Add EnableLogging and LogLabel supports for Node NetworkPolicy

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
antrea-io · Aug 29, 2024 · 82bc18c · 82bc18c
1 parent 5c0798c
commit 82bc18c
Show file tree

Hide file tree

Showing 6 changed files with 228 additions and 55 deletions.
diff --git a/pkg/agent/controller/networkpolicy/node_reconciler_linux.go b/pkg/agent/controller/networkpolicy/node_reconciler_linux.go
@@ -43,6 +43,10 @@ const (
 	ipv6Any = "::/0"
 )
 
+// The logging of Node NetworkPolicy is implemented by iptables target LOG, which turns on kernel logging of matching
+// packets. The default label is useful for distinguishing Node Network logs.
+const commonLogLabel = "Antrea"
+
 var ipsetTypeHashIP = ipset.HashIP
 
 /*
@@ -124,7 +128,7 @@ directly.
 type coreIPTRule struct {
 	ruleID   string
 	priority *types.Priority
-	ruleStr  string
+	ruleStrs []string
 }
 
 type chainKey struct {
@@ -256,7 +260,7 @@ func (r *nodeReconciler) batchAdd(rules []*CompletedRule) error {
 			}
 
 			// Collect all core iptables rules.
-			coreIPTRule := &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}
+			coreIPTRule := &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}
 			if rule.Direction == v1beta2.DirectionIn {
 				ingressCoreIPTRules[ipProtocol] = append(ingressCoreIPTRules[ipProtocol], coreIPTRule)
 			} else {
@@ -322,6 +326,8 @@ func (r *nodeReconciler) GetRuleByFlowID(ruleFlowID uint32) (*types.PolicyRule,
 
 func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Protocol]*types.NodePolicyRule, *nodePolicyLastRealized) {
 	ruleID := rule.ID
+	enableLogging := rule.EnableLogging
+	logLabel := generateLogLabel(rule)
 	lastRealized := newNodePolicyLastRealized()
 	priority := &types.Priority{
 		TierPriority:   *rule.TierPriority,
@@ -362,7 +368,12 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot
 
 		var serviceIPTRules []string
 		if serviceIPTChain != "" {
-			serviceIPTRules = buildServiceIPTRules(ipProtocol, rule.Services, serviceIPTChain, serviceIPTRuleTarget)
+			serviceIPTRules = buildServiceIPTRules(ipProtocol,
+				rule.Services,
+				serviceIPTChain,
+				serviceIPTRuleTarget,
+				enableLogging,
+				logLabel)
 		}
 
 		ipnets := getIPNetsFromRule(rule, isIPv6)
@@ -383,14 +394,19 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot
 			lastRealized.ipnets[ipProtocol] = ipnet
 		}
 
-		coreIPTRule := buildCoreIPTRule(ipProtocol,
+		coreIPTRules := buildCoreIPTRules(ipProtocol,
 			coreIPTChain,
 			ipset,
 			ipnet,
 			coreIPTRuleTarget,
 			coreIPTRuleComment,
 			service,
-			rule.Direction == v1beta2.DirectionIn)
+			rule.Direction == v1beta2.DirectionIn,
+			// If the target of a core iptables rule is not a service chain, the iptables rule for logging should be
+			// generated along with the core iptables rule. Otherwise, the iptables rules for logging should be generated
+			// along with the service iptables rules.
+			enableLogging && serviceIPTChain == "",
+			logLabel)
 
 		nodePolicyRules[ipProtocol] = &types.NodePolicyRule{
 			IPSet:           ipset,
@@ -399,7 +415,7 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot
 			ServiceIPTChain: serviceIPTChain,
 			ServiceIPTRules: serviceIPTRules,
 			CoreIPTChain:    coreIPTChain,
-			CoreIPTRule:     coreIPTRule,
+			CoreIPTRules:    coreIPTRules,
 			IsIPv6:          isIPv6,
 		}
 	}
@@ -422,7 +438,7 @@ func (r *nodeReconciler) add(rule *CompletedRule) error {
 				return err
 			}
 		}
-		if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, false, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}); err != nil {
+		if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, false, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}); err != nil {
 			return err
 		}
 	}
@@ -453,7 +469,7 @@ func (r *nodeReconciler) update(lastRealized *nodePolicyLastRealized, newRule *C
 			}
 		}
 		if prevIPSet != ipset || prevIPNet != ipnet {
-			if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, true, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}); err != nil {
+			if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, true, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}); err != nil {
 				return err
 			}
 		}
@@ -496,9 +512,7 @@ func (r *nodeReconciler) addOrUpdateCoreIPTRules(chain string, isIPv6 bool, isUp
 	// Get all iptables rules and synchronize them.
 	var ruleStrs []string
 	for _, rule := range rules {
-		if rule.ruleStr != "" {
-			ruleStrs = append(ruleStrs, rule.ruleStr)
-		}
+		ruleStrs = append(ruleStrs, rule.ruleStrs...)
 	}
 	if err := r.routeClient.AddOrUpdateNodeNetworkPolicyIPTables([]string{chain}, [][]string{ruleStrs}, isIPv6); err != nil {
 		return err
@@ -533,7 +547,7 @@ func (r *nodeReconciler) deleteCoreIPTRule(ruleID string, iptChain string, isIPv
 	// Get all the iptables rules and synchronize them.
 	var ruleStrs []string
 	for _, r := range rules {
-		ruleStrs = append(ruleStrs, r.ruleStr)
+		ruleStrs = append(ruleStrs, r.ruleStrs...)
 	}
 	if err := r.routeClient.AddOrUpdateNodeNetworkPolicyIPTables([]string{iptChain}, [][]string{ruleStrs}, isIPv6); err != nil {
 		return err
@@ -614,32 +628,35 @@ func getIPNetsFromRule(rule *CompletedRule, isIPv6 bool) sets.Set[string] {
 	return set
 }
 
