
Add ICMP support in ACNP and ANP #3472

Merged (2 commits, Apr 25, 2022)
Conversation

GraysonWu (Contributor) commented Mar 18, 2022

Fixes #3263

This PR adds ICMP support in Antrea-native policy. Users can define a policy that is only enforced on ICMP traffic, or on ICMP traffic with a specific ICMP type or ICMP code.

  1. Added a new field called protocols which contains protocols that are not supported by ports. Currently, only the ICMP protocol is in this field.

  2. On the controller side,
  • Both ports and protocols will be translated into Service of internalNP
  • Added ICMPType and ICMPCode to Service

  3. On the agent side,
  • Added a new struct matchPair which contains one matchKey and one matchValue
  • Added some new MatchKey: MatchICMPType, MatchICMPCode, MatchICMPv6Type and MatchICMPv6Code
  • Changed conjunctiveMatch from containing only one matchKey-matchValue pair to containing a list of matchPair, in order to support flows with multiple match conditions like this: icmp,icmp_type=8,icmp_code=0,action=conjunction(2,3/3)

Provide some examples here:

apiVersion: crd.antrea.io/v1alpha1
kind: ClusterNetworkPolicy
metadata:
  name: acnp-icmp
spec:
    priority: 5
    tier: SecurityOps
    appliedTo:
      - podSelector:
          matchLabels:
            app: client
    egress:
      - action: Drop
        to:
          - podSelector:
              matchLabels:
                app: server
        protocols:
          - icmp:
              icmpType: 8
              icmpCode: 0

With the policy above, these corresponding flows will be installed on the OVS:

table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, priority=44900,conj_id=2 actions=load:0x2->NXM_NX_REG3[],load:0x1->NXM_NX_REG0[10],resubmit(,EgressMetric)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, priority=44900,ip,nw_src=x.x.x.x actions=conjunction(2,1/3)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, priority=44900,ip,nw_dst=x.x.x.x actions=conjunction(2,2/3)
table=AntreaPolicyEgressRule, n_packets=0, n_bytes=0, priority=44900,icmp,icmp_type=8,icmp_code=0 actions=conjunction(2,3/3)

Signed-off-by: wgrayson [email protected]
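The translation chain the description above outlines (a `protocols` entry in the CRD, turned into a `Service` with `ICMPType`/`ICMPCode` by the controller, then into a list of `matchPair`s and finally an OVS conjunction flow on the agent) as an added, self-contained Go example. It is not Antrea's code: the type names are modelled on the ones in the description but reduced to what the example needs, and the rules in `validateProtocol` (one protocol per entry, type and code within the 8-bit header range, a code only together with a type) are this example's assumptions about what a validating webhook should check, not a statement of what this PR's validation does.

```go
package main

import (
	"fmt"
	"strings"
)

// ICMPProtocol mirrors the `icmp` entry of the `protocols` field in the PR
// description (hypothetical type, modelled on the description, not Antrea's).
type ICMPProtocol struct {
	ICMPType *int32
	ICMPCode *int32
}

// NetworkPolicyProtocol holds the protocols that `ports` cannot express; only
// ICMP for now. The fields are meant to be mutually exclusive, and
// validateProtocol is where this example enforces that.
type NetworkPolicyProtocol struct {
	ICMP *ICMPProtocol
}

// Service is a reduced stand-in for the internal NetworkPolicy Service that
// both `ports` and `protocols` entries are translated into on the controller.
type Service struct {
	Protocol string
	ICMPType *int32
	ICMPCode *int32
}

// matchPair is one OVS match key/value, as in the conjunctiveMatch change
// described in the PR. An empty value renders as a bare keyword (e.g. "icmp").
type matchPair struct {
	key   string
	value string
}

func int32Ptr(v int32) *int32 { return &v }

// validateProtocol applies the checks this example assumes a validating
// webhook should make: a protocol must be chosen, type and code must fit the
// 8-bit ICMP header fields, and a code is only meaningful together with a type.
func validateProtocol(p NetworkPolicyProtocol) error {
	if p.ICMP == nil {
		return fmt.Errorf("protocols entry must set exactly one protocol (icmp)")
	}
	if p.ICMP.ICMPCode != nil && p.ICMP.ICMPType == nil {
		return fmt.Errorf("icmpCode cannot be set without icmpType")
	}
	for name, v := range map[string]*int32{"icmpType": p.ICMP.ICMPType, "icmpCode": p.ICMP.ICMPCode} {
		if v != nil && (*v < 0 || *v > 255) {
			return fmt.Errorf("%s must be in [0,255], got %d", name, *v)
		}
	}
	return nil
}

// toService mirrors the controller-side step: a validated `protocols` entry
// becomes a Service carrying ICMPType/ICMPCode.
func toService(p NetworkPolicyProtocol) (Service, error) {
	if err := validateProtocol(p); err != nil {
		return Service{}, err
	}
	return Service{Protocol: "ICMP", ICMPType: p.ICMP.ICMPType, ICMPCode: p.ICMP.ICMPCode}, nil
}

// icmpMatchPairs mirrors the agent-side step: one Service becomes the list of
// matchPairs for a conjunctive match, switching to the ICMPv6 OVS field names
// when the rule is an IPv6 one.
func icmpMatchPairs(s Service, ipv6 bool) []matchPair {
	proto, typeKey, codeKey := "icmp", "icmp_type", "icmp_code"
	if ipv6 {
		proto, typeKey, codeKey = "icmp6", "icmpv6_type", "icmpv6_code"
	}
	pairs := []matchPair{{key: proto}}
	if s.ICMPType != nil {
		pairs = append(pairs, matchPair{key: typeKey, value: fmt.Sprint(*s.ICMPType)})
	}
	if s.ICMPCode != nil {
		pairs = append(pairs, matchPair{key: codeKey, value: fmt.Sprint(*s.ICMPCode)})
	}
	return pairs
}

// conjunctionFlow renders the pairs in ovs-ofctl match syntax followed by the
// conjunction action, e.g. "icmp,icmp_type=8,icmp_code=0 actions=conjunction(2,3/3)".
func conjunctionFlow(pairs []matchPair, conjID, clause, nClauses int) string {
	parts := make([]string, 0, len(pairs))
	for _, p := range pairs {
		if p.value == "" {
			parts = append(parts, p.key)
		} else {
			parts = append(parts, p.key+"="+p.value)
		}
	}
	return fmt.Sprintf("%s actions=conjunction(%d,%d/%d)", strings.Join(parts, ","), conjID, clause, nClauses)
}

func main() {
	// Constructed input: the icmpType 8 / icmpCode 0 entry from the PR's example policy.
	p := NetworkPolicyProtocol{ICMP: &ICMPProtocol{ICMPType: int32Ptr(8), ICMPCode: int32Ptr(0)}}
	svc, err := toService(p)
	if err != nil {
		panic(err)
	}
	fmt.Println(conjunctionFlow(icmpMatchPairs(svc, false), 2, 3, 3))
	fmt.Println(conjunctionFlow(icmpMatchPairs(svc, true), 2, 3, 3))
	// Constructed invalid input: an out-of-range type is rejected before it reaches OVS.
	_, err = toService(NetworkPolicyProtocol{ICMP: &ICMPProtocol{ICMPType: int32Ptr(300)}})
	fmt.Println("rejected:", err)
}
```

The IPv6 branch only renames the OVS fields; it does not translate type numbers, so a policy meant for ICMPv6 echo requests has to carry the ICMPv6 type (128) rather than the ICMPv4 one (8). Rejecting out-of-range values at validation time matters because an unvalidated value would otherwise be truncated or refused only when the agent tries to install the flow, far from the user who wrote the policy.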

GraysonWu (Contributor, Author) commented Mar 18, 2022

E2E tests and doc changes are in PR #3635.

lgtm-com bot commented Mar 18, 2022

This pull request introduces 1 alert when merging 1d55c1c into 4db3c18 - view on LGTM.com

new alerts:

  • 1 for Log entries created from user input

lgtm-com bot commented Mar 21, 2022

This pull request introduces 1 alert when merging 17b2cba into 53a5a8d - view on LGTM.com

new alerts:

  • 1 for Log entries created from user input

codecov-commenter commented Mar 21, 2022

Codecov Report

Merging #3472 (246f1c5) into main (3aeb404) will decrease coverage by 6.97%.
The diff coverage is 66.66%.


@@            Coverage Diff             @@
##             main    #3472      +/-   ##
==========================================
- Coverage   64.59%   57.62%   -6.98%     
==========================================
  Files         278      392     +114     
  Lines       39363    55339   +15976     
==========================================
+ Hits        25427    31887    +6460     
- Misses      11957    21012    +9055     
- Partials     1979     2440     +461     
Flag                Coverage  Δ
e2e-tests           50.30%    <39.71%> (?)
integration-tests   38.27%    <ø>      (?)
kind-e2e-tests      52.30%    <38.46%> (+<0.01%) ⬆️
unit-tests          43.86%    <65.73%> (+0.05%)  ⬆️

Flags with carried forward coverage won't be shown.

Impacted Files                                            Coverage  Δ
pkg/agent/types/networkpolicy.go                          81.08%    <ø>       (ø)
pkg/apis/controlplane/types.go                            0.00%     <ø>       (ø)
pkg/ovs/openflow/ofctrl_builder.go                        64.19%    <7.14%>   (+4.51%) ⬆️
...g/controller/networkpolicy/clusternetworkpolicy.go     69.21%    <50.00%>  (ø)
pkg/agent/openflow/pipeline.go                            77.06%    <66.66%>  (+1.74%) ⬆️
pkg/agent/openflow/network_policy.go                      84.88%    <70.93%>  (-1.03%) ⬇️
...kg/controller/networkpolicy/antreanetworkpolicy.go     83.33%    <100.00%> (ø)
pkg/controller/networkpolicy/crd_utils.go                 92.20%    <100.00%> (+0.48%) ⬆️
pkg/controller/networkpolicy/validate.go                  50.62%    <100.00%> (ø)
pkg/controller/stats/aggregator.go                        81.05%    <100.00%> (ø)
... and 139 more

@GraysonWu GraysonWu force-pushed the icmp-support branch 2 times, most recently from 469861a to c0979a0 Compare March 25, 2022 22:58
@GraysonWu GraysonWu changed the title Add ICMP support in ACNP and ANP [WIP]Add ICMP support in ACNP and ANP Mar 31, 2022
@GraysonWu GraysonWu force-pushed the icmp-support branch 4 times, most recently from 5ea7717 to ad9e549 Compare April 5, 2022 20:16
@GraysonWu GraysonWu changed the title [WIP]Add ICMP support in ACNP and ANP Add ICMP support in ACNP and ANP Apr 5, 2022
@@ -600,3 +605,18 @@ type NamespacedName struct {
Name string `json:"name,omitempty"`
Namespace string `json:"namespace,omitempty"`
}

// NetworkPolicyProtocol includes all protocols that `ports` can't support. All
// fields should be used as a stand-alone field. To match all traffic with a
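Review bot: the doc comment on the new NetworkPolicyProtocol type ("All fields should be used as a stand-alone field") does not say what "stand-alone" means, and a reader could take it as "each field is optional" rather than "the fields are mutually exclusive". Suggest stating the rule directly, e.g. "Exactly one field may be set in a single protocols entry; entries that combine fields are rejected", and making sure the validation in pkg/controller/networkpolicy/validate.go (which this PR touches, per the coverage report) rejects such entries, since a constraint that exists only in a comment is easy to lose when further protocols are added to this type later.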
Contributor commented on "standalone field":

What does "standalone field" mean?

GraysonWu (Contributor, Author) replied:

It means all fields cannot be used with each other.

tnqn (Member) left a comment:

LGTM overall, @wenyingd could you take a look at openflow change?

@tnqn tnqn added api-review Categorizes an issue or PR as actively needing an API review. kind/feature Categorizes issue or PR as related to a new feature. action/release-note Indicates a PR that should be included in release notes. labels Apr 8, 2022
@tnqn tnqn added this to the Antrea v1.7 release milestone Apr 8, 2022
tnqn (Member) commented Apr 8, 2022

@GraysonWu could you add more information to the PR description and commit message, e.g. what change is made to the API, a usage example?

GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 13, 2022
Add E2E tests for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 14, 2022
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 15, 2022
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 15, 2022
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
tnqn previously approved these changes Apr 19, 2022

tnqn (Member) left a comment:

LGTM, @GraysonWu could you rebase on main so we can merge?

This PR adds ICMP support in Antrea-native policy. Users can define
a policy that is only enforced on ICMP traffic, or on ICMP traffic with
a specific ICMP type or ICMP code.

1. Added a new field called `protocols` which contains protocols that
are not supported by `ports`. Currently, only the ICMP protocol is in
this field.

2. On the controller side,
* Both `ports` and `protocols` will be translated into `Service` of
  internalNP
* Added `ICMPType` and `ICMPCode` to `Service`

3. On the agent side,
* Added a new struct `matchPair` which contains one matchKey and one
  matchValue
* Added some new `MatchKey`: `MatchICMPType`, `MatchICMPCode`,
  `MatchICMPv6Type` and `MatchICMPv6Code`
* Changed `conjunctiveMatch` from containing only one matchKey-matchValue
  pair to containing a list of `matchPair`, in order to support flows
  with multiple match conditions like this:
  `icmp,icmp_type=8,icmp_code=0,action=conjunction(2,3/3)`

Signed-off-by: wgrayson <[email protected]>
GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 19, 2022
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
GraysonWu (Contributor, Author) commented:

> LGTM, @GraysonWu could you rebase on main so we can merge?

Done. Just a friendly reminder: e2e tests and doc update are in PR #3635

GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 20, 2022
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
@GraysonWu GraysonWu requested review from ceclinux and tnqn April 20, 2022 21:10
tnqn (Member) commented Apr 21, 2022

/test-all

GraysonWu (Contributor, Author) commented:

/test-networkpolicy
/test-hw-offload
/test-e2e
/test-all-features-conformance

tnqn (Member) commented Apr 25, 2022

/test-networkpolicy
/test-e2e

XinShuYang (Contributor) commented:

/test-networkpolicy
/test-e2e

@tnqn tnqn merged commit 2921271 into antrea-io:main Apr 25, 2022
GraysonWu added a commit to GraysonWu/antrea that referenced this pull request Apr 25, 2022
Add E2E tests and related content in doc for ICMP support PR antrea-io#3472

Signed-off-by: wgrayson <[email protected]>
tnqn pushed a commit that referenced this pull request May 10, 2022
Add E2E tests and related content in doc for ICMP support PR #3472

Signed-off-by: wgrayson <[email protected]>
Labels
action/release-note Indicates a PR that should be included in release notes. api-review Categorizes an issue or PR as actively needing an API review. kind/feature Categorizes issue or PR as related to a new feature.
Development

Successfully merging this pull request may close these issues.

Accept protocol = ICMP on ClusterNetworkPolicies
8 participants