add base rules for allowing vrrp packets
Signed-off-by: yuanliu <[email protected]>
lynn901 committed Oct 9, 2023
1 parent b6192f3 commit 9615ecc
Showing 2 changed files with 27 additions and 5 deletions.
18 changes: 16 additions & 2 deletions pkg/ovs/ovn-nb-acl.go
Expand Up @@ -286,10 +286,18 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
portDirection := "outport"
dhcpv4UdpSrc, dhcpv4UdpDst := "67", "68"
dhcpv6UdpSrc, dhcpv6UdpDst := "547", "546"
icmpv6Type := "{130, 134, 135, 136}"
// 130 group membership query
// 133 router solicitation
// 134 router advertisement
// 135 neighbor solicitation
// 136 neighbor advertisement

if direction == ovnnb.ACLDirectionFromLport { // egress rule
portDirection = "inport"
dhcpv4UdpSrc, dhcpv4UdpDst = dhcpv4UdpDst, dhcpv4UdpSrc
dhcpv6UdpSrc, dhcpv6UdpDst = dhcpv6UdpDst, dhcpv6UdpSrc
icmpv6Type = "{130, 133, 135, 136}"
}

acls := make([]*ovnnb.ACL, 0)
Expand All @@ -314,7 +322,7 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
// icmpv6
icmpv6Match := NewAndACLMatch(
NewACLMatch(portDirection, "==", "@"+pgName, ""),
NewACLMatch("icmp6.type", "==", "{130, 134, 135, 136}", ""),
NewACLMatch("icmp6.type", "==", icmpv6Type, ""),
NewACLMatch("icmp6.code", "==", "0", ""),
NewACLMatch("ip.ttl", "==", "255", ""),
)
Expand All @@ -336,9 +344,15 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
NewACLMatch("udp.dst", "==", dhcpv6UdpDst, ""),
NewACLMatch("ip6", "", "", ""),
)

newACL(dhcpv6Match.String())

// vrrp
vrrpMatch := NewAndACLMatch(
NewACLMatch(portDirection, "==", "@"+pgName, ""),
NewACLMatch("ip.proto", "==", "112", ""),
)
newACL(vrrpMatch.String())

if err := c.CreateAcls(pgName, portGroupKey, acls...); err != nil {
return fmt.Errorf("add ingress acls to port group %s: %v", pgName, err)
}
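Review bot: The new vrrp base ACL built from `NewACLMatch("ip.proto", "==", "112", "")` admits every IP protocol 112 packet in both directions for every security group, with no destination constraint, which makes it looser than the neighbouring base rules (dhcp pins udp ports, icmpv6 pins type, code and ttl). VRRP advertisements are addressed to the well-known multicast group 224.0.0.18 (ff02::12 for VRRPv3 over IPv6), so adding `NewACLMatch("ip4.dst", "==", "224.0.0.18", "")` to the match (with a parallel ip6 rule for `ff02::12` if IPv6 VRRP is meant to be covered) would keep the exemption to advertisement traffic and leave unicast protocol-112 traffic subject to the group's own rules; the `ip.proto == 112` expectations in ovn-nb-acl_test.go would change accordingly. The `// vrrp` comment above the match could also state why this protocol is allowed unconditionally, e.g. `// vrrp (ip proto 112): allowed as a base rule so VIP failover advertisements do not depend on per-sg rules`, if that is the intent. CreateSgBaseACL starts and ends outside the hunks; the `add ingress acls to port group` error text in the context is also emitted for the egress direction, but that predates this change.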
14 changes: 11 additions & 3 deletions pkg/ovs/ovn-nb-acl_test.go
Expand Up @@ -473,7 +473,7 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {

pg, err := ovnClient.GetPortGroup(pgName, false)
require.NoError(t, err)
require.Len(t, pg.ACLs, 4)
require.Len(t, pg.ACLs, 5)

// arp
match := fmt.Sprintf("%s == @%s && arp", portDirection, pgName)
Expand All @@ -490,6 +490,10 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
// dhcpv6
match = fmt.Sprintf("%s == @%s && udp.src == 547 && udp.dst == 546 && ip6", portDirection, pgName)
expect(pg, match)

// vrrp
match = fmt.Sprintf("%s == @%s && ip.proto == 112", portDirection, pgName)
expect(pg, match)
})

t.Run("create sg base egress acl", func(t *testing.T) {
Expand All @@ -508,14 +512,14 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {

pg, err := ovnClient.GetPortGroup(pgName, false)
require.NoError(t, err)
require.Len(t, pg.ACLs, 4)
require.Len(t, pg.ACLs, 5)

// arp
match := fmt.Sprintf("%s == @%s && arp", portDirection, pgName)
expect(pg, match)

// icmpv6
match = fmt.Sprintf("%s == @%s && icmp6.type == {130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portDirection, pgName)
match = fmt.Sprintf("%s == @%s && icmp6.type == {130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portDirection, pgName)
expect(pg, match)

// dhcpv4
Expand All @@ -525,6 +529,10 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
// dhcpv6
match = fmt.Sprintf("%s == @%s && udp.src == 546 && udp.dst == 547 && ip6", portDirection, pgName)
expect(pg, match)

// vrrp
match = fmt.Sprintf("%s == @%s && ip.proto == 112", portDirection, pgName)
expect(pg, match)
})
}

