add base sg rules for ports (#2365)

Co-authored-by: yuanliu <yuanliu@cmss.chinamobile.com>

pkg/controller/security_group.go

@@ -254,6 +254,9 @@ func (c *Controller) handleAddOrUpdateSg(key string) error {
 			c.patchSgStatus(sg)
 			return err
 		}
+		if err := c.ovnLegacyClient.CreateSgBaseIngressACL(sg.Name); err != nil {
+			return err
+		}
 		sg.Status.IngressMd5 = newIngressMd5
 		sg.Status.IngressLastSyncSuccess = true
 		c.patchSgStatus(sg)
@@ -264,6 +267,9 @@ func (c *Controller) handleAddOrUpdateSg(key string) error {
 			c.patchSgStatus(sg)
 			return err
 		}
+		if err := c.ovnLegacyClient.CreateSgBaseEgressACL(sg.Name); err != nil {
+			return err
+		}
 		sg.Status.EgressMd5 = newEgressMd5
 		sg.Status.EgressLastSyncSuccess = true
 		c.patchSgStatus(sg)

pkg/ovs/ovn-nbctl-legacy.go

@@ -2405,6 +2405,65 @@ func (c LegacyClient) CreateSgDenyAllACL() error {
 	return nil
 }
 
+func (c LegacyClient) CreateSgBaseEgressACL(sgName string) error {
+	portGroupName := GetSgPortGroupName(sgName)
+	klog.Infof("add base egress acl, sg: %s", portGroupName)
+	// allow arp
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("outport==@%s && arp", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	// icmpv6
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("outport==@%s && icmp6.type=={130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	// dhcpv4 res
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("outport==@%s && udp.src==68 && udp.dst==67 && ip4", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	// dhcpv6 res
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("outport==@%s && udp.src==546 && udp.dst==547 && ip6", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+	return nil
+}
+
+func (c LegacyClient) CreateSgBaseIngressACL(sgName string) error {
+	portGroupName := GetSgPortGroupName(sgName)
+	klog.Infof("add base ingress acl, sg: %s", portGroupName)
+	// allow arp
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("inport==@%s && arp", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	// icmpv6
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("inport==@%s && icmp6.type=={130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	// dhcpv4 offer
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("inport==@%s && udp.src==67 && udp.dst==68 && ip4", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	// dhcpv6 offer
+	if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+		fmt.Sprintf("inport==@%s && udp.src==547 && udp.dst==546 && ip6", portGroupName), "allow-related"); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func (c LegacyClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction AclDirection) error {
 	sgPortGroupName := GetSgPortGroupName(sg.Name)
 	// clear acl

pkg/util/const.go

@@ -127,6 +127,7 @@ const (
 	NodeAllowPriority = "3000"
 
 	SecurityGroupHighestPriority = "2300"
+	SecurityGroupBasePriority    = "2005"
 	SecurityGroupAllowPriority   = "2004"
 	SecurityGroupDropPriority    = "2003"