netpol: fix duplicate default drop acl (#3197)

Signed-off-by: 张祖建 <zhangzujian.7@gmail.com>
kubeovn · Sep 11, 2023 · 012e003 · 012e003
1 parent 1c13e40
commit 012e003
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 52 deletions.
diff --git a/pkg/controller/network_policy.go b/pkg/controller/network_policy.go
@@ -332,7 +332,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 						return err
 					}
 
-					ops, err := c.ovnNbClient.UpdateIngressAclOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, []netv1.NetworkPolicyPort{}, logEnable, namedPortMap)
+					ops, err := c.ovnNbClient.UpdateIngressAclOps(pgName, ingressAllowAsName, ingressExceptAsName, protocol, nil, logEnable, namedPortMap)
 					if err != nil {
 						klog.Errorf("generate operations that add ingress acls to np %s: %v", key, err)
 						return err
@@ -485,7 +485,7 @@ func (c *Controller) handleUpdateNp(key string) error {
 						return err
 					}
 
-					ops, err := c.ovnNbClient.UpdateEgressAclOps(pgName, egressAllowAsName, egressExceptAsName, protocol, []netv1.NetworkPolicyPort{}, logEnable, namedPortMap)
+					ops, err := c.ovnNbClient.UpdateEgressAclOps(pgName, egressAllowAsName, egressExceptAsName, protocol, nil, logEnable, namedPortMap)
 					if err != nil {
 						klog.Errorf("generate operations that add egress acls to np %s: %v", key, err)
 						return err

diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
@@ -22,29 +22,32 @@ import (
 func (c *ovnNbClient) UpdateIngressAclOps(pgName, asIngressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 	acls := make([]*ovnnb.ACL, 0)
 
-	ipSuffix := "ip4"
-	if protocol == kubeovnv1.ProtocolIPv6 {
-		ipSuffix = "ip6"
-	}
+	if strings.HasSuffix(asIngressName, ".0") || strings.HasSuffix(asIngressName, ".all") {
+		// create the default drop rule for only once
+		ipSuffix := "ip4"
+		if protocol == kubeovnv1.ProtocolIPv6 {
+			ipSuffix = "ip6"
+		}
 
-	/* default drop acl */
-	allIpMatch := NewAndAclMatch(
-		NewAclMatch("outport", "==", "@"+pgName, ""),
-		NewAclMatch(ipSuffix, "", "", ""),
-	)
-	options := func(acl *ovnnb.ACL) {
-		if logEnable {
-			acl.Log = true
-			acl.Severity = &ovnnb.ACLSeverityWarning
+		/* default drop acl */
+		allIpMatch := NewAndAclMatch(
+			NewAclMatch("outport", "==", "@"+pgName, ""),
+			NewAclMatch(ipSuffix, "", "", ""),
+		)
+		options := func(acl *ovnnb.ACL) {
+			if logEnable {
+				acl.Log = true
+				acl.Severity = &ovnnb.ACLSeverityWarning
+			}
 		}
-	}
 
-	defaultDropAcl, err := c.newAclWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressDefaultDrop, allIpMatch.String(), ovnnb.ACLActionDrop, options)
-	if err != nil {
-		return nil, fmt.Errorf("new default drop ingress acl for port group %s: %v", pgName, err)
-	}
+		defaultDropAcl, err := c.newAclWithoutCheck(pgName, ovnnb.ACLDirectionToLport, util.IngressDefaultDrop, allIpMatch.String(), ovnnb.ACLActionDrop, options)
+		if err != nil {
+			return nil, fmt.Errorf("new default drop ingress acl for port group %s: %v", pgName, err)
+		}
 
-	acls = append(acls, defaultDropAcl)
+		acls = append(acls, defaultDropAcl)
+	}
 
 	/* allow acl */
 	matches := newNetworkPolicyAclMatch(pgName, asIngressName, asExceptName, protocol, ovnnb.ACLDirectionToLport, npp, namedPortMap)
@@ -69,36 +72,39 @@ func (c *ovnNbClient) UpdateIngressAclOps(pgName, asIngressName, asExceptName, p
 func (c *ovnNbClient) UpdateEgressAclOps(pgName, asEgressName, asExceptName, protocol string, npp []netv1.NetworkPolicyPort, logEnable bool, namedPortMap map[string]*util.NamedPortInfo) ([]ovsdb.Operation, error) {
 	acls := make([]*ovnnb.ACL, 0)
 
-	ipSuffix := "ip4"
-	if protocol == kubeovnv1.ProtocolIPv6 {
-		ipSuffix = "ip6"
-	}
+	if strings.HasSuffix(asEgressName, ".0") || strings.HasSuffix(asEgressName, ".all") {
+		// create the default drop rule for only once
+		ipSuffix := "ip4"
+		if protocol == kubeovnv1.ProtocolIPv6 {
+			ipSuffix = "ip6"
+		}
 
