add validation webhooks for netfilter nic selector

SchSeba · SchSeba · commit 40e65f287931 · 2025-12-23T16:29:53.000+02:00
Signed-off-by: Sebastian Sch &lt;sebassch@gmail.com&gt;
diff --git a/pkg/webhook/validate.go b/pkg/webhook/validate.go
@@ -153,6 +153,27 @@ func staticValidateSriovNetworkNodePolicy(cr *sriovnetworkv1.SriovNetworkNodePol
 		return false, fmt.Errorf("at least one of these parameters (vendor, deviceID, pfNames, rootDevices or netFilter) has to be defined in nicSelector in CR %s", cr.GetName())
 	}
 
+	// NetFilter specific validations - must be checked early before other validations
+	if cr.Spec.NicSelector.NetFilter != "" {
+		// 1. do not allow to use any other nicSelector fields when NetFilter is specified
+		if cr.Spec.NicSelector.Vendor != "" || cr.Spec.NicSelector.DeviceID != "" ||
+			len(cr.Spec.NicSelector.PfNames) > 0 || len(cr.Spec.NicSelector.RootDevices) > 0 {
+			return false, fmt.Errorf("nicSelector fields vendor, deviceID, pfNames, and rootDevices are not allowed when netFilter is specified")
+		}
+		// 2. do not support changing the EswitchMode when NetFilter is specified
+		if cr.Spec.EswitchMode != "" {
+			return false, fmt.Errorf("eSwitchMode is not supported when netFilter is specified")
+		}
+		// 3. do not allow Bridge when NetFilter is specified
+		if !cr.Spec.Bridge.IsEmpty() {
+			return false, fmt.Errorf("bridge configuration is not supported when netFilter is specified")
+		}
+		// 4. LinkType only "eth", "ETH" allowed when NetFilter is specified
+		if cr.Spec.LinkType != "" && !strings.EqualFold(cr.Spec.LinkType, consts.LinkTypeETH) {
+			return false, fmt.Errorf("linkType %q is not allowed when netFilter is specified, only 'eth' or 'ETH' are supported", cr.Spec.LinkType)
+		}
+	}
+
 	devMode := false
 	if os.Getenv("DEV_MODE") == "TRUE" {
 		devMode = true
@@ -233,6 +254,7 @@ func staticValidateSriovNetworkNodePolicy(cr *sriovnetworkv1.SriovNetworkNodePol
 	if !cr.Spec.Bridge.IsEmpty() && cr.Spec.ExternallyManaged {
 		return false, fmt.Errorf("software bridge management can't be used when the device externally managed")
 	}
+
 	return true, nil
 }
 
diff --git a/pkg/webhook/validate_test.go b/pkg/webhook/validate_test.go
@@ -1190,6 +1190,177 @@ func TestValidatePolicyForNodeStateWithValidNetFilter(t *testing.T) {
 	g.Expect(interfaceSelected).To(Equal(true))
 }
 
