Merge pull request #1134 from kubeovn/sg-acl
add sg acl check when init
hongzhen-ma authored Dec 3, 2021
2 parents 5d8dba9 + 2048007 commit 4499505
Showing 1 changed file with 29 additions and 4 deletions.
33 changes: 29 additions & 4 deletions pkg/ovs/ovn-nbctl.go
Expand Up @@ -1731,14 +1731,26 @@ func (c Client) createSgRuleACL(sgName string, direction AclDirection, rule *kub

func (c Client) CreateSgDenyAllACL() error {
portGroupName := GetSgPortGroupName(util.DenyAllSecurityGroup)
if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupDropPriority,
fmt.Sprintf("outport==@%s && ip", portGroupName), "drop"); err != nil {
exist, err := c.AclExists(util.SecurityGroupDropPriority, string(SgAclIngressDirection))
if err != nil {
return err
}
if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupDropPriority,
fmt.Sprintf("inport==@%s && ip", portGroupName), "drop"); err != nil {
if !exist {
if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclIngressDirection), util.SecurityGroupDropPriority,
fmt.Sprintf("outport==@%s && ip", portGroupName), "drop"); err != nil {
return err
}
}
exist, err = c.AclExists(util.SecurityGroupDropPriority, string(SgAclEgressDirection))
if err != nil {
return err
}
if !exist {
if _, err := c.ovnNbCommand(MayExist, "--type=port-group", "acl-add", portGroupName, string(SgAclEgressDirection), util.SecurityGroupDropPriority,
fmt.Sprintf("inport==@%s && ip", portGroupName), "drop"); err != nil {
return err
}
}
return nil
}

Expand Down Expand Up @@ -1816,3 +1828,16 @@ func (c Client) SetLspExternalIds(cmd []string) error {
}
return nil
}

func (c *Client) AclExists(priority, direction string) (bool, error) {
priorityVal, _ := strconv.Atoi(priority)
results, err := c.CustomFindEntity("acl", []string{"match"}, fmt.Sprintf("priority=%d", priorityVal), fmt.Sprintf("direction=%s", direction))
if err != nil {
klog.Errorf("customFindEntity failed, %v", err)
return false, err
}
if len(results) == 0 {
return false, nil
}
return true, nil
}
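Review bot: AclExists (L51-L62) filters only on priority and direction, so any ACL anywhere in the northbound DB that sits at util.SecurityGroupDropPriority with the same direction — for instance one attached to a different port group — makes CreateSgDenyAllACL skip its acl-add, and the deny-all port group is left without its drop rule, i.e. a security group meant to deny everything fails open. The lookup should be scoped to the exact rule being created, e.g. by also filtering on the match expression the caller builds (`fmt.Sprintf("outport==@%s && ip", portGroupName)`), assuming CustomFindEntity forwards its trailing arguments to `ovn-nbctl find` as column=value filters the way the existing priority= and direction= arguments suggest (if it does not, compare the returned match column against the expected string instead). The same function discards the strconv.Atoi error, so a non-numeric priority silently queries priority=0 rather than failing. Minor: the new method uses a `*Client` receiver while the neighbouring methods use `(c Client)`, and the exported name has no doc comment.
```go
// AclExists reports whether an ACL with the given priority, direction and
// match expression already exists in the OVN northbound database.
func (c Client) AclExists(priority, direction, match string) (bool, error) {
	priorityVal, err := strconv.Atoi(priority)
	if err != nil {
		return false, fmt.Errorf("invalid acl priority %q: %w", priority, err)
	}
	results, err := c.CustomFindEntity("acl", []string{"match"},
		fmt.Sprintf("priority=%d", priorityVal),
		fmt.Sprintf("direction=%s", direction),
		fmt.Sprintf("match=%q", match))
	// … unchanged: error logging and len(results) check …
}

// in CreateSgDenyAllACL, pass the rule's own match so only this ACL counts
exist, err := c.AclExists(util.SecurityGroupDropPriority, string(SgAclIngressDirection), fmt.Sprintf("outport==@%s && ip", portGroupName))
// … unchanged: egress lookup likewise with fmt.Sprintf("inport==@%s && ip", portGroupName) …
```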