-	/* default drop acl */
-	allIpMatch := NewAndAclMatch(
-		NewAclMatch("inport", "==", "@"+pgName, ""),
-		NewAclMatch(ipSuffix, "", "", ""),
-	)
-	options := func(acl *ovnnb.ACL) {
-		if logEnable {
-			acl.Log = true
-			acl.Severity = &ovnnb.ACLSeverityWarning
+		/* default drop acl */
+		allIpMatch := NewAndAclMatch(
+			NewAclMatch("inport", "==", "@"+pgName, ""),
+			NewAclMatch(ipSuffix, "", "", ""),
+		)
+		options := func(acl *ovnnb.ACL) {
+			if logEnable {
+				acl.Log = true
+				acl.Severity = &ovnnb.ACLSeverityWarning
+			}
+
+			if acl.Options == nil {
+				acl.Options = make(map[string]string)
+			}
+			acl.Options["apply-after-lb"] = "true"
 		}
 
-		if acl.Options == nil {
-			acl.Options = make(map[string]string)
+		defaultDropAcl, err := c.newAclWithoutCheck(pgName, ovnnb.ACLDirectionFromLport, util.EgressDefaultDrop, allIpMatch.String(), ovnnb.ACLActionDrop, options)
+		if err != nil {
+			klog.Error(err)
+			return nil, fmt.Errorf("new default drop egress acl for port group %s: %v", pgName, err)
 		}
-		acl.Options["apply-after-lb"] = "true"
-	}
 
-	defaultDropAcl, err := c.newAclWithoutCheck(pgName, ovnnb.ACLDirectionFromLport, util.EgressDefaultDrop, allIpMatch.String(), ovnnb.ACLActionDrop, options)
-	if err != nil {
-		klog.Error(err)
-		return nil, fmt.Errorf("new default drop egress acl for port group %s: %v", pgName, err)
+		acls = append(acls, defaultDropAcl)
 	}
 
-	acls = append(acls, defaultDropAcl)
-
 	/* allow acl */
 	matches := newNetworkPolicyAclMatch(pgName, asEgressName, asExceptName, protocol, ovnnb.ACLDirectionFromLport, npp, namedPortMap)
 	for _, m := range matches {

diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
@@ -81,8 +81,8 @@ func (suite *OvnClientTestSuite) testUpdateIngressAclOps() {
 		t.Parallel()
 
 		pgName := "test_create_v4_ingress_acl_pg"
-		asIngressName := "test.default.ingress.allow.ipv4"
-		asExceptName := "test.default.ingress.except.ipv4"
+		asIngressName := "test.default.ingress.allow.ipv4.all"
+		asExceptName := "test.default.ingress.except.ipv4.all"
 		protocol := kubeovnv1.ProtocolIPv4
 
 		err := ovnClient.CreatePortGroup(pgName, nil)
@@ -109,8 +109,8 @@ func (suite *OvnClientTestSuite) testUpdateIngressAclOps() {
 		t.Parallel()
 
 		pgName := "test_create_v6_ingress_acl_pg"
-		asIngressName := "test.default.ingress.allow.ipv6"
-		asExceptName := "test.default.ingress.except.ipv6"
+		asIngressName := "test.default.ingress.allow.ipv6.all"
+		asExceptName := "test.default.ingress.except.ipv6.all"
 		protocol := kubeovnv1.ProtocolIPv6
 
 		err := ovnClient.CreatePortGroup(pgName, nil)
@@ -151,8 +151,8 @@ func (suite *OvnClientTestSuite) testUpdateEgressAclOps() {
 		t.Parallel()
 
 		pgName := "test_create_v4_egress_acl_pg"
-		asEgressName := "test.default.egress.allow.ipv4"
-		asExceptName := "test.default.egress.except.ipv4"
+		asEgressName := "test.default.egress.allow.ipv4.all"
+		asExceptName := "test.default.egress.except.ipv4.all"
 		protocol := kubeovnv1.ProtocolIPv4
 
 		err := ovnClient.CreatePortGroup(pgName, nil)
@@ -179,8 +179,8 @@ func (suite *OvnClientTestSuite) testUpdateEgressAclOps() {
 		t.Parallel()
 
 		pgName := "test_create_v6_egress_acl_pg"
-		asEgressName := "test.default.egress.allow.ipv6"
-		asExceptName := "test.default.egress.except.ipv6"
+		asEgressName := "test.default.egress.allow.ipv6.all"
+		asExceptName := "test.default.egress.except.ipv6.all"
 		protocol := kubeovnv1.ProtocolIPv6
 
 		err := ovnClient.CreatePortGroup(pgName, nil)