From eb34b0226e01fa2e2c91c5388ac8ef5a4c2c0e70 Mon Sep 17 00:00:00 2001 From: lynn901 Date: Tue, 30 Apr 2024 18:50:16 +0800 Subject: [PATCH] fix subnet acl with same net allow Signed-off-by: lynn901 --- pkg/ovs/ovn-nb-acl.go | 10 ++++++++-- pkg/ovs/ovn-nb-acl_test.go | 21 ++++++++++++++------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go index 690472b8865..bb8ec2bf113 100644 --- a/pkg/ovs/ovn-nb-acl.go +++ b/pkg/ovs/ovn-nb-acl.go @@ -440,13 +440,19 @@ func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcl NewACLMatch(ipSuffix+".dst", "==", cidr, ""), ) - sameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllowRelated, options) + ingressSameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllow, options) if err != nil { klog.Error(err) return fmt.Errorf("new same subnet ingress acl for logical switch %s: %v", lsName, err) } + acls = append(acls, ingressSameSubnetACL) - acls = append(acls, sameSubnetACL) + egressSameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllow, options) + if err != nil { + klog.Error(err) + return fmt.Errorf("new same subnet egress acl for logical switch %s: %v", lsName, err) + } + acls = append(acls, egressSameSubnetACL) } } diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go index 718f366dcfe..f792fbdda76 100644 --- a/pkg/ovs/ovn-nb-acl_test.go +++ b/pkg/ovs/ovn-nb-acl_test.go @@ -688,13 +688,20 @@ func (suite *OvnClientTestSuite) testUpdateLogicalSwitchACL() { if protocol == kubeovnv1.ProtocolIPv6 { match = "ip6.src == 2409:8720:4a00::0/64 && ip6.dst == 2409:8720:4a00::0/64" } - acl, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, false) - require.NoError(t, err) - expect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllowRelated) - expect.UUID = acl.UUID - expect.ExternalIDs["subnet"] = lsName - require.Equal(t, expect, acl) - require.Contains(t, ls.ACLs, acl.UUID) + ingressACL, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, false) + require.NoError(t, err) + ingressExpect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllow) + ingressExpect.UUID = ingressACL.UUID + ingressExpect.ExternalIDs["subnet"] = lsName + require.Equal(t, ingressExpect, ingressACL) + require.Contains(t, ls.ACLs, ingressACL.UUID) + egressACL, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, match, false) + require.NoError(t, err) + egressExpect := newACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllow) + egressExpect.UUID = egressACL.UUID + egressExpect.ExternalIDs["subnet"] = lsName + require.Equal(t, egressExpect, egressACL) + require.Contains(t, ls.ACLs, egressACL.UUID) } for _, subnetACL := range subnetAcls {