Add ICMP support in ACNP and ANP (#3472)
This PR adds ICMP support to Antrea-native policies. Users can define
a policy that is enforced only on ICMP traffic, or only on ICMP traffic
with a specific ICMP type or ICMP code.

1. Added a new field called `protocols` which contains protocols that
are not supported by `ports`. Currently, only the ICMP protocol is in
this field.

2. On the controller side,
* Both `ports` and `protocols` will be translated into `Service` of
  internalNP
* Added `ICMPType` and `ICMPCode` to `Service`

3. On the agent side,
* Added a new struct `matchPair` which contains one matchKey and one
  matchValue
* Added some new `MatchKey`: `MatchICMPType`, `MatchICMPCode`,
  `MatchICMPv6Type` and `MatchICMPv6Code`
* Changed `conjunctiveMatch` from containing only one matchKey-matchValue
  pair to containing a list of `matchPair`, in order to support flows
  with multiple match conditions like this:
  `icmp,icmp_type=8,icmp_code=0,action=conjunction(2,3/3)`

Signed-off-by: wgrayson <[email protected]>
GraysonWu authored Apr 25, 2022
1 parent 79414ec commit 2921271
Showing 42 changed files with 1,315 additions and 285 deletions.
40 changes: 38 additions & 2 deletions build/charts/antrea/templates/crds/clusternetworkpolicy.yaml
@@ -190,7 +190,7 @@ spec:
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -206,6 +206,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
from:
type: array
items:
@@ -385,7 +403,7 @@ spec:
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -401,6 +419,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
to:
type: array
items:
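Review bot: The `icmp` object added under `protocols` (the hunks starting at new lines 206 and 419, ahead of `from:` and `to:`) accepts `icmpCode` without `icmpType`, although an ICMP code only has meaning relative to a type. Whether the controller or an admission webhook rejects that combination is not visible on this page; if nothing does, a rule could be realized with a broader or different match than its author intended. The dependency can be stated in the schema itself, for example on the `icmp` object: `anyOf: [{required: [icmpType]}, {not: {required: [icmpCode]}}]`. The same block is repeated in networkpolicy.yaml and in build/yamls/antrea-aks.yml, and the enclosing rule schema continues outside these hunks.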
40 changes: 38 additions & 2 deletions build/charts/antrea/templates/crds/networkpolicy.yaml
@@ -118,7 +118,7 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -134,6 +134,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
from:
type: array
items:
@@ -282,7 +300,7 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -298,6 +316,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
to:
type: array
items:
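Review bot: The new `protocols`, `icmp`, `icmpType` and `icmpCode` properties have no `description`, so the CRD does not state what an omitted field matches. From the schema alone `- icmp: {}` is valid and presumably matches all ICMP traffic, which is worth spelling out for a field that decides what an Allow or Drop rule covers. The commit message also mentions separate ICMPv4 and ICMPv6 match keys, and the two protocols number their types differently, so the text should say which family a given `icmpType` applies to. I would add to `icmp` something like `description: Matches ICMP traffic; an omitted icmpType or icmpCode matches any value.` once those semantics are confirmed; the same applies to the identical blocks in clusternetworkpolicy.yaml.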
80 changes: 76 additions & 4 deletions build/yamls/antrea-aks.yml
@@ -938,7 +938,7 @@ spec:
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -954,6 +954,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
from:
type: array
items:
@@ -1133,7 +1151,7 @@ spec:
required:
- name
- namespace
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -1149,6 +1167,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
to:
type: array
items:
@@ -1799,7 +1835,7 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -1815,6 +1851,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
from:
type: array
items:
@@ -1963,7 +2017,7 @@ spec:
pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
matchLabels:
x-kubernetes-preserve-unknown-fields: true
# Ensure that Action field allows only ALLOW, DROP and REJECT values
# Ensure that Action field allows only ALLOW, DROP, REJECT and PASS values
action:
type: string
enum: ['Allow', 'Drop', 'Reject', 'Pass']
@@ -1979,6 +2033,24 @@ spec:
x-kubernetes-int-or-string: true
endPort:
type: integer
protocols:
type: array
items:
type: object
oneOf:
- required: [icmp]
properties:
icmp:
type: object
properties:
icmpType:
type: integer
minimum: 0
maximum: 255
icmpCode:
type: integer
minimum: 0
maximum: 255
to:
type: array
items: