From 1589c2ac5c282c193f368cf9f344bf7bcaebe5f0 Mon Sep 17 00:00:00 2001 From: Hongliang Liu Date: Thu, 22 Aug 2024 19:29:23 +0800 Subject: [PATCH] Add `EnableLogging` and `LogLabel` supports for Node NetworkPolicy Signed-off-by: Hongliang Liu --- docs/antrea-node-network-policy.md | 40 +++++ .../networkpolicy/node_reconciler_linux.go | 98 ++++++++--- .../node_reconciler_linux_test.go | 162 ++++++++++++++---- pkg/agent/types/networkpolicy.go | 2 +- pkg/agent/util/iptables/builder.go | 9 + pkg/agent/util/iptables/builder_test.go | 12 ++ pkg/agent/util/iptables/iptables.go | 2 + pkg/controller/networkpolicy/validate.go | 13 -- pkg/controller/networkpolicy/validate_test.go | 32 ---- 9 files changed, 270 insertions(+), 100 deletions(-) diff --git a/docs/antrea-node-network-policy.md b/docs/antrea-node-network-policy.md index 8f79d0e6c39..0a929b062be 100644 --- a/docs/antrea-node-network-policy.md +++ b/docs/antrea-node-network-policy.md @@ -66,11 +66,15 @@ spec: ports: - protocol: TCP port: 80 + enableLogging: true + logLabel: allow-http - name: drop-other action: Drop ports: - protocol: TCP port: 80 + enableLogging: true + logLabel: default-drop-others ``` An example Node NetworkPolicy that blocks egress traffic from Nodes with label 
@@ -105,6 +109,42 @@ spec: port: 22 ``` +### Logs + +The `enableLogging` and `logLabel` options provide limited support for Node NetworkPolicies. Since Node NetworkPolicies +are implemented using iptables, enabling `enableLogging` causes the Linux kernel to log information about all matching +packets via the kernel log. However, Antrea cannot process these logs directly. Instead, these logs can be accessed +through syslog, allowing you to filter and direct them to specific files using syslog syntax. + +For example, consider the Node NetworkPolicy `restrict-http-to-node` above: + +```text +Sep 2 10:31:07 k8s-node-control-plane kernel: [6657320.789675] Antrea:In:Allow:allow-http IN=ens224 OUT= MAC=00:50:56:a7:fb:18:00:50:56:a7:23:47:08:00 SRC=10.10.0.10 DST=192.168.240.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=52813 DF PROTO=TCP SPT=57658 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 +Sep 2 10:31:11 k8s-node-control-plane kernel: [6657324.899219] Antrea:In:Drop:default-drop- IN=ens224 OUT= MAC=00:50:56:a7:fb:18:00:50:56:a7:23:47:08:00 SRC=192.168.240.201 DST=192.168.240.200 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=27486 DF PROTO=TCP SPT=33152 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 +``` + +In these logs, `Antrea:In:Allow:allow-http` and `Antrea:In:Drop:default-drop-` and the subsequent space are prefixes added +by iptables using the `--log-prefix` parameter. The last letter of the prefix should be a space to prevent the prefix +from being linked with the subsequent log data, e.g., `Antrea:In:Allow:allow-httpIN=ens224`. The iptables log prefix is +limited to 29 characters, as described in the [iptables-extensions manual](https://ipset.netfilter.org/iptables-extensions.man.html). + +The prefix format always includes `Antrea:[In|Out]:[Allow|Drop|Reject]`, followed by the user-defined `logLabel` (if it +is not empty). 
Due to the length restriction, any part that exceeds the 28-character limit (the last letter should be a +space) will be truncated, as seen with `default-drop-others` being shortened to `default-drop-`. + +To filter these logs using rsyslog, you can use the following configuration syntax on every Node: + +```bash +# Example rsyslog configuration to filter Antrea logs +:msg, contains, "Antrea:In:Allow:allow-http" /var/log/antrea-node-netpol-allow.log +:msg, contains, "Antrea:In:Drop:default-drop" /var/logantrea-node-netpol-drop.log +& stop +``` + +This configuration directs logs with the prefix `Antrea:In:Allow:` to `/var/log/antrea-node-netpol-allow.log` and logs +with the prefix `Antrea:In:Drop:` to `/var/logantrea-node-netpol-drop.log`. The & stop command ensures that these logs +are not processed further. + ## Limitations - This feature is currently only supported for Linux Nodes. diff --git a/pkg/agent/controller/networkpolicy/node_reconciler_linux.go b/pkg/agent/controller/networkpolicy/node_reconciler_linux.go index f3c2d3982ee..ffaee8614d3 100644 --- a/pkg/agent/controller/networkpolicy/node_reconciler_linux.go +++ b/pkg/agent/controller/networkpolicy/node_reconciler_linux.go @@ -43,6 +43,10 @@ const ( ipv6Any = "::/0" ) +// The logging of Node NetworkPolicy is implemented by iptables target LOG, which turns on kernel logging of matching +// packets. The default label is useful for distinguishing Node Network logs. +const commonLogLabel = "Antrea" + var ipsetTypeHashIP = ipset.HashIP /* @@ -124,7 +128,7 @@ directly. type coreIPTRule struct { ruleID string priority *types.Priority - ruleStr string + ruleStrs []string } type chainKey struct { 
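Review bot: The doc comment on `commonLogLabel` in the `@@ -43,6 +43,10 @@` hunk says "Node Network logs", which reads as a typo for "Node NetworkPolicy logs", and it does not tell the reader how the constant is used. Since it becomes the first segment of every generated log prefix, I would state the shape there: `// commonLogLabel is the first segment of every iptables --log-prefix generated for Node NetworkPolicy rules; the full prefix is "Antrea:<direction>:<action>[:<logLabel>] " (see generateLogLabel).` The `ruleStrs` field of `coreIPTRule` in the `@@ -124,7 +128,7 @@` hunk would also benefit from a one-line comment noting that it may hold a LOG rule immediately followed by the core rule, which is why the single-string form was replaced.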
@@ -256,7 +260,7 @@ func (r *nodeReconciler) batchAdd(rules []*CompletedRule) error { } // Collect all core iptables rules. - coreIPTRule := &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule} + coreIPTRule := &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules} if rule.Direction == v1beta2.DirectionIn { ingressCoreIPTRules[ipProtocol] = append(ingressCoreIPTRules[ipProtocol], coreIPTRule) } else { @@ -322,6 +326,8 @@ func (r *nodeReconciler) GetRuleByFlowID(ruleFlowID uint32) (*types.PolicyRule, func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Protocol]*types.NodePolicyRule, *nodePolicyLastRealized) { ruleID := rule.ID + enableLogging := rule.EnableLogging + logLabel := generateLogLabel(rule) lastRealized := newNodePolicyLastRealized() priority := &types.Priority{ TierPriority: *rule.TierPriority, @@ -362,7 +368,12 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot var serviceIPTRules []string if serviceIPTChain != "" { - serviceIPTRules = buildServiceIPTRules(ipProtocol, rule.Services, serviceIPTChain, serviceIPTRuleTarget) + serviceIPTRules = buildServiceIPTRules(ipProtocol, + rule.Services, + serviceIPTChain, + serviceIPTRuleTarget, + enableLogging, + logLabel) } ipnets := getIPNetsFromRule(rule, isIPv6) 
@@ -383,14 +394,19 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot lastRealized.ipnets[ipProtocol] = ipnet } - coreIPTRule := buildCoreIPTRule(ipProtocol, + coreIPTRules := buildCoreIPTRules(ipProtocol, coreIPTChain, ipset, ipnet, coreIPTRuleTarget, coreIPTRuleComment, service, - rule.Direction == v1beta2.DirectionIn) + rule.Direction == v1beta2.DirectionIn, + // If the target of a core iptables rule is not a service chain, the iptables rule for logging should be + // generated along with the core iptables rule. Otherwise, the iptables rules for logging should be generated + // along with the service iptables rules. + enableLogging && serviceIPTChain == "", + logLabel) nodePolicyRules[ipProtocol] = &types.NodePolicyRule{ IPSet: ipset, @@ -399,7 +415,7 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot ServiceIPTChain: serviceIPTChain, ServiceIPTRules: serviceIPTRules, CoreIPTChain: coreIPTChain, - CoreIPTRule: coreIPTRule, + CoreIPTRules: coreIPTRules, IsIPv6: isIPv6, } } @@ -422,7 +438,7 @@ func (r *nodeReconciler) add(rule *CompletedRule) error { return err } } - if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, false, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}); err != nil { + if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, false, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}); err != nil { return err } } @@ -453,7 +469,7 @@ func (r *nodeReconciler) update(lastRealized *nodePolicyLastRealized, newRule *C } } if prevIPSet != ipset || prevIPNet != ipnet { - if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, true, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}); err != nil { + if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, true, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}); err != nil { return err } } 
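Review bot: The two-line explanation inside the `buildCoreIPTRules` call in the `@@ -383,14 +394,19 @@` hunk sits in the middle of the argument list, between `rule.Direction == v1beta2.DirectionIn` and `enableLogging && serviceIPTChain == ""`, which makes the call hard to scan and the condition easy to miss. I would hoist it into a named local above the call, `// Log at the core rule only when it is the terminal rule; when traffic is dispatched to a service chain, the service rules carry the LOG rules instead.` followed by `logAtCoreRule := enableLogging && serviceIPTChain == ""`, and pass `logAtCoreRule` in the argument list. `computeIPTRules` starts and ends outside this hunk.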
@@ -496,9 +512,7 @@ func (r *nodeReconciler) addOrUpdateCoreIPTRules(chain string, isIPv6 bool, isUp // Get all iptables rules and synchronize them. var ruleStrs []string for _, rule := range rules { - if rule.ruleStr != "" { - ruleStrs = append(ruleStrs, rule.ruleStr) - } + ruleStrs = append(ruleStrs, rule.ruleStrs...) } if err := r.routeClient.AddOrUpdateNodeNetworkPolicyIPTables([]string{chain}, [][]string{ruleStrs}, isIPv6); err != nil { return err @@ -533,7 +547,7 @@ func (r *nodeReconciler) deleteCoreIPTRule(ruleID string, iptChain string, isIPv // Get all the iptables rules and synchronize them. var ruleStrs []string for _, r := range rules { - ruleStrs = append(ruleStrs, r.ruleStr) + ruleStrs = append(ruleStrs, r.ruleStrs...) } if err := r.routeClient.AddOrUpdateNodeNetworkPolicyIPTables([]string{iptChain}, [][]string{ruleStrs}, isIPv6); err != nil { return err @@ -614,23 +628,26 @@ func getIPNetsFromRule(rule *CompletedRule, isIPv6 bool) sets.Set[string] { return set } -func buildCoreIPTRule(ipProtocol iptables.Protocol, +func buildCoreIPTRules(ipProtocol iptables.Protocol, iptChain string, ipset string, ipnet string, iptRuleTarget string, iptRuleComment string, service *v1beta2.Service, - isIngress bool) string { + isIngress bool, + enableLogging bool, + logLabel string) []string { builder := iptables.NewRuleBuilder(iptChain) + var rules []string if isIngress { if ipset != "" { builder = builder.MatchIPSetSrc(ipset, ipsetTypeHashIP) } else if ipnet != "" { builder = builder.MatchCIDRSrc(ipnet) } else { - // If no source IP address is matched, return an empty string since the core iptables will never be matched. - return "" + // If no source IP address is matched, return an empty slice since the core iptables will never be matched. + return rules } } else { if ipset != "" { 
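Review bot: In the `@@ -614,23 +628,26 @@` hunk `buildCoreIPTRules` now takes ten positional parameters, two of them booleans (`isIngress`, `enableLogging`) next to free-form strings (`iptRuleComment`, `logLabel`), so a swapped argument at a call site compiles silently. Since `generateLogLabel` returns an empty string whenever logging is disabled, `enableLogging` is redundant with `logLabel != ""`; dropping the bool and having the `computeIPTRules` call site pass an empty label when a service chain exists would shrink the signature, if that convention is acceptable to the maintainers. The renamed function also has no doc comment; I would add `// buildCoreIPTRules returns the core iptables rule for the policy rule, preceded by a LOG rule when enableLogging is set. It returns an empty slice when no source (ingress) or destination (egress) address is matched.` The function body continues past the end of the hunk.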
@@ -638,8 +655,8 @@ func buildCoreIPTRule(ipProtocol iptables.Protocol, } else if ipnet != "" { builder = builder.MatchCIDRDst(ipnet) } else { - // If no destination IP address is matched, return an empty string since the core iptables will never be matched. - return "" + // If no destination IP address is matched, return an empty slice since the core iptables will never be matched. + return rules } } if service != nil { @@ -657,13 +674,26 @@ func buildCoreIPTRule(ipProtocol iptables.Protocol, builder = builder.MatchICMP(service.ICMPType, service.ICMPCode, ipProtocol) } } - return builder.SetTarget(iptRuleTarget). + if enableLogging { + rules = append(rules, builder.CopyBuilder(). + SetTarget(iptables.LOGTarget). + SetLogPrefix(logLabel). + Done(). + GetRule()) + } + rules = append(rules, builder.SetTarget(iptRuleTarget). SetComment(iptRuleComment). Done(). - GetRule() + GetRule()) + return rules } -func buildServiceIPTRules(ipProtocol iptables.Protocol, services []v1beta2.Service, chain string, ruleTarget string) []string { +func buildServiceIPTRules(ipProtocol iptables.Protocol, + services []v1beta2.Service, + chain string, + ruleTarget string, + enableLogging bool, + logLabel string) []string { var rules []string builder := iptables.NewRuleBuilder(chain) for _, svc := range services { @@ -681,6 +711,13 @@ func buildServiceIPTRules(ipProtocol iptables.Protocol, services []v1beta2.Servi case "icmp": copiedBuilder = copiedBuilder.MatchICMP(svc.ICMPType, svc.ICMPCode, ipProtocol) } + if enableLogging { + rules = append(rules, copiedBuilder.CopyBuilder(). + SetTarget(iptables.LOGTarget). + SetLogPrefix(logLabel). + Done(). + GetRule()) + } rules = append(rules, copiedBuilder.SetTarget(ruleTarget). Done(). GetRule()) 
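Review bot: The LOG rules emitted in the `@@ -657,13 +674,26 @@` and `@@ -681,6 +711,13 @@` hunks have no rate limiting, so a core or service rule that matches a high-rate flow produces one kernel log line per packet, which can saturate the kernel ring buffer and the syslog destination; unless the route client adds a limit match elsewhere (not visible here), the docs should at least state this, and an `-m limit` match on the LOG rule is the usual mitigation if the builder can express it. The core LOG rule also lacks the `-m comment` that the core rule right after it carries, so `iptables -S` output cannot attribute the LOG line to its policy rule; adding `SetComment(iptRuleComment)` to the LOG builder chain keeps the pair attributable and consistent. The same five-line LOG emission now appears twice (core and service); a small helper that takes the copied builder and the label and returns the rule string would remove the duplication. `buildCoreIPTRules` begins before the first hunk and `buildServiceIPTRules` ends after the second.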
@@ -707,3 +744,22 @@ func getServiceTransProtocol(protocol *v1beta2.Protocol) string { } return strings.ToLower(string(*protocol)) } + +func generateLogLabel(rule *CompletedRule) string { + if rule.EnableLogging == false { + return "" + } + logLabel := fmt.Sprintf("%s:%s:%s", commonLogLabel, rule.Direction, *rule.Action) + if rule.LogLabel != "" { + logLabel = fmt.Sprintf("%s:%s", logLabel, rule.LogLabel) + } + // The log label is used as iptables log prefix. According to https://ipset.netfilter.org/iptables-extensions.man.html, + // the prefix is up to 29 letters long. + if len(logLabel) > 28 { + klog.InfoS("The log label is up to 29 letters long, and the part of more than 29 letters will be ignored", "logLabel", logLabel) + logLabel = logLabel[:28] + } + // The last letter must be a space. + logLabel += " " + return logLabel +} diff --git a/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go b/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go index 08428520c7a..3b57f1ca1fe 100644 --- a/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go +++ b/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go @@ -86,6 +86,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority1, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress1", }, FromAddresses: dualAddressGroup1, ToAddresses: nil, @@ -102,6 +104,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress2", }, FromAddresses: dualAddressGroup1, ToAddresses: nil, @@ -119,6 +123,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: nil, ToAddresses: nil, @@ -136,6 +142,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup1, ToAddresses: nil, 
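Review bot: `generateLogLabel` appends a trailing space to every prefix, but the expected strings updated in node_reconciler_linux_test.go (for example `--log-prefix "Antrea:In:Allow:ingress1"` in `TestNodeReconcilerReconcileAndForget`) have no trailing space while the truncated `"Antrea:Out:Allow:egress2:tes "` keeps it; unless `SetLogPrefix` in builder.go (outside this chunk) trims untruncated prefixes, either the code or those expectations is wrong. `rule.LogLabel` is user-supplied policy content that lands inside the quoted `--log-prefix "…"` argument, so if the CRD validation (validate.go is changed by this commit but not shown here) does not restrict it to a safe character set, a quote or backslash in the label can break the generated rule; rejecting such characters here, and truncating by rune rather than `logLabel[:28]` bytes, would make the prefix robust. Minor: `if rule.EnableLogging == false` is written `if !rule.EnableLogging` in Go, and the klog message says 29 while the cut is at 28 plus the space, so `"The log prefix is limited to 29 characters including the trailing space; the label will be truncated"` describes it more accurately. `*rule.Action` is dereferenced without a nil check; if Action can be unset on a Node NetworkPolicy rule, which is not visible here, this panics.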
@@ -152,6 +160,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup2, ToAddresses: nil, @@ -168,6 +178,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup2.Union(addressGroup1), ToAddresses: nil, @@ -184,6 +196,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup2.Union(v1beta2.NewGroupMemberSet(newAddressGroupMember("1.1.1.3"))), ToAddresses: nil, @@ -200,6 +214,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: nil, ToAddresses: nil, @@ -216,6 +232,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority1, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "egress1", }, ToAddresses: dualAddressGroup1, FromAddresses: nil, @@ -232,6 +250,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "egress2:test_log_label", }, ToAddresses: dualAddressGroup1, FromAddresses: nil, 
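Review bot: Every fixture in the node_reconciler_linux_test.go hunks up to `@@ -232,6 +250,8 @@` now sets `EnableLogging: true`, so the tables no longer exercise a rule with logging disabled, where no LOG rule must be emitted and `generateLogLabel` must return an empty string. The only truncation input is `egress2:test_log_label`, which exercises the over-limit path but not the boundary; a direct table test for `generateLogLabel` covering disabled logging, an empty `LogLabel`, a prefix of exactly 28 characters and one of 29 would pin the limit, and one reconcile fixture with `EnableLogging: false` would keep the non-logging path covered.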
@@ -252,14 +272,16 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls func(mockRouteClient *routetest.MockInterfaceMockRecorder) }{ { - name: "IPv4, add an ingress rule, then forget it", + name: "IPv4, add an ingress rule, update it, then forget it", ipv4Enabled: true, ipv6Enabled: false, expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules := [][]string{ @@ -288,8 +310,10 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules := [][]string{ { - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules := [][]string{ 
@@ -316,8 +340,10 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRulesIPv4 := [][]string{ @@ -357,8 +383,10 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules1 := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules1 := [][]string{ 
@@ -369,19 +397,23 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { coreRules2 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDeleted3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -416,36 +448,45 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { coreRules3 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules2 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } serviceRules1 := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules1 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy 
AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete1 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -476,36 +517,44 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { coreRules2 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } serviceRules1 := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules1 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, + `-A 
ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete2 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete1 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -537,21 +586,25 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { coreRules1 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules2 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules3 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.2/32 -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.2/32 -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules4 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE3-4 src -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE3-4 src -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -667,6 +720,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -675,12 +729,15 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } svcRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } updatedCoreRules := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -711,6 +768,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-6 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -719,8 +777,10 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } svcRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } updatedCoreRules := [][]string{ 
@@ -754,12 +814,14 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { ipv4CoreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } ipv6CoreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-6 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -768,18 +830,22 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } ipv4SvcRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } ipv6SvcRules := ipv4SvcRules updatedIPv4CoreRules := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } updatedIPv6CoreRules := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -816,6 +882,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`, `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -824,12 +891,15 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 svcRules := [][]string{
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 updatedCoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -858,6 +928,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 coreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -866,12 +937,15 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 svcRules := [][]string{
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 updatedCoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -901,12 +975,14 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 ipv4CoreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 ipv6CoreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -915,18 +991,22 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 ipv4SvcRules := [][]string{
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 ipv6SvcRules := ipv4SvcRules
 updatedIPv4CoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedIPv6CoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -961,12 +1041,16 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 svcRules := [][]string{
 {
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 ingressCoreChains := []string{"ANTREA-POL-INGRESS-RULES"}
@@ -974,22 +1058,26 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 ingressCoreRules := [][]string{
 {
 `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 egressCoreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedIngressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedEgressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -1026,12 +1114,16 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 svcRules := [][]string{
 {
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 ingressCoreChains := []string{"ANTREA-POL-INGRESS-RULES"}
@@ -1039,22 +1131,26 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 ingressCoreRules := [][]string{
 {
 `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-6 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 egressCoreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedIngressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedEgressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:tes "`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go
index 483c70de108..35116708239 100644
--- a/pkg/agent/types/networkpolicy.go
+++ b/pkg/agent/types/networkpolicy.go
@@ -84,7 +84,7 @@ type NodePolicyRule struct {
 ServiceIPTChain string
 ServiceIPTRules []string
 CoreIPTChain string
- CoreIPTRule string
+ CoreIPTRules []string
 IsIPv6 bool
 }
diff --git a/pkg/agent/util/iptables/builder.go b/pkg/agent/util/iptables/builder.go
index f247ed5d250..f9b49880f05 100644
--- a/pkg/agent/util/iptables/builder.go
+++ b/pkg/agent/util/iptables/builder.go
@@ -69,6 +69,15 @@ func (b *iptablesRuleBuilder) MatchCIDRDst(cidr string) IPTablesRuleBuilder {
 return b
 }
+func (b *iptablesRuleBuilder) SetLogPrefix(prefix string) IPTablesRuleBuilder {
+ if prefix == "" {
+ return b
+ }
+ matchStr := fmt.Sprintf("--log-prefix \"%s\"", prefix)
+ b.writeSpec(matchStr)
+ return b
+}
+
 func (b *iptablesRuleBuilder) MatchIPSetSrc(ipsetName string, ipsetType ipset.SetType) IPTablesRuleBuilder {
 if ipsetName == "" {
 return b
diff --git a/pkg/agent/util/iptables/builder_test.go b/pkg/agent/util/iptables/builder_test.go
index c03fc94d949..f81f853769b 100644
--- a/pkg/agent/util/iptables/builder_test.go
+++ b/pkg/agent/util/iptables/builder_test.go
@@ -103,6 +103,18 @@ func TestBuilders(t *testing.T) {
 },
 expected: `-A FORWARD -i eth0 -p icmp --icmp-type 0/0 -j ACCEPT`,
 },
+ {
+ name: "Accept ICMP IPv4 with logging",
+ chain: ForwardChain,
+ buildFunc: func(builder IPTablesRuleBuilder) IPTablesRule {
+ return builder.MatchInputInterface(eth0). MatchICMP(&icmpType0, &icmpCode0, ProtocolIPv4). SetTarget(LOGTarget). SetLogPrefix("Accept ICMP IPv4"). Done()
+ },
+ expected: `-A FORWARD -i eth0 -p icmp --icmp-type 0/0 -j LOG --log-prefix "Accept ICMP IPv4"`,
+ },
 {
 name: "Accept ICMP IPv6",
 chain: ForwardChain,
diff --git a/pkg/agent/util/iptables/iptables.go b/pkg/agent/util/iptables/iptables.go
index 1dec9529d97..e5612c83765 100644
--- a/pkg/agent/util/iptables/iptables.go
+++ b/pkg/agent/util/iptables/iptables.go
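Review bot: `CoreIPTRules []string` replaces a single rule with an ordered list, but the field has no doc comment, and the order now carries meaning: the reconciler test expectations in this change list the LOG rule before the terminating ACCEPT rule it pairs with, so a consumer that reorders or deduplicates the slice would change logging behaviour. Suggest `// CoreIPTRules are the iptables rules appended to CoreIPTChain for this rule, in installation order; when logging is enabled a LOG rule precedes the action rule.` NodePolicyRule's definition starts outside this hunk.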
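Review bot: `SetLogPrefix` interpolates `prefix` verbatim into `--log-prefix \"%s\"`, so a `"` or backslash in the value would terminate the quoted argument and break the rule text handed to iptables-restore, and nothing here bounds the prefix to the 29-character limit the docs in this change cite; correctness rests entirely on whoever derives the prefix from the user-supplied logLabel, unless the CRD schema already constrains that field. Either escape the value here or state the contract in a doc comment such as `// SetLogPrefix appends --log-prefix to a LOG rule; prefix must already be validated (at most 29 bytes, no '"' or '\') and is only meaningful after SetTarget(LOGTarget).` The silent `prefix == ""` return is also worth a word in that comment, since a caller that requested logging but passed an empty prefix will get a LOG rule with no marker at all.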
@@ -49,6 +49,7 @@ const (
 DNATTarget = "DNAT"
 RejectTarget = "REJECT"
 NotrackTarget = "NOTRACK"
+ LOGTarget = "LOG"
 PreRoutingChain = "PREROUTING"
 InputChain = "INPUT"
@@ -133,6 +134,7 @@ type IPTablesRuleBuilder interface {
 MatchEstablishedOrRelated() IPTablesRuleBuilder
 MatchInputInterface(interfaceName string) IPTablesRuleBuilder
 MatchOutputInterface(interfaceName string) IPTablesRuleBuilder
+ SetLogPrefix(prefix string) IPTablesRuleBuilder
 SetTarget(target string) IPTablesRuleBuilder
 SetTargetDNATToDst(dnatIP string, dnatPort *int32) IPTablesRuleBuilder
 SetComment(comment string) IPTablesRuleBuilder
diff --git a/pkg/controller/networkpolicy/validate.go b/pkg/controller/networkpolicy/validate.go
index e0bda05924b..aed6aad08c5 100644
--- a/pkg/controller/networkpolicy/validate.go
+++ b/pkg/controller/networkpolicy/validate.go
@@ -599,7 +599,6 @@ func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1beta1.R
 appliedToEgressRule = 2
 )
- appliedToNode := false
 checkAppliedTo := func(appliedTo []crdv1beta1.AppliedTo, appliedToScope int) (string, bool) {
 appliedToSvcNum := 0
 for _, eachAppliedTo := range appliedTo {
@@ -607,12 +606,6 @@ func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1beta1.R
 if eachAppliedTo.Group != "" && appliedToFieldsNum > 1 {
 return "group cannot be set with other peers in appliedTo", false
 }
- if eachAppliedTo.NodeSelector != nil {
- if appliedToFieldsNum > 1 {
- return "nodeSelector cannot be set with other peers in appliedTo", false
- }
- appliedToNode = true
- }
 if eachAppliedTo.ServiceAccount != nil && appliedToFieldsNum > 1 {
 return "serviceAccount cannot be set with other peers in appliedTo", false
 }
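Review bot: The new `SetLogPrefix` method on the `IPTablesRuleBuilder` interface documents neither its ordering constraint nor its coupling to `LOGTarget`: iptables accepts target options such as `--log-prefix` only once the target has been named, so a chain must call `SetTarget(LOGTarget)` before `SetLogPrefix`, which is what the builder_test case in this change does but nothing in the interface says. A one-line comment, `// SetLogPrefix adds --log-prefix to a LOG rule; call it after SetTarget(LOGTarget).`, would make the contract explicit to the next caller. The interface definition starts before this hunk.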
@@ -640,24 +633,18 @@ func (v *antreaPolicyValidator) validateAppliedTo(ingress, egress []crdv1beta1.R
 return reason, allowed
 }
- enableLogging := false
 for _, eachIngress := range ingress {
- enableLogging = enableLogging || eachIngress.EnableLogging
 reason, allowed = checkAppliedTo(eachIngress.AppliedTo, appliedToIngressRule)
 if !allowed {
 return reason, allowed
 }
 }
 for _, eachEgress := range egress {
- enableLogging = enableLogging || eachEgress.EnableLogging
 reason, allowed = checkAppliedTo(eachEgress.AppliedTo, appliedToEgressRule)
 if !allowed {
 return reason, allowed
 }
 }
- if enableLogging && appliedToNode {
- return "traffic logging for NodeNetworkPolicy is not supported", false
- }
 return "", true
 }
diff --git a/pkg/controller/networkpolicy/validate_test.go b/pkg/controller/networkpolicy/validate_test.go
index 94d8bbe8cc3..4461e08b8a2 100644
--- a/pkg/controller/networkpolicy/validate_test.go
+++ b/pkg/controller/networkpolicy/validate_test.go
@@ -525,38 +525,6 @@ func TestValidateAntreaClusterNetworkPolicy(t *testing.T) {
 operation: admv1.Create,
 expectedReason: "",
 },
- {
- name: "acnp-appliedto-node-with-logging",
- policy: &crdv1beta1.ClusterNetworkPolicy{
- ObjectMeta: metav1.ObjectMeta{
- Name: "acnp-appliedto-node-with-logging",
- },
- Spec: crdv1beta1.ClusterNetworkPolicySpec{
- AppliedTo: []crdv1beta1.AppliedTo{
- {
- NodeSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{"foo2": "bar2"},
- },
- },
- },
- Ingress: []crdv1beta1.Rule{
- {
- Action: &allowAction,
- From: []crdv1beta1.NetworkPolicyPeer{
- {
- NodeSelector: &metav1.LabelSelector{
- MatchLabels: map[string]string{"foo1": "bar1"},
- },
- },
- },
- EnableLogging: true,
- },
- },
- },
- },
- operation: admv1.Create,
- expectedReason: "traffic logging for NodeNetworkPolicy is not supported",
- },
 {
 name: "acnp-rule-group-set-with-psel",
 policy: &crdv1beta1.ClusterNetworkPolicy{
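Review bot: With the `traffic logging for NodeNetworkPolicy is not supported` rejection removed here (and its `appliedToNode` bookkeeping dropped in the two earlier hunks of this file), the webhook no longer says anything about logging on Node policies, yet the docs in this change show that a logLabel is silently truncated to fit the 29-character iptables prefix (`default-drop-others` surfaces as `default-drop-`), so two labels that share a prefix become indistinguishable in the kernel log. Consider computing the effective prefix length for rules that apply to Nodes and returning a reason, or at least an admission warning, when the label would be cut. It is also worth confirming that the CRD schema constrains logLabel's character set, since the iptables builder in this change embeds it verbatim into the rule text. validateAppliedTo starts outside this hunk.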