Fixes default Network Policy to allow ARP

With recent changes to OVN to block untracked traffic like ARP, we now need to explicitly allow it in the default ACLs. Closes: #1076 Signed-off-by: Tim Rozet <trozet@redhat.com>
openshift · Mar 31, 2020 · 5106e7d · 5106e7d
1 parent 966cdaf
commit 5106e7d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/go-controller/pkg/ovn/policy.go b/go-controller/pkg/ovn/policy.go
@@ -325,7 +325,13 @@ func (oc *Controller) createDefaultDenyPortGroup(policyType knet.PolicyType) err
 	err = addACLPortGroup(portGroupUUID, portGroupName, toLport,
 		defaultDenyPriority, "", "drop", policyType)
 	if err != nil {
-		return fmt.Errorf("Failed to create default deny port group %v", err)
+		return fmt.Errorf("Failed to create default deny ACL for port group %v", err)
+	}
+
+	err = addACLPortGroup(portGroupUUID, portGroupName, toLport,
+		defaultAllowPriority, "arp", "allow", policyType)
+	if err != nil {
+		return fmt.Errorf("Failed to create default allow ARP ACL for port group %v", err)
 	}
 
 	if policyType == knet.PolicyTypeIngress {

diff --git a/go-controller/pkg/ovn/policy_test.go b/go-controller/pkg/ovn/policy_test.go
@@ -72,6 +72,10 @@ func (n networkPolicy) addLocalPodCmds(fexec *ovntest.FakeExec, pod pod) {
 		Cmd:    "ovn-nbctl --timeout=15 --data=bare --no-heading --columns=_uuid find ACL match=\"outport == @ingressDefaultDeny\" action=drop external-ids:default-deny-policy-type=Ingress",
 		Output: fakeUUID,
 	})
+	fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+		Cmd:    "ovn-nbctl --timeout=15 --data=bare --no-heading --columns=_uuid find ACL match=\"outport == @ingressDefaultDeny && arp\" action=allow external-ids:default-deny-policy-type=Ingress",
+		Output: fakeUUID,
+	})
 	fexec.AddFakeCmd(&ovntest.ExpectedCmd{
 		Cmd:    "ovn-nbctl --timeout=15 --data=bare --no-heading --columns=_uuid find port_group name=egressDefaultDeny",
 		Output: fakeUUID,
@@ -80,6 +84,10 @@ func (n networkPolicy) addLocalPodCmds(fexec *ovntest.FakeExec, pod pod) {
 		Cmd:    "ovn-nbctl --timeout=15 --data=bare --no-heading --columns=_uuid find ACL match=\"inport == @egressDefaultDeny\" action=drop external-ids:default-deny-policy-type=Egress",
 		Output: fakeUUID,
 	})
+	fexec.AddFakeCmd(&ovntest.ExpectedCmd{
+		Cmd:    "ovn-nbctl --timeout=15 --data=bare --no-heading --columns=_uuid find ACL match=\"inport == @egressDefaultDeny && arp\" action=allow external-ids:default-deny-policy-type=Egress",
+		Output: fakeUUID,
+	})
 	fexec.AddFakeCmdsNoOutputNoError([]string{
 		"ovn-nbctl --timeout=15 --if-exists remove port_group fake_uuid ports fake_uuid -- add port_group fake_uuid ports fake_uuid",
 	})