Skip ipv6 address in Antrea NetworkPolicy

Added integration test too. Signed-off-by: Rahul Jain <[email protected]>
antrea-io · May 12, 2023 · 0791dc0 · 0791dc0
1 parent 57220b6
commit 0791dc0
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/pkg/controllers/networkpolicy/networkpolicy.go b/pkg/controllers/networkpolicy/networkpolicy.go
@@ -1185,6 +1185,11 @@ func (r *networkPolicyRule) rules(rr *NetworkPolicyReconciler) (ingressList []*s
 		for _, ip := range rule.From.IPBlocks {
 			ingress := &securitygroup.IngressRule{}
 			ipNet := net.IPNet{IP: net.IP(ip.CIDR.IP), Mask: net.CIDRMask(int(ip.CIDR.PrefixLength), 32)}
+			if ipNet.IP.To4() == nil {
+				// TODO: Enable this when IPv6 is supported in Nephe.
+				rr.Log.V(1).Info("IPv6 address detected in the rule. Skipping it for now.")
+				continue
+			}
 			ingress.FromSrcIP = append(ingress.FromSrcIP, &ipNet)
 			iRules = append(iRules, ingress)
 		}
@@ -1241,6 +1246,11 @@ func (r *networkPolicyRule) rules(rr *NetworkPolicyReconciler) (ingressList []*s
 	for _, ip := range rule.To.IPBlocks {
 		egress := &securitygroup.EgressRule{}
 		ipNet := net.IPNet{IP: net.IP(ip.CIDR.IP), Mask: net.CIDRMask(int(ip.CIDR.PrefixLength), 32)}
+		if ipNet.IP.To4() == nil {
+			// TODO: Enable this when IPv6 is supported in Nephe.
+			rr.Log.V(1).Info("IPv6 address detected in the rule. Skipping it for now.")
+			continue
+		}
 		egress.ToDstIP = append(egress.ToDstIP, &ipNet)
 		eRules = append(eRules, egress)
 	}

diff --git a/test/integration/cloudresource_e2e_test.go b/test/integration/cloudresource_e2e_test.go
@@ -136,9 +136,11 @@ var _ = Describe(fmt.Sprintf("%s,%s: NetworkPolicy On Cloud Resources", focusAws
 	configANPToFrom = func(kind, instanceName, vpc, tagKey, tagVal, ipBlock, nsName string, ports []string,
 		denyAll bool) *k8stemplates.ToFromParameters {
 		ret := &k8stemplates.ToFromParameters{
-			IPBlock: ipBlock,
 			DenyAll: denyAll,
 		}
+		if len(ipBlock) > 0 {
+			ret.IPBlock = ipBlock
+		}
 		if len(kind) > 0 {
 			ret.Entity = &k8stemplates.EntitySelectorParameters{
 				Kind: labels.ExternalEntityLabelKeyKind + ": " + strings.ToLower(kind),
@@ -594,6 +596,32 @@ var _ = Describe(fmt.Sprintf("%s,%s: NetworkPolicy On Cloud Resources", focusAws
 		verifyIngress(kind, ids[appliedIdx], ips[appliedIdx], srcVMs, oks, false)
 	}
 
+	testIngressAllowAll := func(kind string) {
+		var ids []string
+		var ips []string
+		if kind == reflect.TypeOf(runtimev1alpha1.VirtualMachine{}).Name() {
+			ids = cloudVPC.GetVMs()
+			ips = cloudVPC.GetVMPrivateIPs()
+		} else {
+			Fail("Unsupported type")
+		}
+		setup(kind, len(ids), []string{"22"}, false)
+
+		appliedIdx := len(ids) - 1
+		srcVMs := cloudVPC.GetVMs()[:appliedIdx]
+		anpParams.AppliedTo = configANPApplyTo(kind, ids[appliedIdx], "", "", "")
+
+		By(fmt.Sprintf("Ingress AllowAll NetworkPolicy"))
+		oks := make([]bool, len(ids)-1)
+		for i := range oks {
+			oks[i] = true
+		}
+		// wildcard ipblock and port.
+		anpParams.From = configANPToFrom("", "", "", "", "", "", namespace.Name,
+			[]string{}, false)
+		verifyIngress(kind, ids[appliedIdx], ips[appliedIdx], srcVMs, oks, false)
+	}
+
 	DescribeTable("AppliedTo",
 		func(kind string) {
 			testAppliedTo(kind)
@@ -626,6 +654,14 @@ var _ = Describe(fmt.Sprintf("%s,%s: NetworkPolicy On Cloud Resources", focusAws
 			reflect.TypeOf(runtimev1alpha1.VirtualMachine{}).Name()),
 	)
 
+	DescribeTable("Ingress AllowAll",
+		func(kind string) {
+			testIngressAllowAll(kind)
+		},
+		Entry(fmt.Sprintf("%s %s: VM In Same Namespace", focusAzure, focusAgent),
+			reflect.TypeOf(runtimev1alpha1.VirtualMachine{}).Name()),
+	)
+
 	Context("Enforce Before Import", func() {
 		JustBeforeEach(func() {
 			importAfterANP = true