implement network policy for multicast
1. For multicast traffic, we support ingress rules for IGMP, and egress rules for multicast data traffic.
And apply NetworkPolicy to real traffic for both. Ingress for multicast traffic is not supported now.

2. While egress for IGMP only supports IGMP report, which is handled by packetIn. This patch
maintains a rule map for each group address to fetch the rule which matches the member and also
has the highest priority. And packetIn will decide to allow or drop the IGMP report traffic
based on the matched rule.

Signed-off-by: Bin Liu <[email protected]>
liu4480 committed Jun 8, 2022
1 parent 5115ee2 commit 20b0d80
Showing 46 changed files with 1,681 additions and 240 deletions.
28 changes: 28 additions & 0 deletions build/charts/antrea/templates/crds/clusternetworkpolicy.yaml
@@ -212,6 +212,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -224,6 +225,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
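Review bot: the only thing telling a policy author that ingress `igmpType` must be the IGMP query type is the YAML comment `# Only IGMP query (0x11) is valid igmpType in ingress rules.`, and YAML comments are dropped when the CRD is applied, so neither `kubectl explain` nor the validation error returned for a wrong value will carry that explanation. Move the sentence into a `description:` under `igmpType`, and include the decimal form (0x11 is 17), because the value is stored as an integer and a JSON client has no hex literal to send. `groupAddress` would benefit from a `description:` as well: the schema only constrains it to an IPv4 or IPv6 string, and if the agent expects a multicast group address here, that is the place to say so.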
@@ -425,6 +438,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -437,6 +451,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
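Review bot: the sentence `# It will match all IGMP report types if igmpType is not set.` is enforcement semantics a policy author needs, and as a YAML comment it never reaches the API server; move it into a `description:` on `igmpType`, together with the decimal equivalents of the enum (0x12 = 18, 0x16 = 22, 0x22 = 34), since the stored value is an integer and a JSON client cannot write `0x12`. Minor: the comment mixes `V1` with `v2`/`v3`; use one casing.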
28 changes: 28 additions & 0 deletions build/charts/antrea/templates/crds/networkpolicy.yaml
@@ -140,6 +140,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -152,6 +153,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
@@ -322,6 +335,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -334,6 +348,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
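Review bot: this egress `igmp` block duplicates the one added to clusternetworkpolicy.yaml in the same commit, comment text and `V1`/`v2`/`v3` casing inconsistency included; whatever `description:` wording is settled on for the cluster-scoped CRD should be mirrored here so the namespaced NetworkPolicy schema does not drift from it.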
56 changes: 56 additions & 0 deletions build/yamls/antrea-aks.yml
@@ -1021,6 +1021,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -1033,6 +1034,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
@@ -1234,6 +1247,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -1246,6 +1260,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
@@ -1920,6 +1948,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -1932,6 +1961,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
@@ -2102,6 +2143,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -2114,6 +2156,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
56 changes: 56 additions & 0 deletions build/yamls/antrea-eks.yml
@@ -1021,6 +1021,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -1033,6 +1034,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
@@ -1234,6 +1247,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -1246,6 +1260,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
@@ -1920,6 +1948,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -1932,6 +1961,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
@@ -2102,6 +2143,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
@@ -2114,6 +2156,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
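Review bot: the four insertion points in antrea-aks.yml and antrea-eks.yml match each other and the chart templates line for line, comments included, which is what a regenerated manifest should look like; the same check applies to every other generated manifest among the 46 files in this commit, so confirm they were all regenerated from the same template revision rather than patched by hand.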