Support for ACL (Hnsv2) (#705)

* initial changes

* remove extraneous code

* Add ACL and wireserver ACL

* add ACLs

* default acls

* address comments

* addressed comment

Author: ninzavivek

cni/azure-windows.conflist

@@ -40,6 +40,46 @@
                         "DestinationPrefix": "10.0.0.0/8",
                         "NeedEncap": true
                     }
+                },
+                {
+                    "Name": "EndpointPolicy",
+                    "Value": {
+                        "Type": "ACL",
+                        "Action": "Allow",
+                        "Direction": "Out",
+                        "RemoteAddresses": "168.63.129.16/32",
+                        "Protocols": "17",
+                        "RemotePorts": "53",
+                        "Priority": 200
+                    }
+                },
+                {
+                    "Name": "EndpointPolicy",
+                    "Value": {
+                        "Type": "ACL",
+                        "Action": "Block",
+                        "Direction": "Out",
+                        "RemoteAddresses": "168.63.129.16/32",
+                        "Priority": 65000
+                    }
+                },
+                {
+                    "Name": "EndpointPolicy",
+                    "Value": {
+                        "Type": "ACL",
+                        "Action": "Allow",
+                        "Direction": "Out",
+                        "Priority": 65500
+                    }
+                },
+                {
+                    "Name": "EndpointPolicy",
+                    "Value": {
+                        "Type": "ACL",
+                        "Action": "Allow",
+                        "Direction": "In",
+                        "Priority": 65500
+                    }
                 }
             ]
         }

network/policy/policy.go

@@ -10,6 +10,7 @@ const (
 	OutBoundNatPolicy CNIPolicyType = "OutBoundNAT"
 	RoutePolicy       CNIPolicyType = "ROUTE"
 	PortMappingPolicy CNIPolicyType = "NAT"
+	ACLPolicy         CNIPolicyType = "ACL"
 )
 
 type CNIPolicyType string

network/policy/policy_windows.go

@@ -176,6 +176,11 @@ func GetPolicyType(policy Policy) CNIPolicyType {
 		}
 	}
 
+	// Check if the type is ACLPolicy
+	if policy.Type == ACLPolicy {
+		return ACLPolicy
+	}
+
 	// Return empty string if the policy type is invalid
 	log.Printf("Returning policyType INVALID")
 	return ""
@@ -343,6 +348,28 @@ func GetHcnPortMappingPolicy(policy Policy) (hcn.EndpointPolicy, error) {
 	return portMappingPolicy, nil
 }
 
+// GetHcnACLPolicy returns ACL policy.
+func GetHcnACLPolicy(policy Policy) (hcn.EndpointPolicy, error) {
+	aclEndpolicySetting := hcn.EndpointPolicy{
+		Type: hcn.ACL,
+	}
+
+	// Check beforehand, the input meets the expected format
+	// otherwise, endpoint creation will fail later on.
+	var aclPolicySetting hcn.AclPolicySetting
+	if err := json.Unmarshal(policy.Data, &aclPolicySetting); err != nil {
+		return aclEndpolicySetting, err
+	}
+
+	aclPolicySettingBytes, err := json.Marshal(aclPolicySetting)
+	if err != nil {
+		return aclEndpolicySetting, err
+	}
+
+	aclEndpolicySetting.Settings = aclPolicySettingBytes
+	return aclEndpolicySetting, nil
+}
+
 // GetHcnEndpointPolicies returns array of all endpoint policies.
 func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoData map[string]interface{}, enableSnatForDns, enableMultiTenancy bool) ([]hcn.EndpointPolicy, error) {
 	var (
@@ -363,6 +390,8 @@ func GetHcnEndpointPolicies(policyType CNIPolicyType, policies []Policy, epInfoD
 				endpointPolicy, err = GetHcnRoutePolicy(policy)
 			case PortMappingPolicy:
 				endpointPolicy, err = GetHcnPortMappingPolicy(policy)
+			case ACLPolicy:
+				endpointPolicy, err = GetHcnACLPolicy(policy)
 			default:
 				// return error as we should be able to parse all the policies specified
 				return hcnEndPointPolicies, fmt.Errorf("Failed to set Policy: Type: %s, Data: %s", policy.Type, policy.Data)