fix subnet acl with same net allow

Signed-off-by: lynn901 <[email protected]>
kubeovn · Apr 30, 2024 · 2a00c59 · 2a00c59
1 parent dd9a25d
commit 2a00c59
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 12 deletions.
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
@@ -440,13 +440,19 @@ func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcl
 				NewACLMatch(ipSuffix+".dst", "==", cidr, ""),
 			)
 
-			sameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllowRelated, options)
-			if err != nil {
-				klog.Error(err)
-				return fmt.Errorf("new same subnet ingress acl for logical switch %s: %v", lsName, err)
+			ingressSameSubnetACL, ingressErr := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllow, options)
+			if ingressErr != nil {
+				klog.Error(ingressErr)
+				return fmt.Errorf("new same subnet ingress acl for logical switch %s: %v", lsName, ingressErr)
 			}
+			acls = append(acls, ingressSameSubnetACL)
 
-			acls = append(acls, sameSubnetACL)
+			egressSameSubnetACL, EgressErr := c.newACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllow, options)
+			if EgressErr != nil {
+				klog.Error(EgressErr)
+				return fmt.Errorf("new same subnet egress acl for logical switch %s: %v", lsName, EgressErr)
+			}
+			acls = append(acls, egressSameSubnetACL)
 		}
 	}
 

diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
@@ -688,13 +688,20 @@ func (suite *OvnClientTestSuite) testUpdateLogicalSwitchACL() {
 		if protocol == kubeovnv1.ProtocolIPv6 {
 			match = "ip6.src == 2409:8720:4a00::0/64 && ip6.dst == 2409:8720:4a00::0/64"
 		}
-		acl, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, false)
-		require.NoError(t, err)
-		expect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllowRelated)
-		expect.UUID = acl.UUID
-		expect.ExternalIDs["subnet"] = lsName
-		require.Equal(t, expect, acl)
-		require.Contains(t, ls.ACLs, acl.UUID)
+		ingressAcl, ingressErr := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, false)
+		require.NoError(t, ingressErr)
+		ingressExpect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllow)
+		ingressExpect.UUID = ingressAcl.UUID
+		ingressExpect.ExternalIDs["subnet"] = lsName
+		require.Equal(t, ingressExpect, ingressAcl)
+		require.Contains(t, ls.ACLs, ingressAcl.UUID)
+		egressAcl, egressErr := ovnClient.GetACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, match, false)
+		require.NoError(t, egressErr)
+		egressExpect := newACL(lsName, ovnnb.ACLDirectionFromLport, util.AllowEWTrafficPriority, match, ovnnb.ACLActionAllow)
+		egressExpect.UUID = ingressAcl.UUID
+		egressExpect.ExternalIDs["subnet"] = lsName
+		require.Equal(t, egressExpect, egressAcl)
+		require.Contains(t, ls.ACLs, egressAcl.UUID)
 	}
 
 	for _, subnetACL := range subnetAcls {