Allow same subnet traffic

Signed-off-by: yuanliu <[email protected]>

pkg/apis/kubeovn/v1/types.go

@@ -158,7 +158,8 @@ type SubnetSpec struct {
 	EnableIPv6RA  bool   `json:"enableIPv6RA,omitempty"`
 	IPv6RAConfigs string `json:"ipv6RAConfigs,omitempty"`
 
-	Acls []ACL `json:"acls,omitempty"`
+	Acls                   []ACL `json:"acls,omitempty"`
+	AllowSameSubnetTraffic bool  `json:"allowSameSubnetTraffic"`
 
 	NatOutgoingPolicyRules []NatOutgoingPolicyRule `json:"natOutgoingPolicyRules,omitempty"`
 

pkg/controller/subnet.go

@@ -826,7 +826,7 @@ func (c *Controller) handleAddOrUpdateSubnet(key string) error {
 		c.patchSubnetStatus(subnet, "ResetLogicalSwitchAclSuccess", "")
 	}
 
-	if err := c.OVNNbClient.UpdateLogicalSwitchACL(subnet.Name, subnet.Spec.Acls); err != nil {
+	if err := c.OVNNbClient.UpdateLogicalSwitchACL(subnet.Name, subnet.Spec.CIDRBlock, subnet.Spec.Acls, subnet.Spec.AllowSameSubnetTraffic); err != nil {
 		c.patchSubnetStatus(subnet, "SetLogicalSwitchAclsFailed", err.Error())
 		return err
 	}

pkg/daemon/ovs_linux.go

@@ -1479,12 +1479,11 @@ func getShortSharedDir(uid types.UID, volumeName string) string {
 }
 
 func linkExists(name string) (bool, error) {
-	_, err := netlink.LinkByName(name)
-	if err == nil {
-		return true, nil
-	} else if _, ok := err.(netlink.LinkNotFoundError); ok {
-		return false, nil
-	} else {
+	if _, err := netlink.LinkByName(name); err != nil {
+		if _, ok := err.(netlink.LinkNotFoundError); ok {
+			return false, nil
+		}
 		return false, err
 	}
+	return true, nil
 }

pkg/ovs/interface.go

@@ -107,7 +107,7 @@ type ACL interface {
 	CreateSgDenyAllACL(sgName string) error
 	CreateSgBaseACL(sgName, direction string) error
 	UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string) error
-	UpdateLogicalSwitchACL(lsName string, subnetAcls []kubeovnv1.ACL) error
+	UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcls []kubeovnv1.ACL, allowSameSubnetTraffic bool) error
 	SetACLLog(pgName, protocol string, logEnable, isIngress bool) error
 	SetLogicalSwitchPrivate(lsName, cidrBlock, nodeSwitchCIDR string, allowSubnets []string) error
 	DeleteAcls(parentName, parentType, direction string, externalIDs map[string]string) error

pkg/ovs/ovn-nb-acl.go

@@ -417,15 +417,15 @@ func (c *OVNNbClient) UpdateSgACL(sg *kubeovnv1.SecurityGroup, direction string)
 	return nil
 }
 
-func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName string, subnetAcls []kubeovnv1.ACL) error {
+func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName, cidrBlock string, subnetAcls []kubeovnv1.ACL, allowSameSubnetTraffic bool) error {
 	if err := c.DeleteAcls(lsName, logicalSwitchKey, "", map[string]string{"subnet": lsName}); err != nil {
 		return fmt.Errorf("delete subnet acls from %s: %v", lsName, err)
 	}
 
 	if len(subnetAcls) == 0 {
 		return nil
 	}
-	acls := make([]*ovnnb.ACL, 0, len(subnetAcls))
+	acls := make([]*ovnnb.ACL, 0)
 
 	options := func(acl *ovnnb.ACL) {
 		if acl.ExternalIDs == nil {
@@ -434,6 +434,31 @@ func (c *OVNNbClient) UpdateLogicalSwitchACL(lsName string, subnetAcls []kubeovn
 		acl.ExternalIDs["subnet"] = lsName
 	}
 
