Skip to content

Commit

Permalink
Add egress firewall external id to make name+externalIDs unique even
Browse files Browse the repository at this point in the history 
when the acl name is cropped. That happens when namespace name is
longer than 43 symbols.

Signed-off-by: Nadia Pinaeva <[email protected]>
(cherry picked from commit dafe82b)
(cherry picked from commit d74d6ea)

Conflicts:
	go-controller/pkg/ovn/egressfirewall_test.go -
use hardcoded address set hash names
  • Loading branch information
@npinaeva
npinaeva committed Mar 7, 2023
1 parent 5f8cd83 commit a5f65cb
Show file tree
Hide file tree
Showing 2 changed files with 151 additions and 15 deletions.
8 changes: 6 additions & 2 deletions go-controller/pkg/ovn/egressfirewall.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,8 @@ const (
egressFirewallAppliedCorrectly = "EgressFirewall Rules applied"
egressFirewallAddError = "EgressFirewall Rules not correctly added"
// egressFirewallACLExtIdKey external ID key for egress firewall ACLs
egressFirewallACLExtIdKey = "egressFirewall"
egressFirewallACLExtIdKey = "egressFirewall"
egressFirewallACLPriorityKey = "priority"
)

type egressFirewall struct {
Expand Down Expand Up @@ -347,7 +348,10 @@ func (oc *Controller) createEgressFirewallRules(priority int, match, action, ext
aclLogging,
// since egressFirewall has direction to-lport, set type to ingress
lportIngress,
map[string]string{egressFirewallACLExtIdKey: externalID},
map[string]string{
egressFirewallACLExtIdKey: externalID,
egressFirewallACLPriorityKey: fmt.Sprintf("%d", priority),
},
)
ops, err := libovsdbops.CreateOrUpdateACLsOps(oc.nbClient, nil, egressFirewallACL)
if err != nil {
Expand Down
158 changes: 145 additions & 13 deletions go-controller/pkg/ovn/egressfirewall_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -195,18 +195,32 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
// Both ACLs will be removed from the node switch
nodeSwitch.ACLs = nil

// keepACL will be re-created with the new external ID
newKeepACL := libovsdbops.BuildACL(
buildEgressFwAclName(namespace1.Name, t.EgressFirewallStartPriority),
nbdb.ACLDirectionToLport,
t.EgressFirewallStartPriority,
"(ip4.dst == 1.2.3.4/23) && ip4.src == $a10481622940199974102",
nbdb.ACLActionAllow,
t.OvnACLLoggingMeter,
"",
false,
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
newKeepACL.UUID = "newKeepACL-UUID"
// keepACL will be added to the clusterPortGroup
clusterPortGroup.ACLs = []string{keepACL.UUID}
clusterPortGroup.ACLs = []string{newKeepACL.UUID}

// Direction of both ACLs will be converted to
keepACL.Direction = nbdb.ACLDirectionToLport
newName := buildEgressFwAclName(namespace1.Name, t.EgressFirewallStartPriority)
keepACL.Name = &newName
// check severity was reset from default to nil
keepACL.Severity = nil
// subnet exclusion will be deleted
keepACL.Match = "(ip4.dst == 1.2.3.4/23) && ip4.src == $a10481622940199974102"

