
Commit 1f59e78

committed
change ACCEPT to RETURN with mark when a netpol is matched so that we run through
all the applicable network policies for a flow
1 parent 97b022f commit 1f59e78


1 file changed

+43
-28
lines changed


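--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -750,11 +750,21 @@ func (npc *NetworkPolicyController) appendRuleToPolicyChain(iptablesCmdHandler *
 	if dPort != "" {
 		args = append(args, "--dport", dPort)
 	}
-	args = append(args, "-j", "ACCEPT")
-	err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
+
+	markComment := "rule to mark traffic matching a network policy"
+	markArgs := append(args, "-j", "MARK", "-m", "comment", "--comment", markComment, "--set-xmark", "0x10000/0x10000")
+	err := iptablesCmdHandler.AppendUnique("filter", policyChainName, markArgs...)
+	if err != nil {
+		return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+	}
+
+	returnComment := "rule to RETURN traffic matching a network policy"
+	returnArgs := append(args, "-m", "comment", "--comment", returnComment, "-m", "mark", "--mark", "0x10000/0x10000", "-j", "RETURN")
+	err = iptablesCmdHandler.AppendUnique("filter", policyChainName, returnArgs...)
 	if err != nil {
 		return fmt.Errorf("Failed to run iptables command: %s", err.Error())
 	}
+
 	return nil
 }
 
@@ -767,6 +777,33 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 		glog.Fatalf("Failed to initialize iptables executor: %s", err.Error())
 	}
 
+	dropUnmarkedTrafficRules := func(podName, podNamespace, podFwChainName string) error {
+		// add rule to log the packets that will be dropped due to network policy enforcement
+		comment := "rule to log dropped traffic POD name:" + podName + " namespace: " + podNamespace
+		args := []string{"-m", "comment", "--comment", comment, "-m", "mark", "!", "--mark", "0x10000/0x10000", "-j", "NFLOG", "--nflog-group", "100", "-m", "limit", "--limit", "10/minute", "--limit-burst", "10"}
+		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+		if err != nil {
+			return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+		}
+
+		// add rule to DROP if no applicable network policy permits the traffic
+		comment = "rule to REJECT traffic destined for POD name:" + podName + " namespace: " + podNamespace
+		args = []string{"-m", "comment", "--comment", comment, "-m", "mark", "!", "--mark", "0x10000/0x10000", "-j", "REJECT"}
+		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+		if err != nil {
+			return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+		}
+
+		// reset mark to let traffic pass through rest of the chains
+		args = []string{"-j", "MARK", "--set-mark", "0"}
+		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+		if err != nil {
+			return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+		}
+
+		return nil
+	}
+
 	// loop through the pods running on the node which to which ingress network policies to be applied
 	ingressNetworkPolicyEnabledPods, err := npc.getIngressNetworkPolicyEnabledPods(networkPoliciesInfo, npc.nodeIP.String())
 	if err != nil {
@@ -882,20 +919,9 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 			}
 		}
 
-		// add rule to log the packets that will be dropped due to network policy enforcement
-		comment = "rule to log dropped traffic POD name:" + pod.name + " namespace: " + pod.namespace
-		args = []string{"-m", "comment", "--comment", comment, "-j", "NFLOG", "--nflog-group", "100", "-m", "limit", "--limit", "10/minute", "--limit-burst", "10"}
-		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+		err = dropUnmarkedTrafficRules(pod.name, pod.namespace, podFwChainName)
 		if err != nil {
-			return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-		}
-
-		// add default DROP rule at the end of chain
-		comment = "default rule to REJECT traffic destined for POD name:" + pod.name + " namespace: " + pod.namespace
-		args = []string{"-m", "comment", "--comment", comment, "-j", "REJECT"}
-		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
-		if err != nil {
-			return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+			return nil, err
 		}
 	}
 
@@ -992,20 +1018,9 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 			}
 		}
 
-		// add rule to log the packets that will be dropped due to network policy enforcement
-		comment = "rule to log dropped traffic POD name:" + pod.name + " namespace: " + pod.namespace
-		args = []string{"-m", "comment", "--comment", comment, "-j", "NFLOG", "--nflog-group", "100", "-m", "limit", "--limit", "10/minute", "--limit-burst", "10"}
-		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+		err = dropUnmarkedTrafficRules(pod.name, pod.namespace, podFwChainName)
 		if err != nil {
-			return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-		}
-
-		// add default DROP rule at the end of chain
-		comment = "default rule to REJECT traffic destined for POD name:" + pod.name + " namespace: " + pod.namespace
-		args = []string{"-m", "comment", "--comment", comment, "-j", "REJECT"}
-		err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
-		if err != nil {
-			return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+			return nil, err
 		}
 	}
 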
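Review bot: The mark-reset rule at new line 798 in the dropUnmarkedTrafficRules closure, `args = []string{"-j", "MARK", "--set-mark", "0"}`, zeroes the whole fwmark rather than just the bit this controller owns, so any mark another component placed on the packet earlier in the traversal is lost once it leaves the pod chain; `"--set-xmark", "0x0/0x10000"` clears only bit 0x10000, matching the `0x10000/0x10000` mask the NFLOG and REJECT rules above it test. As far as the hunk shows, nothing clears that bit at the entry of the pod firewall chain either, so a packet that already carries 0x10000 from an earlier rule on the host would not match the `! --mark 0x10000/0x10000` REJECT rule and would pass without any policy having matched it; a leading `-j MARK --set-xmark 0x0/0x10000` in the pod chain would make the bit owned end to end, and the second comment (`// add rule to DROP ...`) should say REJECT to match the rule it describes. In appendRuleToPolicyChain (first hunk) `markArgs` and `returnArgs` are both built by `append(args, …)` on the same backing array, which is only safe because the first AppendUnique call has consumed markArgs before returnArgs is written; `append([]string(nil), args...)` for each would make that independent of the slice's spare capacity. The enclosing function syncPodFirewallChains starts and ends outside these hunks.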
