From 3ab3c06abd7871b64b388389a5a0b8429e280fa9 Mon Sep 17 00:00:00 2001
From: zyiou
Date: Thu, 5 Aug 2021 10:35:20 -0700
Subject: [PATCH] Fix deny connections tracking for ANP baseline tier

If we apply a baseline ANP, in deny connections tracking of Flow Exporter, it will be filled as K8s NetworkPolicy instead of ANP since the connection will be in IngressDefaultTable/EgressDefaultTable. This PR fixes it by changing the logic for assigning policy type.

Signed-off-by: zyiou
---
 .../controller/networkpolicy/packetin.go | 63 +++++++++----------
 1 file changed, 30 insertions(+), 33 deletions(-)

diff --git a/pkg/agent/controller/networkpolicy/packetin.go b/pkg/agent/controller/networkpolicy/packetin.go
index 8657c633b1c..503c06e8559 100644
--- a/pkg/agent/controller/networkpolicy/packetin.go
+++ b/pkg/agent/controller/networkpolicy/packetin.go
@@ -379,40 +379,37 @@ func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error {
 }
 disposition := openflow.DispositionToString[id]
- // For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
- if tableID == openflow.IngressDefaultTable {
- denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
- denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
- } else if tableID == openflow.EgressDefaultTable {
- denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
- denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
- } else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
- // Set match to corresponding ingress/egress reg according to disposition
- match = getMatch(matchers, tableID, id)
- ruleID, err := getInfoInReg(match, nil)
- if err != nil {
- return fmt.Errorf("error when obtaining rule id from reg: %v", err)
+ // Set match to corresponding ingress/egress reg according to disposition
+ match = getMatch(matchers, tableID, id)
+ ruleID, err := getInfoInReg(match, nil)
+ if err != nil {
+ return fmt.Errorf("error when obtaining rule id from reg: %v", err)
+ }
+ policy := c.GetNetworkPolicyByRuleFlowID(ruleID)
+ rule := c.GetRuleByFlowID(ruleID)
+
+ if policy == nil || rule == nil {
+ // For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
+ if tableID == openflow.IngressDefaultTable {
+ denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+ denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+ } else if tableID == openflow.EgressDefaultTable {
+ denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+ denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
 }
- policy := c.GetNetworkPolicyByRuleFlowID(ruleID)
- rule := c.GetRuleByFlowID(ruleID)
-
- if policy == nil || rule == nil {
- // Default drop by K8s NetworkPolicy
- klog.V(4).Infof("Cannot find NetworkPolicy or rule that has ruleID %v", ruleID)
- } else {
- if tableID == openflow.AntreaPolicyIngressRuleTable {
- denyConn.IngressNetworkPolicyName = policy.Name
- denyConn.IngressNetworkPolicyNamespace = policy.Namespace
- denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
- denyConn.IngressNetworkPolicyRuleName = rule.Name
- denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
- } else if tableID == openflow.AntreaPolicyEgressRuleTable {
- denyConn.EgressNetworkPolicyName = policy.Name
- denyConn.EgressNetworkPolicyNamespace = policy.Namespace
- denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
- denyConn.EgressNetworkPolicyRuleName = rule.Name
- denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
- }
+ } else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
+ if tableID == openflow.AntreaPolicyIngressRuleTable {
+ denyConn.IngressNetworkPolicyName = policy.Name
+ denyConn.IngressNetworkPolicyNamespace = policy.Namespace
+ denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
+ denyConn.IngressNetworkPolicyRuleName = rule.Name
+ denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+ } else if tableID == openflow.AntreaPolicyEgressRuleTable {
+ denyConn.EgressNetworkPolicyName = policy.Name
+ denyConn.EgressNetworkPolicyNamespace = policy.Namespace
+ denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
+ denyConn.EgressNetworkPolicyRuleName = rule.Name
+ denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
 }
 }