Skip to content

Commit

Permalink
fix subnet acl with same net allow (#3961)
Browse files Browse the repository at this point in the history
Signed-off-by: lynn901 <[email protected]>
  • Loading branch information
lynn901 authored and zbb88888 committed Apr 30, 2024
1 parent 6c961bf commit f974fd4
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 9 deletions.
10 changes: 8 additions & 2 deletions pkg/ovs/ovn-nb-acl.go
Original file line number Diff line number Diff line change
Expand Up @@ -440,13 +440,19 @@ func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcl
NewACLMatch(ipSuffix+".dst", "==", cidr, ""),
)

sameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllowRelated, options)
ingressSameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllow, options)
if err != nil {
klog.Error(err)
return fmt.Errorf("new same subnet ingress acl for logical switch %s: %v", lsName, err)
}
acls = append(acls, ingressSameSubnetACL)

acls = append(acls, sameSubnetACL)
egressSameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllow, options)
if err != nil {
klog.Error(err)
return fmt.Errorf("new same subnet egress acl for logical switch %s: %v", lsName, err)
}
acls = append(acls, egressSameSubnetACL)
}
}

Expand Down
21 changes: 14 additions & 7 deletions pkg/ovs/ovn-nb-acl_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -688,13 +688,20 @@ func (suite *OvnClientTestSuite) testUpdateLogicalSwitchACL() {
if protocol == kubeovnv1.ProtocolIPv6 {
match = "ip6.src == 2409:8720:4a00::0/64 && ip6.dst == 2409:8720:4a00::0/64"
}
acl, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, false)
require.NoError(t, err)
expect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllowRelated)
expect.UUID = acl.UUID
expect.ExternalIDs["subnet"] = lsName
require.Equal(t, expect, acl)
require.Contains(t, ls.ACLs, acl.UUID)
ingressACL, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, false)
require.NoError(t, err)
ingressExpect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllow)
ingressExpect.UUID = ingressACL.UUID
ingressExpect.ExternalIDs["subnet"] = lsName
require.Equal(t, ingressExpect, ingressACL)
require.Contains(t, ls.ACLs, ingressACL.UUID)
egressACL, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, match, false)
require.NoError(t, err)
egressExpect := newACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllow)
egressExpect.UUID = egressACL.UUID
egressExpect.ExternalIDs["subnet"] = lsName
require.Equal(t, egressExpect, egressACL)
require.Contains(t, ls.ACLs, egressACL.UUID)
}

for _, subnetACL := range subnetAcls {
Expand Down

0 comments on commit f974fd4

Please sign in to comment.