support ip-ip policy in EPG.

Signed-off-by: Ranjith <[email protected]>

Author: rchirakk

netctl/netctl.go

@@ -227,9 +227,6 @@ func addRule(ctx *cli.Context) {
 		if ctx.String("to-network") != "" {
 			errExit(ctx, exitHelp, "Cant specify to-network for incoming rule", false)
 		}
-		if ctx.String("to-ip-address") != "" {
-			errExit(ctx, exitHelp, "Cant specify to-ip-address for incoming rule", false)
-		}
 
 		// If from EPG is specified, make sure from network is specified too
 		if ctx.String("from-group") != "" && ctx.String("from-network") != "" {
@@ -340,18 +337,19 @@ func listRules(ctx *cli.Context) {
 		writer := tabwriter.NewWriter(os.Stdout, 0, 2, 2, ' ', 0)
 		defer writer.Flush()
 		writer.Write([]byte("Incoming Rules:\n"))
-		writer.Write([]byte("Rule\tPriority\tFrom EndpointGroup\tFrom Network\tFrom IpAddress\tProtocol\tPort\tAction\n"))
-		writer.Write([]byte("----\t--------\t------------------\t------------\t---------\t--------\t----\t------\n"))
+		writer.Write([]byte("Rule\tPriority\tFrom EndpointGroup\tFrom Network\tFrom IpAddress\tTo IpAddress\tProtocol\tPort\tAction\n"))
+		writer.Write([]byte("----\t--------\t------------------\t------------\t---------\t------------\t--------\t----\t------\n"))
 
 		for _, rule := range results {
 			if rule.Direction == "in" {
 				writer.Write([]byte(fmt.Sprintf(
-					"%v\t%v\t%v\t%v\t%v\t%v\t%v\t%v\n",
+					"%v\t%v\t%v\t%v\t%v\t%v\t%v\t%v\t%v\n",
 					rule.RuleID,
 					rule.Priority,
 					rule.FromEndpointGroup,
 					rule.FromNetwork,
 					rule.FromIpAddress,
+					rule.ToIpAddress,
 					rule.Protocol,
 					rule.Port,
 					rule.Action,

netmaster/mastercfg/policyState.go

@@ -239,6 +239,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
 
 		// Set src/dest IP Address
 		ofnetRule.SrcIpAddr = rule.FromIpAddress
+		if len(rule.ToIpAddress) > 0 {
+			ofnetRule.DstIpAddr = rule.ToIpAddress
+		}
 
 		// set port numbers
 		ofnetRule.DstPort = uint16(rule.Port)
@@ -254,6 +257,9 @@ func (gp *EpgPolicy) createOfnetRule(rule *contivModel.Rule, dir string) (*ofnet
 
 		// Set src/dest IP Address
 		ofnetRule.DstIpAddr = rule.FromIpAddress
+		if len(rule.ToIpAddress) > 0 {
+			ofnetRule.SrcIpAddr = rule.ToIpAddress
+		}
 
 		// set port numbers
 		ofnetRule.SrcPort = uint16(rule.Port)

netmaster/objApi/apiController.go

@@ -1502,7 +1502,7 @@ func (ac *APIController) RuleCreate(rule *contivModel.Rule) error {
 
 	// verify parameter values
 	if rule.Direction == "in" {
-		if rule.ToNetwork != "" || rule.ToEndpointGroup != "" || rule.ToIpAddress != "" {
+		if rule.ToNetwork != "" || rule.ToEndpointGroup != "" {
 			return errors.New("can not specify 'to' parameters in incoming rule")
 		}
 		if rule.FromNetwork != "" && rule.FromIpAddress != "" {
@@ -1571,6 +1571,55 @@ func (ac *APIController) RuleCreate(rule *contivModel.Rule) error {
 		return core.Errorf("Policy not found")
 	}
 
+	if rule.Direction == "in" && rule.ToIpAddress != "" {
+		// rules from k8s network policy
+		// verify 'toIpAddress' is part of epg and subnet
+		if len(policy.LinkSets.EndpointGroups) != 1 {
+			errMsg := fmt.Errorf("failed to configure %s, %d endpoint groups linked to policy %s ",
+				rule.ToIpAddress,
+				len(policy.LinkSets.EndpointGroups),
+				rule.PolicyName)
+			log.Error(errMsg)
+			return errMsg
+		}
+		epgKey := ""
+		for key := range policy.LinkSets.EndpointGroups {
+			epgKey = strings.Replace(key, rule.TenantName+":", "", 1) + ":" + rule.TenantName
+		}
+
+		stateDriver, err := utils.GetStateDriver()
+		if err != nil {
+			log.Errorf("failed to configure %s, %s", rule.ToIpAddress, err)
+			return fmt.Errorf("failed to configure %s, unable to connect to key-value store",
+				rule.ToIpAddress)
+		}
+		readEp := &mastercfg.CfgEndpointState{}
+		readEp.StateDriver = stateDriver
+		epCfgs, err := readEp.ReadAll()
+		if err != nil {
+			log.Errorf("failed to configure %s, %s", rule.ToIpAddress, err)
+			return fmt.Errorf("failed to configure %s, unable to read endpoint state", rule.ToIpAddress)
+		}
+
+		// TODO: cache ip <--> epg for performance
+		if func(epgName string) bool {
+			for _, epCfg := range epCfgs {
+				if ep, ok := epCfg.(*mastercfg.CfgEndpointState); ok {
+					if ep.IPAddress == rule.ToIpAddress && ep.EndpointGroupKey == epgName {
+						return true
+					}
+				}
+			}
+			return false
+		}(epgKey) != true {
+			errMsg := fmt.Errorf("failed to configure %s, ip address is not in epg %s",
+				rule.ToIpAddress,
+				epgKey)
+			log.Error(errMsg)
+			return errMsg
+		}
+	}
+
 	// Trigger policyDB Update
 	err := master.PolicyAddRule(policy, rule)
 	if err != nil {

