implement network policy for multicast (#3660)
For multicast traffic, we support ingress rules for IGMP and egress
rules for multicast data traffic, and apply NetworkPolicy to real
traffic for both. Ingress for multicast traffic is not supported now.

Egress for IGMP only supports IGMP report, which is handled by
packetIn. This patch maintains a rule map for each group address to
fetch the rule which matches the member and also has the highest
priority. packetIn will then decide to allow or drop the IGMP report
traffic based on the matched rule.

Signed-off-by: Bin Liu <[email protected]>
liu4480 authored Jun 9, 2022
1 parent 8e8aafb commit 5a7e5c3
Showing 46 changed files with 1,684 additions and 240 deletions.
28 changes: 28 additions & 0 deletions build/charts/antrea/templates/crds/clusternetworkpolicy.yaml
Expand Up @@ -212,6 +212,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -224,6 +225,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
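Review bot: `groupAddress` in the ingress `igmp` block accepts `format: ipv6`, but IGMP is an IPv4-only protocol (the IPv6 equivalent is MLD), so an IPv6 group address can never match the `igmpType: 0x11` query this rule is limited to; either drop the ipv6 alternative or document that it is reserved for future MLD support. Also, `format: ipv4` only checks that the string is a well-formed address, not that it lies in the multicast range (224.0.0.0/4), so a unicast address passes CRD validation and the mismatch only surfaces at enforcement time; a `pattern` on the field or a controller-side check would reject it at admission.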
Expand Down Expand Up @@ -425,6 +438,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -437,6 +451,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
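Review bot: the egress `igmp` object has no `required` list, so `igmp: {}` is accepted by the schema; the comment explains that an unset `igmpType` matches all three report types, but it should also state what an unset `groupAddress` means (all groups?), because that combination turns the rule into a blanket allow or drop for every IGMP report leaving the selected Pods. Minor: the comment mixes `V1` with `v2`/`v3`; use one case. The enum also covers only reports (0x12, 0x16, 0x22) and not IGMPv2 Leave Group (0x17), which is consistent with the commit message's "only supports IGMP report" but is worth saying in the comment so users do not expect leave messages to be policed.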
28 changes: 28 additions & 0 deletions build/charts/antrea/templates/crds/networkpolicy.yaml
Expand Up @@ -140,6 +140,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -152,6 +153,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
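Review bot: `enum: [ 0x11 ]` admits a single value, so `igmpType` in the ingress `igmp` block carries no information unless it is also required; either add `required: [igmpType]` so the intent is explicit, or add a `description` stating that omitting it is equivalent to `0x11`. Without one of those, a rule that omits `igmpType` validates fine but the reader of the CRD cannot tell from the schema whether it matches queries or nothing.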
Expand Down Expand Up @@ -322,6 +335,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -334,6 +348,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
56 changes: 56 additions & 0 deletions build/yamls/antrea-aks.yml
Expand Up @@ -1021,6 +1021,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -1033,6 +1034,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
Expand Down Expand Up @@ -1234,6 +1247,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -1246,6 +1260,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
Expand Down Expand Up @@ -1920,6 +1948,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -1932,6 +1961,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
Expand Down Expand Up @@ -2102,6 +2143,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -2114,6 +2156,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
56 changes: 56 additions & 0 deletions build/yamls/antrea-eks.yml
Expand Up @@ -1021,6 +1021,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -1033,6 +1034,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
Expand Down Expand Up @@ -1234,6 +1247,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -1246,6 +1260,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items:
Expand Down Expand Up @@ -1920,6 +1948,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -1932,6 +1961,18 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP query (0x11) is valid igmpType in ingress rules.
enum: [ 0x11 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
from:
type: array
items:
Expand Down Expand Up @@ -2102,6 +2143,7 @@ spec:
type: object
oneOf:
- required: [icmp]
- required: [igmp]
properties:
icmp:
type: object
Expand All @@ -2114,6 +2156,20 @@ spec:
type: integer
minimum: 0
maximum: 255
igmp:
type: object
properties:
igmpType:
type: integer
# Only IGMP reports are igmpType in egress rules,
# 0x12 is IGMP report V1, 0x16 is IGMP report v2, 0x22 is IGMP report v3.
# It will match all IGMP report types if igmpType is not set.
enum: [ 0x12, 0x16, 0x22 ]
groupAddress:
type: string
oneOf:
- format: ipv4
- format: ipv6
to:
type: array
items: