

Refine policy generation routine to support multiple policies
This change refines policy rule generation to introduce conntrack
and support multiple policies in a pod. Fixes openshift#17 and openshift#18
s1061123 committed Jul 11, 2022
1 parent ab3453f commit ad351c3
Showing 3 changed files with 83 additions and 33 deletions.
48 changes: 43 additions & 5 deletions pkg/server/policyrules.go
Expand Up @@ -165,12 +165,17 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
ipt.CreateFilterChain(chainName)

ingresses := policy.Spec.Ingress
if idx == 0 {
writeLine(ipt.policyIndex, "-A", ingressChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
}
for _, podIntf := range podInfo.Interfaces {
if podIntf.CheckPolicyNetwork(policyNetworks) {
comment := fmt.Sprintf("\"policy:%s net-attach-def:%s\"", policy.Name, podIntf.NetattachName)
writeLine(ipt.policyIndex, "-A", ingressChain,
"-m", "comment", "--comment", comment, "-i", podIntf.InterfaceName,
"-j", chainName)
writeLine(ipt.policyIndex, "-A", ingressChain,
"-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
}
}

Expand All @@ -179,10 +184,7 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
"-j", "MARK", "--set-xmark 0x0/0x30000")
ipt.renderIngressPorts(s, podInfo, idx, n, ingress.Ports, policyNetworks)
ipt.renderIngressFrom(s, podInfo, idx, n, ingress.From, policyNetworks)
writeLine(ipt.policyIndex, "-A", chainName,
"-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
}
writeLine(ipt.policyIndex, "-A", chainName, "-j", "DROP")
}

func (ipt *iptableBuffer) renderIngressPorts(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
Expand Down Expand Up @@ -280,6 +282,12 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
validPeers++
}
// ingress should accept reverse path
for _, ip := range podIntf.IPs {
writeLine(ipt.ingressFrom, "-A", chainName,
"-i", podIntf.InterfaceName, "-s", ip,
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
}
}
}
}
Expand All @@ -303,6 +311,16 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
validPeers++
}
for _, podIntf := range podInfo.Interfaces {
if !podIntf.CheckPolicyNetwork(policyNetworks) {
continue
}
for _, ip := range podIntf.IPs {
writeLine(ipt.ingressFrom, "-A", chainName,
"-i", podIntf.InterfaceName, "-s", ip,
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
}
}
} else {
klog.Errorf("unknown rule")
}
Expand All @@ -322,21 +340,24 @@ func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo,
ipt.CreateFilterChain(chainName)

egresses := policy.Spec.Egress
if idx == 0 {
writeLine(ipt.policyIndex, "-A", egressChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
}
for _, podIntf := range podInfo.Interfaces {
if podIntf.CheckPolicyNetwork(policyNetworks) {
comment := fmt.Sprintf("\"policy:%s net-attach-def:%s\"", policy.Name, podIntf.NetattachName)
writeLine(ipt.policyIndex, "-A", egressChain,
"-m", "comment", "--comment", comment, "-o", podIntf.InterfaceName,
"-j", chainName)
writeLine(ipt.policyIndex, "-A", egressChain,
"-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
}
}
for n, egress := range egresses {
writeLine(ipt.policyIndex, "-A", chainName, "-j", "MARK", "--set-xmark 0x0/0x30000")
ipt.renderEgressPorts(s, podInfo, idx, n, egress.Ports, policyNetworks)
ipt.renderEgressTo(s, podInfo, idx, n, egress.To, policyNetworks)
writeLine(ipt.policyIndex, "-A", chainName, "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
}
writeLine(ipt.policyIndex, "-A", chainName, "-j", "DROP")
}

func (ipt *iptableBuffer) renderEgressPorts(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
Expand Down Expand Up @@ -435,6 +456,12 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
validPeers++
}
// egress should accept reverse path
for _, ip := range podIntf.IPs {
writeLine(ipt.egressTo, "-A", chainName,
"-o", podIntf.InterfaceName, "-d", ip,
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
}
}
}
}
Expand All @@ -458,6 +485,17 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
validPeers++
}
// egress should accept reverse path
for _, podIntf := range podInfo.Interfaces {
if !podIntf.CheckPolicyNetwork(policyNetworks) {
continue
}
for _, ip := range podIntf.IPs {
writeLine(ipt.egressTo, "-A", chainName,
"-o", podIntf.InterfaceName, "-d", ip,
"-j", "MARK", "--set-xmark", "0x20000/0x20000")
}
}
} else {
klog.Errorf("unknown rule")
}
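Review bot: The "reverse path" rules added to renderIngressFrom (podSelector branch and IPBlock branch) mark any packet arriving on the policy interface whose source is the pod's own address as satisfying the from-clause — `-i net1 -s <podIP> -j MARK --set-xmark 0x20000/0x20000`, which the updated test expectation `-s 10.1.1.1 -j MARK` shows — and renderEgressTo mirrors this with `-d <podIP>`. On a shared L2 secondary network (macvlan, SR-IOV) a source address is trivially forged, so a sender that spoofs the target pod's IP satisfies the from-clause of every policy and only the ports chain stands in its way; the IPBlock except DROPs still win only when the except list happens to contain the pod IP. Reply traffic for pod-initiated connections is already admitted by the new `RELATED,ESTABLISHED -j ACCEPT` at the head of MULTI-INGRESS/MULTI-EGRESS, so the case these rules exist for is not evident from the hunk, and they appear to be emitted once per peer (inside the loop that increments validPeers) and so repeat in the chain. Either drop them in favour of the conntrack ACCEPT or replace the `// ingress should accept reverse path` comment with one naming the exact traffic they admit and why it cannot be spoofed; renderIngressFrom and renderEgressTo both start and end outside the hunks.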
58 changes: 30 additions & 28 deletions pkg/server/policyrules_test.go
Expand Up @@ -270,7 +270,7 @@ var _ = Describe("policyrules testing", func() {
{
IPBlock: &multiv1beta1.IPBlock{
CIDR: "10.1.1.1/24",
Except: []string{"10.1.1.1"},
Except: []string{"10.1.1.254"},
},
},
},
Expand Down Expand Up @@ -309,7 +309,7 @@ var _ = Describe("policyrules testing", func() {
portRules := []byte("-A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
Expect(buf.ingressPorts.Bytes()).To(Equal(portRules))

fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j DROP\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n")
fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.254 -j DROP\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
Expect(buf.ingressFrom.Bytes()).To(Equal(fromRules))

buf.FinalizeRules()
Expand All @@ -320,15 +320,16 @@ var _ = Describe("policyrules testing", func() {
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:testns1/net-attach1" -i net1 -j MULTI-0-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j DROP
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.254 -j DROP
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
COMMIT
`)
Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
Expand Down Expand Up @@ -407,7 +408,7 @@ COMMIT
portRules := []byte("-A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
Expect(buf.ingressPorts.Bytes()).To(Equal(portRules))

fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n")
fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
Expect(buf.ingressFrom.Bytes()).To(Equal(fromRules))

buf.FinalizeRules()
Expand All @@ -418,14 +419,15 @@ COMMIT
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:testns1/net-attach1" -i net1 -j MULTI-0-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
COMMIT
`)
Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
Expand Down Expand Up @@ -503,14 +505,15 @@ COMMIT
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:testns1/net-attach1" -i net1 -j MULTI-0-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
COMMIT
`)

Expand Down Expand Up @@ -586,14 +589,15 @@ COMMIT
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:default/net-attach1" -i net1 -j MULTI-0-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
COMMIT
`)
Expect(buf.filterRules.String()).To(Equal(string(finalizedRules)))
Expand All @@ -620,7 +624,7 @@ COMMIT
{
IPBlock: &multiv1beta1.IPBlock{
CIDR: "10.1.1.1/24",
Except: []string{"10.1.1.1"},
Except: []string{"10.1.1.254"},
},
},
},
Expand Down Expand Up @@ -659,7 +663,7 @@ COMMIT
portRules := []byte("-A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
Expect(buf.egressPorts.Bytes()).To(Equal(portRules))

toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j DROP\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n")
toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.254 -j DROP\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
Expect(buf.egressTo.Bytes()).To(Equal(toRules))

buf.FinalizeRules()
Expand All @@ -670,15 +674,16 @@ COMMIT
:MULTI-0-EGRESS - [0:0]
:MULTI-0-EGRESS-0-PORTS - [0:0]
:MULTI-0-EGRESS-0-TO - [0:0]
-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-EGRESS -m comment --comment "policy:EgressPolicies1 net-attach-def:testns1/net-attach1" -o net1 -j MULTI-0-EGRESS
-A MULTI-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
-A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-EGRESS -j DROP
-A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j DROP
-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.254 -j DROP
-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
COMMIT
`)
Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
Expand Down Expand Up @@ -757,7 +762,7 @@ COMMIT
portRules := []byte("-A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
Expect(buf.egressPorts.Bytes()).To(Equal(portRules))

toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n")
toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
Expect(buf.egressTo.Bytes()).To(Equal(toRules))

buf.FinalizeRules()
Expand All @@ -768,14 +773,15 @@ COMMIT
:MULTI-0-EGRESS - [0:0]
:MULTI-0-EGRESS-0-PORTS - [0:0]
:MULTI-0-EGRESS-0-TO - [0:0]
-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-EGRESS -m comment --comment "policy:EgressPolicies1 net-attach-def:testns1/net-attach1" -o net1 -j MULTI-0-EGRESS
-A MULTI-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
-A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-EGRESS -j DROP
-A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
COMMIT
`)
Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
Expand Down Expand Up @@ -952,11 +958,10 @@ var _ = Describe("policyrules testing - invalid case", func() {
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-0-FROM -m comment --comment "no ingress from, skipped" -j MARK --set-xmark 0x20000/0x20000
COMMIT
Expand Down Expand Up @@ -1042,11 +1047,10 @@ COMMIT
:MULTI-0-INGRESS - [0:0]
:MULTI-0-INGRESS-0-PORTS - [0:0]
:MULTI-0-INGRESS-0-FROM - [0:0]
-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-INGRESS -j DROP
-A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-0-FROM -m comment --comment "no ingress from, skipped" -j MARK --set-xmark 0x20000/0x20000
COMMIT
Expand Down Expand Up @@ -1119,11 +1123,10 @@ COMMIT
:MULTI-0-EGRESS - [0:0]
:MULTI-0-EGRESS-0-PORTS - [0:0]
:MULTI-0-EGRESS-0-TO - [0:0]
-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
-A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-EGRESS -j DROP
-A MULTI-0-EGRESS-0-PORTS -m comment --comment "no egress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-EGRESS-0-TO -m comment --comment "no egress to, skipped" -j MARK --set-xmark 0x20000/0x20000
COMMIT
Expand Down Expand Up @@ -1209,11 +1212,10 @@ COMMIT
:MULTI-0-EGRESS - [0:0]
:MULTI-0-EGRESS-0-PORTS - [0:0]
:MULTI-0-EGRESS-0-TO - [0:0]
-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
-A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
-A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-0-EGRESS -j DROP
-A MULTI-0-EGRESS-0-PORTS -m comment --comment "no egress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-EGRESS-0-TO -m comment --comment "no egress to, skipped" -j MARK --set-xmark 0x20000/0x20000
COMMIT
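Review bot: None of the updated expectations exercises what the commit title promises — two policies applied to one pod — nor a pod whose first matched policy is egress-only, so the `idx == 0` placement of the conntrack ACCEPT, the per-policy `--mark 0x30000/0x30000 -j RETURN` in MULTI-INGRESS and the single trailing `-A MULTI-INGRESS -j DROP` are all unverified by this change. Moving the except entry from 10.1.1.1 to 10.1.1.254 also sidesteps the precedence question it was about to test: when the except address equals the pod's own IP (which the reverse-path expectation suggests 10.1.1.1 is), the except `-j DROP` precedes the reverse-path MARK and wins, and that ordering is worth pinning with an explicit expectation rather than avoiding. A test with one ingress-only and one egress-only policy on the same pod would cover both gaps.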
10 changes: 10 additions & 0 deletions pkg/server/server.go
Expand Up @@ -538,6 +538,8 @@ func (s *Server) generatePolicyRules(pod *v1.Pod, podInfo *controllers.PodInfo)
iptableBuffer.Reset()

idx := 0
ingressRendered := 0
egressRendered := 0
for _, p := range s.policyMap {
policy := p.Policy
if policy.GetNamespace() != pod.Namespace {
Expand Down Expand Up @@ -586,13 +588,21 @@ func (s *Server) generatePolicyRules(pod *v1.Pod, podInfo *controllers.PodInfo)
if podInfo.CheckPolicyNetwork(policyNetworks) {
if ingressEnable {
iptableBuffer.renderIngress(s, podInfo, idx, policy, policyNetworks)
ingressRendered++
}
if egressEnable {
iptableBuffer.renderEgress(s, podInfo, idx, policy, policyNetworks)
egressRendered++
}
idx++
}
}
if ingressRendered != 0 {
writeLine(iptableBuffer.policyIndex, "-A", "MULTI-INGRESS", "-j", "DROP")
}
if egressRendered != 0 {
writeLine(iptableBuffer.policyIndex, "-A", "MULTI-EGRESS", "-j", "DROP")
}

if !iptableBuffer.IsUsed() {
iptableBuffer.Init(s.ip4Tables)
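Review bot: The `idx == 0` guard that renderIngress/renderEgress use to emit the `RELATED,ESTABLISHED -j ACCEPT` is tied to the counter this loop increments for every matched policy regardless of direction, so a pod whose first matched policy is egress-only (ingressEnable false) gets `-A MULTI-INGRESS -j DROP` from the new ingressRendered check but never the conntrack ACCEPT, and every reply to a pod-initiated connection is dropped. If s.policyMap is a Go map, whether this happens also varies run to run with iteration order. Emit the conntrack rule here, keyed on the per-direction counters this hunk introduces, and delete the `if idx == 0` blocks in policyrules.go; generatePolicyRules starts and ends outside the hunk.
```go
			if ingressEnable {
				if ingressRendered == 0 {
					writeLine(iptableBuffer.policyIndex, "-A", "MULTI-INGRESS",
						"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT")
				}
				iptableBuffer.renderIngress(s, podInfo, idx, policy, policyNetworks)
				ingressRendered++
			}
			if egressEnable {
				if egressRendered == 0 {
					writeLine(iptableBuffer.policyIndex, "-A", "MULTI-EGRESS",
						"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT")
				}
				iptableBuffer.renderEgress(s, podInfo, idx, policy, policyNetworks)
				egressRendered++
			}
			// … unchanged: idx++ and the trailing MULTI-INGRESS / MULTI-EGRESS DROP …
```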
