Closed mimuret closed 1 year ago
Thank you for issue report!
Multi-networkpolicy(and k8s NetworkPolicy as well) from
can have multiple ipBlocks
. So I suppose following config may satisfy your requirements. Could you please check that?
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
(snip)
spec:
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 172.16.0.0/16
- ipBlock:
cidr: 172.17.0.0/16
I add two e2e testcases for ipblock cases and it seems to work, in kind environment so far. So iptables rules seems to be valid. (see below)
In addition, iptables tutorial describes
When/If we reach the end of that chain, we get dropped back to the INPUT chain and the packet starts traversing from the rule one step below where it jumped to the other chain (tcp_packets in this case).
Hence we don't need to add 'RETURN'.
Thanks you for you response.
I think need "RETURN" multiple from rule.
for example,
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
(snip)
spec:
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 172.16.0.0/16
ports:
# for exporter
- port: 8080
protocol: TCP
- from:
- ipBlock:
cidr: 172.17.0.0/16
ports:
# for service port
- port: 443
protocol: TCP
Output iptables rules below. 10.138.140.81 is NIC ip.
If src ip is 172.16.0.1 and dest port 8080. Request matches MULTI-0-INGRESS-0-FROM and MULTI-0-INGRESS-0-PORTS. But mark is resetting before MULTI-0-INGRESS-1-PORTS. I think "RETURN" before reset mark.
(SNIP)
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-1-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-1-FROM
-A MULTI-0-INGRESS-0-FROM -s 172.16.0.0/16 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-FROM -s 10.138.140.81/32 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-0-INGRESS-1-FROM -s 172.17.0.0/16 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-1-FROM -s 10.138.140.81/32 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-1-PORTS -m comment --comment "no ingress ports, skipped" -j MARK --set-xmark 0x10000/0x10000
-A MULTI-INGRESS -j MULTI-INGRESS-COMMON
-A MULTI-INGRESS -i net2 -m comment --comment "hogehoge" -j MULTI-0-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-INGRESS -j DROP
-A MULTI-INGRESS-COMMON -p icmp -j ACCEPT
-A MULTI-INGRESS-COMMON -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
workaround is split from resource level.
```yaml
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
(snip)
spec:
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 172.16.0.0/16
ports:
# for exporter
- port: 8080
protocol: TCP
---
apiVersion: k8s.cni.cncf.io/v1beta1
kind: MultiNetworkPolicy
(snip)
spec:
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 172.17.0.0/16
ports:
# for service port
- port: 443
protocol: TCP
It seems to be working fine.
(SNIP)
-A MULTI-0-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-PORTS
-A MULTI-0-INGRESS -j MULTI-0-INGRESS-0-FROM
-A MULTI-0-INGRESS-0-FROM -s 172.16.0.0/16 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-FROM -s 10.138.140.81/32 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-0-INGRESS-0-PORTS -i net2 -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-1-INGRESS -j MARK --set-xmark 0x0/0x30000
-A MULTI-1-INGRESS -j MULTI-1-INGRESS-0-PORTS
-A MULTI-1-INGRESS -j MULTI-1-INGRESS-0-FROM
-A MULTI-1-INGRESS-0-FROM -s 172.17.0.0/16 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-1-INGRESS-0-FROM -s 10.138.140.81/32 -i net2 -j MARK --set-xmark 0x20000/0x20000
-A MULTI-1-INGRESS-0-PORTS -i net2 -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x10000/0x10000
-A MULTI-INGRESS -j MULTI-INGRESS-COMMON
-A MULTI-INGRESS -i net2 -m comment --comment "hogehoge" -j MULTI-0-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-INGRESS -j MULTI-INGRESS-COMMON
-A MULTI-INGRESS -i net2 -m comment --comment "hugahuga" -j MULTI-1-INGRESS
-A MULTI-INGRESS -m mark --mark 0x30000/0x30000 -j RETURN
-A MULTI-INGRESS -j DROP
(SNIP)
Got your point. Let me double check that.
Set multiple ingress rules, but only matches the last rule. For example, This policy only allows from 172.17.0.0/16.
Maybe need a return rule before the next rule. https://github.com/k8snetworkplumbingwg/multi-networkpolicy-iptables/blob/0c6df81c1bf67c0812be0be94b4932388586b4df/pkg/server/policyrules.go#L237