NP with port range vs individual ports
## NP with port range
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector:
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.244.0.0/16
    ports:
    - protocol: TCP
      port: 2000
      endPort: 2005
# Created NP ACL in NBDB (1)
_uuid               : 05eeee1f-1fcc-4aec-9882-5ed5702821ce
action              : allow-related
direction           : from-lport
external_ids        : {direction=Egress, gress-index="0", ip-block-index="0", "k8s.ovn.org/id"="default-network-controller:NetworkPolicy:default:default-deny-egress:Egress:0:0:0", "k8s.ovn.org/name"="default:default-deny-egress", "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=NetworkPolicy, port-policy-index="0"}
label               : 0
log                 : false
match               : "ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579"
meter               : acl-logging
name                : "NP:default:default-deny-egress:Egress:0"
options             : {apply-after-lb="true"}
priority            : 1001
severity            : []
# Logical flows in SBDB (2)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)), action=(next;)
_uuid               : f5924248-11e5-4945-8c50-0c0579f054b9
actions             : "reg0[1] = 1; next;"
controller_meter    : []
external_ids        : {source="northd.c:6429", stage-hint="05eeee1f", stage-name=ls_in_acl_after_lb}
logical_datapath    : e233833e-52d0-4126-bb95-a8860a233a63
logical_dp_group    : []
match               : "reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)"
pipeline            : ingress
priority            : 2001
table_id            : 17
tags                : {}
hash                : 0
_uuid               : 89cbd0b3-b3d6-4d97-b6f6-353f474d5c47
actions             : "next;"
controller_meter    : []
external_ids        : {source="northd.c:6454", stage-hint="05eeee1f", stage-name=ls_in_acl_after_lb}
logical_datapath    : e233833e-52d0-4126-bb95-a8860a233a63
logical_dp_group    : []
match               : "reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && 2000<=tcp.dst<=2005 && inport == @a4596619555129805579)"
pipeline            : ingress
priority            : 2001
table_id            : 17
tags                : {}
hash                : 0
# OpenFlow Flows (10)
# Each of the 2 logical flows expands to 5 OpenFlow flows: the 2000-2005 range is split into exact matches for 2000, 2001, 2004 and 2005 plus one masked match tp_dst=0x7d2/0xfffe covering 2002-2003.
[root@ovn-worker ~]# ovs-ofctl dump-flows br-int | grep f5924248
cookie=0xf5924248, duration=203.806s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=0x7d2/0xfffe actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.806s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.806s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.805s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xf5924248, duration=203.805s, table=25, n_packets=0, n_bytes=0, idle_age=203, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
[root@ovn-worker ~]# ovs-ofctl dump-flows br-int | grep 89cbd0b3
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=resubmit(,26)
cookie=0x89cbd0b3, duration=268.971s, table=25, n_packets=0, n_bytes=0, idle_age=268, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=0x7d2/0xfffe actions=resubmit(,26)
## NP with individual ports
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector:
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.244.0.0/16
    ports:
    - protocol: TCP
      port: 2000
      endPort: 2005
[trozet@fedora ~]$ cat network_policy_many_ports.yml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector:
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.244.0.0/16
    ports:
    - protocol: TCP
      port: 2000
    - protocol: TCP
      port: 2001
    - protocol: TCP
      port: 2002
    - protocol: TCP
      port: 2003
    - protocol: TCP
      port: 2004
    - protocol: TCP
      port: 2005
# Created 6 NP ACLs in NBDB (only 2 of them are shown below)
_uuid               : 5fa02ca1-2925-44ac-bf8e-bd5785b75b99
action              : allow-related
direction           : from-lport
external_ids        : {direction=Egress, gress-index="0", ip-block-index="0", "k8s.ovn.org/id"="default-network-controller:NetworkPolicy:default:default-deny-egress:Egress:0:5:0", "k8s.ovn.org/name"="default:default-deny-egress", "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=NetworkPolicy, port-policy-index="5"}
label               : 0
log                 : false
match               : "ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2005 && inport == @a4596619555129805579"
meter               : acl-logging
name                : "NP:default:default-deny-egress:Egress:0"
options             : {apply-after-lb="true"}
priority            : 1001
severity            : []
_uuid               : 923069ba-e8cc-4c9c-bc47-06ac0dc0c945
action              : allow-related
direction           : from-lport
external_ids        : {direction=Egress, gress-index="0", ip-block-index="0", "k8s.ovn.org/id"="default-network-controller:NetworkPolicy:default:default-deny-egress:Egress:0:1:0", "k8s.ovn.org/name"="default:default-deny-egress", "k8s.ovn.org/owner-controller"=default-network-controller, "k8s.ovn.org/owner-type"=NetworkPolicy, port-policy-index="1"}
label               : 0
log                 : false
match               : "ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2001 && inport == @a4596619555129805579"
meter               : acl-logging
name                : "NP:default:default-deny-egress:Egress:0"
options             : {apply-after-lb="true"}
priority            : 1001
severity            : []
# Logical flows in SBDB (12)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2000 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2001 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2002 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2003 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2004 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[7] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2005 && inport == @a4596619555129805579)), action=(reg0[1] = 1; next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2000 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2001 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2002 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2003 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2004 && inport == @a4596619555129805579)), action=(next;)
table=17(ls_in_acl_after_lb ), priority=2001 , match=(reg0[8] == 1 && (ip4.dst == 10.244.0.0/16 && tcp && tcp.dst==2005 && inport == @a4596619555129805579)), action=(next;)
# OpenFlow Flows (12)
# One exact-port OpenFlow flow per logical flow: 6 ports x 2 logical flows, versus 10 for the single range ACL above.
cookie=0xa8d875f0, duration=139.678s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=resubmit(,26)
cookie=0xb2ff3b50, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2003 actions=resubmit(,26)
cookie=0x770402da, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=resubmit(,26)
cookie=0x2ac5696c, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=resubmit(,26)
cookie=0x8c10f68f, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=resubmit(,26)
cookie=0x458b5a7f, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x100/0x100,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2002 actions=resubmit(,26)
priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2001 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0x2dfe89d3, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2002 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0x3dfcbff7, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2000 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xb23703a9, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2004 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xc976141b, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2003 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)
cookie=0xae75df8f, duration=139.677s, table=25, n_packets=0, n_bytes=0, priority=2001,tcp,reg0=0x80/0x80,reg14=0x6,metadata=0x4,nw_dst=10.244.0.0/16,tp_dst=2005 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,26)