+	if allowSameSubnetTraffic {
+		for _, cidr := range strings.Split(cidrBlock, ",") {
+			protocol := util.CheckProtocol(cidr)
+
+			ipSuffix := "ip4"
+			if protocol == kubeovnv1.ProtocolIPv6 {
+				ipSuffix = "ip6"
+			}
+
+			/* same subnet acl */
+			sameSubnetMatch := NewAndACLMatch(
+				NewACLMatch(ipSuffix+".src", "==", cidr, ""),
+				NewACLMatch(ipSuffix+".dst", "==", cidr, ""),
+			)
+
+			sameSubnetACL, err := c.newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowSameSubnetPriority, sameSubnetMatch.String(), ovnnb.ACLActionAllowRelated, options)
+			if err != nil {
+				klog.Error(err)
+				return fmt.Errorf("new same subnet ingress acl for logical switch %s: %v", lsName, err)
+			}
+
+			acls = append(acls, sameSubnetACL)
+		}
+	}
+
 	/* recreate logical switch acl */
 	for _, subnetACL := range subnetAcls {
 		acl, err := c.newACL(lsName, subnetACL.Direction, strconv.Itoa(subnetACL.Priority), subnetACL.Match, subnetACL.Action, options)

pkg/ovs/ovn-nb-acl_test.go

@@ -655,6 +655,7 @@ func (suite *OvnClientTestSuite) testUpdateLogicalSwitchACL() {
 
 	ovnClient := suite.ovnClient
 	lsName := "test_update_acl_ls"
+	cidrBlock := "192.168.2.0/24, 2409:8720:4a00::0/64"
 
 	subnetAcls := []kubeovnv1.ACL{
 		{
@@ -674,12 +675,28 @@ func (suite *OvnClientTestSuite) testUpdateLogicalSwitchACL() {
 	err := ovnClient.CreateBareLogicalSwitch(lsName)
 	require.NoError(t, err)
 
-	err = ovnClient.UpdateLogicalSwitchACL(lsName, subnetAcls)
+	err = ovnClient.UpdateLogicalSwitchACL(lsName, cidrBlock, subnetAcls, true)
 	require.NoError(t, err)
 
 	ls, err := ovnClient.GetLogicalSwitch(lsName, false)
 	require.NoError(t, err)
 
+	for _, cidr := range strings.Split(cidrBlock, ",") {
+		protocol := util.CheckProtocol(cidr)
+
+		match := "ip4.src == 192.168.2.0/24 && ip4.dst == 192.168.2.0/24"
+		if protocol == kubeovnv1.ProtocolIPv6 {
+			match = "ip6.src == 2409:8720:4a00::0/64 && ip6.dst == 2409:8720:4a00::0/64"
+		}
+		acl, err := ovnClient.GetACL(lsName, ovnnb.ACLDirectionToLport, util.AllowSameSubnetPriority, match, false)
+		require.NoError(t, err)
+		expect := newACL(lsName, ovnnb.ACLDirectionToLport, util.AllowSameSubnetPriority, match, ovnnb.ACLActionAllowRelated)
+		expect.UUID = acl.UUID
+		expect.ExternalIDs["subnet"] = lsName
+		require.Equal(t, expect, acl)
+		require.Contains(t, ls.ACLs, acl.UUID)
+	}
+
 	for _, subnetACL := range subnetAcls {
 		acl, err := ovnClient.GetACL(lsName, subnetACL.Direction, strconv.Itoa(subnetACL.Priority), subnetACL.Match, false)
 		require.NoError(t, err)

pkg/ovsdb/client/client.go

@@ -75,7 +75,7 @@ func NewOvsDbClient(db, addr string, dbModel model.ClientDBModel, monitors []cli
 		tlsConfig := &tls.Config{
 			Certificates:       []tls.Certificate{cert},
 			RootCAs:            certPool,
-			InsecureSkipVerify: true,
+			InsecureSkipVerify: false,
 		}
 		options = append(options, client.WithTLSConfig(tlsConfig))
 	}

pkg/util/const.go

@@ -140,6 +140,8 @@ const (
 	EgressAllowPriority = "2001"
 	EgressDefaultDrop   = "2000"
 
+	AllowSameSubnetPriority = "1900"
+
 	SubnetAllowPriority = "1001"
 	DefaultDropPriority = "1000"