From 80f00e4bb76018aec7ac4cdf19d01c9981131e0e Mon Sep 17 00:00:00 2001
From: Ali Egal
Date: Wed, 15 Apr 2020 15:34:14 -0700
Subject: [PATCH 1/3] need to update action to block, update priority
---
 cns/NetworkContainerContract.go | 16 +++++++++++++---
 cns/hnsclient/hnsclient_windows.go | 7 +++++--
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
index f25cd05a12..77d4677de9 100644
--- a/cns/NetworkContainerContract.go
+++ b/cns/NetworkContainerContract.go
@@ -244,6 +244,16 @@ type ValidAclPolicySetting struct {
  Priority uint16 `json:","`
 }
 
+const (
+ ActionTypeAllow string = "Allow"
+
+ ActionTypeBlock string = "Block"
+
+ DirectionTypeIn string = "In"
+
+ DirectionTypeOut string = "Out"
+)
+
 // Validate - Validates network container request policies
 func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error {
  // validate ACL policy
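Review bot: The four exported constants in the new const block carry no doc comments, and nothing ties them to the fields they constrain (the realigned block in PATCH 3/3 at @@ -245,12 still lacks them). A single comment above the block such as `// Accepted values for the Action and Direction fields of an ACL policy request; Validate compares against them case-insensitively.` would document all four. It should also say why the strings are declared here rather than taken from hcsshim's hcn package, which exports the same four names — presumably because this contract file is compiled on every platform, but that reasoning is not visible in the hunk. The Validate signature at the end is context; its body runs past the hunk.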
@@ -258,15 +268,15 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate()
  return fmt.Errorf("Action field cannot be empty in ACL Policy")
  }
  //Deny request if ACL Action is not Allow or Deny
- if !strings.EqualFold(requestedAclPolicy.Action, "Allow") && !strings.EqualFold(requestedAclPolicy.Action, "Deny") {
- return fmt.Errorf("Only Allow or Deny is supported in Action field")
+ if !strings.EqualFold(requestedAclPolicy.Action, ActionTypeAllow) && !strings.EqualFold(requestedAclPolicy.Action, ActionTypeBlock) {
+ return fmt.Errorf("Only Allow or Block is supported in Action field")
  }
  //Deny request if ACL Direction is empty
  if len(strings.TrimSpace(string(requestedAclPolicy.Direction))) == 0 {
  return fmt.Errorf("Direction field cannot be empty in ACL Policy")
  }
  //Deny request if ACL direction is not In or Out
- if !strings.EqualFold(requestedAclPolicy.Direction, "In") && !strings.EqualFold(requestedAclPolicy.Direction, "Out") {
+ if !strings.EqualFold(requestedAclPolicy.Direction, DirectionTypeIn) && !strings.EqualFold(requestedAclPolicy.Direction, DirectionTypeOut) {
  return fmt.Errorf("Only In or Out is supported in Direction field")
  }
  if requestedAclPolicy.Priority == 0 {
diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go
index 306236b8ed..3b22b94f9c 100644
--- a/cns/hnsclient/hnsclient_windows.go
+++ b/cns/hnsclient/hnsclient_windows.go
@@ -67,6 +67,9 @@ const (
  // aclPriority200 indicates the ACL priority of 200
  aclPriority200 = 200
 
+ // aclPriority1000 indicates the ACL priority of 1000
+ aclPriority1000 = 1000
+
  // aclPolicyType indicates a ACL policy
  aclPolicyType = "ACLPolicy"
 
@@ -394,7 +397,7 @@ func configureAclSettingHostNCApipaEndpoint(
  LocalAddresses: networkContainerApipaIP,
  RemoteAddresses: hostApipaIP,
  RuleType: hcn.RuleTypeSwitch,
- Priority: aclPriority200,
+ Priority: aclPriority1000,
  }
 
  if err = addAclToEndpointPolicy(outAllowToHostOnly, &endpointPolicies); err != nil {
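Review bot: The unchanged comment `//Deny request if ACL Action is not Allow or Deny` directly above the modified check is now wrong, because the check accepts Allow or Block; it should read `//Deny request if ACL Action is not Allow or Block`. The change also turns "Deny" from an accepted Action into a rejected one, so any caller still sending it will now fail Validate with "Only Allow or Block is supported in Action field" — if "Deny" was ever a published contract value this is a breaking change that deserves a line in the commit message or an explicit mapping. EqualFold also lets "block" or "BLOCK" pass while the constants fix a canonical casing; since PATCH 2/3 unmarshals the request settings straight into hcn.AclPolicySetting without normalizing, confirm HNS accepts any casing or normalize Action and Direction to the constants once validated. Validate starts and ends outside this hunk.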
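Review bot: The doc comment `// aclPriority1000 indicates the ACL priority of 1000` only restates the value; it should say what 1000 orders against, since the two host-only allow rules at @@ -394,7 and @@ -426,7 (`outAllowToHostOnly`, `inAllowFromHostOnly`) are moved from 200 to 1000 — presumably so that caller-supplied ACL policies, whose Priority the contract's Validate checks against zero but (as far as the hunk shows) not against any range, sort in a defined order relative to these rules, but HNS's precedence rule for the Priority field is not visible here, so confirm and record it. Something like `// aclPriority1000 is the priority of the host-only allow rules on the APIPA endpoint; chosen so that [ordering rationale] (see HNS ACL precedence)` with the placeholder filled in. Whether aclPriority200 still has a user after this change is not visible in the hunk; if not, remove it. The const block and configureAclSettingHostNCApipaEndpoint both extend beyond these hunks.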
@@ -426,7 +429,7 @@ func configureAclSettingHostNCApipaEndpoint(
  LocalAddresses: networkContainerApipaIP,
  RemoteAddresses: hostApipaIP,
  RuleType: hcn.RuleTypeSwitch,
- Priority: aclPriority200,
+ Priority: aclPriority1000,
  }
 
  if err = addAclToEndpointPolicy(inAllowFromHostOnly, &endpointPolicies); err != nil {
From 459f2db1d88bd0062ef1916f2538dafcbc9b170f Mon Sep 17 00:00:00 2001
From: Ali Egal
Date: Wed, 15 Apr 2020 15:44:18 -0700
Subject: [PATCH 2/3] need to update action to block, update priority
---
 cns/hnsclient/hnsclient_windows.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cns/hnsclient/hnsclient_windows.go b/cns/hnsclient/hnsclient_windows.go
index 3b22b94f9c..0f5541c989 100644
--- a/cns/hnsclient/hnsclient_windows.go
+++ b/cns/hnsclient/hnsclient_windows.go
@@ -446,7 +446,7 @@ func configureAclSettingHostNCApipaEndpoint(
  if strings.EqualFold(requestedPolicy.Type, aclPolicyType) && strings.EqualFold(requestedPolicy.EndpointType, apipaEndpointType) {
  var requestedAclPolicy hcn.AclPolicySetting
  if err = json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil {
- return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err)
+ return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %+v", requestedPolicy.Settings, err)
  }
  //Using {NetworkContainerIP} as a placeholder to signal using Network Container IP
  if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") {
From dd305ce791aeae8d64f6855e0d0307fe138aefd7 Mon Sep 17 00:00:00 2001
From: Ali Egal
Date: Wed, 15 Apr 2020 20:49:10 -0700
Subject: [PATCH 3/3] address comments
---
 cns/NetworkContainerContract.go | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/cns/NetworkContainerContract.go b/cns/NetworkContainerContract.go
index 77d4677de9..5fa319d0df 100644
--- a/cns/NetworkContainerContract.go
+++ b/cns/NetworkContainerContract.go
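Review bot: In the @@ -446,7 hunk, `%+v` on requestedPolicy.Settings is still the wrong verb: json.Unmarshal takes it as a byte slice, so the message prints the settings as a list of decimal byte values rather than the JSON text. Use `%s` for the settings and `%v` for the error (`%w` if the module already targets Go 1.13): `return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %s with error: %v", requestedPolicy.Settings, err)`. The settings blob is caller-supplied, so if this error is logged verbatim it can be arbitrarily long; consider logging only the error, or a bounded prefix of the settings. configureAclSettingHostNCApipaEndpoint continues outside the hunk.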
@@ -245,12 +245,9 @@ type ValidAclPolicySetting struct {
 }
 
 const (
- ActionTypeAllow string = "Allow"
-
- ActionTypeBlock string = "Block"
-
- DirectionTypeIn string = "In"
-
+ ActionTypeAllow string = "Allow"
+ ActionTypeBlock string = "Block"
+ DirectionTypeIn string = "In"
  DirectionTypeOut string = "Out"
 )
 