netmaster/objApi/objapi_test.go

@@ -1418,8 +1418,12 @@ func TestNetworkPktRanges(t *testing.T) {
 
 // TestPolicyRules tests policy and rule REST objects
 func TestPolicyRules(t *testing.T) {
+	containerID1 := "723e55bf5b244f47c1b184cb786a1c2ad8870cc3a3db723c49ac09f68a9d1e69"
+	ep1 := "657355bf5b244f47c1b184cb786a14535d8870cc3a3db723c49ac09f68a9d6a5"
 	checkCreateNetwork(t, false, "default", "contiv", "data", "vxlan", "10.1.1.1/16", "10.1.1.254", 1, "", "", "")
 	checkCreateEpg(t, false, "default", "contiv", "group1", []string{}, []string{}, "")
+	createEPinEPG(t, "10.1.1.15", "default", "group1", containerID1, "default", ep1, []string{})
+
 	// create policy
 	checkCreatePolicy(t, false, "default", "policy1")
 
@@ -1435,6 +1439,14 @@ func TestPolicyRules(t *testing.T) {
 	checkCreateRule(t, false, "default", "policy1", "6", "in", "", "group1", "", "", "", "", "", "deny", 1, 0)
 	checkCreateRule(t, false, "default", "policy1", "7", "out", "", "", "", "", "group1", "", "tcp", "allow", 1, 80)
 
+	// verify --to-ip, no linked epg fails
+	checkCreateRule(t, true, "default", "policy1", "to-ip", "in", "", "", "10.1.1.15", "", "", "10.2.1.31", "tcp", "allow", 1, 80)
+	// verify --to-ip not in epg fails
+	checkCreateEpg(t, false, "default", "contiv", "group1", []string{"policy1"}, []string{}, "")
+	checkCreateRule(t, true, "default", "policy1", "to-ip", "in", "", "", "10.2.1.115", "", "", "10.1.1.19", "tcp", "allow", 1, 80)
+	checkCreateRule(t, false, "default", "policy1", "to-ip", "in", "", "", "10.2.1.11", "", "", "10.1.1.15", "tcp", "allow", 1, 80)
+	checkCreateEpg(t, false, "default", "contiv", "group1", []string{}, []string{}, "")
+
 	// verify duplicate rule id fails
 	checkCreateRule(t, true, "default", "policy1", "1", "in", "", "", "", "", "", "", "tcp", "allow", 1, 80)
 
@@ -1479,6 +1491,7 @@ func TestPolicyRules(t *testing.T) {
 	// checkCreateRule(t, true, tenant, policy, ruleID, dir, fnet, fepg, fip, tnet, tepg, tip, proto, prio, port)
 
 	// delete rules
+	checkDeleteRule(t, false, "default", "policy1", "to-ip")
 	checkDeleteRule(t, false, "default", "policy1", "1")
 	checkDeleteRule(t, false, "default", "policy1", "2")
 	checkDeleteRule(t, false, "default", "policy1", "3")
@@ -1493,6 +1506,8 @@ func TestPolicyRules(t *testing.T) {
 
 	// delete policy
 	checkDeletePolicy(t, false, "default", "policy1")
+
+	deleteEP(t, "default", "default", ep1)
 	// delete the EPG
 	checkDeleteEpg(t, false, "default", "contiv", "group1")
 	// delete the network
@@ -2245,6 +2260,29 @@ func get(getAll bool, hook func(id string) ([]core.State, error)) func(http.Resp
 	}
 }
 
+func createEPinEPG(t *testing.T, providerIP, network, epg, containerID, tenant, endpointID string, labels []string) {
+
+	epCfg := &mastercfg.CfgEndpointState{
+		NetID:            network,
+		EndpointID:       endpointID,
+		IPAddress:        providerIP,
+		EndpointGroupKey: epg + ":" + tenant,
+	}
+	epCfg.Labels = make(map[string]string)
+	for _, v := range labels {
+		key := strings.Split(v, "=")[0]
+		value := strings.Split(v, "=")[1]
+		epCfg.Labels[key] = value
+	}
+	epCfg.StateDriver = stateStore
+	netID := network + "." + tenant
+	epCfg.ID = netID + "-" + endpointID
+	err := epCfg.Write()
+	if err != nil {
+		t.Errorf("Error creating Ep :%s", err)
+	}
+}
+
 func createEP(t *testing.T, providerIP, network, containerID, tenant, endpointID string, labels []string) {
 
 	epCfg := &mastercfg.CfgEndpointState{

utils/netutils/netutils_test.go

@@ -523,3 +523,22 @@ func TestClearIPAddrRange(t *testing.T) {
 	}
 
 }
+
+func TestIsOverlappingSubnet(t *testing.T) {
+	testAddrRange := []struct {
+		src     string
+		match   string
+		overlap bool
+	}{
+		{src: "10.36.0.1/32", match: "10.36.0.0/24", overlap: true},
+		{src: "20.20.0.20/32", match: "20.20.0.0/16", overlap: true},
+		{src: "20.20.5.20/32", match: "20.20.0.0/24", overlap: false},
+	}
+
+	for _, i := range testAddrRange {
+
+		overlap := IsOverlappingSubnet(i.src, i.match)
+		assertOnTrue(t, overlap != i.overlap, fmt.Sprintf("%+v got %v ", i, overlap))
+	}
+
+}