// purgeACL ACL will be deleted when test server starts deleting dereferenced ACLs
// for now we need to update its fields, since it is present in the db
purgeACL.Direction = nbdb.ACLDirectionToLport
Expand All @@ -217,6 +231,7 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
expectedDatabaseState := []libovsdb.TestData{
otherACL,
purgeACL,
newKeepACL,
keepACL,
nodeSwitch,
joinSwitch,
Expand Down Expand Up @@ -282,7 +297,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL.UUID = "ipv4ACL-UUID"
Expand Down Expand Up @@ -350,7 +368,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv6ACL.UUID = "ipv6ACL-UUID"
Expand Down Expand Up @@ -427,7 +448,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
udpACL.UUID = "udpACL-UUID"
Expand Down Expand Up @@ -501,7 +525,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL.UUID = "ipv4ACL-UUID"
Expand Down Expand Up @@ -583,7 +610,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL.UUID = "ipv4ACL-UUID"
Expand Down Expand Up @@ -660,7 +690,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL.UUID = "ipv4ACL-UUID"
Expand Down Expand Up @@ -767,7 +800,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL.UUID = "ipv4ACL-UUID"
Expand Down Expand Up @@ -869,7 +905,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL.UUID = "ipv4ACL-UUID"
Expand Down Expand Up @@ -954,7 +993,10 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
t.OvnACLLoggingMeter,
"",
false,
map[string]string{egressFirewallACLExtIdKey: "namespace1"},
map[string]string{
egressFirewallACLExtIdKey: "namespace1",
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
acl.UUID = "acl-UUID"
Expand All @@ -969,6 +1011,96 @@ var _ = ginkgo.Describe("OVN EgressFirewall Operations", func() {
err := app.Run([]string{app.Name})
gomega.Expect(err).NotTo(gomega.HaveOccurred())
})
ginkgo.It(fmt.Sprintf("correctly creates an egressfirewall for namespace name > 43 symbols, gateway mode %s", gwMode), func() {
app.Action = func(ctx *cli.Context) error {
// 52 characters namespace
namespace1 := *newNamespace("abcdefghigklmnopqrstuvwxyzabcdefghigklmnopqrstuvwxyz")
egressFirewall := newEgressFirewallObject("default", namespace1.Name, []egressfirewallapi.EgressFirewallRule{
{
Type: "Allow",
To: egressfirewallapi.EgressFirewallDestination{
CIDRSelector: "1.2.3.5/23",
},
},
{
Type: "Allow",
To: egressfirewallapi.EgressFirewallDestination{
CIDRSelector: "2.2.3.5/23",
},
},
})

fakeOVN.startWithDBSetup(dbSetup,
&egressfirewallapi.EgressFirewallList{
Items: []egressfirewallapi.EgressFirewall{
*egressFirewall,
},
},
&v1.NamespaceList{
Items: []v1.Namespace{
namespace1,
},
})

err := fakeOVN.controller.WatchNamespaces()
gomega.Expect(err).NotTo(gomega.HaveOccurred())
err = fakeOVN.controller.WatchEgressFirewall()
gomega.Expect(err).NotTo(gomega.HaveOccurred())

ipv4ACL1 := libovsdbops.BuildACL(
buildEgressFwAclName(namespace1.Name, t.EgressFirewallStartPriority),
nbdb.ACLDirectionToLport,
t.EgressFirewallStartPriority,
"(ip4.dst == 1.2.3.5/23) && ip4.src == $a9275935520880020708",
nbdb.ACLActionAllow,
t.OvnACLLoggingMeter,
"",
false,
map[string]string{
egressFirewallACLExtIdKey: namespace1.Name,
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority),
},
nil,
)
ipv4ACL1.UUID = "ipv4ACL1-UUID"
ipv4ACL2 := libovsdbops.BuildACL(
buildEgressFwAclName(namespace1.Name, t.EgressFirewallStartPriority-1),
nbdb.ACLDirectionToLport,
t.EgressFirewallStartPriority-1,
"(ip4.dst == 2.2.3.5/23) && ip4.src == $a9275935520880020708",
nbdb.ACLActionAllow,
t.OvnACLLoggingMeter,
"",
false,
map[string]string{
egressFirewallACLExtIdKey: namespace1.Name,
egressFirewallACLPriorityKey: fmt.Sprintf("%d", t.EgressFirewallStartPriority-1),
},
nil,
)
ipv4ACL2.UUID = "ipv4ACL2-UUID"

// new ACL will be added to the port group
clusterPortGroup.ACLs = []string{ipv4ACL1.UUID, ipv4ACL2.UUID}
expectedDatabaseState := append(initialData, ipv4ACL1, ipv4ACL2)

gomega.Eventually(fakeOVN.nbClient).Should(libovsdbtest.HaveData(expectedDatabaseState))

err = fakeOVN.fakeClient.EgressFirewallClient.K8sV1().EgressFirewalls(egressFirewall.Namespace).Delete(context.TODO(), egressFirewall.Name, *metav1.NewDeleteOptions(0))
gomega.Expect(err).NotTo(gomega.HaveOccurred())

// ACL should be removed from the port group egfw is deleted
clusterPortGroup.ACLs = []string{}
// this ACL will be deleted when test server starts deleting dereferenced ACLs
expectedDatabaseState = append(initialData, ipv4ACL1, ipv4ACL2)
gomega.Eventually(fakeOVN.nbClient).Should(libovsdbtest.HaveData(expectedDatabaseState))

return nil
}

err := app.Run([]string{app.Name})
gomega.Expect(err).NotTo(gomega.HaveOccurred())
})
}
})
})
Expand Down

0 comments on commit a5f65cb

Please sign in to comment.