From 671d55db7b4c205dd5bc897b66bf215f9541c85d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=A2=81=E5=8F=88=E8=A2=81?=
Date: Thu, 12 Oct 2023 17:19:49 +0800
Subject: [PATCH] add base rules for allowing vrrp packets (#3293)
Signed-off-by: yuanliu
---
 pkg/ovs/ovn-nb-acl.go | 18 ++++++++++++++++--
 pkg/ovs/ovn-nb-acl_test.go | 14 +++++++++++---
 2 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
index 009fa3281de..3629693308e 100644
--- a/pkg/ovs/ovn-nb-acl.go
+++ b/pkg/ovs/ovn-nb-acl.go
@@ -286,10 +286,18 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
 portDirection := "outport"
 dhcpv4UdpSrc, dhcpv4UdpDst := "67", "68"
 dhcpv6UdpSrc, dhcpv6UdpDst := "547", "546"
+ icmpv6Type := "{130, 134, 135, 136}"
+ // 130 group membership query
+ // 133 router solicitation
+ // 134 router advertisement
+ // 135 neighbor solicitation
+ // 136 neighbor advertisement
+
 if direction == ovnnb.ACLDirectionFromLport { // egress rule
 portDirection = "inport"
 dhcpv4UdpSrc, dhcpv4UdpDst = dhcpv4UdpDst, dhcpv4UdpSrc
 dhcpv6UdpSrc, dhcpv6UdpDst = dhcpv6UdpDst, dhcpv6UdpSrc
+ icmpv6Type = "{130, 133, 135, 136}"
 }
 acls := make([]*ovnnb.ACL, 0)
@@ -314,7 +322,7 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
 // icmpv6
 icmpv6Match := NewAndACLMatch(
 NewACLMatch(portDirection, "==", "@"+pgName, ""),
- NewACLMatch("icmp6.type", "==", "{130, 134, 135, 136}", ""),
+ NewACLMatch("icmp6.type", "==", icmpv6Type, ""),
 NewACLMatch("icmp6.code", "==", "0", ""),
 NewACLMatch("ip.ttl", "==", "255", ""),
 )
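Review bot: The comment block under `icmpv6Type` in the first hunk lists five ICMPv6 types, but neither value contains all five, so it does not tell the reader that to-lport (ingress) admits {130, 134, 135, 136} while from-lport (egress) admits {130, 133, 135, 136} — router advertisements are accepted in but never allowed out, and router solicitations the reverse. Move the comment above the declaration it describes and state the split, e.g. `// to-lport: MLD query (130), RA (134), NS (135), NA (136); from-lport: MLD query (130), RS (133), NS (135), NA (136)`. These base allows appear to be created for every security group independent of its user-defined rules, so recording why each type is permitted per direction is worth the extra line. CreateSgBaseACL starts and ends outside the hunk.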
@@ -336,9 +344,15 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error { NewACLMatch("udp.dst", "==", dhcpv6UdpDst, ""), NewACLMatch("ip6", "", "", ""), ) - newACL(dhcpv6Match.String()) + // vrrp + vrrpMatch := NewAndACLMatch( + NewACLMatch(portDirection, "==", "@"+pgName, ""), + NewACLMatch("ip.proto", "==", "112", ""), + ) + newACL(vrrpMatch.String()) + if err := c.CreateAcls(pgName, portGroupKey, acls...); err != nil { return fmt.Errorf("add ingress acls to port group %s: %v", pgName, err) }
diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
index a7c1e776a70..51b7e55c121 100644
--- a/pkg/ovs/ovn-nb-acl_test.go
+++ b/pkg/ovs/ovn-nb-acl_test.go
@@ -473,7 +473,7 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 pg, err := ovnClient.GetPortGroup(pgName, false)
 require.NoError(t, err)
- require.Len(t, pg.ACLs, 4)
+ require.Len(t, pg.ACLs, 5)
 // arp
 match := fmt.Sprintf("%s == @%s && arp", portDirection, pgName)
@@ -490,6 +490,10 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 // dhcpv6
 match = fmt.Sprintf("%s == @%s && udp.src == 547 && udp.dst == 546 && ip6", portDirection, pgName)
 expect(pg, match)
+
+ // vrrp
+ match = fmt.Sprintf("%s == @%s && ip.proto == 112", portDirection, pgName)
+ expect(pg, match)
 })
 t.Run("create sg base egress acl", func(t *testing.T) {
@@ -508,14 +512,14 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 pg, err := ovnClient.GetPortGroup(pgName, false)
 require.NoError(t, err)
- require.Len(t, pg.ACLs, 4)
+ require.Len(t, pg.ACLs, 5)
 // arp
 match := fmt.Sprintf("%s == @%s && arp", portDirection, pgName)
 expect(pg, match)
 // icmpv6
- match = fmt.Sprintf("%s == @%s && icmp6.type == {130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portDirection, pgName)
+ match = fmt.Sprintf("%s == @%s && icmp6.type == {130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portDirection, pgName)
 expect(pg, match)
 // dhcpv4
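Review bot: The new VRRP base rule in the first hunk on this line matches `ip.proto == 112` alone, which admits any protocol-112 packet to or from every port in the group — unicast included, with no TTL bound — whereas the neighbouring ICMPv6 base rule pins `ip.ttl == 255`. RFC 5798 requires VRRP advertisements to carry TTL/hop limit 255 and receivers to discard anything else, so adding `NewACLMatch("ip.ttl", "==", "255", ""),` to `vrrpMatch` narrows this always-on allow without affecting compliant routers; restricting the destination to the VRRP multicast group (224.0.0.18 / ff02::12) would tighten it further but would break unicast-VRRP deployments, so that part should be a deliberate choice rather than a default. The bare `// vrrp` comment should also say what is being allowed, e.g. `// vrrp (RFC 5798): IP protocol 112, advertisements always carry TTL 255`. If the match is narrowed, the expected strings in the test hunks later on this line and on the next need the same change. CreateSgBaseACL starts and ends outside the hunk.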
@@ -525,6 +529,10 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 // dhcpv6
 match = fmt.Sprintf("%s == @%s && udp.src == 546 && udp.dst == 547 && ip6", portDirection, pgName)
 expect(pg, match)
+
+ // vrrp
+ match = fmt.Sprintf("%s == @%s && ip.proto == 112", portDirection, pgName)
+ expect(pg, match)
 })
 }