Fix deny connections tracking for ACNP baseline policy

If we apply a baseline ANP, in deny connections tracking of Flow Exporter, it will be filled as K8s NetworkPolicy instead of ANP since we are ignoring ANP associate tables IngressDefaultTable and EgressDefaultTable for these connections. This PR fixes it by changing the logic for assigning policy type. Signed-off-by: zyiou <zyiou@vmware.com>
antrea-io · Aug 12, 2021 · f349100 · f349100
1 parent 9ea4e86
commit f349100
Showing 1 changed file with 23 additions and 22 deletions.
diff --git a/pkg/agent/controller/networkpolicy/packetin.go b/pkg/agent/controller/networkpolicy/packetin.go
@@ -379,34 +379,35 @@ func (c *Controller) storeDenyConnection(pktIn *ofctrl.PacketIn) error {
 	}
 	disposition := openflow.DispositionToString[id]
 
-	// For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
-	if tableID == openflow.IngressDefaultTable {
-		denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
-		denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-	} else if tableID == openflow.EgressDefaultTable {
-		denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
-		denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-	} else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
-		// Set match to corresponding ingress/egress reg according to disposition
-		match = getMatch(matchers, tableID, id)
-		ruleID, err := getInfoInReg(match, nil)
-		if err != nil {
-			return fmt.Errorf("error when obtaining rule id from reg: %v", err)
+	// Set match to corresponding ingress/egress reg according to disposition
+	match = getMatch(matchers, tableID, id)
+	ruleID, err := getInfoInReg(match, nil)
+	if err != nil {
+		return fmt.Errorf("error when obtaining rule id from reg: %v", err)
+	}
+	policy := c.GetNetworkPolicyByRuleFlowID(ruleID)
+	rule := c.GetRuleByFlowID(ruleID)
+	if policy == nil || rule == nil {
+		// For K8s NetworkPolicy implicit drop action, we cannot get name/namespace.
+		if tableID == openflow.IngressDefaultTable {
+			denyConn.IngressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+			denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
+		} else if tableID == openflow.EgressDefaultTable {
+			denyConn.EgressNetworkPolicyType = registry.PolicyTypeK8sNetworkPolicy
+			denyConn.EgressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
 		}
-		policy := c.GetNetworkPolicyByRuleFlowID(ruleID)
-		rule := c.GetRuleByFlowID(ruleID)
-
-		if policy == nil || rule == nil {
-			// Default drop by K8s NetworkPolicy
-			klog.V(4).Infof("Cannot find NetworkPolicy or rule that has ruleID %v", ruleID)
-		} else {
-			if tableID == openflow.AntreaPolicyIngressRuleTable {
+	} else { // Get name and namespace for Antrea Network Policy or Antrea Cluster Network Policy
+		for _, table := range openflow.GetAntreaPolicyIngressTables() {
+			if table == tableID {
 				denyConn.IngressNetworkPolicyName = policy.Name
 				denyConn.IngressNetworkPolicyNamespace = policy.Namespace
 				denyConn.IngressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)
 				denyConn.IngressNetworkPolicyRuleName = rule.Name
 				denyConn.IngressNetworkPolicyRuleAction = flowexporter.RuleActionToUint8(disposition)
-			} else if tableID == openflow.AntreaPolicyEgressRuleTable {
+			}
+		}
+		for _, table := range openflow.GetAntreaPolicyEgressTables() {
+			if table == tableID {
 				denyConn.EgressNetworkPolicyName = policy.Name
 				denyConn.EgressNetworkPolicyNamespace = policy.Namespace
 				denyConn.EgressNetworkPolicyType = flowexporter.PolicyTypeToUint8(policy.Type)