diff --git a/cni/azure-windows.conflist b/cni/azure-windows.conflist
index 395d1ec4f5..29ac9e94e4 100644
--- a/cni/azure-windows.conflist
+++ b/cni/azure-windows.conflist
@@ -40,6 +40,46 @@
 "DestinationPrefix": "10.0.0.0/8",
 "NeedEncap": true
 }
+ },
+ {
+ "Name": "EndpointPolicy",
+ "Value": {
+ "Type": "ACL",
+ "Action": "Allow",
+ "Direction": "Out",
+ "RemoteAddresses": "168.63.129.16/32",
+ "Protocols": "17",
+ "RemotePorts": "53",
+ "Priority": 200
+ }
+ },
+ {
+ "Name": "EndpointPolicy",
+ "Value": {
+ "Type": "ACL",
+ "Action": "Block",
+ "Direction": "Out",
+ "RemoteAddresses": "168.63.129.16/32",
+ "Priority": 65000
+ }
+ },
+ {
+ "Name": "EndpointPolicy",
+ "Value": {
+ "Type": "ACL",
+ "Action": "Allow",
+ "Direction": "Out",
+ "Priority": 65500
+ }
+ },
+ {
+ "Name": "EndpointPolicy",
+ "Value": {
+ "Type": "ACL",
+ "Action": "Allow",
+ "Direction": "In",
+ "Priority": 65500
+ }
 }
 ]
 }
diff --git a/network/policy/policy.go b/network/policy/policy.go
index 419b2fc1b9..4b645c866c 100644
--- a/network/policy/policy.go
+++ b/network/policy/policy.go
@@ -10,6 +10,7 @@ const (
 OutBoundNatPolicy CNIPolicyType = "OutBoundNAT"
 RoutePolicy CNIPolicyType = "ROUTE"
 PortMappingPolicy CNIPolicyType = "NAT"
+ ACLPolicy CNIPolicyType = "ACL"
 )
 
 type CNIPolicyType string
diff --git a/network/policy/policy_windows.go b/network/policy/policy_windows.go
index abd092881d..db28f091ec 100644
--- a/network/policy/policy_windows.go
+++ b/network/policy/policy_windows.go
@@ -176,6 +176,11 @@ func GetPolicyType(policy Policy) CNIPolicyType {
 }
 }
 
+ // Check if the type is ACLPolicy
+ if policy.Type == ACLPolicy {
+ return ACLPolicy
+ }
+
 // Return empty string if the policy type is invalid
 log.Printf("Returning policyType INVALID")
 return ""
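Review bot: The priority-200 allow entry permits only UDP (`"Protocols": "17"`) to 168.63.129.16 port 53, so a resolver that retries over TCP after a truncated answer is caught by the priority-65000 block on the same address, assuming lower priority values take precedence as they do for HNS ACLs. If TCP/53 to that resolver is meant to keep working, a second allow entry with `"Protocols": "6"` and the same address and port is needed; if blocking it is deliberate, the intent deserves a sentence in the project's CNI documentation, since a conflist cannot carry a comment. The two priority-65500 entries make allow-all explicit in both directions; it is worth confirming that the inbound allow-all is intended rather than only the outbound one.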
@@ -343,6 +348,28 @@ func GetHcnPortMappingPolicy(policy Policy) (hcn.EndpointPolicy, error) {
 return portMappingPolicy, nil
 }
 
+// GetHcnACLPolicy returns ACL policy.
+func GetHcnACLPolicy(policy Policy) (hcn.EndpointPolicy, error) {
+ aclEndpolicySetting := hcn.EndpointPolicy{
+ Type: hcn.ACL,
+ }
+
+ // Check beforehand, the input meets the expected format
+ // otherwise, endpoint creation will fail later on.
+ var aclPolicySetting hcn.AclPolicySetting
+ if err := json.Unmarshal(policy.Data, &aclPolicySetting); err != nil {
+ return aclEndpolicySetting, err
+ }
+
+ aclPolicySettingBytes, err := json.Marshal(aclPolicySetting)
+ if err != nil {
+ return aclEndpolicySetting, err
+ }
+
+ aclEndpolicySetting.Settings = aclPolicySettingBytes
+ return aclEndpolicySetting, nil
+}
+
 // GetHcnEndpointPolicies returns array of all endpoint policies.
 func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoData map[string]interface{}, enableSnatForDns, enableMultiTenancy bool) ([]hcn.EndpointPolicy, error) {
 var (
@@ -363,6 +390,8 @@ func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoD
 endpointPolicy, err = GetHcnRoutePolicy(policy)
 case PortMappingPolicy:
 endpointPolicy, err = GetHcnPortMappingPolicy(policy)
+ case ACLPolicy:
+ endpointPolicy, err = GetHcnACLPolicy(policy)
 default:
 // return error as we should be able to parse all the policies specified
 return hcnEndPointPolicies, fmt.Errorf("Failed to set Policy: Type: %s, Data: %s", policy.Type, policy.Data)
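Review bot: The `json.Unmarshal` call in GetHcnACLPolicy silently drops unknown fields, so a misspelled key in a conflist (for example `RemoteAddress` instead of `RemoteAddresses`) passes the "expected format" check and reaches HNS as a rule without that restriction, which turns a scoped Block into a broader block and a scoped Allow into a broader allow. Decoding through a json.Decoder with DisallowUnknownFields() rejects such input when the policy is loaded (this needs `bytes` in the file's import block if it is not already there). The two error returns also hand back a half-built value with no context; returning the zero hcn.EndpointPolicy and wrapping with fmt.Errorf tells the caller which step failed, using `%w` only if the module's Go version is 1.13 or later, otherwise `%v`. The doc comment would be more useful stating the contract, e.g. `// GetHcnACLPolicy validates policy.Data as an hcn.AclPolicySetting and returns it as an hcn.ACL endpoint policy.`
```go
// Check beforehand, the input meets the expected format
// otherwise, endpoint creation will fail later on.
// Unknown fields are rejected so a misspelled key cannot silently widen the rule.
var aclPolicySetting hcn.AclPolicySetting
dec := json.NewDecoder(bytes.NewReader(policy.Data))
dec.DisallowUnknownFields()
if err := dec.Decode(&aclPolicySetting); err != nil {
	return hcn.EndpointPolicy{}, fmt.Errorf("parsing ACL policy settings: %w", err)
}
// … unchanged: re-marshal into aclEndpolicySetting.Settings and return …
```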