed to set ingress acl log for np %s, %v", key, err)
-				}
 			}
 		}
+		if err := c.OVNNbClient.Transact("add-ingress-acls", ingressACLOps); err != nil {
+			return fmt.Errorf("add ingress acls to %s: %v", pgName, err)
+		}
+
+		if err := c.OVNNbClient.SetACLLog(pgName, "", logEnable, true); err != nil {
+			// just log and do not return err here
+			klog.Errorf("failed to set ingress acl log for np %s, %v", key, err)
+		}
 
 		ass, err := c.OVNNbClient.ListAddressSets(map[string]string{
 			networkPolicyKey: fmt.Sprintf("%s/%s/%s", np.Namespace, npName, "ingress"),
@@ -427,16 +426,16 @@ func (c *Controller) handleUpdateNp(key string) error {
 					egressACLOps = append(egressACLOps, ops...)
 				}
 
-				if err = c.OVNNbClient.Transact("add-egress-acls", egressACLOps); err != nil {
-					return fmt.Errorf("add egress acls to %s: %v", pgName, err)
-				}
-
-				if err = c.OVNNbClient.SetACLLog(pgName, protocol, logEnable, false); err != nil {
-					// just log and do not return err here
-					klog.Errorf("failed to set egress acl log for np %s, %v", key, err)
-				}
 			}
 		}
+		if err := c.OVNNbClient.Transact("add-egress-acls", egressACLOps); err != nil {
+			return fmt.Errorf("add egress acls to %s: %v", pgName, err)
+		}
+
+		if err := c.OVNNbClient.SetACLLog(pgName, "", logEnable, false); err != nil {
+			// just log and do not return err here
+			klog.Errorf("failed to set egress acl log for np %s, %v", key, err)
+		}
 
 		ass, err := c.OVNNbClient.ListAddressSets(map[string]string{
 			networkPolicyKey: fmt.Sprintf("%s/%s/%s", np.Namespace, npName, "egress"),

diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
@@ -25,15 +25,10 @@ func (c *OVNNbClient) UpdateIngressACLOps(pgName, asIngressName, asExceptName, p
 
 	if strings.HasSuffix(asIngressName, ".0") || strings.HasSuffix(asIngressName, ".all") {
 		// create the default drop rule for only once
-		ipSuffix := "ip4"
-		if protocol == kubeovnv1.ProtocolIPv6 {
-			ipSuffix = "ip6"
-		}
-
-		/* default drop acl */
+		// both IPv4 and IPv6 traffic should be forbade in dual-stack situation
 		allIPMatch := NewAndACLMatch(
 			NewACLMatch("outport", "==", "@"+pgName, ""),
-			NewACLMatch(ipSuffix, "", "", ""),
+			NewACLMatch("ip", "", "", ""),
 		)
 		options := func(acl *ovnnb.ACL) {
 			if logEnable {
@@ -75,15 +70,10 @@ func (c *OVNNbClient) UpdateEgressACLOps(pgName, asEgressName, asExceptName, pro
 
 	if strings.HasSuffix(asEgressName, ".0") || strings.HasSuffix(asEgressName, ".all") {
 		// create the default drop rule for only once
-		ipSuffix := "ip4"
-		if protocol == kubeovnv1.ProtocolIPv6 {
-			ipSuffix = "ip6"
-		}
-
-		/* default drop acl */
+		// both IPv4 and IPv6 traffic should be forbade in dual-stack situation
 		allIPMatch := NewAndACLMatch(
 			NewACLMatch("inport", "==", "@"+pgName, ""),
-			NewACLMatch(ipSuffix, "", "", ""),
+			NewACLMatch("ip", "", "", ""),
 		)
 		options := func(acl *ovnnb.ACL) {
 			if logEnable {
@@ -629,15 +619,10 @@ func (c *OVNNbClient) SetACLLog(pgName, protocol string, logEnable, isIngress bo
 		portDirection = "inport"
 	}
 
-	ipSuffix := "ip4"
-	if protocol == kubeovnv1.ProtocolIPv6 {
-		ipSuffix = "ip6"
-	}
-
 	// match all traffic to or from pgName
 	allIPMatch := NewAndACLMatch(
 		NewACLMatch(portDirection, "==", "@"+pgName, ""),
-		NewACLMatch(ipSuffix, "", "", ""),
+		NewACLMatch("ip", "", "", ""),
 	)
 
 	acl, err := c.GetACL(pgName, direction, util.IngressDefaultDrop, allIPMatch.String(), true)
@@ -650,6 +635,9 @@ func (c *OVNNbClient) SetACLLog(pgName, protocol string, logEnable, isIngress bo
 		return nil // skip if acl not found
 	}
 
+	if acl.Log == logEnable {
+		return nil
+	}
 	acl.Log = logEnable
 
 	err = c.UpdateACL(acl, &acl.Log)

diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
@@ -94,7 +94,7 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 		require.NoError(t, err)
 		require.Len(t, ops, 4)
 
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip4", pgName), util.IngressDefaultDrop)
+		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip", pgName), util.IngressDefaultDrop)
 
 		matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, npp, nil)
 		i := 1
@@ -120,7 +120,7 @@ func (suite *OvnClientTestSuite) testUpdateIngressACLOps() {
 		require.NoError(t, err)
 		require.Len(t, ops, 3)
 
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip6", pgName), util.IngressDefaultDrop)
+		expect(ops[0].Row, "drop", ovnnb.ACLDirectionToLport, fmt.Sprintf("outport == @%s && ip", pgName), util.IngressDefaultDrop)
 
 		matches := newNetworkPolicyACLMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, nil, nil)
 		i := 1
@@ -164,7 +164,7 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 		require.NoError(t, err)
 		require.Len(t, ops, 4)
 
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip4", pgName), util.EgressDefaultDrop)
+		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip", pgName), util.EgressDefaultDrop)
 
 		matches := newNetworkPolicyACLMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, npp, nil)
 		i := 1
@@ -190,7 +190,7 @@ func (suite *OvnClientTestSuite) testUpdateEgressACLOps() {
 		require.NoError(t, err)
 		require.Len(t, ops, 3)
 
-		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip6", pgName), util.EgressDefaultDrop)
+		expect(ops[0].Row, "drop", ovnnb.ACLDirectionFromLport, fmt.Sprintf("inport == @%s && ip", pgName), util.EgressDefaultDrop)
 
 		matches := newNetworkPolicyACLMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, nil, nil)
 		i := 1