From 2c64a219c912ee87e77039c46fbf2cc9c2161355 Mon Sep 17 00:00:00 2001
From: zyiou
Date: Thu, 5 Aug 2021 11:58:16 -0700
Subject: [PATCH] Fix deny connections tracking for ACNP baseline policy

If we apply a baseline ANP, in deny connections tracking of Flow Exporter, it will be filled as K8s NetworkPolicy instead of ANP since we are ignoring ANP associate tables IngressDefaultTable and EgressDefaultTable for these connections. This PR fixes it by changing the logic for assigning policy type.

Signed-off-by: zyiou
---
 .../controller/networkpolicy/packetin.go | 72 ++++++++++++-------
 1 file changed, 45 insertions(+), 27 deletions(-)

diff --git a/pkg/agent/controller/networkpolicy/packetin.go b/pkg/agent/controller/networkpolicy/packetin.go
index 5d6da0ece6c..ccf819509dc 100644
--- a/pkg/agent/controller/networkpolicy/packetin.go
+++ b/pkg/agent/controller/networkpolicy/packetin.go
@@ -332,43 +332,61 @@ func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error {
 	}
 	disposition := openflow.DispositionToString[id]
 
-	// For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
-	if tableID == openflow.IngressDefaultTable {
-		denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
-		denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-	} else if tableID == openflow.EgressDefaultTable {
-		denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
-		denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-	} else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
-		// Set match to corresponding ingress/egress reg according to disposition
-		match = getMatch(matchers, tableID, id)
+	// Set match to corresponding ingress/egress reg according to disposition
+	match = getMatch(matchers, tableID, id)
+	if match != nil {
 		ruleID, err := getInfoInReg(match, nil)
 		if err != nil {
 			return fmt.Errorf("error when obtaining rule id from reg: %v", err)
 		}
 		policy := c.GetNetworkPolicyByRuleFlowID(ruleID)
 		rule := c.GetRuleByFlowID(ruleID)
-
 		if policy == nil || rule == nil {
-			// Default drop by K8s NetworkPolicy
 			klog.V(4).Infof("Cannot find NetworkPolicy or rule that has ruleID %v", ruleID)
-		} else {
-			if tableID == openflow.AntreaPolicyIngressRuleTable {
-				denyConn.IngressNetworkPolicyName = policy.Name
-				denyConn.IngressNetworkPolicyNamespace = policy.Namespace
-				denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
-				denyConn.IngressNetworkPolicyRuleName = rule.Name
-				denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-			} else if tableID == openflow.AntreaPolicyEgressRuleTable {
-				denyConn.EgressNetworkPolicyName = policy.Name
-				denyConn.EgressNetworkPolicyNamespace = policy.Namespace
-				denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
-				denyConn.EgressNetworkPolicyRuleName = rule.Name
-				denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-			}
+		}
+		// Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
+		if isAntreaPolicyIngressTable(tableID) {
+			denyConn.IngressNetworkPolicyName = policy.Name
+			denyConn.IngressNetworkPolicyNamespace = policy.Namespace
+			denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
+			denyConn.IngressNetworkPolicyRuleName = rule.Name
+			denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		}
+		if isAntreaPolicyEgressTable(tableID) {
+			denyConn.EgressNetworkPolicyName = policy.Name
+			denyConn.EgressNetworkPolicyNamespace = policy.Namespace
+			denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
+			denyConn.EgressNetworkPolicyRuleName = rule.Name
+			denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		}
+	} else {
+		// For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
+		if tableID == openflow.IngressDefaultTable {
+			denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+			denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		} else if tableID == openflow.EgressDefaultTable {
+			denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+			denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
 		}
 	}
-
 	c.denyConnStore.AddOrUpdateConn(&denyConn, time.Now(), uint64(packet.IPLength))
 	return nil
 }
+
+func isAntreaPolicyIngressTable(tableID binding.TableIDType) bool {
+	for _, table := range openflow.GetAntreaPolicyIngressTables() {
+		if table == tableID {
+			return true
+		}
+	}
+	return false
+}
+
+func isAntreaPolicyEgressTable(tableID binding.TableIDType) bool {
+	for _, table := range openflow.GetAntreaPolicyEgressTables() {
+		if table == tableID {
+			return true
+		}
+	}
+	return false
+}
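Review bot: On the new side the `policy == nil || rule == nil` check only logs: the `} else {` that previously wrapped the per-policy assignments is removed, so `denyConn.IngressNetworkPolicyName = policy.Name` and `... = rule.Name` under `isAntreaPolicyIngressTable`/`isAntreaPolicyEgressTable` now run even when the lookup failed and would dereference a nil pointer. Whether `getMatch` can return a non-nil match whose ruleID maps to no policy is not visible in this hunk, but the branch exists precisely to log that case, so it should also skip the assignments rather than fall through. Restore the guard by changing the added `}` after the klog line to `} else {` and adding a matching `}` after the egress block, or gate both table checks with `if policy != nil && rule != nil && isAntreaPolicyIngressTable(tableID) {` (same for egress). storeDenyConnection begins before this hunk, and the collapsed text leaves the marker of the `if policy == nil || rule == nil {` line ambiguous, so confirm against the applied patch.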