+func TestStaticValidateSriovNetworkNodePolicyWithNetFilterAndOtherNicSelectors(t *testing.T) {
+	testCases := []struct {
+		name        string
+		nicSelector SriovNetworkNicSelector
+		expectError string
+	}{
+		{
+			name: "netFilter with vendor",
+			nicSelector: SriovNetworkNicSelector{
+				NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+				Vendor:    "8086",
+			},
+			expectError: "nicSelector fields vendor, deviceID, pfNames, and rootDevices are not allowed when netFilter is specified",
+		},
+		{
+			name: "netFilter with deviceID",
+			nicSelector: SriovNetworkNicSelector{
+				NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+				DeviceID:  "158b",
+			},
+			expectError: "nicSelector fields vendor, deviceID, pfNames, and rootDevices are not allowed when netFilter is specified",
+		},
+		{
+			name: "netFilter with pfNames",
+			nicSelector: SriovNetworkNicSelector{
+				NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+				PfNames:   []string{"ens803f0"},
+			},
+			expectError: "nicSelector fields vendor, deviceID, pfNames, and rootDevices are not allowed when netFilter is specified",
+		},
+		{
+			name: "netFilter with rootDevices",
+			nicSelector: SriovNetworkNicSelector{
+				NetFilter:   "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+				RootDevices: []string{"0000:86:00.0"},
+			},
+			expectError: "nicSelector fields vendor, deviceID, pfNames, and rootDevices are not allowed when netFilter is specified",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewGomegaWithT(t)
+			policy := &SriovNetworkNodePolicy{
+				Spec: SriovNetworkNodePolicySpec{
+					DeviceType:   "netdevice",
+					NicSelector:  tc.nicSelector,
+					NumVfs:       1,
+					ResourceName: "p0",
+				},
+			}
+			ok, err := staticValidateSriovNetworkNodePolicy(policy)
+			g.Expect(err).To(MatchError(ContainSubstring(tc.expectError)))
+			g.Expect(ok).To(Equal(false))
+		})
+	}
+}
+
+func TestStaticValidateSriovNetworkNodePolicyWithNetFilterAndEswitchMode(t *testing.T) {
+	g := NewGomegaWithT(t)
+	policy := &SriovNetworkNodePolicy{
+		Spec: SriovNetworkNodePolicySpec{
+			DeviceType: "netdevice",
+			NicSelector: SriovNetworkNicSelector{
+				NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+			},
+			EswitchMode:  "switchdev",
+			NumVfs:       1,
+			ResourceName: "p0",
+		},
+	}
+	ok, err := staticValidateSriovNetworkNodePolicy(policy)
+	g.Expect(err).To(MatchError(ContainSubstring("eSwitchMode is not supported when netFilter is specified")))
+	g.Expect(ok).To(Equal(false))
+}
+
+func TestStaticValidateSriovNetworkNodePolicyWithNetFilterAndBridge(t *testing.T) {
+	g := NewGomegaWithT(t)
+	policy := &SriovNetworkNodePolicy{
+		Spec: SriovNetworkNodePolicySpec{
+			DeviceType: "netdevice",
+			NicSelector: SriovNetworkNicSelector{
+				NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+			},
+			Bridge:       Bridge{OVS: &OVSConfig{}},
+			NumVfs:       1,
+			ResourceName: "p0",
+		},
+	}
+	ok, err := staticValidateSriovNetworkNodePolicy(policy)
+	g.Expect(err).To(MatchError(ContainSubstring("bridge configuration is not supported when netFilter is specified")))
+	g.Expect(ok).To(Equal(false))
+}
+
+func TestStaticValidateSriovNetworkNodePolicyWithNetFilterAndInvalidLinkType(t *testing.T) {
+	testCases := []struct {
+		name        string
+		linkType    string
+		expectError bool
+	}{
+		{
+			name:        "netFilter with linkType ib",
+			linkType:    "ib",
+			expectError: true,
+		},
+		{
+			name:        "netFilter with linkType IB",
+			linkType:    "IB",
+			expectError: true,
+		},
+		{
+			name:        "netFilter with linkType eth",
+			linkType:    "eth",
+			expectError: false,
+		},
+		{
+			name:        "netFilter with linkType ETH",
+			linkType:    "ETH",
+			expectError: false,
+		},
+		{
+			name:        "netFilter with empty linkType",
+			linkType:    "",
+			expectError: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			g := NewGomegaWithT(t)
+			policy := &SriovNetworkNodePolicy{
+				Spec: SriovNetworkNodePolicySpec{
+					DeviceType: "netdevice",
+					NicSelector: SriovNetworkNicSelector{
+						NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+					},
+					LinkType:     tc.linkType,
+					NumVfs:       1,
+					ResourceName: "p0",
+				},
+			}
+			ok, err := staticValidateSriovNetworkNodePolicy(policy)
+			if tc.expectError {
+				g.Expect(err).To(MatchError(ContainSubstring("linkType")))
+				g.Expect(err).To(MatchError(ContainSubstring("is not allowed when netFilter is specified")))
+				g.Expect(ok).To(Equal(false))
+			} else {
+				g.Expect(err).NotTo(HaveOccurred())
+				g.Expect(ok).To(Equal(true))
+			}
+		})
+	}
+}
+
+func TestStaticValidateSriovNetworkNodePolicyWithNetFilterOnly(t *testing.T) {
+	g := NewGomegaWithT(t)
+	policy := &SriovNetworkNodePolicy{
+		Spec: SriovNetworkNodePolicySpec{
+			DeviceType: "netdevice",
+			NicSelector: SriovNetworkNicSelector{
+				NetFilter: "openstack/NetworkID:ada9ec67-2c97-467c-b674-c47200e2f5da",
+			},
+			NumVfs:       1,
+			ResourceName: "p0",
+		},
+	}
+	ok, err := staticValidateSriovNetworkNodePolicy(policy)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(ok).To(Equal(true))
+}
+
 func TestValidatePolicyForNodeStateWithValidVFAndNetFilter(t *testing.T) {
 	interfaceSelected = false
 	state := &SriovNetworkNodeState{
