Update action to block and increase priority for allow

cns/NetworkContainerContract.go

@@ -244,6 +244,13 @@ type ValidAclPolicySetting struct {
 	Priority        uint16 `json:","`
 }
 
+const (
+	ActionTypeAllow  string = "Allow"
+	ActionTypeBlock  string = "Block"
+	DirectionTypeIn  string = "In"
+	DirectionTypeOut string = "Out"
+)
+
 // Validate - Validates network container request policies
 func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate() error {
 	// validate ACL policy
@@ -258,15 +265,15 @@ func (networkContainerRequestPolicy *NetworkContainerRequestPolicies) Validate()
 				return fmt.Errorf("Action field cannot be empty in ACL Policy")
 			}
 			//Deny request if ACL Action is not Allow or Deny
-			if !strings.EqualFold(requestedAclPolicy.Action, "Allow") && !strings.EqualFold(requestedAclPolicy.Action, "Deny") {
-				return fmt.Errorf("Only Allow or Deny is supported in Action field")
+			if !strings.EqualFold(requestedAclPolicy.Action, ActionTypeAllow) && !strings.EqualFold(requestedAclPolicy.Action, ActionTypeBlock) {
+				return fmt.Errorf("Only Allow or Block is supported in Action field")
 			}
 			//Deny request if ACL Direction is empty
 			if len(strings.TrimSpace(string(requestedAclPolicy.Direction))) == 0 {
 				return fmt.Errorf("Direction field cannot be empty in ACL Policy")
 			}
 			//Deny request if ACL direction is not In or Out
-			if !strings.EqualFold(requestedAclPolicy.Direction, "In") && !strings.EqualFold(requestedAclPolicy.Direction, "Out") {
+			if !strings.EqualFold(requestedAclPolicy.Direction, DirectionTypeIn) && !strings.EqualFold(requestedAclPolicy.Direction, DirectionTypeOut) {
 				return fmt.Errorf("Only In or Out is supported in Direction field")
 			}
 			if requestedAclPolicy.Priority == 0 {

cns/hnsclient/hnsclient_windows.go

@@ -67,6 +67,9 @@ const (
 	// aclPriority200 indicates the ACL priority of 200
 	aclPriority200 = 200
 
+	// aclPriority1000 indicates the ACL priority of 1000
+	aclPriority1000 = 1000
+
 	// aclPolicyType indicates a ACL policy
 	aclPolicyType = "ACLPolicy"
 
@@ -394,7 +397,7 @@ func configureAclSettingHostNCApipaEndpoint(
 				LocalAddresses:  networkContainerApipaIP,
 				RemoteAddresses: hostApipaIP,
 				RuleType:        hcn.RuleTypeSwitch,
-				Priority:        aclPriority200,
+				Priority:        aclPriority1000,
 			}
 
 			if err = addAclToEndpointPolicy(outAllowToHostOnly, &endpointPolicies); err != nil {
@@ -426,7 +429,7 @@ func configureAclSettingHostNCApipaEndpoint(
 				LocalAddresses:  networkContainerApipaIP,
 				RemoteAddresses: hostApipaIP,
 				RuleType:        hcn.RuleTypeSwitch,
-				Priority:        aclPriority200,
+				Priority:        aclPriority1000,
 			}
 
 			if err = addAclToEndpointPolicy(inAllowFromHostOnly, &endpointPolicies); err != nil {
@@ -443,7 +446,7 @@ func configureAclSettingHostNCApipaEndpoint(
 			if strings.EqualFold(requestedPolicy.Type, aclPolicyType) && strings.EqualFold(requestedPolicy.EndpointType, apipaEndpointType) {
 				var requestedAclPolicy hcn.AclPolicySetting
 				if err = json.Unmarshal(requestedPolicy.Settings, &requestedAclPolicy); err != nil {
-					return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %S", requestedPolicy.Settings, err)
+					return nil, fmt.Errorf("Failed to Unmarshal requested ACL policy: %+v with error: %+v", requestedPolicy.Settings, err)
 				}
 				//Using {NetworkContainerIP} as a placeholder to signal using Network Container IP
 				if strings.EqualFold(requestedAclPolicy.LocalAddresses, "{NetworkContainerIP}") {