diff --git a/pkg/controller/security_group.go b/pkg/controller/security_group.go
index e0559a1843c..eb5d6dc00fc 100644
--- a/pkg/controller/security_group.go
+++ b/pkg/controller/security_group.go
@@ -254,6 +254,9 @@ func (c *Controller) handleAddOrUpdateSg(key string) error {
 c.patchSgStatus(sg)
 return err
 }
+ if err := c.ovnLegacyClient.CreateSgBaseIngressACL(sg.Name); err != nil {
+ return err
+ }
 sg.Status.IngressMd5 = newIngressMd5
 sg.Status.IngressLastSyncSuccess = true
 c.patchSgStatus(sg)
@@ -264,6 +267,9 @@ func (c *Controller) handleAddOrUpdateSg(key string) error {
 c.patchSgStatus(sg)
 return err
 }
+ if err := c.ovnLegacyClient.CreateSgBaseEgressACL(sg.Name); err != nil {
+ return err
+ }
 sg.Status.EgressMd5 = newEgressMd5
 sg.Status.EgressLastSyncSuccess = true
 c.patchSgStatus(sg)
diff --git a/pkg/ovs/ovn-nbctl-legacy.go b/pkg/ovs/ovn-nbctl-legacy.go
index f032a07ad16..173e1e05fc3 100644
--- a/pkg/ovs/ovn-nbctl-legacy.go
+++ b/pkg/ovs/ovn-nbctl-legacy.go
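Review bot: On a CreateSgBaseIngressACL failure the new branch returns without touching sg.Status, while the UpdateSgACL error path it follows (whose first lines sit above the hunk) patches the status before returning; IngressLastSyncSuccess therefore keeps whatever value it had even though UpdateSgACL has, per its `// clear acl` comment in the next file, already rebuilt the direction's ACLs without the base allows. Mirror the sibling branch: `sg.Status.IngressLastSyncSuccess = false` then `c.patchSgStatus(sg)` before `return err`. Whether the stale status still forces a retry on the next reconcile cannot be judged from here, since handleAddOrUpdateSg starts before the hunk and its gating logic is not visible.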
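Review bot: The base egress allows are only installed after UpdateSgACL returns, and UpdateSgACL begins by clearing the direction's ACLs (its `// clear acl` comment is visible in the next file), so every egress reconcile opens a window in which the group's ports have neither user rules nor the ARP/ND/DHCP allows; whether a deny-all ACL blocks that traffic during the window depends on CreateSgDenyAllACL, which is not shown. The order is load-bearing and deserves a comment at the call site, e.g. `// UpdateSgACL cleared this direction's ACLs; restore the always-on ARP/ND/DHCP allows before declaring the sync successful`. As in the ingress branch, a failure here should also set `sg.Status.EgressLastSyncSuccess = false` and call `c.patchSgStatus(sg)` before `return err`. handleAddOrUpdateSg extends beyond the hunk on both sides.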
@@ -2405,6 +2405,65 @@ func (c LegacyClient) CreateSgDenyAllACL() error {
 return nil
 }
 
+func (c LegacyClient) CreateSgBaseEgressACL(sgName string) error {
+ portGroupName := GetSgPortGroupName(sgName)
+ klog.Infof("add base egress acl, sg: %s", portGroupName)
+ // allow arp
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("outport==@%s && arp", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ // icmpv6
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("outport==@%s && icmp6.type=={130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ // dhcpv4 res
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("outport==@%s && udp.src==68 && udp.dst==67 && ip4", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ // dhcpv6 res
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("outport==@%s && udp.src==546 && udp.dst==547 && ip6", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+ return nil
+}
+
+func (c LegacyClient) CreateSgBaseIngressACL(sgName string) error {
+ portGroupName := GetSgPortGroupName(sgName)
+ klog.Infof("add base ingress acl, sg: %s", portGroupName)
+ // allow arp
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("inport==@%s && arp", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ // icmpv6
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("inport==@%s && icmp6.type=={130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ // dhcpv4 offer
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("inport==@%s && udp.src==67 && udp.dst==68 && ip4", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ // dhcpv6 offer
+ if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupBasePriority,
+ fmt.Sprintf("inport==@%s && udp.src==547 && udp.dst==546 && ip6", portGroupName), "allow-related"); err != nil {
+ return err
+ }
+
+ return nil
+ }
+
 func (c LegacyClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction AclDirection) error {
 sgPortGroupName := GetSgPortGroupName(sg.Name)
 // clear acl
diff --git a/pkg/util/const.go b/pkg/util/const.go
index 31bb6cd1136..7ee627d38a8 100644
--- a/pkg/util/const.go
+++ b/pkg/util/const.go
@@ -127,6 +127,7 @@ const (
 NodeAllowPriority = "3000"
 SecurityGroupHighestPriority = "2300"
+ SecurityGroupBasePriority = "2005"
 SecurityGroupAllowPriority = "2004"
 SecurityGroupDropPriority = "2003"
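Review bot: The new egress ACLs match on `outport==@<pg>` and the ingress ACLs on `inport==@<pg>`, yet OVN only evaluates `inport` in from-lport ACLs and `outport` in to-lport ACLs; if SgAclEgressDirection is from-lport and SgAclIngressDirection is to-lport (the pairing this file's UpdateSgACL matches would settle, but those lines lie outside the hunk), every rule added here is unreachable and ARP, ND and DHCP remain subject to whatever drop rules sit below priority 2005. Derive the port field from the direction in one shared helper instead of hand-writing it twice, and check it against UpdateSgACL. The bare `return err` after each `acl-add` loses which of the four rules failed; wrap it, e.g. `return fmt.Errorf("add base egress arp acl on %s: %w", portGroupName, err)`. A header comment should also state that these rules sit at SecurityGroupBasePriority, above both the user allow (2004) and drop (2003) priorities, so a security group cannot block router advertisements or DHCP replies, which are accepted from any on-link sender — `ip.ttl == 255` only proves the packet was not routed — so rogue-RA/DHCP protection has to come from port security, not from these ACLs.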