From f2be2d58f3ce834e9140482e65624154ef2d7bb3 Mon Sep 17 00:00:00 2001 From: Zhao Congqi Date: Fri, 2 Feb 2024 13:17:09 +0800 Subject: [PATCH] fix: security group base acl direction (#3690) * fix: security group base acl direction Signed-off-by: zcq98 * fix: test CreateSgBaseACL Signed-off-by: zcq98 --------- Signed-off-by: zcq98 --- pkg/ovs/ovn-nb-acl.go | 2 +- pkg/ovs/ovn-nb-acl_test.go | 26 +++++++++++++------------- 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/pkg/ovs/ovn-nb-acl.go b/pkg/ovs/ovn-nb-acl.go
index 30b214a1a9b..45574ee76ed 100644
--- a/pkg/ovs/ovn-nb-acl.go
+++ b/pkg/ovs/ovn-nb-acl.go
@@ -303,7 +303,7 @@ func (c *OVNNbClient) CreateSgBaseACL(sgName, direction string) error {
 acls := make([]*ovnnb.ACL, 0)
 newACL := func(match string) {
- acl, err := c.newACL(pgName, ovnnb.ACLDirectionToLport, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated)
+ acl, err := c.newACL(pgName, direction, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated)
 if err != nil {
 klog.Error(err)
 klog.Errorf("new base ingress acl for security group %s: %v", sgName, err)
diff --git a/pkg/ovs/ovn-nb-acl_test.go b/pkg/ovs/ovn-nb-acl_test.go
index 99679824f7a..9bd53abe15c 100644
--- a/pkg/ovs/ovn-nb-acl_test.go
+++ b/pkg/ovs/ovn-nb-acl_test.go
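Review bot: In pkg/ovs/ovn-nb-acl.go the error message in the `newACL` closure still reads `new base ingress acl for security group %s: %v`, although the closure now builds from-lport (egress) ACLs as well, so a failed egress rule would be logged as an ingress one. Logging the value removes the ambiguity: `klog.Errorf("new base %s acl for security group %s: %v", direction, sgName, err)`; the preceding `klog.Error(err)` reports the same error a second time and could be dropped. `direction` is a plain string that now reaches the ACL unchanged, and the visible lines do not show it being checked against `ovnnb.ACLDirectionToLport` / `ovnnb.ACLDirectionFromLport`; that is worth confirming in the part of CreateSgBaseACL outside the hunk, since the closure body and the function both continue past it.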
@@ -445,11 +445,11 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 ovnClient := suite.ovnClient
- expect := func(pg *ovnnb.PortGroup, match string) {
- arpACL, err := ovnClient.GetACL(pg.Name, ovnnb.ACLDirectionToLport, util.SecurityGroupBasePriority, match, false)
+ expect := func(pg *ovnnb.PortGroup, match, direction string) {
+ arpACL, err := ovnClient.GetACL(pg.Name, direction, util.SecurityGroupBasePriority, match, false)
 require.NoError(t, err)
- expect := newACL(pg.Name, ovnnb.ACLDirectionToLport, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated, func(acl *ovnnb.ACL) {
+ expect := newACL(pg.Name, direction, util.SecurityGroupBasePriority, match, ovnnb.ACLActionAllowRelated, func(acl *ovnnb.ACL) {
 acl.UUID = arpACL.UUID
 })
@@ -477,23 +477,23 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 // arp
 match := fmt.Sprintf("%s == @%s && arp", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionToLport)
 // icmpv6
 match = fmt.Sprintf("%s == @%s && icmp6.type == {130, 134, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionToLport)
 // dhcpv4
 match = fmt.Sprintf("%s == @%s && udp.src == 67 && udp.dst == 68 && ip4", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionToLport)
 // dhcpv6
 match = fmt.Sprintf("%s == @%s && udp.src == 547 && udp.dst == 546 && ip6", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionToLport)
 // vrrp
 match = fmt.Sprintf("%s == @%s && ip.proto == 112", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionToLport)
 })
 t.Run("create sg base egress acl", func(t *testing.T) {
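Review bot: Inside the `expect` helper (hunk at -445) the local `expect := newACL(...)` shadows the helper's own name, and `arpACL` holds the fetched ACL for every match the helper is called with (icmpv6, dhcp, vrrp), not only ARP. Renaming the two locals, e.g. `got, err := ovnClient.GetACL(...)` and `want := newACL(...)`, makes the comparison easier to read now that the helper also takes a direction. The helper's closing lines are outside the hunk, so the final comparison would need the same rename.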
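Review bot: The expected match strings in the hunk at -477 (and the egress counterpart at -516) are the allowlist that every security group gets, but the numeric ICMPv6 types carry no explanation, and the two directions differ in a single value (134 for ingress, 133 for egress). A comment on each would let a reviewer check the list without looking the types up, for example `// icmpv6: 130 MLD query, 134 router advertisement, 135/136 neighbor solicitation/advertisement` for ingress and `// icmpv6: 130 MLD query, 133 router solicitation, 135/136 neighbor solicitation/advertisement` for egress. Both subtests start outside their hunks.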
@@ -516,23 +516,23 @@ func (suite *OvnClientTestSuite) testCreateSgBaseACL() {
 // arp
 match := fmt.Sprintf("%s == @%s && arp", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionFromLport)
 // icmpv6
 match = fmt.Sprintf("%s == @%s && icmp6.type == {130, 133, 135, 136} && icmp6.code == 0 && ip.ttl == 255", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionFromLport)
 // dhcpv4
 match = fmt.Sprintf("%s == @%s && udp.src == 68 && udp.dst == 67 && ip4", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionFromLport)
 // dhcpv6
 match = fmt.Sprintf("%s == @%s && udp.src == 546 && udp.dst == 547 && ip6", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionFromLport)
 // vrrp
 match = fmt.Sprintf("%s == @%s && ip.proto == 112", portDirection, pgName)
- expect(pg, match)
+ expect(pg, match, ovnnb.ACLDirectionFromLport)
 })
 }