From 82bc18ce955ee96effda9c0d89fb4c5632e8b2b5 Mon Sep 17 00:00:00 2001
From: Hongliang Liu
Date: Thu, 22 Aug 2024 19:29:23 +0800
Subject: [PATCH] Add `EnableLogging` and `LogLabel` supports for Node NetworkPolicy
Signed-off-by: Hongliang Liu
---
 .../networkpolicy/node_reconciler_linux.go | 96 ++++++++---
 .../node_reconciler_linux_test.go | 162 ++++++++++++++----
 pkg/agent/types/networkpolicy.go | 2 +-
 pkg/agent/util/iptables/builder.go | 9 +
 pkg/agent/util/iptables/builder_test.go | 12 ++
 pkg/agent/util/iptables/iptables.go | 2 +
 6 files changed, 228 insertions(+), 55 deletions(-)
diff --git a/pkg/agent/controller/networkpolicy/node_reconciler_linux.go b/pkg/agent/controller/networkpolicy/node_reconciler_linux.go
index f3c2d3982ee..fb42d2e9e54 100644
--- a/pkg/agent/controller/networkpolicy/node_reconciler_linux.go
+++ b/pkg/agent/controller/networkpolicy/node_reconciler_linux.go
@@ -43,6 +43,10 @@ const (
 ipv6Any = "::/0"
 )
+// The logging of Node NetworkPolicy is implemented by iptables target LOG, which turns on kernel logging of matching
+// packets. The default label is useful for distinguishing Node Network logs.
+const commonLogLabel = "Antrea"
+
 var ipsetTypeHashIP = ipset.HashIP
 /*
@@ -124,7 +128,7 @@ directly.
 type coreIPTRule struct {
 ruleID string
 priority *types.Priority
- ruleStr string
+ ruleStrs []string
 }
 type chainKey struct {
@@ -256,7 +260,7 @@ func (r *nodeReconciler) batchAdd(rules []*CompletedRule) error {
 }
 // Collect all core iptables rules.
- coreIPTRule := &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}
+ coreIPTRule := &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}
 if rule.Direction == v1beta2.DirectionIn {
 ingressCoreIPTRules[ipProtocol] = append(ingressCoreIPTRules[ipProtocol], coreIPTRule)
 } else {
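Review bot: The new `ruleStrs` field of `coreIPTRule` carries an ordering invariant that the struct does not state: when logging is enabled it holds a non-terminating LOG rule followed by the terminating rule, and the slice is flushed in that order by `addOrUpdateCoreIPTRules`, so a future caller that sorts or deduplicates it would silently break logging. A field comment would pin that down, e.g. `// ruleStrs are the iptables rules realizing this core rule, in append order (an optional LOG rule first, then the terminating rule).` The comment added above `commonLogLabel` in the first hunk says "Node Network logs", presumably "Node NetworkPolicy logs". `coreIPTRule` is visible in full here; `batchAdd`, where the positional literal is built, starts and ends outside its hunk.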
@@ -322,6 +326,8 @@ func (r *nodeReconciler) GetRuleByFlowID(ruleFlowID uint32) (*types.PolicyRule,
 func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Protocol]*types.NodePolicyRule, *nodePolicyLastRealized) {
 ruleID := rule.ID
+ enableLogging := rule.EnableLogging
+ logLabel := generateLogLabel(rule)
 lastRealized := newNodePolicyLastRealized()
 priority := &types.Priority{
 TierPriority: *rule.TierPriority,
@@ -362,7 +368,12 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot
 var serviceIPTRules []string
 if serviceIPTChain != "" {
- serviceIPTRules = buildServiceIPTRules(ipProtocol, rule.Services, serviceIPTChain, serviceIPTRuleTarget)
+ serviceIPTRules = buildServiceIPTRules(ipProtocol,
+ rule.Services,
+ serviceIPTChain,
+ serviceIPTRuleTarget,
+ enableLogging,
+ logLabel)
 }
 ipnets := getIPNetsFromRule(rule, isIPv6)
@@ -383,14 +394,19 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot
 lastRealized.ipnets[ipProtocol] = ipnet
 }
- coreIPTRule := buildCoreIPTRule(ipProtocol,
+ coreIPTRules := buildCoreIPTRules(ipProtocol,
 coreIPTChain,
 ipset,
 ipnet,
 coreIPTRuleTarget,
 coreIPTRuleComment,
 service,
- rule.Direction == v1beta2.DirectionIn)
+ rule.Direction == v1beta2.DirectionIn,
+ // If the target of a core iptables rule is not a service chain, the iptables rule for logging should be
+ // generated along with the core iptables rule. Otherwise, the iptables rules for logging should be generated
+ // along with the service iptables rules.
+ enableLogging && serviceIPTChain == "",
+ logLabel)
 nodePolicyRules[ipProtocol] = &types.NodePolicyRule{
 IPSet: ipset,
@@ -399,7 +415,7 @@ func (r *nodeReconciler) computeIPTRules(rule *CompletedRule) (map[iptables.Prot
 ServiceIPTChain: serviceIPTChain,
 ServiceIPTRules: serviceIPTRules,
 CoreIPTChain: coreIPTChain,
- CoreIPTRule: coreIPTRule,
+ CoreIPTRules: coreIPTRules,
 IsIPv6: isIPv6,
 }
 }
@@ -422,7 +438,7 @@ func (r *nodeReconciler) add(rule *CompletedRule) error {
 return err
 }
 }
- if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, false, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}); err != nil {
+ if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, false, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}); err != nil {
 return err
 }
 }
@@ -453,7 +469,7 @@ func (r *nodeReconciler) update(lastRealized *nodePolicyLastRealized, newRule *C
 }
 }
 if prevIPSet != ipset || prevIPNet != ipnet {
- if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, true, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRule}); err != nil {
+ if err := r.addOrUpdateCoreIPTRules(iptRule.CoreIPTChain, iptRule.IsIPv6, true, &coreIPTRule{ruleID, iptRule.Priority, iptRule.CoreIPTRules}); err != nil {
 return err
 }
 }
@@ -496,9 +512,7 @@ func (r *nodeReconciler) addOrUpdateCoreIPTRules(chain string, isIPv6 bool, isUp
 // Get all iptables rules and synchronize them.
 var ruleStrs []string
 for _, rule := range rules {
- if rule.ruleStr != "" {
- ruleStrs = append(ruleStrs, rule.ruleStr)
- }
+ ruleStrs = append(ruleStrs, rule.ruleStrs...)
 }
 if err := r.routeClient.AddOrUpdateNodeNetworkPolicyIPTables([]string{chain}, [][]string{ruleStrs}, isIPv6); err != nil {
 return err
@@ -533,7 +547,7 @@ func (r *nodeReconciler) deleteCoreIPTRule(ruleID string, iptChain string, isIPv
 // Get all the iptables rules and synchronize them.
 var ruleStrs []string
 for _, r := range rules {
- ruleStrs = append(ruleStrs, r.ruleStr)
+ ruleStrs = append(ruleStrs, r.ruleStrs...)
 }
 if err := r.routeClient.AddOrUpdateNodeNetworkPolicyIPTables([]string{iptChain}, [][]string{ruleStrs}, isIPv6); err != nil {
 return err
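Review bot: In the `deleteCoreIPTRule` hunk the new `r.ruleStrs...` is read through a loop variable `r` that shadows the receiver `r`, which is used again two lines later for `r.routeClient`; the code is correct, but the shadowing was already a readability trap and the touched line is the moment to align the loop with the sibling `addOrUpdateCoreIPTRules` hunk, e.g. `for _, rule := range rules {` / `ruleStrs = append(ruleStrs, rule.ruleStrs...)`. Both loops could also pre-size `ruleStrs` now that each entry may contribute two strings, though that is optional. Both enclosing functions start and end outside their hunks.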
@@ -614,23 +628,26 @@ func getIPNetsFromRule(rule *CompletedRule, isIPv6 bool) sets.Set[string] {
 return set
 }
-func buildCoreIPTRule(ipProtocol iptables.Protocol,
+func buildCoreIPTRules(ipProtocol iptables.Protocol,
 iptChain string,
 ipset string,
 ipnet string,
 iptRuleTarget string,
 iptRuleComment string,
 service *v1beta2.Service,
- isIngress bool) string {
+ isIngress bool,
+ enableLogging bool,
+ logLabel string) []string {
 builder := iptables.NewRuleBuilder(iptChain)
+ var rules []string
 if isIngress {
 if ipset != "" {
 builder = builder.MatchIPSetSrc(ipset, ipsetTypeHashIP)
 } else if ipnet != "" {
 builder = builder.MatchCIDRSrc(ipnet)
 } else {
- // If no source IP address is matched, return an empty string since the core iptables will never be matched.
- return ""
+ // If no source IP address is matched, return an empty slice since the core iptables will never be matched.
+ return rules
 }
 } else {
 if ipset != "" {
@@ -638,8 +655,8 @@ func buildCoreIPTRule(ipProtocol iptables.Protocol,
 } else if ipnet != "" {
 builder = builder.MatchCIDRDst(ipnet)
 } else {
- // If no destination IP address is matched, return an empty string since the core iptables will never be matched.
- return ""
+ // If no destination IP address is matched, return an empty slice since the core iptables will never be matched.
+ return rules
 }
 }
 if service != nil {
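Review bot: `buildCoreIPTRules` has no doc comment, and its contract is now non-trivial: ten positional parameters, a nil return in the no-address branches of both hunks (the comments say "empty slice", but `rules` has not been appended to at that point), and a result whose order matters to the caller. A suggested header: `// buildCoreIPTRules returns the iptables rules realizing one core rule, in append order: an optional non-terminating LOG rule when enableLogging is set, then the terminating rule with iptRuleTarget. It returns nil when neither ipset nor ipnet is given, since such a rule can never match.` The three new parameters extend a tail of same-typed values (`bool, bool, string` after `isIngress`), which invites swapped arguments at the call in `computeIPTRules`; an options struct or at least a call-site comment per argument would make that call self-describing. The function body continues past this hunk.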
@@ -657,13 +674,26 @@ func buildCoreIPTRule(ipProtocol iptables.Protocol,
 builder = builder.MatchICMP(service.ICMPType, service.ICMPCode, ipProtocol)
 }
 }
- return builder.SetTarget(iptRuleTarget).
+ if enableLogging {
+ rules = append(rules, builder.CopyBuilder().
+ SetTarget(iptables.LOGTarget).
+ SetLogPrefix(logLabel).
+ Done().
+ GetRule())
+ }
+ rules = append(rules, builder.SetTarget(iptRuleTarget).
 SetComment(iptRuleComment).
 Done().
- GetRule()
+ GetRule())
+ return rules
 }
-func buildServiceIPTRules(ipProtocol iptables.Protocol, services []v1beta2.Service, chain string, ruleTarget string) []string {
+func buildServiceIPTRules(ipProtocol iptables.Protocol,
+ services []v1beta2.Service,
+ chain string,
+ ruleTarget string,
+ enableLogging bool,
+ logLabel string) []string {
 var rules []string
 builder := iptables.NewRuleBuilder(chain)
 for _, svc := range services {
@@ -681,6 +711,13 @@ func buildServiceIPTRules(ipProtocol iptables.Protocol, services []v1beta2.Servi
 case "icmp":
 copiedBuilder = copiedBuilder.MatchICMP(svc.ICMPType, svc.ICMPCode, ipProtocol)
 }
+ if enableLogging {
+ rules = append(rules, copiedBuilder.CopyBuilder().
+ SetTarget(iptables.LOGTarget).
+ SetLogPrefix(logLabel).
+ Done().
+ GetRule())
+ }
 rules = append(rules, copiedBuilder.SetTarget(ruleTarget).
 Done().
 GetRule())
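Review bot: The LOG rules emitted in both hunks (the tail of `buildCoreIPTRules` and the per-service loop in `buildServiceIPTRules`) carry no rate limit and no explicit `--log-level`, so enabling logging on a rule that matches a busy flow writes one kernel log line per packet, and the rate is set by whoever sends the traffic; that is a log-flooding and disk-pressure risk for the Node, not just noise. If the rule builder has, or can gain in `builder.go` (also touched by this commit), a `limit` match, the LOG rule should be built with it in front of `-j LOG`, e.g. `-m limit --limit <rate> --limit-burst <burst>` with the chosen values documented next to `commonLogLabel`. Independently, the six-line LOG-rule construction is duplicated verbatim between the two functions; a small helper taking the copied builder and `logLabel` would keep the two in step. `buildCoreIPTRules` starts outside this hunk.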
@@ -707,3 +744,20 @@ func getServiceTransProtocol(protocol *v1beta2.Protocol) string {
 }
 return strings.ToLower(string(*protocol))
 }
+
+func generateLogLabel(rule *CompletedRule) string {
+ if rule.EnableLogging == false {
+ return ""
+ }
+ logLabel := fmt.Sprintf("%s:%s:%s", commonLogLabel, rule.Direction, *rule.Action)
+ if rule.LogLabel != "" {
+ logLabel = fmt.Sprintf("%s:%s", logLabel, rule.LogLabel)
+ }
+ // The log label is used as iptables log prefix. According to https://ipset.netfilter.org/iptables-extensions.man.html,
+ // the prefix is up to 29 letters long.
+ if len(logLabel) > 29 {
+ klog.InfoS("The log label is up to 29 letters long, and the part of more than 29 letters will be ignored", "logLabel", logLabel)
+ logLabel = logLabel[:29]
+ }
+ return logLabel
+}
diff --git a/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go b/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go
index 08428520c7a..11ce1f9e242 100644
--- a/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go
+++ b/pkg/agent/controller/networkpolicy/node_reconciler_linux_test.go
@@ -86,6 +86,8 @@ var (
 PolicyPriority: &policyPriority1,
 TierPriority: &tierPriority1,
 SourceRef: &cnp1,
+ EnableLogging: true,
+ LogLabel: "ingress1",
 },
 FromAddresses: dualAddressGroup1,
 ToAddresses: nil,
@@ -102,6 +104,8 @@ var (
 PolicyPriority: &policyPriority1,
 TierPriority: &tierPriority2,
 SourceRef: &cnp1,
+ EnableLogging: true,
+ LogLabel: "ingress2",
 },
 FromAddresses: dualAddressGroup1,
 ToAddresses: nil,
@@ -119,6 +123,8 @@ var (
 PolicyPriority: &policyPriority1,
 TierPriority: &tierPriority2,
 SourceRef: &cnp1,
+ EnableLogging: true,
+ LogLabel: "ingress3",
 },
 FromAddresses: nil,
 ToAddresses: nil,
@@ -136,6 +142,8 @@ var (
 PolicyPriority: &policyPriority1,
 TierPriority: &tierPriority2,
 SourceRef: &cnp1,
+ EnableLogging: true,
+ LogLabel: "ingress3",
 },
 FromAddresses: addressGroup1,
 ToAddresses: nil,
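Review bot: `rule.LogLabel` is concatenated into the log prefix with no character check, and that prefix ends up inside the quoted `--log-prefix "..."` argument of a rule string handed to the route client as text (`AddOrUpdateNodeNetworkPolicyIPTables` in the earlier hunks); unless the label is already constrained where the policy is admitted, a `"`, whitespace or newline in it yields a malformed rule line and the sync of the whole chain can fail. A conservative allow-list applied here, with dropped characters logged, closes that regardless of upstream validation, and restricting to ASCII also keeps the later `logLabel[:29]` byte cut from splitting a multibyte character. Two smaller points on the same function: `rule.EnableLogging == false` should be `!rule.EnableLogging`, and `*rule.Action` panics if Action is ever nil for a Node NetworkPolicy rule, so a guard is worth adding unless the caller guarantees it. The `klog.InfoS` on truncation fires on every reconcile of that rule; `klog.V(2).InfoS` would keep it out of the default agent log.
```go
func generateLogLabel(rule *CompletedRule) string {
	if !rule.EnableLogging {
		return ""
	}
	// TODO(review): confirm rule.Action is always non-nil here; guard if not.
	logLabel := fmt.Sprintf("%s:%s:%s", commonLogLabel, rule.Direction, *rule.Action)
	if rule.LogLabel != "" {
		// The label becomes part of a quoted --log-prefix argument in a rule line; keep only characters
		// that can neither close the quote nor end the line. Revisit once the CRD validation of logLabel is confirmed.
		safeLabel := strings.Map(func(c rune) rune {
			switch {
			case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9', c == '_', c == '-', c == '.', c == ':':
				return c
			}
			return -1
		}, rule.LogLabel)
		if safeLabel != rule.LogLabel {
			klog.InfoS("Dropped unsupported characters from the log label", "logLabel", rule.LogLabel)
		}
		if safeLabel != "" {
			logLabel = fmt.Sprintf("%s:%s", logLabel, safeLabel)
		}
	}
	// … unchanged: 29-byte truncation of logLabel …
	return logLabel
}
```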
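Review bot: Every fixture touched in these hunks (and in the ones that follow in this file) sets `EnableLogging: true`, so the table tests no longer exercise the logging-disabled path, where `generateLogLabel` returns "" and `buildCoreIPTRules`/`buildServiceIPTRules` emit no LOG rule. Keep at least one ingress and one egress fixture without logging, or add a focused unit test for `generateLogLabel` covering disabled logging, an empty `LogLabel`, and the 29-byte cut; the cut is currently checked only indirectly through the `egress2:test_log_label` fixture. The `var (` block these hunks belong to starts before the first hunk and continues past the last.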
@@ -152,6 +160,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup2, ToAddresses: nil, @@ -168,6 +178,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup2.Union(addressGroup1), ToAddresses: nil, @@ -184,6 +196,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: addressGroup2.Union(v1beta2.NewGroupMemberSet(newAddressGroupMember("1.1.1.3"))), ToAddresses: nil, @@ -200,6 +214,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "ingress3", }, FromAddresses: nil, ToAddresses: nil, @@ -216,6 +232,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority1, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "egress1", }, ToAddresses: dualAddressGroup1, FromAddresses: nil, @@ -232,6 +250,8 @@ var ( PolicyPriority: &policyPriority1, TierPriority: &tierPriority2, SourceRef: &cnp1, + EnableLogging: true, + LogLabel: "egress2:test_log_label", }, ToAddresses: dualAddressGroup1, FromAddresses: nil, 
@@ -252,14 +272,16 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls func(mockRouteClient *routetest.MockInterfaceMockRecorder) }{ { - name: "IPv4, add an ingress rule, then forget it", + name: "IPv4, add an ingress rule, update it, then forget it", ipv4Enabled: true, ipv6Enabled: false, expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules := [][]string{ @@ -288,8 +310,10 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules := [][]string{ { - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules := [][]string{ 
@@ -316,8 +340,10 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRulesIPv4 := [][]string{ @@ -357,8 +383,10 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { serviceRules1 := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules1 := [][]string{ 
@@ -369,19 +397,23 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { coreRules2 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDeleted3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -416,36 +448,45 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { coreRules3 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules2 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } serviceRules1 := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules1 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy 
AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete1 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -476,36 +517,44 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { coreRules2 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } serviceRules1 := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } coreRules1 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules3 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, + `-A 
ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete2 := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRulesDelete1 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -537,21 +586,25 @@ func TestNodeReconcilerReconcileAndForget(t *testing.T) { expectedCalls: func(mockRouteClient *routetest.MockInterfaceMockRecorder) { coreRules1 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules2 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules3 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.2/32 -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.2/32 -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } coreRules4 := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE3-4 src -p tcp --dport 8080 -j LOG --log-prefix "Antrea:In:Allow:ingress3"`, `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE3-4 src -p tcp --dport 8080 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-03, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -667,6 +720,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -675,12 +729,15 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } svcRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } updatedCoreRules := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -711,6 +768,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-6 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -719,8 +777,10 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } svcRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } updatedCoreRules := [][]string{ 
@@ -754,12 +814,14 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { ipv4CoreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } ipv6CoreRules := [][]string{ { `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-6 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -768,18 +830,22 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } ipv4SvcRules := [][]string{ { - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`, + `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } ipv6SvcRules := ipv4SvcRules updatedIPv4CoreRules := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } updatedIPv6CoreRules := [][]string{ { + `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`, `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -816,6 +882,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`, `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -824,12 +891,15 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } svcRules := [][]string{ { - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } updatedCoreRules := [][]string{ { + `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`, `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -858,6 +928,7 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { coreRules := [][]string{ { `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`, `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -866,12 +937,15 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { } svcRules := [][]string{ { - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT", - "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT", + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`, + `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`, }, } updatedCoreRules := [][]string{ { + `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`, `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } @@ -901,12 +975,14 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) { ipv4CoreRules := [][]string{ { `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`, `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } ipv6CoreRules := [][]string{ { `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`, + `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`, `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`, }, } 
@@ -915,18 +991,22 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 ipv4SvcRules := [][]string{
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 ipv6SvcRules := ipv4SvcRules
 updatedIPv4CoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedIPv6CoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -961,12 +1041,16 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 svcRules := [][]string{
 {
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 ingressCoreChains := []string{"ANTREA-POL-INGRESS-RULES"}
@@ -974,22 +1058,26 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 ingressCoreRules := [][]string{
 {
 `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-4 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 egressCoreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedIngressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedEgressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`,
 `-A ANTREA-POL-EGRESS-RULES -d 1.1.1.1/32 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
@@ -1026,12 +1114,16 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 }
 svcRules := [][]string{
 {
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress1"`,
+ `-A ANTREA-POL-INGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 {
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT",
- "-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT",
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 80 -j ACCEPT`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress1"`,
+ `-A ANTREA-POL-EGRESSRULE1 -p tcp --dport 443 -j ACCEPT`,
 },
 }
 ingressCoreChains := []string{"ANTREA-POL-INGRESS-RULES"}
@@ -1039,22 +1131,26 @@ func TestNodeReconcilerBatchReconcileAndForget(t *testing.T) {
 ingressCoreRules := [][]string{
 {
 `-A ANTREA-POL-INGRESS-RULES -m set --match-set ANTREA-POL-INGRESSRULE1-6 src -j ANTREA-POL-INGRESSRULE1 -m comment --comment "Antrea: for rule ingress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 egressCoreRules := [][]string{
 {
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -j ANTREA-POL-EGRESSRULE1 -m comment --comment "Antrea: for rule egress-rule-01, policy AntreaClusterNetworkPolicy:name1"`,
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedIngressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:In:Allow:ingress2"`,
 `-A ANTREA-POL-INGRESS-RULES -s 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule ingress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
 updatedEgressCoreRules := [][]string{
 {
+ `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j LOG --log-prefix "Antrea:Out:Allow:egress2:test"`,
 `-A ANTREA-POL-EGRESS-RULES -d 2002:1a23:fb44::1/128 -p tcp --dport 443 -j ACCEPT -m comment --comment "Antrea: for rule egress-rule-02, policy AntreaClusterNetworkPolicy:name1"`,
 },
 }
diff --git a/pkg/agent/types/networkpolicy.go b/pkg/agent/types/networkpolicy.go
index 483c70de108..35116708239 100644
--- a/pkg/agent/types/networkpolicy.go
+++ b/pkg/agent/types/networkpolicy.go
@@ -84,7 +84,7 @@ type NodePolicyRule struct {
 ServiceIPTChain string
 ServiceIPTRules []string
 CoreIPTChain string
- CoreIPTRule string
+ CoreIPTRules []string
 IsIPv6 bool
 }
diff --git a/pkg/agent/util/iptables/builder.go b/pkg/agent/util/iptables/builder.go
index f247ed5d250..f9b49880f05 100644
--- a/pkg/agent/util/iptables/builder.go
+++ b/pkg/agent/util/iptables/builder.go
@@ -69,6 +69,15 @@ func (b *iptablesRuleBuilder) MatchCIDRDst(cidr string) IPTablesRuleBuilder {
 return b
 }
+func (b *iptablesRuleBuilder) SetLogPrefix(prefix string) IPTablesRuleBuilder {
+ if prefix == "" {
+ return b
+ }
+ matchStr := fmt.Sprintf("--log-prefix \"%s\"", prefix)
+ b.writeSpec(matchStr)
+ return b
+}
+
 func (b *iptablesRuleBuilder) MatchIPSetSrc(ipsetName string, ipsetType ipset.SetType) IPTablesRuleBuilder {
 if ipsetName == "" {
 return b
diff --git a/pkg/agent/util/iptables/builder_test.go b/pkg/agent/util/iptables/builder_test.go
index c03fc94d949..f81f853769b 100644
--- a/pkg/agent/util/iptables/builder_test.go
+++ b/pkg/agent/util/iptables/builder_test.go
@@ -103,6 +103,18 @@ func TestBuilders(t *testing.T) {
 },
 expected: `-A FORWARD -i eth0 -p icmp --icmp-type 0/0 -j ACCEPT`,
 },
+ {
+ name: "Accept ICMP IPv4 with logging",
+ chain: ForwardChain,
+ buildFunc: func(builder IPTablesRuleBuilder) IPTablesRule {
+ return builder.MatchInputInterface(eth0).
+ MatchICMP(&icmpType0, &icmpCode0, ProtocolIPv4).
+ SetTarget(LOGTarget).
+ SetLogPrefix("Accept ICMP IPv4").
+ Done()
+ },
+ expected: `-A FORWARD -i eth0 -p icmp --icmp-type 0/0 -j LOG --log-prefix "Accept ICMP IPv4"`,
+ },
 {
 name: "Accept ICMP IPv6",
 chain: ForwardChain,
diff --git a/pkg/agent/util/iptables/iptables.go b/pkg/agent/util/iptables/iptables.go
index 3eee6ba1d00..65d35bee1f8 100644
--- a/pkg/agent/util/iptables/iptables.go
+++ b/pkg/agent/util/iptables/iptables.go
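Review bot: `SetLogPrefix` in builder.go splices `prefix` verbatim into a double-quoted argument via `fmt.Sprintf("--log-prefix \"%s\"", prefix)`, so a prefix containing `"`, `\` or a newline terminates the quoted argument early when the rule text is later parsed, and the rule (or the whole batch it is applied with) is rejected or, worse, reinterpreted. The commit title says the prefix is built partly from a user-settable `LogLabel`, so this value should be validated before it reaches the builder (a restricted character set at API validation is the simplest place), since the builder has no error return and cannot refuse a bad value. A second, independent limit: iptables rejects `--log-prefix` values longer than 29 characters, and the reconciler fixtures in this commit already produce a prefix of exactly 29 characters (`Antrea:Out:Allow:egress2:test`), so a slightly longer rule name or label will make rule realization fail; the length budget needs to be enforced or truncated where the prefix is composed (generateLogLabel, outside this diff). At minimum the new method deserves a doc comment stating both constraints, e.g. `// SetLogPrefix appends --log-prefix for the LOG target. The prefix is emitted inside double quotes without escaping and iptables caps it at 29 characters; callers must validate user-supplied labels.`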
@@ -49,6 +49,7 @@ const (
 DNATTarget = "DNAT"
 RejectTarget = "REJECT"
 NotrackTarget = "NOTRACK"
+ LOGTarget = "LOG"
 PreRoutingChain = "PREROUTING"
 InputChain = "INPUT"
@@ -121,6 +122,7 @@ type IPTablesRuleBuilder interface {
 MatchEstablishedOrRelated() IPTablesRuleBuilder
 MatchInputInterface(interfaceName string) IPTablesRuleBuilder
 MatchOutputInterface(interfaceName string) IPTablesRuleBuilder
+ SetLogPrefix(prefix string) IPTablesRuleBuilder
 SetTarget(target string) IPTablesRuleBuilder
 SetTargetDNATToDst(dnatIP string, dnatPort *int32) IPTablesRuleBuilder
 SetComment(comment string) IPTablesRuleBuilder