

Bug Fix: Protocol Ports not being honored in v1 policies if they do n…
…ot reference external networks
Satyam Sinha committed Apr 21, 2022
1 parent 6a67c70 commit 9dc0806
Showing 3 changed files with 44 additions and 28 deletions.
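--- a/apoxfrm/libs/networkpolicies/networkpolicies.go
+++ b/apoxfrm/libs/networkpolicies/networkpolicies.go
@@ -291,7 +291,11 @@ func (n *netPolInfo) xfrm() {
 for index, s := range subjects {
 i := n.incomingRule.DeepCopy()
 i.Object = [][]string{s}
-i.ProtocolPorts = n.subjectProtocolPorts[index]
+if len(n.subjectProtocolPorts[index]) == 0 {
+i.ProtocolPorts = n.netpol.Ports
+} else {
+i.ProtocolPorts = n.subjectProtocolPorts[index]
+}
 n.incoming.IncomingRules = append(n.incoming.IncomingRules, i)
 }
 
@@ -300,7 +304,11 @@ func (n *netPolInfo) xfrm() {
 for index, s := range objects {
 o := n.outgoingRule.DeepCopy()
 o.Object = [][]string{s}
-o.ProtocolPorts = n.objectProtocolPorts[index]
+if len(n.objectProtocolPorts[index]) == 0 {
+o.ProtocolPorts = n.netpol.Ports
+} else {
+o.ProtocolPorts = n.objectProtocolPorts[index]
+}
 n.outgoing.OutgoingRules = append(n.outgoing.OutgoingRules, o)
 }
 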
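Review bot: The fallback `i.ProtocolPorts = n.netpol.Ports` hands every generated incoming rule the very same value as the source policy, so the DeepCopy two lines above no longer isolates the rule's ports; if anything downstream appends to or edits ProtocolPorts, the policy and every sibling rule change with it (the same applies to `o.ProtocolPorts = n.netpol.Ports` in the second hunk). If ProtocolPorts is a slice, `slices.Clone(n.netpol.Ports)` or an explicit copy keeps the rules independent. The fallback also deserves a why-comment, since nothing in the code says where the ports come from: `// v1 policies that do not reference an external network carry their ports on the policy itself, not per subject/object`. When `n.netpol.Ports` is itself empty the rule is emitted with no ports at all, and it is not visible here whether the consumer reads that as "no ports" or "all ports"; a comment or explicit guard at that point would make the enforcement outcome deliberate rather than incidental. The enclosing xfrm body starts and ends outside both hunks.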
28 changes: 16 additions & 12 deletions apoxfrm/tests/pu2pu-parent-ns/policy-export.yaml
@@ -1,17 1,21 @@
APIVersion: 1
data:
networkaccesspolicies:
- applyPolicyMode: IncomingTraffic
description: unidirectional incoming traffic from private to protected
logsEnabled: true
name: 'test: pu2pu-parent-ns accept from private to protected'
object:
- - $namespace=/saurabh/parent/protected
propagate: true
subject:
- - $namespace=/saurabh/parent/private
- applyPolicyMode: IncomingTraffic
description: unidirectional incoming traffic from private to protected
logsEnabled: true
name: "test: pu2pu-parent-ns accept from private to protected"
object:
- - $namespace=/saurabh/parent/protected
propagate: true
subject:
- - $namespace=/saurabh/parent/private
ports:
- icmp6
- udp/1:65535
- tcp/1:65535
- icmp
identities:
- networkaccesspolicy
- externalnetwork
- networkaccesspolicy
- externalnetwork
label: policytest1

32 changes: 18 additions & 14 deletions apoxfrm/tests/pu2pu-same-ns/policy-export.yaml
@@ -1,19 1,23 @@
APIVersion: 1
data:
networkaccesspolicies:
- applyPolicyMode: IncomingTraffic
description: Unidirectional incomingPolicy, subject, object in same namespace
logsEnabled: true
name: 'test: pu2pu-pu-ns unidirectional incoming traffic in same ns'
object:
- - $namespace=/saurabh/parent/private
- '@app:docker:name=protected-nginx'
propagate: true
subject:
- - $namespace=/saurabh/parent/private
- '@app:docker:name=private-nginx'
- applyPolicyMode: IncomingTraffic
description: Unidirectional incomingPolicy, subject, object in same namespace
logsEnabled: true
name: "test: pu2pu-pu-ns unidirectional incoming traffic in same ns"
object:
- - $namespace=/saurabh/parent/private
- "@app:docker:name=protected-nginx"
propagate: true
subject:
- - $namespace=/saurabh/parent/private
- "@app:docker:name=private-nginx"
ports:
- icmp6
- udp/1:65535
- tcp/1:65535
- icmp
identities:
- networkaccesspolicy
- externalnetwork
- networkaccesspolicy
- externalnetwork
label: policytest2
