From eea59e6a49cf5a1b1dc0cff85659bee1a1c9d934 Mon Sep 17 00:00:00 2001 From: Vivek Aggarwal Date: Mon, 26 Oct 2020 18:05:12 -0700 Subject: [PATCH 1/7] initial changes --- network/policy/policy.go | 1 + network/policy/policy_windows.go | 86 +++++++++++++++++++++++++++++++- 2 files changed, 85 insertions(+), 2 deletions(-) diff --git a/network/policy/policy.go b/network/policy/policy.go index 419b2fc1b9..4b645c866c 100644 --- a/network/policy/policy.go +++ b/network/policy/policy.go @@ -10,6 +10,7 @@ const ( OutBoundNatPolicy CNIPolicyType = "OutBoundNAT" RoutePolicy CNIPolicyType = "ROUTE" PortMappingPolicy CNIPolicyType = "NAT" + ACLPolicy CNIPolicyType = "ACL" ) type CNIPolicyType string diff --git a/network/policy/policy_windows.go b/network/policy/policy_windows.go index abd092881d..9a1a68a641 100644 --- a/network/policy/policy_windows.go +++ b/network/policy/policy_windows.go @@ -11,12 +11,21 @@ import ( ) const ( - // protocolTcp indicates tcp protocol id for portmapping + // protocolTcp indicates tcp protocol id for portmapping/ACL policy protocolTcp = 6 - // protocolUdp indicates udp protocol id for portmapping + // protocolUdp indicates udp protocol id for portmapping/ACL policy protocolUdp = 17 + // protocolIcmpv4 indicates icmpv4 id for ACL policy + protocolIcmpv4 = 1 + + // protocolIcmpv6 indicates icmpv6 id for ACL policy + protocolIcmpv6 = 58 + + // protocolIgmp indicates igmp protocol id for ACL policy + protocolIgmp = 2 + // CnetAddressSpace indicates constant for the key string CnetAddressSpace = "cnetAddressSpace" ) 
@@ -45,6 +54,25 @@ type KVPairRoute struct { NeedEncap bool `json:"NeedEncap"` } +// ServiceName is excluded because it is N/A for l2bridge and l2tunnel +// Inernal Port also has been excluded for same reasons. +type KVPairACLPolicy struct { + // comma indicates that in JSON as Key "Type" (the default) + Type CNIPolicyType `json:","` + Protocol uint16 `json:","` // Only support in Hnsv1 + Protocols string `json:",omitempty"` + Action string `json:","` + Direction string `json:","` + LocalAddresses string `json:","` + RemoteAddresses string `json:","` + LocalPorts string `json:",omitempty"` + LocalPort uint16 `json:","` // Only supported in Hnsv1 + RemotePorts string `json:",omitempty"` + RemotePort uint16 `json:","` + RuleType string `json:","` + Priority uint16 `json:","` +} + var ValidWinVerForDnsNat bool // SerializePolicies serializes policies to json. @@ -176,6 +204,14 @@ func GetPolicyType(policy Policy) CNIPolicyType { } } + // TO DO : Move to just using Policy struct to determine type. + var aclPolicySetting KVPairACLPolicy + if err := json.Unmarshal(policy.Data, &aclPolicySetting); err == nil { + if dataRoute.Type == ACLPolicy { + return ACLPolicy + } + } + // Return empty string if the policy type is invalid log.Printf("Returning policyType INVALID") return "" 
@@ -343,6 +379,27 @@ func GetHcnPortMappingPolicy(policy Policy) (hcn.EndpointPolicy, error) { return portMappingPolicy, nil } +// GetHcnACLPolicy returns ACL policy. +func GetHcnACLPolicy(policy Policy) (hcn.EndpointPolicy, error) { + aclEndpolicySetting := hcn.EndpointPolicy{ + Type: hcn.ACL, + } + + var aclPolicySetting hcn.AclPolicySetting + if err := json.Unmarshal(policy.Data, &aclPolicySetting); err != nil { + return aclEndpolicySetting, err + } + + aclPolicySettingBytes, err := json.Marshal(aclPolicySetting) + if err != nil { + return aclEndpolicySetting, err + } + + aclEndpolicySetting.Settings = aclPolicySettingBytes + + return aclEndpolicySetting, nil +} + // GetHcnEndpointPolicies returns array of all endpoint policies. func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoData map[string]interface{}, enableSnatForDns, enableMultiTenancy bool) ([]hcn.EndpointPolicy, error) { var ( @@ -363,6 +420,8 @@ func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoD endpointPolicy, err = GetHcnRoutePolicy(policy) case PortMappingPolicy: endpointPolicy, err = GetHcnPortMappingPolicy(policy) + case ACLPolicy: + endpointPolicy, err = GetHcnACLPolicy(policy) default: // return error as we should be able to parse all the policies specified return hcnEndPointPolicies, fmt.Errorf("Failed to set Policy: Type: %s, Data: %s", policy.Type, policy.Data) 
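Review bot: GetHcnACLPolicy accepts an ACL whose Value carries nothing but "Type": "ACL", because json.Unmarshal reports no error for absent keys, so an all-zero hcn.AclPolicySetting (empty Action and Direction, Priority 0) is marshalled back into Settings and returned as a rule; the comment that PATCH 6/7 adds above this decode says it checks the input format, but it only rejects malformed JSON and mistyped values. After the Unmarshal add `if aclPolicySetting.Action == "" || aclPolicySetting.Direction == "" { return aclEndpolicySetting, fmt.Errorf("ACL policy missing Action or Direction: %s", policy.Data) }` so an incomplete rule fails here instead of at endpoint creation. The two bare error returns would also be easier to trace wrapped with context, e.g. `return aclEndpolicySetting, fmt.Errorf("parsing ACL policy settings: %w", err)`, in line with the formatted error in the GetHcnEndpointPolicies default branch.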
@@ -411,3 +470,26 @@ func AddDnsNATPolicyV2() (hcn.EndpointPolicy, error) { Settings: outBoundNatPolicySettingsBytes} return endpointPolicy, err } + +/*func getProtocolInt(protocolStr string) (uint64, error) { + + var protocolInt uint64 + protocol := strings.ToUpper(strings.TrimSpace(protocolStr)) + + switch protocol { + case "TCP": + protocolInt = protocolTcp + case "UDP": + protocolInt = protocolUdp + case "ICMPV4": + protocolInt = protocolIcmpv4 + case "ICMPV6": + protocolInt = protocolIcmpv6 + case "IGMP": + protocolInt = protocolIgmp + default: + return protocolInt, fmt.Errorf("Invalid protocol specified: %s", protocol) + } + + return protocolInt, nil +}*/ From dde0b4aa9a15b080d80cb27a0dc36d56c3f88938 Mon Sep 17 00:00:00 2001 From: Vivek Aggarwal Date: Wed, 28 Oct 2020 17:43:55 -0700 Subject: [PATCH 2/7] remove extraneous code --- network/policy/policy_windows.go | 44 +++----------------------------- 1 file changed, 4 insertions(+), 40 deletions(-) diff --git a/network/policy/policy_windows.go b/network/policy/policy_windows.go index 9a1a68a641..3506ca1a73 100644 --- a/network/policy/policy_windows.go +++ b/network/policy/policy_windows.go @@ -17,15 +17,6 @@ const ( // protocolUdp indicates udp protocol id for portmapping/ACL policy protocolUdp = 17 - // protocolIcmpv4 indicates icmpv4 id for ACL policy - protocolIcmpv4 = 1 - - // protocolIcmpv6 indicates icmpv6 id for ACL policy - protocolIcmpv6 = 58 - - // protocolIgmp indicates igmp protocol id for ACL policy - protocolIgmp = 2 - // CnetAddressSpace indicates constant for the key string CnetAddressSpace = "cnetAddressSpace" ) @@ -56,7 +47,7 @@ type KVPairRoute struct { // ServiceName is excluded because it is N/A for l2bridge and l2tunnel // Inernal Port also has been excluded for same reasons. -type KVPairACLPolicy struct { +/*type KVPairACLPolicy struct { // comma indicates that in JSON as Key "Type" (the default) Type CNIPolicyType `json:","` Protocol uint16 `json:","` // Only support in Hnsv1 
@@ -71,7 +62,7 @@ type KVPairACLPolicy struct { RemotePort uint16 `json:","` RuleType string `json:","` Priority uint16 `json:","` -} +}*/ var ValidWinVerForDnsNat bool @@ -204,12 +195,8 @@ func GetPolicyType(policy Policy) CNIPolicyType { } } - // TO DO : Move to just using Policy struct to determine type. - var aclPolicySetting KVPairACLPolicy - if err := json.Unmarshal(policy.Data, &aclPolicySetting); err == nil { - if dataRoute.Type == ACLPolicy { - return ACLPolicy - } + if dataRoute.Type == ACLPolicy { + return ACLPolicy } // Return empty string if the policy type is invalid @@ -470,26 +457,3 @@ func AddDnsNATPolicyV2() (hcn.EndpointPolicy, error) { Settings: outBoundNatPolicySettingsBytes} return endpointPolicy, err } - -/*func getProtocolInt(protocolStr string) (uint64, error) { - - var protocolInt uint64 - protocol := strings.ToUpper(strings.TrimSpace(protocolStr)) - - switch protocol { - case "TCP": - protocolInt = protocolTcp - case "UDP": - protocolInt = protocolUdp - case "ICMPV4": - protocolInt = protocolIcmpv4 - case "ICMPV6": - protocolInt = protocolIcmpv6 - case "IGMP": - protocolInt = protocolIgmp - default: - return protocolInt, fmt.Errorf("Invalid protocol specified: %s", protocol) - } - - return protocolInt, nil -}*/ From 9494fb623c2dc82409a437868d5e38afbeab4b7c Mon Sep 17 00:00:00 2001 From: Vivek Aggarwal Date: Wed, 28 Oct 2020 17:51:19 -0700 Subject: [PATCH 3/7] Add ACL and wireserver ACL --- cni/azure-windows.conflist | 13 +++++++++++++ network/policy/policy_windows.go | 23 ++--------------------- 2 files changed, 15 insertions(+), 21 deletions(-) diff --git a/cni/azure-windows.conflist b/cni/azure-windows.conflist index 395d1ec4f5..26f2059c28 100644 --- a/cni/azure-windows.conflist +++ b/cni/azure-windows.conflist 
@@ -40,6 +40,19 @@ "DestinationPrefix": "10.0.0.0/8", "NeedEncap": true } + }, + { + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Protocols": "6", + "Action": "Block", + "Direction": "Out", + "RemoteAddresses": "168.63.129.16/32", + "RemotePorts": "80", + "Priority": 200, + "RuleType": "Switch" + } } ] } diff --git a/network/policy/policy_windows.go b/network/policy/policy_windows.go index 3506ca1a73..671a824bac 100644 --- a/network/policy/policy_windows.go +++ b/network/policy/policy_windows.go @@ -11,10 +11,10 @@ import ( ) const ( - // protocolTcp indicates tcp protocol id for portmapping/ACL policy + // protocolTcp indicates tcp protocol id for portmapping protocolTcp = 6 - // protocolUdp indicates udp protocol id for portmapping/ACL policy + // protocolUdp indicates udp protocol id for portmapping protocolUdp = 17 // CnetAddressSpace indicates constant for the key string @@ -45,25 +45,6 @@ type KVPairRoute struct { NeedEncap bool `json:"NeedEncap"` } -// ServiceName is excluded because it is N/A for l2bridge and l2tunnel -// Inernal Port also has been excluded for same reasons. -/*type KVPairACLPolicy struct { - // comma indicates that in JSON as Key "Type" (the default) - Type CNIPolicyType `json:","` - Protocol uint16 `json:","` // Only support in Hnsv1 - Protocols string `json:",omitempty"` - Action string `json:","` - Direction string `json:","` - LocalAddresses string `json:","` - RemoteAddresses string `json:","` - LocalPorts string `json:",omitempty"` - LocalPort uint16 `json:","` // Only supported in Hnsv1 - RemotePorts string `json:",omitempty"` - RemotePort uint16 `json:","` - RuleType string `json:","` - Priority uint16 `json:","` -}*/ - var ValidWinVerForDnsNat bool // SerializePolicies serializes policies to json. From 8c143a8228f88560e982e99a62958945e42f8542 Mon Sep 17 00:00:00 2001 
From: Vivek Aggarwal Date: Wed, 28 Oct 2020 18:19:12 -0700 Subject: [PATCH 4/7] add ACLs --- cni/azure-windows.conflist | 44 ++++++++++++++++++++++++++++++++++---- 1 file changed, 40 insertions(+), 4 deletions(-) diff --git a/cni/azure-windows.conflist b/cni/azure-windows.conflist index 26f2059c28..12d1334023 100644 --- a/cni/azure-windows.conflist +++ b/cni/azure-windows.conflist @@ -45,13 +45,49 @@ "Name": "EndpointPolicy", "Value": { "Type": "ACL", - "Protocols": "6", + "Action": "Allow", + "Direction": "Out", + "RemoteAddresses": "168.63.129.16/32", + "RemotePorts": "53", + "Priority": 200 + } + } + { + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Block", + "Direction": "Out", + "RemoteAddresses": "169.254.169.254/32", + "Priority": 65498 + } + }, + { + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", "Action": "Block", "Direction": "Out", "RemoteAddresses": "168.63.129.16/32", - "RemotePorts": "80", - "Priority": 200, - "RuleType": "Switch" + "Priority": 65499 + } + }, + { + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Allow", + "Direction": "In", + "Priority": 65500 + } + }, + { + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Allow", + "Direction": "Out", + "Priority": 65500 } } ] From de539913b384d5089eaf01527ac6c87cc759df31 Mon Sep 17 00:00:00 2001 From: Vivek Aggarwal Date: Wed, 28 Oct 2020 21:15:58 -0700 Subject: [PATCH 5/7] default acls --- cni/azure-windows.conflist | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/cni/azure-windows.conflist b/cni/azure-windows.conflist index 12d1334023..63d580e557 100644 --- a/cni/azure-windows.conflist +++ b/cni/azure-windows.conflist 
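Review bot: The conflist this hunk produces is not valid JSON: the first added policy entry ends with `}` and the next `{ "Name": "EndpointPolicy"` follows it with no separating comma, where the removed line had `},`. PATCH 5/7 happens to drop that second entry and restores the `},`, so the final file parses, but at this commit a JSON parser rejects the config.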
@@ -48,19 +48,10 @@ "Action": "Allow", "Direction": "Out", "RemoteAddresses": "168.63.129.16/32", + "Protocols": "17", "RemotePorts": "53", "Priority": 200 } - } - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ACL", - "Action": "Block", - "Direction": "Out", - "RemoteAddresses": "169.254.169.254/32", - "Priority": 65498 - } }, { "Name": "EndpointPolicy", @@ -69,15 +60,15 @@ "Action": "Block", "Direction": "Out", "RemoteAddresses": "168.63.129.16/32", - "Priority": 65499 + "Priority": 65000 } }, - { + { "Name": "EndpointPolicy", "Value": { "Type": "ACL", "Action": "Allow", - "Direction": "In", + "Direction": "Out", "Priority": 65500 } }, @@ -86,7 +77,7 @@ "Value": { "Type": "ACL", "Action": "Allow", - "Direction": "Out", + "Direction": "In", "Priority": 65500 } } From 961b0dd5b0f9b400bb45e4c28da4ac6742b37b35 Mon Sep 17 00:00:00 2001 From: Vivek Aggarwal Date: Tue, 3 Nov 2020 12:54:48 -0800 Subject: [PATCH 6/7] address comments --- network/policy/policy_windows.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/network/policy/policy_windows.go b/network/policy/policy_windows.go index 671a824bac..db28f091ec 100644 --- a/network/policy/policy_windows.go +++ b/network/policy/policy_windows.go @@ -176,7 +176,8 @@ func GetPolicyType(policy Policy) CNIPolicyType { } } - if dataRoute.Type == ACLPolicy { + // Check if the type is ACLPolicy + if policy.Type == ACLPolicy { return ACLPolicy } @@ -353,6 +354,8 @@ func GetHcnACLPolicy(policy Policy) (hcn.EndpointPolicy, error) { Type: hcn.ACL, } + // Check beforehand, the input meets the expected format + // otherwise, endpoint creation will fail later on. var aclPolicySetting hcn.AclPolicySetting if err := json.Unmarshal(policy.Data, &aclPolicySetting); err != nil { return aclEndpolicySetting, err @@ -364,7 +367,6 @@ func GetHcnACLPolicy(policy Policy) (hcn.EndpointPolicy, error) { } aclEndpolicySetting.Settings = aclPolicySettingBytes - return aclEndpolicySetting, nil } 
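Review bot: Narrowing the DNS allow rule to `"Protocols": "17"` leaves no path for DNS over TCP to 168.63.129.16, because the following Block rule at priority 65000 carries no Protocols filter; if the resolver can fall back to TCP on truncated responses, add a sibling entry with `"Protocols": "6"` and the same RemoteAddresses, RemotePorts and Priority, or leave Protocols unset on this rule. This hunk also removes the outbound Block for 169.254.169.254, so that address is now reachable through the priority-65500 Allow; if dropping it is intended, the commit message should state why, since "default acls" does not explain it.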
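Review bot: The new `if policy.Type == ACLPolicy` test in GetPolicyType reads only the Policy header, yet it sits after the JSON decode that produced `dataRoute`, so every ACL policy pays for the earlier unmarshal attempts first; GetPolicyType's body begins outside the hunk, but if nothing before this point depends on the data, the check belongs at the top of the function. Deciding ACL from `policy.Type` while the other types appear to be inferred from `policy.Data` also means the two signals can disagree for an ACL entry, and a one-line comment such as `// ACL is the only type identified from Policy.Type; the other types are inferred from Data` would record that this is intentional.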
From 24803a320b32cae90573bff301538d8c7d0c1412 Mon Sep 17 00:00:00 2001 From: Vivek Aggarwal Date: Tue, 3 Nov 2020 13:00:22 -0800 Subject: [PATCH 7/7] addressed comment --- cni/azure-windows.conflist | 56 +++++++++++++++++++------------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/cni/azure-windows.conflist b/cni/azure-windows.conflist index 63d580e557..29ac9e94e4 100644 --- a/cni/azure-windows.conflist +++ b/cni/azure-windows.conflist @@ -42,43 +42,43 @@ } }, { - "Name": "EndpointPolicy", - "Value": { - "Type": "ACL", - "Action": "Allow", - "Direction": "Out", - "RemoteAddresses": "168.63.129.16/32", + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Allow", + "Direction": "Out", + "RemoteAddresses": "168.63.129.16/32", "Protocols": "17", - "RemotePorts": "53", - "Priority": 200 + "RemotePorts": "53", + "Priority": 200 } }, { - "Name": "EndpointPolicy", - "Value": { - "Type": "ACL", - "Action": "Block", - "Direction": "Out", - "RemoteAddresses": "168.63.129.16/32", - "Priority": 65000 + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Block", + "Direction": "Out", + "RemoteAddresses": "168.63.129.16/32", + "Priority": 65000 } }, - { - "Name": "EndpointPolicy", - "Value": { - "Type": "ACL", - "Action": "Allow", - "Direction": "Out", - "Priority": 65500 + { + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Allow", + "Direction": "Out", + "Priority": 65500 } }, { - "Name": "EndpointPolicy", - "Value": { - "Type": "ACL", - "Action": "Allow", - "Direction": "In", - "Priority": 65500 + "Name": "EndpointPolicy", + "Value": { + "Type": "ACL", + "Action": "Allow", + "Direction": "In", + "Priority": 65500 } } ]