Fix deny connections tracking for ACNP baseline policy

If we apply a baseline ANP, in deny connections tracking of Flow Exporter, it will be filled as K8s NetworkPolicy instead of ANP since we are ignoring ANP associate tables IngressDefaultTable and EgressDefaultTable for these connections. This PR fixes it by changing the logic for assigning policy type. Signed-off-by: zyiou <zyiou@vmware.com>
antrea-io · Aug 18, 2021 · 2c64a21 · 2c64a21
1 parent 7f90fc0
commit 2c64a21
Showing 1 changed file with 45 additions and 27 deletions.
diff --git a/pkg/agent/controller/networkpolicy/packetin.go b/pkg/agent/controller/networkpolicy/packetin.go
@@ -332,43 +332,61 @@ func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error {
 	}
 	disposition := openflow.DispositionToString[id]
 
-	// For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
-	if tableID == openflow.IngressDefaultTable {
-		denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
-		denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-	} else if tableID == openflow.EgressDefaultTable {
-		denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
-		denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-	} else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
-		// Set match to corresponding ingress/egress reg according to disposition
-		match = getMatch(matchers, tableID, id)
+	// Set match to corresponding ingress/egress reg according to disposition
+	match = getMatch(matchers, tableID, id)
+	if match != nil {
 		ruleID, err := getInfoInReg(match, nil)
 		if err != nil {
 			return fmt.Errorf("error when obtaining rule id from reg: %v", err)
 		}
 		policy := c.GetNetworkPolicyByRuleFlowID(ruleID)
 		rule := c.GetRuleByFlowID(ruleID)
-
 		if policy == nil || rule == nil {
-			// Default drop by K8s NetworkPolicy
 			klog.V(4).Infof("Cannot find NetworkPolicy or rule that has ruleID %v", ruleID)
-		} else {
-			if tableID == openflow.AntreaPolicyIngressRuleTable {
-				denyConn.IngressNetworkPolicyName = policy.Name
-				denyConn.IngressNetworkPolicyNamespace = policy.Namespace
-				denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
-				denyConn.IngressNetworkPolicyRuleName = rule.Name
-				denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-			} else if tableID == openflow.AntreaPolicyEgressRuleTable {
-				denyConn.EgressNetworkPolicyName = policy.Name
-				denyConn.EgressNetworkPolicyNamespace = policy.Namespace
-				denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
-				denyConn.EgressNetworkPolicyRuleName = rule.Name
-				denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-			}
+		}
+		// Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
+		if isAntreaPolicyIngressTable(tableID) {
+			denyConn.IngressNetworkPolicyName = policy.Name
+			denyConn.IngressNetworkPolicyNamespace = policy.Namespace
+			denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
+			denyConn.IngressNetworkPolicyRuleName = rule.Name
+			denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		}
+		if isAntreaPolicyEgressTable(tableID) {
+			denyConn.EgressNetworkPolicyName = policy.Name
+			denyConn.EgressNetworkPolicyNamespace = policy.Namespace
+			denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
+			denyConn.EgressNetworkPolicyRuleName = rule.Name
+			denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		}
+	} else {
+		// For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
+		if tableID == openflow.IngressDefaultTable {
+			denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+			denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		} else if tableID == openflow.EgressDefaultTable {
+			denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+			denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
 		}
 	}
-
 	c.denyConnStore.AddOrUpdateConn(&denyConn, time.Now(), uint64(packet.IPLength))
 	return nil
 }
+
+func isAntreaPolicyIngressTable(tableID binding.TableIDType) bool {
+	for _, table := range openflow.GetAntreaPolicyIngressTables() {
+		if table == tableID {
+			return true
+		}
+	}
+	return false
+}
+
+func isAntreaPolicyEgressTable(tableID binding.TableIDType) bool {
+	for _, table := range openflow.GetAntreaPolicyEgressTables() {
+		if table == tableID {
+			return true
+		}
+	}
+	return false
+}