incusd/network/acl: Add allow-stateless action

Signed-off-by: Yueyuanmei Zhang <yymzhang@cs.utexas.edu>
lxc · May 1, 2024 · 6d59afb · 6d59afb
1 parent 80d219e
commit 6d59afb
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/internal/server/network/acl/acl_firewall.go b/internal/server/network/acl/acl_firewall.go
@@ -17,6 +17,7 @@ func FirewallApplyACLRules(s *state.State, logger logger.Logger, aclProjectName
 	var dropRules []firewallDrivers.ACLRule
 	var rejectRules []firewallDrivers.ACLRule
 	var allowRules []firewallDrivers.ACLRule
+	var allowStatelessRules []firewallDrivers.ACLRule
 
 	// convertACLRules converts the ACL rules to Firewall ACL rules.
 	convertACLRules := func(direction string, logPrefix string, rules ...api.NetworkACLRule) error {
@@ -50,6 +51,8 @@ func FirewallApplyACLRules(s *state.State, logger logger.Logger, aclProjectName
 				rejectRules = append(rejectRules, firewallACLRule)
 			case rule.Action == "allow":
 				allowRules = append(allowRules, firewallACLRule)
+			case rule.Action == "allow-stateless": // TODO: add NOTRACK support
+				allowStatelessRules = append(allowStatelessRules, firewallACLRule)
 			default:
 				return fmt.Errorf("Unrecognised action %q", rule.Action)
 			}
@@ -90,6 +93,7 @@ func FirewallApplyACLRules(s *state.State, logger logger.Logger, aclProjectName
 	rules = append(rules, dropRules...)
 	rules = append(rules, rejectRules...)
 	rules = append(rules, allowRules...)
+	rules = append(rules, allowStatelessRules...)
 
 	// Add the automatic default ACL rule for the network.
 	egressAction, egressLogged := firewallACLDefaults(aclNet.Config, "egress")

diff --git a/internal/server/network/acl/acl_ovn.go b/internal/server/network/acl/acl_ovn.go
@@ -440,7 +440,10 @@ func ovnRuleCriteriaToOVNACLRule(direction string, rule *api.NetworkACLRule, por
 	// Populate Action and Priority based on rule's Action.
 	switch rule.Action {
 	case "allow":
-		portGroupRule.Action = "allow-related" // TODO add stateless support.
+		portGroupRule.Action = "allow-related"
+		portGroupRule.Priority = ovnACLPriorityPortGroupAllow
+	case "allow-stateless":
+		portGroupRule.Action = "allow-stateless"
 		portGroupRule.Priority = ovnACLPriorityPortGroupAllow
 	case "reject":
 		portGroupRule.Action = "reject"

diff --git a/internal/server/network/acl/driver_common.go b/internal/server/network/acl/driver_common.go
@@ -48,7 +48,7 @@ var ruleSubjectInternalAliases = []string{ruleSubjectInternal, "#internal"}
 var ruleSubjectExternalAliases = []string{ruleSubjectExternal, "#external"}
 
 // ValidActions defines valid actions for rules.
-var ValidActions = []string{"allow", "drop", "reject"}
+var ValidActions = []string{"allow", "allow-stateless", "drop", "reject"}
 
 // common represents a Network ACL.
 type common struct {