Add support for tier acl policy

hcn/hcn.go

@@ -240,6 +240,15 @@ func VxlanPortSupported() error {
 	return platformDoesNotSupportError("VXLAN port configuration")
 }
 
+// TierAclPolicySupported returns an error if the HCN version does not support configuring the TierAcl.
+func TierAclPolicySupported() error {
+	supported := GetSupportedFeatures()
+	if supported.TierAcl {
+		return nil
+	}
+	return platformDoesNotSupportError("TierAcl")
+}
+
 // RequestType are the different operations performed to settings.
 // Used to update the settings of Endpoint/Namespace objects.
 type RequestType string

hcn/hcnendpoint_test.go

@@ -309,3 +309,57 @@ func TestModifyEndpointSettings(t *testing.T) {
 		t.Fatal(err)
 	}
 }
+
+func TestApplyTierAclPolicyOnEndpoint(t *testing.T) {
+	network, err := HcnCreateTestL2BridgeNetwork()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = network.Delete()
+		if err != nil {
+			fmt.Printf("Failed deleting from defer routine network: %s-%s \n", network.Id, network.Name)
+			t.Fatal(err)
+		}
+	}()
+
+	endpoint, err := HcnCreateTestEndpoint(network)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer func() {
+		err = endpoint.Delete()
+		if err != nil {
+			fmt.Printf("Failed deleting from defer routine endpoint: %s-%s \n", endpoint.Id, endpoint.Name)
+			t.Fatal(err)
+		}
+	}()
+
+	endpointPolicyList, err := HcnCreateTierAcls()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	jsonString, err := json.Marshal(*endpointPolicyList)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	fmt.Printf("TierAcls JSON:\n%s \n", jsonString)
+	err = endpoint.ApplyPolicy(RequestTypeUpdate, *endpointPolicyList)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	foundEndpoint, err := GetEndpointByName(endpoint.Name)
+	if err != nil {
+		t.Fatal(err)
+	} else {
+		fmt.Printf("Found endpoint: %s-%s \n", foundEndpoint.Id, foundEndpoint.Name)
+	}
+
+	if len(foundEndpoint.Policies) == 0 {
+		t.Fatal("No Endpoint Policies found")
+	}
+
+}

hcn/hcnglobals.go

@@ -74,6 +74,9 @@ var (
 
 	//HNS 13.2 allows for L4WfpProxy Policy support
 	L4WfpProxyPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 13, Minor: 2}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
+
+	//HNS 14.0 allows for TierAcl Policy support
+	TierAclPolicyVersion = VersionRanges{VersionRange{MinVersion: Version{Major: 14, Minor: 0}, MaxVersion: Version{Major: math.MaxInt32, Minor: math.MaxInt32}}}
 )
 
 // GetGlobals returns the global properties of the HCN Service.

hcn/hcnpolicy.go

@@ -23,6 +23,7 @@ const (
 	// Endpoint and Network have InterfaceConstraint and ProviderAddress
 	NetworkProviderAddress     EndpointPolicyType = "ProviderAddress"
 	NetworkInterfaceConstraint EndpointPolicyType = "InterfaceConstraint"
+	TierAcl       EndpointPolicyType = "TierAcl"	
 )
 
 // EndpointPolicy is a collection of Policy settings for an Endpoint.
@@ -100,6 +101,8 @@ const (
 	ActionTypeAllow ActionType = "Allow"
 	// Block traffic
 	ActionTypeBlock ActionType = "Block"
+	// Pass traffic
+	ActionTypePass ActionType = "Pass"
 
 	// In is traffic coming to the Endpoint
 	DirectionTypeIn DirectionType = "In"
@@ -289,3 +292,23 @@ type L4ProxyPolicySetting struct {
 	Destination string
 	OutboundNAT bool `json:",omitempty"`
 }
+
+// TierAclRule represents an ACL within TierAclPolicySetting
+type TierAclRule struct {
+	Id                string        `json:",omitempty"`
+	Protocols         string        `json:",omitempty"`
+	TierAclRuleAction ActionType    `json:","`
+	LocalAddresses    string        `json:",omitempty"`
+	RemoteAddresses   string        `json:",omitempty"`
+	LocalPorts        string        `json:",omitempty"`
+	RemotePorts       string        `json:",omitempty"`
+	Priority          uint16        `json:",omitempty"`
+}
+
+// TierAclPolicySetting represents a Tier containing ACLs
+type TierAclPolicySetting struct {
+	Name            string         `json:","`
+	Direction       DirectionType  `json:","`
+	Order           uint16         `json:""`
+	TierAclRules    []TierAclRule  `json:",omitempty"`
+}

hcn/hcnsupport.go

@@ -19,6 +19,7 @@ type SupportedFeatures struct {
 	VxlanPort                bool        `json:"VxlanPort"`
 	L4Proxy                  bool        `json:"L4Proxy"`    // network policy that applies VFP rules to all endpoints on the network to redirect traffic
 	L4WfpProxy               bool        `json:"L4WfpProxy"` // endpoint policy that applies WFP filters to redirect traffic to/from that endpoint
+	TierAcl                  bool        `json:"TierAcl"`
 }
 
 // AclFeatures are the supported ACL possibilities.
@@ -69,6 +70,7 @@ func GetSupportedFeatures() SupportedFeatures {
 	features.VxlanPort = isFeatureSupported(globals.Version, VxlanPortVersion)
 	features.L4Proxy = isFeatureSupported(globals.Version, L4ProxyPolicyVersion)
 	features.L4WfpProxy = isFeatureSupported(globals.Version, L4WfpProxyPolicyVersion)
+	features.TierAcl = isFeatureSupported(globals.Version, TierAclPolicyVersion)
 
 	return features
 }

hcn/hcnsupport_test.go

@@ -149,6 +149,17 @@ func TestL4WfpProxyPolicySupport(t *testing.T) {
 	}
 }
 
+func TestTierAclPolicySupport(t *testing.T) {
+	supportedFeatures := GetSupportedFeatures()
+	err := TierAclPolicySupported()
+	if supportedFeatures.TierAcl && err != nil {
+		t.Fatal(err)
+	}
+	if !supportedFeatures.TierAcl && err == nil {
+		t.Fatal(err)
+	}
+}
+
 func TestIsFeatureSupported(t *testing.T) {
 	// HNSVersion1803 testing (single range tests)
 	if isFeatureSupported(Version{Major: 0, Minor: 0}, HNSVersion1803) {