
Commit e858e26

authored
change ACCEPT to RETURN with mark when a netpol is matched so that we run through all the applicable network policies for a flow (#915)
1 parent 4d6b0b8 commit e858e26

1 file changed

+43
-28
lines changed


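--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -756,11 +756,21 @@ func (npc *NetworkPolicyController) appendRuleToPolicyChain(iptablesCmdHandler *
 if dPort != "" {
 args = append(args, "--dport", dPort)
 }
-args = append(args, "-j", "ACCEPT")
-err := iptablesCmdHandler.AppendUnique("filter", policyChainName, args...)
+
+markComment := "rule to mark traffic matching a network policy"
+markArgs := append(args, "-j", "MARK", "-m", "comment", "--comment", markComment, "--set-xmark", "0x10000/0x10000")
+err := iptablesCmdHandler.AppendUnique("filter", policyChainName, markArgs...)
+if err != nil {
+return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+
+returnComment := "rule to RETURN traffic matching a network policy"
+returnArgs := append(args, "-m", "comment", "--comment", returnComment, "-m", "mark", "--mark", "0x10000/0x10000", "-j", "RETURN")
+err = iptablesCmdHandler.AppendUnique("filter", policyChainName, returnArgs...)
 if err != nil {
 return fmt.Errorf("Failed to run iptables command: %s", err.Error())
 }
+
 return nil
 }
 
@@ -773,6 +783,33 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 glog.Fatalf("Failed to initialize iptables executor: %s", err.Error())
 }
 
+dropUnmarkedTrafficRules := func(podName, podNamespace, podFwChainName string) error {
+// add rule to log the packets that will be dropped due to network policy enforcement
+comment := "rule to log dropped traffic POD name:" + podName + " namespace: " + podNamespace
+args := []string{"-m", "comment", "--comment", comment, "-m", "mark", "!", "--mark", "0x10000/0x10000", "-j", "NFLOG", "--nflog-group", "100", "-m", "limit", "--limit", "10/minute", "--limit-burst", "10"}
+err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+if err != nil {
+return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+
+// add rule to DROP if no applicable network policy permits the traffic
+comment = "rule to REJECT traffic destined for POD name:" + podName + " namespace: " + podNamespace
+args = []string{"-m", "comment", "--comment", comment, "-m", "mark", "!", "--mark", "0x10000/0x10000", "-j", "REJECT"}
+err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+if err != nil {
+return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+
+// reset mark to let traffic pass through rest of the chains
+args = []string{"-j", "MARK", "--set-mark", "0"}
+err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+if err != nil {
+return fmt.Errorf("Failed to run iptables command: %s", err.Error())
+}
+
+return nil
+}
+
 // loop through the pods running on the node which to which ingress network policies to be applied
 ingressNetworkPolicyEnabledPods, err := npc.getIngressNetworkPolicyEnabledPods(networkPoliciesInfo, npc.nodeIP.String())
 if err != nil {
@@ -888,20 +925,9 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 }
 }
 
-// add rule to log the packets that will be dropped due to network policy enforcement
-comment = "rule to log dropped traffic POD name:" + pod.name + " namespace: " + pod.namespace
-args = []string{"-m", "comment", "--comment", comment, "-j", "NFLOG", "--nflog-group", "100", "-m", "limit", "--limit", "10/minute", "--limit-burst", "10"}
-err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+err = dropUnmarkedTrafficRules(pod.name, pod.namespace, podFwChainName)
 if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-}
-
-// add default DROP rule at the end of chain
-comment = "default rule to REJECT traffic destined for POD name:" + pod.name + " namespace: " + pod.namespace
-args = []string{"-m", "comment", "--comment", comment, "-j", "REJECT"}
-err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
-if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+return nil, err
 }
 }
 
@@ -998,20 +1024,9 @@ func (npc *NetworkPolicyController) syncPodFirewallChains(networkPoliciesInfo []
 }
 }
 
-// add rule to log the packets that will be dropped due to network policy enforcement
-comment = "rule to log dropped traffic POD name:" + pod.name + " namespace: " + pod.namespace
-args = []string{"-m", "comment", "--comment", comment, "-j", "NFLOG", "--nflog-group", "100", "-m", "limit", "--limit", "10/minute", "--limit-burst", "10"}
-err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
+err = dropUnmarkedTrafficRules(pod.name, pod.namespace, podFwChainName)
 if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
-}
-
-// add default DROP rule at the end of chain
-comment = "default rule to REJECT traffic destined for POD name:" + pod.name + " namespace: " + pod.namespace
-args = []string{"-m", "comment", "--comment", comment, "-j", "REJECT"}
-err = iptablesCmdHandler.AppendUnique("filter", podFwChainName, args...)
-if err != nil {
-return nil, fmt.Errorf("Failed to run iptables command: %s", err.Error())
+return nil, err
 }
 }
 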
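Review bot: The mark reset in dropUnmarkedTrafficRules, `args = []string{"-j", "MARK", "--set-mark", "0"}`, zeroes the entire fwmark rather than only the bit this controller owns, so any mark set earlier in the traversal by another component is lost at the end of every pod firewall chain; `args = []string{"-j", "MARK", "--set-xmark", "0x0/0x10000"}` clears just the policy bit, consistent with the `--set-xmark 0x10000/0x10000` used in appendRuleToPolicyChain. The chain also never clears that bit on entry, so a packet that already carries 0x10000 when it reaches the pod chain would skip both the NFLOG and REJECT rules — presumably only possible if some other rule sets that bit, but a clearing rule at the top of the chain would make the REJECT independent of that assumption. In appendRuleToPolicyChain, `markArgs` and `returnArgs` are both built with `append(args, ...)` and may share args' backing array; markArgs has been consumed by the time returnArgs is built, so this is harmless today, but `append(args[:len(args):len(args)], ...)` for both keeps it that way if the order ever changes. The closure assigns to the enclosing function's `err` (`err = iptablesCmdHandler.AppendUnique(...)`) instead of declaring its own, which leaks a side effect into syncPodFirewallChains; `err := ...` on the first call inside the closure avoids it. Both enclosing functions start and end outside these hunks.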