-func buildCoreIPTRule(ipProtocol iptables.Protocol,
+func buildCoreIPTRules(ipProtocol iptables.Protocol,
 	iptChain string,
 	ipset string,
 	ipnet string,
 	iptRuleTarget string,
 	iptRuleComment string,
 	service *v1beta2.Service,
-	isIngress bool) string {
+	isIngress bool,
+	enableLogging bool,
+	logLabel string) []string {
 	builder := iptables.NewRuleBuilder(iptChain)
+	var rules []string
 	if isIngress {
 		if ipset != "" {
 			builder = builder.MatchIPSetSrc(ipset, ipsetTypeHashIP)
 		} else if ipnet != "" {
 			builder = builder.MatchCIDRSrc(ipnet)
 		} else {
-			// If no source IP address is matched, return an empty string since the core iptables will never be matched.
-			return ""
+			// If no source IP address is matched, return an empty slice since the core iptables will never be matched.
+			return rules
 		}
 	} else {
 		if ipset != "" {
 			builder = builder.MatchIPSetDst(ipset, ipsetTypeHashIP)
 		} else if ipnet != "" {
 			builder = builder.MatchCIDRDst(ipnet)
 		} else {
-			// If no destination IP address is matched, return an empty string since the core iptables will never be matched.
-			return ""
+			// If no destination IP address is matched, return an empty slice since the core iptables will never be matched.
+			return rules
 		}
 	}
 	if service != nil {
@@ -657,13 +674,26 @@ func buildCoreIPTRule(ipProtocol iptables.Protocol,
 			builder = builder.MatchICMP(service.ICMPType, service.ICMPCode, ipProtocol)
 		}
 	}
-	return builder.SetTarget(iptRuleTarget).
+	if enableLogging {
+		rules = append(rules, builder.CopyBuilder().
+			SetTarget(iptables.LOGTarget).
+			SetLogPrefix(logLabel).
+			Done().
+			GetRule())
+	}
+	rules = append(rules, builder.SetTarget(iptRuleTarget).
 		SetComment(iptRuleComment).
 		Done().
-		GetRule()
+		GetRule())
+	return rules
 }
 
-func buildServiceIPTRules(ipProtocol iptables.Protocol, services []v1beta2.Service, chain string, ruleTarget string) []string {
+func buildServiceIPTRules(ipProtocol iptables.Protocol,
+	services []v1beta2.Service,
+	chain string,
+	ruleTarget string,
+	enableLogging bool,
+	logLabel string) []string {
 	var rules []string
 	builder := iptables.NewRuleBuilder(chain)
 	for _, svc := range services {
@@ -681,6 +711,13 @@ func buildServiceIPTRules(ipProtocol iptables.Protocol, services []v1beta2.Servi
 		case "icmp":
 			copiedBuilder = copiedBuilder.MatchICMP(svc.ICMPType, svc.ICMPCode, ipProtocol)
 		}
+		if enableLogging {
+			rules = append(rules, copiedBuilder.CopyBuilder().
+				SetTarget(iptables.LOGTarget).
+				SetLogPrefix(logLabel).
+				Done().
+				GetRule())
+		}
 		rules = append(rules, copiedBuilder.SetTarget(ruleTarget).
 			Done().
 			GetRule())
@@ -707,3 +744,20 @@ func getServiceTransProtocol(protocol *v1beta2.Protocol) string {
 	}
 	return strings.ToLower(string(*protocol))
 }
+
+func generateLogLabel(rule *CompletedRule) string {
+	if rule.EnableLogging == false {
+		return ""
+	}
+	logLabel := fmt.Sprintf("%s:%s:%s", commonLogLabel, rule.Direction, *rule.Action)
+	if rule.LogLabel != "" {
+		logLabel = fmt.Sprintf("%s:%s", logLabel, rule.LogLabel)
+	}
+	// The log label is used as iptables log prefix. According to https://ipset.netfilter.org/iptables-extensions.man.html,
+	// the prefix is up to 29 letters long.
+	if len(logLabel) > 29 {
+		klog.InfoS("The log label is up to 29 letters long, and the part of more than 29 letters will be ignored", "logLabel", logLabel)
+		logLabel = logLabel[:29]
+	}
+	return logLabel
+}