From ad351c3a7e986d27af03e7fbf728697c4cddc862 Mon Sep 17 00:00:00 2001
From: Tomofumi Hayashi
Date: Mon, 11 Jul 2022 22:47:40 +0900
Subject: [PATCH] Refine policy generation routine to support multiple policies

This change refines policy rule generation to introduce conntrack and support multiple policies in a pod. Fix #17 and #18
---
 pkg/server/policyrules.go | 48 +++++++++++++++++++++++++---
 pkg/server/policyrules_test.go | 58 ++++++++++++++++++----------------
 pkg/server/server.go | 10 ++++++
 3 files changed, 83 insertions(+), 33 deletions(-)

diff --git a/pkg/server/policyrules.go b/pkg/server/policyrules.go
index 4b21e7c2..e621641d 100644
--- a/pkg/server/policyrules.go
+++ b/pkg/server/policyrules.go
@@ -165,12 +165,17 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
 ipt.CreateFilterChain(chainName)
 ingresses := policy.Spec.Ingress
+ if idx == 0 {
+ writeLine(ipt.policyIndex, "-A", ingressChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
+ }
 for _, podIntf := range podInfo.Interfaces {
 if podIntf.CheckPolicyNetwork(policyNetworks) {
 comment := fmt.Sprintf("\"policy:%s net-attach-def:%s\"", policy.Name, podIntf.NetattachName)
 writeLine(ipt.policyIndex, "-A", ingressChain, "-m", "comment", "--comment", comment, "-i", podIntf.InterfaceName, "-j", chainName)
+ writeLine(ipt.policyIndex, "-A", ingressChain,
+ "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 }
 }
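Review bot: The `RELATED,ESTABLISHED -j ACCEPT` rule is emitted only when `idx == 0`, but `idx` is a per-policy counter shared by both directions (server.go increments it once after renderIngress and renderEgress), so a pod whose first matching policy is egress-only and whose second is ingress-only gets the terminal DROP that generatePolicyRules appends to MULTI-INGRESS without the conntrack ACCEPT in front of it; if `s.policyMap` is a Go map, which policy comes first also varies between runs. The ACCEPT and the DROP would be decided in one place if generatePolicyRules wrote the ACCEPT while `ingressRendered` is still 0, before the first renderIngress call, and this `if idx == 0` block went away; renderEgress at @@ -322 has the same dependency on `idx`. As a point of style, this call passes the whole rule as one string while every other writeLine here passes one token per argument; `"-m", "conntrack", "--ctstate", "RELATED,ESTABLISHED", "-j", "ACCEPT"` keeps the form uniform. renderIngress starts before this hunk.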
@@ -179,10 +184,7 @@ func (ipt *iptableBuffer) renderIngress(s *Server, podInfo *controllers.PodInfo,
 "-j", "MARK", "--set-xmark 0x0/0x30000")
 ipt.renderIngressPorts(s, podInfo, idx, n, ingress.Ports, policyNetworks)
 ipt.renderIngressFrom(s, podInfo, idx, n, ingress.From, policyNetworks)
- writeLine(ipt.policyIndex, "-A", chainName,
- "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 }
- writeLine(ipt.policyIndex, "-A", chainName, "-j", "DROP")
 }
 func (ipt *iptableBuffer) renderIngressPorts(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
@@ -280,6 +282,12 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
 "-j", "MARK", "--set-xmark", "0x20000/0x20000")
 validPeers++
 }
+ // ingress should accept reverse path
+ for _, ip := range podIntf.IPs {
+ writeLine(ipt.ingressFrom, "-A", chainName,
+ "-i", podIntf.InterfaceName, "-s", ip,
+ "-j", "MARK", "--set-xmark", "0x20000/0x20000")
+ }
 }
 }
 }
@@ -303,6 +311,16 @@ func (ipt *iptableBuffer) renderIngressFrom(s *Server, podInfo *controllers.PodI
 "-j", "MARK", "--set-xmark", "0x20000/0x20000")
 validPeers++
 }
+ for _, podIntf := range podInfo.Interfaces {
+ if !podIntf.CheckPolicyNetwork(policyNetworks) {
+ continue
+ }
+ for _, ip := range podIntf.IPs {
+ writeLine(ipt.ingressFrom, "-A", chainName,
+ "-i", podIntf.InterfaceName, "-s", ip,
+ "-j", "MARK", "--set-xmark", "0x20000/0x20000")
+ }
+ }
 } else {
 klog.Errorf("unknown rule")
 }
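Review bot: Dropping the per-rule `-m mark --mark 0x30000/0x30000 -j RETURN` from the `for n, ingress := range ingresses` body leaves nothing between consecutive rules, and each iteration begins with `-j MARK --set-xmark 0x0/0x30000`, so a match produced by rule n is cleared by rule n+1 before MULTI-INGRESS tests the mark; for a policy with two or more ingress rules only the last rule can admit traffic and everything the earlier rules allow is dropped (fail-closed, but not the OR semantics NetworkPolicy rules have). Re-adding `writeLine(ipt.policyIndex, "-A", chainName, "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")` after the renderIngressFrom call, while still omitting the per-chain DROP, restores it: the RETURN lands on the new mark check in MULTI-INGRESS. renderEgress at @@ -322 removes the same line and needs the same treatment. The loop header and the start of renderIngress lie outside this hunk.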
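Review bot: The added loop marks any packet arriving on `podIntf.InterfaceName` with `-s <pod's own IP>` as an allowed peer regardless of the policy's `from` entries, and the comment `// ingress should accept reverse path` does not say which traffic that is for now that MULTI-INGRESS accepts RELATED,ESTABLISHED up front; a source-address-only match also relies on the attached network not delivering packets that carry the pod's own address, so the assumption deserves stating. I'd extend the comment to something like `// admit the pod's own addresses on its interface (presumably hairpin/local traffic) — TODO confirm the intended case` and add that, per the test expectations at @@ -309, the rule is appended after any IPBlock except DROP, so an except covering the pod's own address still wins. The same block is repeated at @@ -303 and, with `-o`/`-d`, at @@ -435 and @@ -458; a small helper over (buffer, chain, interface flag, address flag, podInfo, policyNetworks) would leave one copy. The enclosing loop and renderIngressFrom's signature are outside this hunk, so whether this runs once per peer and emits duplicate rules cannot be checked here.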
@@ -322,21 +340,24 @@ func (ipt *iptableBuffer) renderEgress(s *Server, podInfo *controllers.PodInfo,
 ipt.CreateFilterChain(chainName)
 egresses := policy.Spec.Egress
+ if idx == 0 {
+ writeLine(ipt.policyIndex, "-A", egressChain, "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
+ }
 for _, podIntf := range podInfo.Interfaces {
 if podIntf.CheckPolicyNetwork(policyNetworks) {
 comment := fmt.Sprintf("\"policy:%s net-attach-def:%s\"", policy.Name, podIntf.NetattachName)
 writeLine(ipt.policyIndex, "-A", egressChain, "-m", "comment", "--comment", comment, "-o", podIntf.InterfaceName, "-j", chainName)
+ writeLine(ipt.policyIndex, "-A", egressChain,
+ "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 }
 }
 for n, egress := range egresses {
 writeLine(ipt.policyIndex, "-A", chainName, "-j", "MARK", "--set-xmark 0x0/0x30000")
 ipt.renderEgressPorts(s, podInfo, idx, n, egress.Ports, policyNetworks)
 ipt.renderEgressTo(s, podInfo, idx, n, egress.To, policyNetworks)
- writeLine(ipt.policyIndex, "-A", chainName, "-m", "mark", "--mark", "0x30000/0x30000", "-j", "RETURN")
 }
- writeLine(ipt.policyIndex, "-A", chainName, "-j", "DROP")
 }
 func (ipt *iptableBuffer) renderEgressPorts(s *Server, podInfo *controllers.PodInfo, pIndex, iIndex int, ports []multiv1beta1.MultiNetworkPolicyPort, policyNetworks []string) {
@@ -435,6 +456,12 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
 "-j", "MARK", "--set-xmark", "0x20000/0x20000")
 validPeers++
 }
+ // egress should accept reverse path
+ for _, ip := range podIntf.IPs {
+ writeLine(ipt.egressTo, "-A", chainName,
+ "-o", podIntf.InterfaceName, "-d", ip,
+ "-j", "MARK", "--set-xmark", "0x20000/0x20000")
+ }
 }
 }
 }
@@ -458,6 +485,17 @@ func (ipt *iptableBuffer) renderEgressTo(s *Server, podInfo *controllers.PodInfo
 "-j", "MARK", "--set-xmark", "0x20000/0x20000")
 validPeers++
 }
+ // egress should accept reverse path
+ for _, podIntf := range podInfo.Interfaces {
+ if !podIntf.CheckPolicyNetwork(policyNetworks) {
+ continue
+ }
+ for _, ip := range podIntf.IPs {
+ writeLine(ipt.egressTo, "-A", chainName,
+ "-o", podIntf.InterfaceName, "-d", ip,
+ "-j", "MARK", "--set-xmark", "0x20000/0x20000")
+ }
+ }
 } else {
 klog.Errorf("unknown rule")
 }
diff --git a/pkg/server/policyrules_test.go b/pkg/server/policyrules_test.go
index 5a25a38e..b25669dd 100644
--- a/pkg/server/policyrules_test.go
+++ b/pkg/server/policyrules_test.go
@@ -270,7 +270,7 @@ var _ = Describe("policyrules testing", func() {
 {
 IPBlock: &multiv1beta1.IPBlock{
 CIDR: "10.1.1.1/24",
- Except: []string{"10.1.1.1"},
+ Except: []string{"10.1.1.254"},
 },
 },
 },
@@ -309,7 +309,7 @@ var _ = Describe("policyrules testing", func() {
 portRules := []byte("-A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
 Expect(buf.ingressPorts.Bytes()).To(Equal(portRules))
- fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j DROP\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n")
+ fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.254 -j DROP\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
 Expect(buf.ingressFrom.Bytes()).To(Equal(fromRules))
 buf.FinalizeRules()
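Review bot: The expectations still cover one policy with a single ingress or egress rule per pod, so neither of the situations this commit restructures — two policies on one pod (no `MULTI-1-INGRESS` chain appears anywhere) and a policy with two rules, where the second rule's `--set-xmark 0x0/0x30000` now runs before the mark is tested in MULTI-INGRESS — is exercised. Changing `Except` from `10.1.1.1` to `10.1.1.254` at @@ -270 also removes the one input that overlapped what appears to be the pod's own address in these fixtures, which is exactly what the new `-s 10.1.1.1 -j MARK` rule adds; keeping a variant with the old value would pin that the except DROP precedes the MARK. The terminal `-A MULTI-INGRESS -j DROP` is written from generatePolicyRules and shows up in none of the finalized listings in this file, so nothing here asserts that the chain ends closed.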
@@ -320,15 +320,16 @@ var _ = Describe("policyrules testing", func() {
 :MULTI-0-INGRESS - [0:0]
 :MULTI-0-INGRESS-0-PORTS - [0:0]
 :MULTI-0-INGRESS-0-FROM - [0:0]
+-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:testns1/net-attach1" -i net1 -j MULTI-0-INGRESS
+-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
 -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
--A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-INGRESS -j DROP
 -A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
--A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j DROP
+-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.254 -j DROP
 -A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000
+-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
 COMMIT
 `)
 Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
@@ -407,7 +408,7 @@ COMMIT
 portRules := []byte("-A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
 Expect(buf.ingressPorts.Bytes()).To(Equal(portRules))
- fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n")
+ fromRules := []byte("-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
 Expect(buf.ingressFrom.Bytes()).To(Equal(fromRules))
 buf.FinalizeRules()
@@ -418,14 +419,15 @@ COMMIT
 :MULTI-0-INGRESS - [0:0]
 :MULTI-0-INGRESS-0-PORTS - [0:0]
 :MULTI-0-INGRESS-0-FROM - [0:0]
+-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:testns1/net-attach1" -i net1 -j MULTI-0-INGRESS
+-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
 -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
--A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-INGRESS -j DROP
 -A MULTI-0-INGRESS-0-PORTS -i net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
+-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
 COMMIT
 `)
 Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
@@ -503,14 +505,15 @@ COMMIT
 :MULTI-0-INGRESS - [0:0]
 :MULTI-0-INGRESS-0-PORTS - [0:0]
 :MULTI-0-INGRESS-0-FROM - [0:0]
+-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:testns1/net-attach1" -i net1 -j MULTI-0-INGRESS
+-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
 -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
--A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-INGRESS -j DROP
 -A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
+-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
 COMMIT
 `)
@@ -586,14 +589,15 @@ COMMIT
 :MULTI-0-INGRESS - [0:0]
 :MULTI-0-INGRESS-0-PORTS - [0:0]
 :MULTI-0-INGRESS-0-FROM - [0:0]
+-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-INGRESS -m comment --comment "policy:ingressPolicies1 net-attach-def:default/net-attach1" -i net1 -j MULTI-0-INGRESS
+-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
 -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
--A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-INGRESS -j DROP
 -A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
+-A MULTI-0-INGRESS-0-FROM -i net1 -s 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
 COMMIT
 `)
 Expect(buf.filterRules.String()).To(Equal(string(finalizedRules)))
@@ -620,7 +624,7 @@ COMMIT
 {
 IPBlock: &multiv1beta1.IPBlock{
 CIDR: "10.1.1.1/24",
- Except: []string{"10.1.1.1"},
+ Except: []string{"10.1.1.254"},
 },
 },
 },
@@ -659,7 +663,7 @@ COMMIT
 portRules := []byte("-A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
 Expect(buf.egressPorts.Bytes()).To(Equal(portRules))
- toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j DROP\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n")
+ toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.254 -j DROP\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
 Expect(buf.egressTo.Bytes()).To(Equal(toRules))
 buf.FinalizeRules()
@@ -670,15 +674,16 @@ COMMIT
 :MULTI-0-EGRESS - [0:0]
 :MULTI-0-EGRESS-0-PORTS - [0:0]
 :MULTI-0-EGRESS-0-TO - [0:0]
+-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-EGRESS -m comment --comment "policy:EgressPolicies1 net-attach-def:testns1/net-attach1" -o net1 -j MULTI-0-EGRESS
+-A MULTI-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
 -A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
--A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-EGRESS -j DROP
 -A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
--A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j DROP
+-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.254 -j DROP
 -A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1/24 -j MARK --set-xmark 0x20000/0x20000
+-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
 COMMIT
 `)
 Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
@@ -757,7 +762,7 @@ COMMIT
 portRules := []byte("-A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000\n")
 Expect(buf.egressPorts.Bytes()).To(Equal(portRules))
- toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n")
+ toRules := []byte("-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000\n-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000\n")
 Expect(buf.egressTo.Bytes()).To(Equal(toRules))
 buf.FinalizeRules()
@@ -768,14 +773,15 @@ COMMIT
 :MULTI-0-EGRESS - [0:0]
 :MULTI-0-EGRESS-0-PORTS - [0:0]
 :MULTI-0-EGRESS-0-TO - [0:0]
+-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-EGRESS -m comment --comment "policy:EgressPolicies1 net-attach-def:testns1/net-attach1" -o net1 -j MULTI-0-EGRESS
+-A MULTI-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
 -A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
--A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-EGRESS -j DROP
 -A MULTI-0-EGRESS-0-PORTS -o net1 -m tcp -p tcp --dport 8888 -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.2 -j MARK --set-xmark 0x20000/0x20000
+-A MULTI-0-EGRESS-0-TO -o net1 -d 10.1.1.1 -j MARK --set-xmark 0x20000/0x20000
 COMMIT
 `)
 Expect(buf.filterRules.Bytes()).To(Equal(finalizedRules))
@@ -952,11 +958,10 @@ var _ = Describe("policyrules testing - invalid case", func() {
 :MULTI-0-INGRESS - [0:0]
 :MULTI-0-INGRESS-0-PORTS - [0:0]
 :MULTI-0-INGRESS-0-FROM - [0:0]
+-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
--A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-INGRESS -j DROP
 -A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-INGRESS-0-FROM -m comment --comment "no ingress from, skipped" -j MARK --set-xmark 0x20000/0x20000
 COMMIT
@@ -1042,11 +1047,10 @@ COMMIT
 :MULTI-0-INGRESS - [0:0]
 :MULTI-0-INGRESS-0-PORTS - [0:0]
 :MULTI-0-INGRESS-0-FROM - [0:0]
+-A MULTI-INGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
 -A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
--A MULTI-0-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-INGRESS -j DROP
 -A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-INGRESS-0-FROM -m comment --comment "no ingress from, skipped" -j MARK --set-xmark 0x20000/0x20000
 COMMIT
@@ -1119,11 +1123,10 @@ COMMIT
 :MULTI-0-EGRESS - [0:0]
 :MULTI-0-EGRESS-0-PORTS - [0:0]
 :MULTI-0-EGRESS-0-TO - [0:0]
+-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
--A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-EGRESS -j DROP
 -A MULTI-0-EGRESS-0-PORTS -m comment --comment "no egress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-EGRESS-0-TO -m comment --comment "no egress to, skipped" -j MARK --set-xmark 0x20000/0x20000
 COMMIT
@@ -1209,11 +1212,10 @@ COMMIT
 :MULTI-0-EGRESS - [0:0]
 :MULTI-0-EGRESS-0-PORTS - [0:0]
 :MULTI-0-EGRESS-0-TO - [0:0]
+-A MULTI-EGRESS -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A MULTI-0-EGRESS -j MARK --set-xmark 0x0/0x30000
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-PORTS
 -A MULTI-0-EGRESS -j MULTI-0-EGRESS-0-TO
--A MULTI-0-EGRESS -m mark --mark 0x30000/0x30000 -j RETURN
--A MULTI-0-EGRESS -j DROP
 -A MULTI-0-EGRESS-0-PORTS -m comment --comment "no egress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
 -A MULTI-0-EGRESS-0-TO -m comment --comment "no egress to, skipped" -j MARK --set-xmark 0x20000/0x20000
 COMMIT
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 6e824eda..50cfc5d9 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -538,6 +538,8 @@ func (s *Server) generatePolicyRules(pod *v1.Pod, podInfo *controllers.PodInfo)
 iptableBuffer.Reset()
 idx := 0
+ ingressRendered := 0
+ egressRendered := 0
 for _, p := range s.policyMap {
 policy := p.Policy
 if policy.GetNamespace() != pod.Namespace {
@@ -586,13 +588,21 @@ func (s *Server) generatePolicyRules(pod *v1.Pod, podInfo *controllers.PodInfo)
 if podInfo.CheckPolicyNetwork(policyNetworks) {
 if ingressEnable {
 iptableBuffer.renderIngress(s, podInfo, idx, policy, policyNetworks)
+ ingressRendered++
 }
 if egressEnable {
 iptableBuffer.renderEgress(s, podInfo, idx, policy, policyNetworks)
+ egressRendered++
 }
 idx++
 }
 }
+ if ingressRendered != 0 {
+ writeLine(iptableBuffer.policyIndex, "-A", "MULTI-INGRESS", "-j", "DROP")
+ }
+ if egressRendered != 0 {
+ writeLine(iptableBuffer.policyIndex, "-A", "MULTI-EGRESS", "-j", "DROP")
+ }
 if !iptableBuffer.IsUsed() {
 iptableBuffer.Init(s.ip4Tables)
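Review bot: `ingressRendered` and `egressRendered` are only ever compared with 0 (at @@ -586), so they act as flags rather than counts; `ingressRendered := false` set with `ingressRendered = true` after each render would say so directly, or a comment on the declarations such as `// non-zero once any policy contributed an ingress/egress chain; gates the terminal DROP` would make the intent explicit. generatePolicyRules starts before this hunk.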